Bug 1461580
| Field | Value |
|---|---|
| Summary: | TLS Session ID not maintained |
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Robert Bost <rbost> |
| Component: | mod_nss |
| Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA |
| QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent |
| Docs Contact: | Aneta Šteflová Petrová <apetrova> |
| Priority: | urgent |
| Version: | 7.3 |
| CC: | dsirrine, hkario, ksiddiqu, mharmsen, msauton, myusuf, nkinder, rbost, rcritten |
| Target Milestone: | rc |
| Keywords: | ZStream |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | mod_nss-1.0.14-11.el7 |
| Doc Type: | Bug Fix |
| Doc Text: | _mod_nss_ properly detects the threading model in Apache to improve performance. Previously, the _mod_nss_ module was not detecting the threading model properly in Apache. Consequently, users experienced slower performance because the TLS Session ID was not maintained across handshakes and a new session ID was generated for each handshake. This update fixes the threading model detection. As a result, TLS Session IDs are now properly cached, which eliminates the described performance problems. |
| Story Points: | --- |
| Clone Of: | |
| : | 1479766 |
| Environment: | |
| Last Closed: | 2018-04-10 18:28:26 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | |
| Bug Blocks: | 1420851, 1472344, 1477926, 1479766, 1490412 |
(Just to make sure that it's not a combination of multiple bugs.) What is the protocol version used? What is the ciphersuite negotiated?

> What is the protocol version used? What is the ciphersuite negotiated?

Protocol: TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA

The issue is reproducible with TLSv1.1 and other cipher suites as well. For example:

```
# echo Q | openssl s_client -tls1_1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 30BC19DADBE27D59C961BC2A6F324D460B4C292570954CD78E9FCFE81FBDA760
Session-ID: 30BB5E1A2699568E8F3463B29C5A943111279786298A2266C115BAD07B001045
Session-ID: 30BE616E7463261CAD4C408E667CC4A1CB028ACE3D30E3F8940C87E3B6F6B3A3
Session-ID: 30BF41121B9D051ECAE5F5927CE5F7B1F5873EA7185D1E1C9F7FC6F5945BF7B6
Session-ID: 30BD7CDCE14334442B1E908D77089D214C49719A499DCD87ED3936AB902D04BC
Session-ID: 30BC2193077E20DC2E0760FA4992FC06E2D77C6A33DDBF1B77A1EA7A7A95140A
```
Version:
mod_nss - mod_nss-1.0.14-12.el7.x86_64
httpd - httpd-2.4.6-79.el7.x86_64

Steps:

```
[root@master ~]# yum install -y httpd mod_nss
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package httpd-2.4.6-79.el7.x86_64 already installed and latest version
Package mod_nss-1.0.14-12.el7.x86_64 already installed and latest version
Nothing to do
[root@master ~]# systemctl start httpd
[root@master ~]# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
[root@master ~]# rpm -qa mod_nss
mod_nss-1.0.14-12.el7.x86_64
[root@master ~]# rpm -qa httpd
httpd-2.4.6-79.el7.x86_64
```

Looks good.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0988
Description of problem:
The TLS Session ID is not maintained across handshakes and a new Session ID is generated each handshake.

Version-Release number of selected component (if applicable):
mod_nss-1.0.14-10.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install -y httpd mod_nss
2. systemctl start httpd
3. # echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:

```
Session-ID: 003650B19B45B603120D4CC1611E07A5F681338884832A5E2111F8B242E818BC
Session-ID: 003570E3FFFEABB33DC3816C64CDBC625F663ABD5CDFDC19A298CF51BCB0F62D
Session-ID: 0034DDC8CFABC4CC8665A833E380D917E083801E0CD11BD97103F34884FD798E
Session-ID: 0033B3E13C454E0359719A6B8E1355A1F5C320B5C3F8419A2C101B004A655767
Session-ID: 00377682357FD9D5B924DEEBD85828044D448B04B9077390B4145C73DFBBF464
Session-ID: 0032F2E98707894674C2BD8875972196E1D412C4505F0286285E0EC6DC9C48E5
```

Actual results:
Different TLS Session ID every handshake.

Expected results:
Reuse of TLS Session ID like below:

```
# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
```

Additional info:
This upstream patch resolves the issue (I've confirmed locally): https://pagure.io/mod_nss/c/5709d481a3cd327c157a1f39a2e9018e0feefd75?branch=master
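A small POSIX shell check, added here and not part of the bug report or of mod_nss, that turns the `openssl s_client -reconnect | grep Session-ID:` eyeball test from the reproduction steps into a pass/fail result: it counts the distinct Session-ID values in the s_client output and reports reuse only when every reconnect resumed the first session. The target host:port, protocol flag and cipher are whatever the caller passes; `check_session_reuse.sh` is an assumed file name.

```shell
#!/bin/sh
# Added example, not code from the bug report or from mod_nss: turn the
# "openssl s_client -reconnect | grep Session-ID:" check from the report into
# a pass/fail test. Assumes openssl is installed; the target host:port, the
# protocol flag and the cipher are whatever the caller passes in.

# Print the Session-ID values from s_client output on stdin, one per line.
# The colon in the pattern keeps the "Session-ID-ctx:" lines out, exactly as
# the grep in the report does; leading whitespace from s_client is stripped.
extract_session_ids() {
    grep 'Session-ID:' | sed 's/^[[:space:]]*Session-ID:[[:space:]]*//'
}

# Number of distinct Session-IDs seen. With a working server-side session
# cache every reconnect resumes the first session, so this is 1; the broken
# mod_nss build in the report yields one new ID per handshake instead.
count_distinct_session_ids() {
    extract_session_ids | sort -u | wc -l | tr -d ' '
}

# Succeed only when exactly one non-empty Session-ID is seen across all
# handshakes. No Session-ID lines at all, or an empty ID, counts as failure.
session_reuse_ok() {
    ids=$(extract_session_ids | sort -u)
    [ -n "$ids" ] || return 1
    [ "$(printf '%s\n' "$ids" | wc -l | tr -d ' ')" -eq 1 ]
}

# Run the live check against TARGET (e.g. localhost:8443); extra arguments are
# passed to s_client, so "-tls1_1 -cipher AES256-SHA" mirrors the report.
check_server() {
    target=$1; shift
    echo Q | openssl s_client -reconnect -connect "$target" "$@" 2>&1 | session_reuse_ok
}

# Usage: ./check_session_reuse.sh localhost:8443 [-tls1_2] [-cipher SUITE]
if [ $# -gt 0 ]; then
    if check_server "$@"; then
        echo "OK: Session-ID reused across reconnects"
    else
        echo "FAIL: a new Session-ID per handshake (no session resumption)"
        exit 1
    fi
fi
```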