Problems with SSLSessionCache

Apache setup :

Windows 2000 Server / Apache 2.0.47 / mod_ssl 2.0.48 / OpenSSL 0.9.7c
I have one site responding to HTTP (80) and two virtual hosts responding
to HTTPS (443) all using separate IP addresses.


I have a question about the SSLSessionCache directive....
The directive was set up to the default "dbm:logs/ssl_scache" but started
to cause problems...
The HTTP site kept running but both the HTTPS sites would hang.... They
would initiate the SSL handshaking but would hang at that point.

I was able to get the HTTPS sites to start responding again by deleting
ssl_scache.pag and ssl_scache.dir

Is this a known problem??

I have since changed the SSLSessionCache directive to none because I
cannot have it cause all HTTPS sites to hang...
I have read that there is a performance hit for not using
SSLSessionCache....
Does anyone know how much of a performance hit there is?



Cheers,

Patrick Sweitzer
Server Services
patricks [at] ca.ibm.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Patrick Sweitzer [ Tue, 25 November 2003 22:37 ] [ ID #147299 ]

RE: Problems with SSLSessionCache

I am using SSLSessionCache dbm:/usr/local/apache/logs/ssl_cache. The dbm
files are created but they remain empty when I attempt with client auth
turned on. Where is the size limitation set on the caching of sessions? I
do see the request=SET, status=BAD as you mentioned, which seems to indicate
that Apache is never able to write to the file.

Jerrod



-----Original Message-----
From: Geoff Thorpe [mailto:geoff [at] geoffthorpe.net]
Sent: Friday, April 02, 2004 10:30 AM
To: modssl-users [at] modssl.org
Subject: Re: Problems with SSLSessionCache


On April 2, 2004 09:52 am, Loyless Jerrod A Contr ESC/NI7S1 wrote:
> > I am getting the following message each time my server tries to
> > cache a session id in my dbm file:
> >
> > [31/Mar/2004 16:03:34 01122] [trace] Inter-Process Session Cache:
> > request=SET status=BAD
> > id=E05AA054474E712D1E59220EE8A07E46523457EC557ACF1730DB2B319931C106
> > timeout=1199s (session caching)
> >
> > I know I haven't given much information, but any ideas?
> >
> > I also get this when it tries to reuse a session:
> >
> > [31/Mar/2004 16:03:27 01120] [trace] Inter-Process Session Cache:
> > request=GET status=MISSED
> > id=6E353CAC3C6970AA0EC526304B7DBC97A6CC1451C014B39F9276342D1B870970
> > (session renewal)
>
> This only occurs when I turn on client authentication. It works fine
> with plain ssl.

That would indicate (probably) that the session is too big, as they
include client certs in when client-auth is being used. You didn't
mention which session cache type you're using - what's the
SSLSessionCache directive in your config? Also, if you run with tracing
on and you get a "GET/MISSED", can you check backwards from there for a
log message with the same id byte-string, hopefully it's a "PUT/MISSED"
or something like that, indicating that the session store failed.

Cheers,
Geoff

--
Geoff Thorpe
geoff [at] geoffthorpe.net
http://www.geoffthorpe.net/

Jerrod.Loyless [ Fri, 02 April 2004 20:41 ] [ ID #147581 ]

Re: Problems with SSLSessionCache

On April 2, 2004 01:41 pm, Loyless Jerrod A Contr ESC/NI7S1 wrote:
> I am using SSLSessionCache dbm:/usr/local/apache/logs/ssl_cache. The
> dbm files are created but they remain empty when I attempt with client
> auth turned on. Where is the size limitation set on the caching of
> sessions? I do see the request=SET, status=BAD as you mentioned, which
> seems to indicate that Apache is never able to write to the file.

-----------------
mod_ssl-2.8.16-1.3.29/pkg.sslmod/ssl_scache_dbm.c:151-158
    /* be careful: do not try to store too much bytes in a DBM file! */
#ifdef SSL_USE_SDBM
    if ((idlen + nData) >= PAIRMAX)
        return FALSE;
#else
    if ((idlen + nData) >= 950 /* at least less than approx. 1KB */)
        return FALSE;
#endif
-----------------

and

-----------------
mod_ssl-2.8.16-1.3.29/pkg.sslmod/ssl_util_sdbm.h:76-84
#ifdef MOD_SSL
#define DBLKSIZ 16384 /* SSL cert chains require more */
#define PBLKSIZ 8192 /* SSL cert chains require more */
#define PAIRMAX 8008 /* arbitrary on PBLKSIZ-N */
#else
#define DBLKSIZ 4096
#define PBLKSIZ 1024
#define PAIRMAX 1008 /* arbitrary on PBLKSIZ-N */
#endif
-----------------

My advice would be to use shmcb rather than dbm, if you can. Not that I'm
biased of course, oh no. :-)

Cheers,
Geoff

--
Geoff Thorpe
geoff [at] geoffthorpe.net
http://www.geoffthorpe.net/

Geoff Thorpe [ Fri, 02 April 2004 21:37 ] [ ID #147583 ]
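
The check suggested in the thread, tracing a GET/MISSED back to an earlier failed store of the same session id, can be scripted over the trace log. This is an added example, not code from the thread or from mod_ssl. It assumes one cache event per log line; the sample lines and ids are constructed, and the status names OK and FOUND are assumptions (the thread shows only BAD and MISSED).

```python
import re
from collections import defaultdict

# One cache event per line, in the trace format quoted in the thread.
EVENT = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[trace\] Inter-Process Session Cache: "
    r"request=(?P<req>\w+) status=(?P<status>\w+) id=(?P<id>[0-9A-Fa-f]+)"
)

def parse_events(lines):
    """Yield (timestamp, request, status, session_id) per cache event."""
    for line in lines:
        m = EVENT.search(line)
        if m:
            yield m["ts"], m["req"], m["status"], m["id"].upper()

def explain_misses(lines):
    """Classify every GET/MISSED by what happened earlier to the same id."""
    history = defaultdict(set)  # session id -> {(request, status), ...}
    verdicts = {}
    for _ts, req, status, sid in parse_events(lines):
        if (req, status) == ("GET", "MISSED"):
            if ("SET", "BAD") in history[sid]:
                verdicts[sid] = "store_failed"      # e.g. record over the DBM size limit
            elif ("SET", "OK") in history[sid]:
                verdicts[sid] = "stored_then_gone"  # expired or removed since
            else:
                verdicts[sid] = "never_stored"      # no SET seen in this log
        history[sid].add((req, status))
    return verdicts

def store_failure_rate(lines):
    """Fraction of SET requests that the cache rejected."""
    sets = [status for _ts, req, status, _sid in parse_events(lines) if req == "SET"]
    return sets.count("BAD") / len(sets) if sets else 0.0

# Constructed sample (ids are made up; OK/FOUND status names are assumed).
ID_A, ID_B, ID_C = "A1" * 32, "B2" * 32, "C3" * 32
PREFIX = "[trace] Inter-Process Session Cache:"
SAMPLE_LOG = [
    f"[31/Mar/2004 16:03:20 01120] {PREFIX} request=SET status=BAD id={ID_A} timeout=1199s (session caching)",
    f"[31/Mar/2004 16:03:27 01120] {PREFIX} request=GET status=MISSED id={ID_A} (session renewal)",
    f"[31/Mar/2004 16:03:30 01121] {PREFIX} request=SET status=OK id={ID_B} timeout=1199s (session caching)",
    f"[31/Mar/2004 16:03:31 01121] {PREFIX} request=GET status=FOUND id={ID_B} (session reuse)",
    f"[31/Mar/2004 16:03:34 01122] {PREFIX} request=GET status=MISSED id={ID_C} (session renewal)",
]

if __name__ == "__main__":
    print(explain_misses(SAMPLE_LOG), store_failure_rate(SAMPLE_LOG))
```

A high SET failure rate that appears only with client authentication enabled is consistent with the size limit quoted above from ssl_scache_dbm.c.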