Bug 1479766
Summary: | TLS Session ID not maintained [rhel-7.4.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Reznik <jreznik> |
Component: | mod_nss | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.3 | CC: | dsirrine, hkario, ksiddiqu, lmanasko, mharmsen, msauton, nkinder, rbost, rcritten, tlavigne |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | mod_nss-1.0.14-10.el7_4.1 | Doc Type: | Bug Fix |
Doc Text: |
Cause: The mechanism for detecting the Apache model changed and mod_nss was not updated to accommodate it.
Consequence: The NSS TLS session ID cache was not set up properly, so it was effectively disabled.
Fix: Import upstream patch which always enables the multi-process NSS TLS session ID cache.
Result: TLS Session ID is maintained.
|
Story Points: | --- |
Clone Of: | 1461580 | Environment: | |
Last Closed: | 2017-09-05 11:26:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1461580 | ||
Bug Blocks: |
Description
Jaroslav Reznik
2017-08-09 11:13:54 UTC
[root@dhcp207-177 ~]# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8

[root@dhcp207-177 ~]# echo Q | openssl s_client -tls1_1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43

[root@dhcp207-177 ~]# echo Q | openssl s_client -tls1_2 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B

[root@dhcp207-177 ~]# echo Q | openssl s_client -tls1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43

[root@dhcp207-177 ~]# rpm -q mod_nss
mod_nss-1.0.14-10.el7_4.1.x86_64
[root@dhcp207-177 ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2578
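The verification in the description comes down to checking that every handshake from `openssl s_client -reconnect` reports the same non-empty Session-ID. The script below is an added example, not part of the original bug report or of mod_nss, that automates that comparison over captured s_client output; the function names and the shortened sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify captured `openssl s_client -reconnect` output.
# check_session_reuse and the sample_* helpers are hypothetical names.

# Reads s_client output on stdin and prints one verdict:
#   maintained      >= 2 handshakes, all with the same non-empty Session-ID
#   not-maintained  the Session-ID changed between handshakes
#   no-session-id   at least one handshake carried an empty Session-ID
#   insufficient    fewer than two handshakes were captured
check_session_reuse() {
    awk '
        # Matches "Session-ID:" but not the "Session-ID-ctx:" line.
        /^[[:space:]]*Session-ID:/ {
            total++
            if ($2 == "") { empty++; next }
            if (!($2 in seen)) { seen[$2] = 1; distinct++ }
        }
        END {
            if (total < 2)          print "insufficient"
            else if (empty > 0)     print "no-session-id"
            else if (distinct == 1) print "maintained"
            else                    print "not-maintained"
        }
    '
}

# Constructed transcripts (shortened IDs, not taken from the bug report).
sample_same_id() {
    cat <<'EOF'
    Session-ID: 01AA11
    Session-ID-ctx:
    Session-ID: 01AA11
    Session-ID: 01AA11
EOF
}

sample_changing_id() {
    cat <<'EOF'
    Session-ID: 01AA11
    Session-ID: 02BB22
    Session-ID: 03CC33
EOF
}

echo "same ID on every reconnect: $(sample_same_id | check_session_reuse)"
echo "new ID on every reconnect:  $(sample_changing_id | check_session_reuse)"

# Live use, with the command from the report:
#   echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | check_session_reuse
```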