Bug#923302: libapache2-mod-gnutls: GnuTLSCache=dbm fails later restart of apache2

2019-02-25 Thread Jonas Smedegaard
Quoting Jonas Smedegaard (2019-02-26 05:06:17)
> I experienced on multiple hosts that upgrading to the new
> libapache2-mod-gnutls went fine (I guess it simply reloaded apache2),
> but that a later server restart would fail.
> 
> Running "a2enmod socache_dbm" made apache2 work again.
> 
> Debian-shipped config enables GnuTLSCache, using dbm.
> Release 0.9.0 has GnuTLSSessionTickets enabled by default,
> which seems to make GnuTLSCache unneeded for most common use cases
> (exceptions being non-SNI needs and a pool of coordinated servers).
> 
> Seems most sensible to remove or comment out the GnuTLSCache and
> GnuTLSCacheTimeout lines.

Ahh, cache and tickets are not mutually exclusive.

Then maybe a better default setup is to keep cache enabled
but change it to use shmcb as that is already used for 
GnuTLSOCSPStapling which is enabled by default.

So something like this:

  GnuTLSCache shmcb:cache/gnutls_cache(65536)

(or maybe a full path? What is the root of above relative path?)

Also, to ensure that shmcb module is loaded (was on my systems but not 
sure if that is always the case), add this as topmost line to 
debian/gnutls.load:

  # Depends: socache_shmcb


If there is reason to stay with current dbm by default,
I recommend instead considering adding this to debian/gnutls.load:

  # Depends: socache_dbm


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#923302: libapache2-mod-gnutls: GnuTLSCache=dbm fails later restart of apache2

2019-02-25 Thread Jonas Smedegaard
Package: libapache2-mod-gnutls
Version: 0.9.0-1
Severity: important


I experienced on multiple hosts that upgrading to the new
libapache2-mod-gnutls went fine (I guess it simply reloaded apache2),
but that a later server restart would fail.

Running "a2enmod socache_dbm" made apache2 work again.

Debian-shipped config enables GnuTLSCache, using dbm.
Release 0.9.0 has GnuTLSSessionTickets enabled by default,
which seems to make GnuTLSCache unneeded for most common use cases
(exceptions being non-SNI needs and a pool of coordinated servers).

Seems most sensible to remove or comment out the GnuTLSCache and
GnuTLSCacheTimeout lines.



While at it, I suggest adding this, commented out,
for those prioritizing strong security over Windows XP compatibility:

  GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE

(possibly %SERVER_PRECEDENCE is implied by PFS)


 - Jonas

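The failure described in this report (a GnuTLSCache backend whose mod_socache provider is not enabled, so apache2 starts fine on reload but fails on the next full restart) and the shmcb-versus-dbm discussion in the follow-up both come down to one pre-restart check: does the backend named in the GnuTLSCache directive have a matching socache_*.load under mods-enabled? The script below is an added example, not code from the bug report or from the libapache2-mod-gnutls package. It assumes the Debian layout (/etc/apache2/mods-enabled, socache_<backend>.load) and that the backend is the word before the colon in the GnuTLSCache argument; the configuration lines it runs against are constructed here so it works offline. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of mod_gnutls or its Debian
# packaging): verify that the mod_socache provider required by the
# GnuTLSCache directive is enabled before restarting apache2.

# Print the GnuTLSCache backend ("dbm", "shmcb", ...) from config text on
# stdin. Commented-out lines are ignored; nothing is printed if the directive
# is absent, which is the "session tickets only" case from the report.
gnutls_cache_backend() {
    sed -n 's/^[[:space:]]*GnuTLSCache[[:space:]]\{1,\}\([a-z]*\):.*/\1/p' | head -n 1
}

# Return 0 if the socache module for backend $1 is enabled, i.e. a
# socache_<backend>.load symlink exists in the mods-enabled directory $2.
socache_module_enabled() {
    backend=$1
    mods_enabled=$2
    [ -f "$mods_enabled/socache_${backend}.load" ]
}

# Read config text on stdin, look up the backend's module under $1
# (default: Debian's /etc/apache2/mods-enabled) and report. Returns 1 when
# the module is missing, which is exactly the state that breaks a restart.
check_gnutls_cache() {
    mods_enabled=${1:-/etc/apache2/mods-enabled}
    backend=$(gnutls_cache_backend)
    if [ -z "$backend" ]; then
        echo "GnuTLSCache not set: session cache disabled, tickets only"
        return 0
    fi
    if socache_module_enabled "$backend" "$mods_enabled"; then
        echo "GnuTLSCache uses $backend: socache_$backend is enabled"
        return 0
    fi
    echo "GnuTLSCache uses $backend but socache_$backend is NOT enabled;" \
         "apache2 will fail to start. Fix: a2enmod socache_$backend"
    return 1
}

# Stand-alone demo against a constructed mods-enabled directory in which only
# socache_shmcb is enabled, mirroring a host where OCSP stapling already pulls
# in shmcb but nothing pulls in dbm.
demo_dir=$(mktemp -d)
touch "$demo_dir/socache_shmcb.load"

# Constructed config lines: the dbm default, the shmcb proposal, and a
# commented-out directive.
printf 'GnuTLSCache dbm:/var/cache/apache2/gnutls_cache\n' \
    | check_gnutls_cache "$demo_dir" || true
printf 'GnuTLSCache shmcb:cache/gnutls_cache(65536)\n' \
    | check_gnutls_cache "$demo_dir"
printf '# GnuTLSCache dbm:/var/cache/apache2/gnutls_cache\n' \
    | check_gnutls_cache "$demo_dir"

rm -rf "$demo_dir"
```

On a real host, run `check_gnutls_cache < /etc/apache2/mods-available/gnutls.conf` before `systemctl restart apache2`; a non-zero exit means the restart would fail with the missing-provider error the report describes. The check looks at mods-enabled rather than loaded modules, so it also catches the case where the module was only loaded by a previous reload.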