Bug 1479766
| Summary: | TLS Session ID not maintained [rhel-7.4.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Reznik <jreznik> |
| Component: | mod_nss | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.3 | CC: | dsirrine, hkario, ksiddiqu, lmanasko, mharmsen, msauton, nkinder, rbost, rcritten, tlavigne |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mod_nss-1.0.14-10.el7_4.1 | Doc Type: | Bug Fix |
| Doc Text: | Cause: The mechanism for detecting the Apache model changed and mod_nss was not updated to accommodate it. Consequence: The NSS TLS session ID cache was not set up properly, so it was effectively disabled. Fix: Import upstream patch which always enables the multi-process NSS TLS session ID cache. Result: TLS Session ID is maintained. | Story Points: | --- |
| Clone Of: | 1461580 | Environment: | |
| Last Closed: | 2017-09-05 11:26:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1461580 | ||
| Bug Blocks: | |||
Description
Jaroslav Reznik
2017-08-09 11:13:54 UTC
[root@dhcp207-177 ~]# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
Session-ID: 01BC4407FFA3F871E8ACA66DC9F68488062795F16711218F533D8FBB8E35B4A8
[root@dhcp207-177 ~]# echo Q | openssl s_client -tls1_1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
Session-ID: 01BC067ED38EDAA92D9FFDE8ED34569504CEEAAEAA4DEB81E5C199E4B8780F43
[root@dhcp207-177 ~]# echo Q | openssl s_client -tls1_2 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
Session-ID: 01BBC8F1EE1588BCF27D8EC173C8BA8E92CE9C12C51F054A40BD7B64E3CFDC4B
[root@dhcp207-177 ~]# echo Q | openssl s_client -tls1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
Session-ID: 01BACBF9C72CA4E39126A353415416499A5DB9918441BEA656A757634F888E43
[root@dhcp207-177 ~]# rpm -q mod_nss
mod_nss-1.0.14-10.el7_4.1.x86_64
[root@dhcp207-177 ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2578
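The reconnect check from the transcript above, wrapped as a pass/fail test. This is an added example, not part of the bug report or of mod_nss; the function names and the sample session IDs are constructed for illustration, and any change of ID between reconnects is treated as "not maintained".

```shell
#!/bin/sh
# Classify `openssl s_client -reconnect` output read on stdin.
# Prints one verdict word; exit status is 0 only when the ID was maintained.
check_session_reuse() {
    awk '
        $1 == "Session-ID:" {               # exact match skips "Session-ID-ctx:"
            total++
            if (NF < 2) { empty++; next }   # server sent no session ID at all
            if (!($2 in seen)) { seen[$2] = 1; distinct++ }
        }
        END {
            # One handshake alone says nothing about resumption.
            if (total < 2)              { print "inconclusive";   exit 2 }
            if (empty || distinct != 1) { print "not-maintained"; exit 1 }
            print "maintained"
        }'
}

# Run the reconnect test from the transcript against host:port. Extra
# arguments are passed to s_client, e.g. -tls1_2 -cipher AES256-SHA.
probe_session_reuse() {
    target=$1; shift
    echo Q | openssl s_client -reconnect -connect "$target" "$@" 2>&1 |
        check_session_reuse
}

# Constructed s_client excerpts (not captured from a real server).
sample_maintained() {       # same ID on the first connect and all reconnects
    for i in 1 2 3 4 5 6; do
        printf '    Session-ID: %s\n    Session-ID-ctx: \n' 0A1B2C3D4E5F
    done
}
sample_broken() {           # a fresh ID on every reconnect
    for i in 1 2 3 4 5 6; do
        printf '    Session-ID: 0A1B2C3D4E5F%02d\n    Session-ID-ctx: \n' "$i"
    done
}
```

Running `probe_session_reuse localhost:8443 -tls1_2 -cipher AES256-SHA` repeats one of the checks from the transcript and can be dropped into a post-update regression test.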