Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1461580

Summary: TLS Session ID not maintained
Product: Red Hat Enterprise Linux 7 Reporter: Robert Bost <rbost>
Component: mod_nssAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: urgent Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: urgent    
Version: 7.3CC: dsirrine, hkario, ksiddiqu, mharmsen, msauton, myusuf, nkinder, rbost, rcritten
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mod_nss-1.0.14-11.el7 Doc Type: Bug Fix
Doc Text:
_mod_nss_ properly detects the threading model in Apache to improve performance Previously, the _mod_nss_ module was not detecting the threading model properly in Apache. Consequently, users experienced slower performance because the TLS Session ID was not maintained across handshakes and a new session ID was generated for each handshake. This update fixes the threading model detection. As a result, TLS Session IDs are now properly cached, which eliminates the described performance problems.
 Story Points: ---
Clone Of:
: 1479766 (view as bug list) Environment:
Last Closed: 2018-04-10 18:28:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851, 1472344, 1477926, 1479766, 1490412    

Description Robert Bost 2017-06-14 20:32:10 UTC 
Description of problem: The TLS Session ID is not maintained across handshakes and a new Session ID is generated each handshake.


Version-Release number of selected component (if applicable): mod_nss-1.0.14-10.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. yum install -y httpd mod_nss
2. systemctl start httpd
3. # echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 003650B19B45B603120D4CC1611E07A5F681338884832A5E2111F8B242E818BC
    Session-ID: 003570E3FFFEABB33DC3816C64CDBC625F663ABD5CDFDC19A298CF51BCB0F62D
    Session-ID: 0034DDC8CFABC4CC8665A833E380D917E083801E0CD11BD97103F34884FD798E
    Session-ID: 0033B3E13C454E0359719A6B8E1355A1F5C320B5C3F8419A2C101B004A655767
    Session-ID: 00377682357FD9D5B924DEEBD85828044D448B04B9077390B4145C73DFBBF464
    Session-ID: 0032F2E98707894674C2BD8875972196E1D412C4505F0286285E0EC6DC9C48E5

Actual results: Different TLS Session ID every handshake.


Expected results: Reuse of TLS Session ID like below:
# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B


Additional info:
This upstream patch resolves the issue (I've confirmed locally) https://pagure.io/mod_nss/c/5709d481a3cd327c157a1f39a2e9018e0feefd75?branch=master
Comment 5 Alicja Kario 2017-07-14 10:58:30 UTC 
(Just to make sure that it's not combination of multiple bugs.)

What is the protocol version used? What is the ciphersuite negotiated?
Comment 6 Robert Bost 2017-07-18 15:19:11 UTC 
> What is the protocol version used? What is the ciphersuite negotiated?

Protocol: TLSv1.2
Cipher  : ECDHE-RSA-AES256-SHA

The issue is reproducible with TLSv1.1 and other cipher suites as well. For example:

# echo Q | openssl s_client -tls1_1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 30BC19DADBE27D59C961BC2A6F324D460B4C292570954CD78E9FCFE81FBDA760
    Session-ID: 30BB5E1A2699568E8F3463B29C5A943111279786298A2266C115BAD07B001045
    Session-ID: 30BE616E7463261CAD4C408E667CC4A1CB028ACE3D30E3F8940C87E3B6F6B3A3
    Session-ID: 30BF41121B9D051ECAE5F5927CE5F7B1F5873EA7185D1E1C9F7FC6F5945BF7B6
    Session-ID: 30BD7CDCE14334442B1E908D77089D214C49719A499DCD87ED3936AB902D04BC
    Session-ID: 30BC2193077E20DC2E0760FA4992FC06E2D77C6A33DDBF1B77A1EA7A7A95140A
Comment 12 Mohammad Rizwan 2017-11-20 10:20:36 UTC 
Version:
mod_nss - mod_nss-1.0.14-12.el7.x86_64
httpd - httpd-2.4.6-79.el7.x86_64

steps:

[root@master ~]# yum install -y httpd mod_nss
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package httpd-2.4.6-79.el7.x86_64 already installed and latest version
Package mod_nss-1.0.14-12.el7.x86_64 already installed and latest version
Nothing to do
[root@master ~]# systemctl start httpd
[root@master ~]# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6

[root@master ~]# rpm  -qa mod_nss
mod_nss-1.0.14-12.el7.x86_64
[root@master ~]# rpm  -qa httpd
httpd-2.4.6-79.el7.x86_64
Comment 17 Rob Crittenden 2017-12-06 13:22:06 UTC 
Looks good.
Comment 20 errata-xmlrpc 2018-04-10 18:28:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0988