DO NOT REPLY [Bug 16630] New: - SSL Session data not stored to the session cache

From: <bugzilla(at)apache.org>
Date: Fri Jan 31 2003 - 04:28:18 EST


DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16630>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.


           Summary: SSL Session data not stored to the session cache
           Product: Apache httpd-2.0
           Version: 2.0.44
          Platform: HP
        OS/Version: HP-UX
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: marjan.blatnik@gov.si

1.
For each downloaded document from an https server with client authentication, a browser (IE 5.5, IE 6.0, Mozilla-1.2.1) asks for a private key password.

On the server side, I tested the following combinations:

  • openssl-0.9.6g, openssl-0.9.7
  • Apache httpd-2.0.40, Apache httpd-2.0.44
  • built-in sdbm, gdbm 1.8.0
  • CA cert uses 2048-bits
  • server and user certs use 1024-bits
  • HP-UX 11.00: HP-UX mailhub2 B.11.00 U 9000/800 154C....

I increased LogLevel to debug, and the following lines show that the session is not stored in dbm (sdbm or gdbm):
[Fri Jan 31 08:26:20 2003] [debug] ssl_engine_kernel.c(1604): Inter-Process Session Cache: request=SET status=BAD id=04547FF214...59BCE46 timeout=294s (session caching)
[Fri Jan 31 08:26:20 2003] [debug] ssl_engine_kernel.c(1604): Inter-Process Session Cache: request=GET status=MISSED id=04547FF214...59E159BCE46 (session renewal)
[Fri Jan 31 08:26:22 2003] [debug] ssl_engine_kernel.c(1604): Inter-Process Session Cache: request=SET status=BAD id=7A1E667FF...39E175C275EE timeout=298s (session caching)
[Fri Jan 31 08:26:47 2003] [debug] ssl_engine_kernel.c(1604): Inter-Process Session Cache: request=GET status=MISSED id=7A1E667FF3...39E175C275EE (session renewal)
[Fri Jan 31 08:26:49 2003] [debug] ssl_engine_kernel.c(1604): Inter-Process Session Cache: request=SET status=BAD id=3B83F5CB51...AB44344 timeout=298s (session caching)
[Fri Jan 31 08:26:55 2003] [debug] ssl_engine_kernel.c(1604): Inter-Process Session Cache: request=GET status=MISSED id=3B83F5CB51...AB44344 (session renewal)

I added some debugging code to modules/ssl/ssl_scache_dbm.c:ssl_scache_dbm_store, which shows that idlen is 32 bytes and nData (i2d_SSL_SESSION(sess, NULL)) is 1387 bytes, together 1419 bytes, which is more than 950 bytes (the default dbm limit in modules/ssl/ssl_scache_dbm.c:ssl_scache_dbm_store).

As a workaround, I changed

  • modules/ssl/ssl_scache_dbm.c:ssl_scache_dbm_store from

        if ((idlen + nData) >= 950 /* at least less than approx. 1KB */)
            return FALSE;

    to

        /* Additional debugging code */
        char logstr[501];
        snprintf(logstr, 500, "Dbm pairsize: idlen: %d, nData: %d, sum: %d, limit: less then 2000", idlen, nData, idlen + nData);
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", logstr);
        if ((idlen + nData) >= 2000)
            return FALSE;

  • srclib/apr-util/dbm/sdbm/sdbm_private.h from

        #define DBLKSIZ 4096
        #define PBLKSIZ 1024
        #define PAIRMAX 1008 /* arbitrary on PBLKSIZ-N */

    to

        #define DBLKSIZ 16384
        #define PBLKSIZ 8192
        #define PAIRMAX 8008 /* arbitrary on PBLKSIZ-N */

2.
Not a bug, just for information: at the upgrade from openssl-0.9.6g to openssl-0.9.7 I noticed that the serial number attribute name in the env. variable SSL_CLIENT_S_DN changed from SN=... to serialNumber=...

Received on Fri Jan 31 09:26:42 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 16:44:21 EDT
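
The symptom in the debug log above (a SET with status=BAD followed by a GET with status=MISSED for the same session id) can be picked out of a larger error log automatically. The following is an added example, not part of the original report or of Apache httpd: the helper name summarize_scache is hypothetical, and the sample lines and session ids are constructed in the same format as the quoted log.

```python
import re
from collections import Counter

# Field layout taken from the mod_ssl debug lines quoted in the report.
LINE_RE = re.compile(
    r"Inter-Process Session Cache: request=(?P<req>\w+) "
    r"status=(?P<status>\w+) id=(?P<sid>\S+)"
)

def summarize_scache(lines):   # hypothetical helper name
    """Count cache outcomes; list ids whose failed SET was followed by a missed GET."""
    counts = Counter()
    failed_set = set()   # ids whose most recent SET returned BAD
    lost = []            # ids that were then looked up and MISSED
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue     # not a session-cache line
        req, status, sid = m["req"], m["status"], m["sid"]
        counts[(req, status)] += 1
        if req == "SET":
            if status == "BAD":
                failed_set.add(sid)
            else:
                failed_set.discard(sid)
        elif req == "GET" and status == "MISSED" and sid in failed_set:
            lost.append(sid)
    sets = sum(n for (req, _), n in counts.items() if req == "SET")
    ratio = counts[("SET", "BAD")] / sets if sets else 0.0
    return {"counts": counts, "lost": lost, "set_bad_ratio": ratio}

# Constructed sample input: same line format as the report, made-up session ids.
PREFIX = ("[Fri Jan 31 08:26:20 2003] [debug] ssl_engine_kernel.c(1604): "
          "Inter-Process Session Cache: ")
SAMPLE = [
    PREFIX + "request=SET status=BAD id=AAAA0001 timeout=294s (session caching)",
    PREFIX + "request=GET status=MISSED id=AAAA0001 (session renewal)",
    PREFIX + "request=SET status=BAD id=BBBB0002 timeout=298s (session caching)",
    PREFIX + "request=GET status=MISSED id=BBBB0002 (session renewal)",
    PREFIX + "request=SET status=OK id=CCCC0003 timeout=300s (session caching)",
    PREFIX + "request=GET status=FOUND id=CCCC0003 (session reuse)",
    "[Fri Jan 31 08:27:01 2003] [info] unrelated line",
]

if __name__ == "__main__":
    report = summarize_scache(SAMPLE)
    print("SET failure ratio: %.2f" % report["set_bad_ratio"])
    print("sessions lost to failed stores:", report["lost"])
```

A SET failure ratio near 1.0 means every handshake is a full one, which matches the repeated private key password prompts described in the report.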
