Bug 1214366

| Field | Value |
|---|---|
| Summary | ssl re-negotiation buffer size in mod_nss is hard-coded at 128K |
| Product | Red Hat Enterprise Linux 6 |
| Component | mod_nss |
| Version | 6.6 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Type | Bug |
| Reporter | Robert Bost <rbost> |
| Assignee | Matthew Harmsen <mharmsen> |
| QA Contact | Kaleem <ksiddiqu> |
| Docs Contact | Aneta Šteflová Petrová <apetrova> |
| CC | akasurde, dpal, mharmsen, msauton, nkinder, rcritten |
| Target Milestone | rc |
| Fixed In Version | mod_nss-1.0.10-2.el6 |
| Doc Type | Release Note |
| Bug Blocks | 1272422 |
| Last Closed | 2016-05-10 19:40:42 UTC |

Doc Text:

mod_nss now supports changing the SSL renegotiation buffer size

This update adds the `NSSRenegBufferSize` parameter to the _mod_nss_ package. The parameter allows users to configure the amount of memory used for buffering a POST request body when a per-location SSL renegotiation is required. Previously, _mod_nss_ did not support this functionality, so a POST whose body exceeded the hard-coded 128K buffer failed with the following message recorded in the Apache log:

    request body exceeds maximum size for SSL buffer, could not buffer message body to allow SSL renegotiation to proceed.

`NSSRenegBufferSize` accepts the buffer size in bytes. The default value is 128K. Setting `NSSRenegBufferSize` to `0` disables the buffering.
Description

Robert Bost 2015-04-22 14:42:47 UTC
Please provide the steps to verify it.

The default buffer size is 128k (131072 bytes).

To verify, create a CGI to accept the POST. I created one that simply echoes the data back and put it into /var/www/cgi-bin:

```perl
#!/usr/bin/perl
# Echo the raw POST body back to the client unchanged.
# Binary mode on both handles so no newline translation alters byte counts.
binmode(STDOUT);
binmode(STDIN);
print "Content-Type: text/plain\r\n";
print "\r\n";
while (<STDIN>) {
    print $_;
}
```

Modify nss.conf and set a specific cipher for cgi-bin, which will cause a re-negotiation:

```apache
<Directory "/var/www/cgi-bin">
    # A per-location cipher suite that differs from the server-wide one
    # forces an SSL renegotiation when a request enters this location.
    NSSCipherSuite +rsa_3des_sha
    NSSOptions +ExportCertData +CompatEnvVars +StdEnvVars
</Directory>
```

Restart Apache.

Generate a file that is within the default range:

```sh
$ tr -dc A-Za-z0-9 </dev/urandom | head -c 131072 > /tmp/data
```

Try to get the file:

```sh
$ wget -O - --no-check-certificate --post-file /tmp/data https://$(hostname):8443/cgi-bin/echo.pl
```

It should succeed.

Try a bigger file:

```sh
$ tr -dc A-Za-z0-9 </dev/urandom | head -c 131073 > /tmp/data
$ wget -O - --no-check-certificate --post-file /tmp/data https://$(hostname):8443/cgi-bin/echo.pl
```

It should fail with 413 Request Entity Too Large.

Edit nss.conf again and set a new, larger buffer size in the cgi-bin Directory block:

```apache
# Size is in bytes; 1048576 = 1 MiB, large enough for the 131073-byte body above
NSSRenegBufferSize 1048576
```

Restart Apache.

Try the same POST again:

```sh
$ wget -O - --no-check-certificate --post-file /tmp/data https://$(hostname):8443/cgi-bin/echo.pl
```

It should succeed.
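The steps above exercise the buffer boundary by hand. The script below is an added example, not part of the bug report or of mod_nss itself: it automates the same pair of checks (a body of exactly the configured size, then one byte more) and prints the Directory block for a given `NSSRenegBufferSize`. The URL, port 8443, the `/cgi-bin/echo.pl` path and the `/etc/httpd/conf.d/nss.conf` location are assumptions taken from the report's layout; `curl -k` stands in for the report's `wget --no-check-certificate`, and the script only models the enabled-buffer case (size greater than 0), not the `0` setting.

```shell
#!/bin/sh
# Added example (not from the bug report): automate the NSSRenegBufferSize
# boundary check. No network access happens unless a URL is passed in.
set -u

# Status a POST body of $1 bytes should receive when the per-location buffer
# is $2 bytes: body fits (<=) -> 200, body larger -> 413 (the failure seen in
# the report). Assumes buffering is enabled, i.e. the directive is > 0.
expected_status() {
    if [ "$1" -le "$2" ]; then echo 200; else echo 413; fi
}

# Write exactly $2 bytes of printable data to $1 (the report's tr/head
# recipe) and print the byte count actually written, so the caller can
# confirm the body is on the intended side of the boundary.
make_body() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$2" >"$1"
    wc -c <"$1" | tr -d ' '
}

# Print the cgi-bin Directory block for buffer size $1, as it would be placed
# in /etc/httpd/conf.d/nss.conf (path assumed). Apache does not allow
# trailing comments on directive lines, so none are emitted here.
reneg_directory_block() {
    cat <<EOF
<Directory "/var/www/cgi-bin">
    NSSCipherSuite +rsa_3des_sha
    NSSOptions +ExportCertData +CompatEnvVars +StdEnvVars
    NSSRenegBufferSize $1
</Directory>
EOF
}

# POST file $1 to URL $2 and print only the HTTP status code.
post_status() {
    curl -sk -o /dev/null -w '%{http_code}' --data-binary "@$1" "$2"
}

# Try bodies of exactly $2 bytes and $2 + 1 bytes against URL $1; print a
# PASS/FAIL line per case and return 1 if any case mismatches.
run_boundary_test() {
    url=$1; buf=$2; rc=0
    tmp=$(mktemp)
    for size in "$buf" $((buf + 1)); do
        make_body "$tmp" "$size" >/dev/null
        want=$(expected_status "$size" "$buf")
        got=$(post_status "$tmp" "$url")
        if [ "$got" = "$want" ]; then
            echo "PASS body=$size buf=$buf status=$got"
        else
            echo "FAIL body=$size buf=$buf expected=$want got=$got"
            rc=1
        fi
    done
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh reneg_check.sh https://$(hostname):8443/cgi-bin/echo.pl 131072
# Run once with the default 131072 before changing nss.conf, then again with
# 1048576 after adding the directive and restarting httpd.
if [ $# -ge 1 ]; then
    run_boundary_test "$1" "${2:-131072}"
fi
```

Running it with the default size should pass both cases only after the `NSSRenegBufferSize` directive is honoured; on a mod_nss build with the hard-coded 128K buffer, the second run with 1048576 fails its first case with 413, which is the behaviour this bug reports.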
Verified using mod_nss-1.0.10-5.el6.x86_64. Steps followed to verify: https://bugzilla.redhat.com/show_bug.cgi?id=1214366#c10

Created attachment 1128150: console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0751.html