Problems with SSLSessionCache

Problems with SSLSessionCache

am 25.11.2003 22:37:17 von Patrick Sweitzer

This is a multipart message in MIME format.
--=_alternative 0076C2DB85256DE9_=
Content-Type: text/plain; charset="US-ASCII"

Apache setup :

Windows 2000 Server / Apache 2.0.47 / mos_ssl 2.0.48 / OpenSSL 0.9.7c
I have one site responding to HTTP (80) and two virtual hosts responding
to HTTPS (443) all using separate IP addresses.


I have a question about the SSLSessionCache directive....
The directive was setup to the default "dbm:logs/ssl_scache" but started
to cause problems...
The HTTP site kept running but both the HTTPS sites would hang.... They
would initiate the SSL handshaking but would hang at that point.

I was able to get the HTTPS sites to start responding again by deleting
ssl_scache.pag and ssl_scache.dir

Is this a known problem??

I have since changed the SSLSessionCache directive to none because I
cannot have it cause all HTTPS sites to hang...
I have read that there is a performance hit for not using
SSLSessionCache....
Does anyone know how much of a performance hit there is?



Cheers,

Patrick Sweitzer
Server Services
patricks@ca.ibm.com
--=_alternative 0076C2DB85256DE9_=
Content-Type: text/html; charset="US-ASCII"



Apache setup :



Windows 2000 Server / Apache 2.0.47
/ mos_ssl 2.0.48 / OpenSSL 0.9.7c

I have one site responding to HTTP (80)
and two virtual hosts responding to HTTPS (443) all using separate IP addresses.





I have a question about the SSLSessionCache
directive....

The directive was setup to the default
"dbm:logs/ssl_scache" but started to cause problems...

The HTTP site kept running but both
the HTTPS sites would hang....   They would initiate the SSL handshaking
but would hang at that point.



I was able to get the HTTPS sites to
start responding again by deleting ssl_scache.pag and ssl_scache.dir



Is this a known problem??



I have since changed the SSLSessionCache
directive to none because I cannot have it cause all HTTPS sites to hang...

I have read that there is a performance
hit for not using SSLSessionCache....  

Does anyone know how much of a performance
hit there is?







Cheers,



Patrick Sweitzer

Server Services

patricks@ca.ibm.com
--=_alternative 0076C2DB85256DE9_=--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Problems with SSLSessionCache

am 02.04.2004 20:41:01 von Jerrod.Loyless

I am using SSLSessionCache dbm:/usr/local/apache/logs/ssl_cache. The dbm
files are created but they remain empty when I attempt with client auth
turned on. Where is the size limitation set on the caching of sessions? I
do see the request=SET, status=BAD as you mentioned, which seems to indicate
that Apache is never able to write to the file.

Jerrod



-----Original Message-----
From: Geoff Thorpe [mailto:geoff@geoffthorpe.net]
Sent: Friday, April 02, 2004 10:30 AM
To: modssl-users@modssl.org
Subject: Re: Problems with SSLSessionCache


On April 2, 2004 09:52 am, Loyless Jerrod A Contr ESC/NI7S1 wrote:
> > I am getting the following message each time my server tries to
> > cache a session id in my dbm file:
> >
> > [31/Mar/2004 16:03:34 01122] [trace] Inter-Process Session Cache:
> > request=SET status=BAD
> > id=E05AA054474E712D1E59220EE8A07E46523457EC557ACF1730DB2B319 931C106
> > timeout=1199s (session caching)
> >
> > I know I haven't given much information, but any ideas?
> >
> > I also get this when it tries to reuse a session:
> >
> > [31/Mar/2004 16:03:27 01120] [trace] Inter-Process Session Cache:
> > request=GET status=MISSED
> > id=6E353CAC3C6970AA0EC526304B7DBC97A6CC1451C014B39F9276342D1 B870970
> > (session renewal)
>
> This only occurs when I turn on client authentication. It works
fine
> with plain ssl.

That would indicate (probably) that the session is too big, as they
include client certs in when client-auth is being used. You didn't
mention which session cache type you're using - what's the
SSLSessionCache directive in your config? Also, if you run with tracing
on and you get a "GET/MISSED", can you check backwards from there for a
log message with the same id byte-string, hopefully it's a "PUT/MISSED"
or something like that, indicating that the session store failed.

Cheers,
Geoff

--
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Problems with SSLSessionCache

am 02.04.2004 21:37:02 von Geoff Thorpe

On April 2, 2004 01:41 pm, Loyless Jerrod A Contr ESC/NI7S1 wrote:
> I am using SSLSessionCache dbm:/usr/local/apache/logs/ssl_cache. The
> dbm files are created but they remain empty when I attempt with client
> auth turned on. Where is the size limitation set on the caching of
> sessions? I do see the request=SET, status=BAD as you mentioned, which
> seems to indicate that Apache is never able to write to the file.

-----------------
mod_ssl-2.8.16-1.3.29/pkg.sslmod/ssl_scache_dbm.c:151-158
/* be careful: do not try to store too much bytes in a DBM file! */
#ifdef SSL_USE_SDBM
if ((idlen + nData) >= PAIRMAX)
return FALSE;
#else
if ((idlen + nData) >= 950 /* at least less than approx. 1KB */)
return FALSE;
#endif
-----------------

and

-----------------
mod_ssl-2.8.16-1.3.29/pkg.sslmod/ssl_util_sdbm.h:76-84
#ifdef MOD_SSL
#define DBLKSIZ 16384 /* SSL cert chains require more */
#define PBLKSIZ 8192 /* SSL cert chains require more */
#define PAIRMAX 8008 /* arbitrary on PBLKSIZ-N */
#else
#define DBLKSIZ 4096
#define PBLKSIZ 1024
#define PAIRMAX 1008 /* arbitrary on PBLKSIZ-N */
#endif
-----------------

My advice would be to use shmcb rather than dbm, if you can. Not that I'm
biased of course, oh no. :-)

Cheers,
Geoff

--
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org