9

I run a Debian squeeze standard Apache installation (2.2) and make use of SSLClientCertificates to authorize users. This works fine so far.

But we noticed a slowdown of some parallel requests and tried to check if my SSLSessionCache is working.

So I checked my localhost/server-status and it reads like this:

SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
subcaches: 32, indexes per subcache: 133
index usage: 0%, cache usage: 0%
total sessions stored since starting: 0
total sessions expired since starting: 0
total (pre-expiry) sessions scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss

Seems to be running but whatever SSL request I make, all counters stay at 0, so no sessions are cached.

I tried to set KeepAlive Off, to let every request establish a new SSL connection, but still I see no numbers counting up in my SSLSessionCache Status.

This is my SSLSessionCache configuration from the standard Debian mods-enabled/ssl.conf:

SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLMutex               file:${APACHE_RUN_DIR}/ssl_mutex

In my ${APACHE_RUN_DIR} I see no files at all, no ssl_mutex and no ssl_cache file. When I switch my SSLSessionCache to

SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache

I can see a file in this directory, but all status numbers are still zero.

I tried to set LogLevel to debug. The only messages I get about the ssl cache are:

$ grep cache /var/log/apache2/error.log

ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
ssl_scache_shmcb.c(272): for 511920 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
ssl_scache_shmcb.c(308): subcache_num = 32
ssl_scache_shmcb.c(310): subcache_size = 15992
ssl_scache_shmcb.c(312): subcache_data_offset = 3208
ssl_scache_shmcb.c(314): subcache_data_size = 12784
ssl_scache_shmcb.c(316): index_num = 133
Shared memory session cache initialised
ssl_scache_shmcb.c(452): [client xyz] inside shmcb_status
ssl_scache_shmcb.c(512): [client xyz] leaving shmcb_status

(removed date and loglevel for readability, replaced IP for privacy)

So here are my questions:

  1. Is it correct to have no files for mutex and sessionCache in the given directory?
  2. If yes, how to prove my SessionCache is working?
Janning

3 Answers

2

I'm not familiar with Debian Squeeze, but here are some things to try:

Try connecting using openssl with the reconnect flag, which uses the same session 5 times:

openssl s_client -connect your.server.com:443 -state  -reconnect

and see what you get. Look for Session-ID & "Reused."

Other things to rule out:

  • A shot in the dark, but can you replace ${APACHE_RUN_DIR} with the actual path and see if that helps ... ?
  • Rule out write permissions (unlikely, but still) to the ssl_* files you note above by the user running apache.
KM.
  • As noted, Apache writes a file into the directory when I use dbm: as my sessionCache. So ${APACHE_RUN_DIR} and write permissions shouldn't be the problem. I can't test it with openssl as I use a PKCS#11 token for my client cert, can't get it to work on command line with openssl – Janning Jun 20 '12 at 16:21
  • I have the same problem on a windows machine. I tried to connect via openssl as suggested and I actually see that the same Session-ID is used for all reconnects. It also says: "Reused, TLSv1/SSLv3" at the beginning. However, this even happens when I remove the SSLSessionCache line from my apache config. Any ideas what this means? – lex82 May 01 '15 at 08:00
  • Been a year, anyone found a solution to this? – codenamezero Aug 25 '16 at 14:09
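
An added example, not part of any answer or comment on this page: a small shell helper that classifies saved `openssl s_client -reconnect` output. It separates resumption by session ID, which needs server-side session state, from resumption where a TLS session ticket was issued and the server cache may never be consulted. The name `classify_reconnect` and the sample transcripts are constructed for illustration, and the pre-TLS 1.3 output format quoted in the comments above is assumed.

```shell
#!/bin/sh
# Classify saved output of `openssl s_client -connect HOST:443 -reconnect`.
# Prints one of:
#   no-reuse    every handshake was a full one
#   ticket      resumed, but a TLS session ticket was issued, so the
#               server-side cache may never have been consulted
#   session-id  resumed with no ticket in play: the server kept the state
classify_reconnect() {   # hypothetical helper name
    awk '
        /^Reused, /            { reused++ }
        /TLS session ticket:/  { ticket = 1 }
        END {
            if (!reused)       print "no-reuse"
            else if (ticket)   print "ticket"
            else               print "session-id"
        }
    ' "$@"
}

# Constructed transcripts, trimmed to the lines the classifier reads.
sample_ticket() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 00 01 02 03
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
EOF
}

sample_session_id() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
EOF
}

sample_full() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
EOF
}

for s in sample_ticket sample_session_id sample_full; do
    printf '%s: %s\n' "$s" "$("$s" | classify_reconnect)"
done
```

Adding `-no_ticket` to the `s_client` command keeps the client from offering session tickets, so a `session-id` result on that capture can only come from state held on the server.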
1

Mounting tmpfs on /dev/shm and replacing ${APACHE_RUN_DIR} with /dev/shm/apache fixed it for me:

grep shm /etc/apache2/mods-enabled/ssl.conf
#SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCache        shmcb:/dev/shm/apache_ssl_scache(512000)
meebey
0

I'm facing a similar problem.

For me, when running the given command, I've got an "unexpected message" error when it tries to reconnect.

But when running on the server this command works correctly, the sessions are reused.

At the time, I have no solution for this.

benzen