Problems with SSLSessionCache

2004-04-02 Thread Loyless Jerrod A Contr ESC/NI7S1

I am getting the following message each time my server tries to cache a session id in my dbm file:


[31/Mar/2004 16:03:34 01122] [trace] Inter-Process Session Cache: request=SET status=BAD id=E05AA054474E712D1E59220EE8A07E46523457EC557ACF1730DB2B319931C106 timeout=1199s (session caching)

I know I haven't given much information, but any ideas?


I also get this when it tries to reuse a session:


[31/Mar/2004 16:03:27 01120] [trace] Inter-Process Session Cache: request=GET status=MISSED id=6E353CAC3C6970AA0EC526304B7DBC97A6CC1451C014B39F9276342D1B870970 (session renewal)

This only occurs when I turn on client authentication. It works fine with plain ssl.


Jerrod





Re: Problems with SSLSessionCache

2004-04-02 Thread Geoff Thorpe
On April 2, 2004 09:52 am, Loyless Jerrod A Contr ESC/NI7S1 wrote:
> I am getting the following message each time my server tries to cache
> a session id in my dbm file:
>
> [31/Mar/2004 16:03:34 01122] [trace] Inter-Process Session Cache:
> request=SET status=BAD
> id=E05AA054474E712D1E59220EE8A07E46523457EC557ACF1730DB2B319931C106
> timeout=1199s (session caching)
>
> I know I haven't given much information, but any ideas?
>
> I also get this when it tries to reuse a session:
>
> [31/Mar/2004 16:03:27 01120] [trace] Inter-Process Session Cache:
> request=GET status=MISSED
> id=6E353CAC3C6970AA0EC526304B7DBC97A6CC1451C014B39F9276342D1B870970
> (session renewal)
>
> This only occurs when I turn on client authentication.  It works
> fine with plain ssl.

That would indicate (probably) that the session is too big, as they 
include client certs in when client-auth is being used. You didn't 
mention which session cache type you're using - what's the 
SSLSessionCache directive in your config? Also, if you run with tracing 
on and you get a GET/MISSED, can you check backwards from there for a 
log message with the same id byte-string, hopefully it's a PUT/MISSED 
or something like that, indicating that the session store failed.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
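
The backward search Geoff describes above, as an added example that is not part of the original thread or of mod_ssl: for every GET/MISSED it finds the last SET with the same id and reports whether that store failed. The sample log lines, their ids and the function names are constructed for illustration.

```python
import re
from collections import namedtuple

# Field layout follows the trace lines quoted in this thread.
TRACE_RE = re.compile(
    r"Inter-Process Session Cache: request=(?P<request>\w+) "
    r"status=(?P<status>\w+) id=(?P<sid>[0-9A-Fa-f]+)"
)
Event = namedtuple("Event", "lineno request status sid")

# Constructed sample (ids shortened and invented, not taken from the thread).
SAMPLE_LOG = """\
[31/Mar/2004 16:03:20 01120] [trace] Inter-Process Session Cache: request=SET status=BAD id=AAAA1111 timeout=1199s (session caching)
[31/Mar/2004 16:03:21 01121] [trace] Inter-Process Session Cache: request=SET status=OK id=BBBB2222 timeout=1200s (session caching)
[31/Mar/2004 16:03:27 01120] [trace] Inter-Process Session Cache: request=GET status=MISSED id=AAAA1111 (session renewal)
[31/Mar/2004 16:03:28 01121] [trace] Inter-Process Session Cache: request=GET status=FOUND id=BBBB2222 (session reuse)
[31/Mar/2004 16:03:30 01122] [trace] Inter-Process Session Cache: request=GET status=MISSED id=CCCC3333 (session renewal)
"""

def parse_trace(text):
    """Return one Event per session-cache trace line, in log order."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TRACE_RE.search(line)
        if m:
            events.append(Event(lineno, m["request"], m["status"], m["sid"].upper()))
    return events

def explain_misses(events):
    """For each GET/MISSED, look backwards for the last SET of the same id."""
    last_set = {}
    findings = []
    for ev in events:
        if ev.request == "SET":
            last_set[ev.sid] = ev
        elif ev.request == "GET" and ev.status == "MISSED":
            prior = last_set.get(ev.sid)
            if prior is None:
                cause = "no SET seen"          # expired, rotated log, or other server
            elif prior.status == "BAD":
                cause = "store failed"         # e.g. session too big to store
            else:
                cause = "stored, later lost"   # expiry or eviction
            findings.append((ev.sid, ev.lineno, cause, prior.lineno if prior else None))
    return findings

if __name__ == "__main__":
    for sid, line, cause, set_line in explain_misses(parse_trace(SAMPLE_LOG)):
        print(f"GET/MISSED id={sid} (line {line}): {cause}, SET at line {set_line}")
```

A miss reported as "store failed" points at the cache backend rejecting the session, while "no SET seen" means the trace log does not cover the handshake that created it.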


RE: Problems with SSLSessionCache

2004-04-02 Thread Loyless Jerrod A Contr ESC/NI7S1

I am using SSLSessionCache dbm:/usr/local/apache/logs/ssl_cache.  The dbm
files are created but they remain empty when I attempt with client auth
turned on.  Where is the size limitation set on the caching of sessions?  I
do see the request=SET, status=BAD as you mentioned, which seems to indicate
that Apache is never able to write to the file.

Jerrod



-----Original Message-----
From: Geoff Thorpe [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 02, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with SSLSessionCache


On April 2, 2004 09:52 am, Loyless Jerrod A Contr ESC/NI7S1 wrote:
> I am getting the following message each time my server tries to
> cache a session id in my dbm file:
>
> [31/Mar/2004 16:03:34 01122] [trace] Inter-Process Session Cache:
> request=SET status=BAD
> id=E05AA054474E712D1E59220EE8A07E46523457EC557ACF1730DB2B319931C106
> timeout=1199s (session caching)
>
> I know I haven't given much information, but any ideas?
>
> I also get this when it tries to reuse a session:
>
> [31/Mar/2004 16:03:27 01120] [trace] Inter-Process Session Cache:
> request=GET status=MISSED
> id=6E353CAC3C6970AA0EC526304B7DBC97A6CC1451C014B39F9276342D1B870970
> (session renewal)
>
> This only occurs when I turn on client authentication.  It works
> fine with plain ssl.

That would indicate (probably) that the session is too big, as they 
include client certs in when client-auth is being used. You didn't 
mention which session cache type you're using - what's the 
SSLSessionCache directive in your config? Also, if you run with tracing 
on and you get a GET/MISSED, can you check backwards from there for a 
log message with the same id byte-string, hopefully it's a PUT/MISSED 
or something like that, indicating that the session store failed.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/



Re: Problems with SSLSessionCache

2004-04-02 Thread Geoff Thorpe
On April 2, 2004 01:41 pm, Loyless Jerrod A Contr ESC/NI7S1 wrote:
> I am using SSLSessionCache dbm:/usr/local/apache/logs/ssl_cache.  The
> dbm files are created but they remain empty when I attempt with client
> auth turned on.  Where is the size limitation set on the caching of
> sessions?  I do see the request=SET, status=BAD as you mentioned, which
> seems to indicate that Apache is never able to write to the file.

-
mod_ssl-2.8.16-1.3.29/pkg.sslmod/ssl_scache_dbm.c:151-158
/* be careful: do not try to store too much bytes in a DBM file! */
#ifdef SSL_USE_SDBM
    if ((idlen + nData) >= PAIRMAX)
        return FALSE;
#else
    if ((idlen + nData) >= 950 /* at least less than approx. 1KB */)
        return FALSE;
#endif
-

and

-
mod_ssl-2.8.16-1.3.29/pkg.sslmod/ssl_util_sdbm.h:76-84
#ifdef MOD_SSL
#define DBLKSIZ 16384   /* SSL cert chains require more */
#define PBLKSIZ 8192    /* SSL cert chains require more */
#define PAIRMAX 8008    /* arbitrary on PBLKSIZ-N */
#else
#define DBLKSIZ 4096
#define PBLKSIZ 1024
#define PAIRMAX 1008    /* arbitrary on PBLKSIZ-N */
#endif
-

My advice would be to use shmcb rather than dbm, if you can. Not that I'm 
biased of course, oh no. :-)

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/



Problems with SSLSessionCache

2003-11-25 Thread Patrick Sweitzer

Apache setup:

Windows 2000 Server / Apache 2.0.47 / mod_ssl 2.0.48 / OpenSSL 0.9.7c
I have one site responding to HTTP (80) and two virtual hosts responding to HTTPS (443), all using separate IP addresses.

I have a question about the SSLSessionCache directive.
The directive was set up to the default dbm:logs/ssl_scache but started to cause problems...
The HTTP site kept running but both the HTTPS sites would hang. They would initiate the SSL handshaking but would hang at that point.

I was able to get the HTTPS sites to start responding again by deleting ssl_scache.pag and ssl_scache.dir

Is this a known problem??

I have since changed the SSLSessionCache directive to none because I cannot have it cause all HTTPS sites to hang...
I have read that there is a performance hit for not using SSLSessionCache.
Does anyone know how much of a performance hit there is?



Cheers,

Patrick Sweitzer
Server Services
[EMAIL PROTECTED]