Hide Forgot
mod_nss now supports changing the SSL renegotiation buffer size This update adds the `NSSRenegBufferSize` parameter to the _mod_nss_ package. The parameter allows users to configure the amount of memory to be used for buffering a POST request when a per-location SSL renegotiation is required. Previously, _mod_nss_ did not support this functionality, which caused such requests to fail with the following message recorded in Apache logging: request body exceeds maximum size for SSL buffer, could not buffer message body to allow SSL renegotiation to proceed. `NSSRenegBufferSize` accepts buffer size in bytes. The default value is 128K. Setting `NSSRenegBufferSize` to `0` disables the buffering.
Description of problem: When POSTing a 1MB file, I received an HTTP 413 (Request Entity Too Large) and got the following error in Apache logging: request body exceeds maximum size for SSL buffer, could not buffer message body to allow SSL renegotiation to proceed. I am not able to increase the renegotiation buffer size. Version-Release number of selected component (if applicable): Issue applies to all currently released mod_nss versions at the time of creating this bug. How reproducible: Always Steps to Reproduce: 1. POST 1MB file to https URL (SSL must be configured using mod_nss) Actual results: Receive HTTP 413 on client. See error stating that "body exceed maximum size for SSL buffer" on server side. Expected results: File should be POSTed to server successfully. Additional info: Need to be able to configure renegotiation buffer size just like mod_ssl's SSLRenegBufferSize.
Please provide the steps to verify it.
The default buffer size is 128k (131072 bytes). To verify create a CGI to accept the POST. I created one that simply echo's the data back and put it into /var/www/cgi-bin: #!/usr/bin/perl binmode(STDOUT); binmode(STDIN); print "Content-Type: text/plain\r\n"; print "\r\n"; while (<>) { print $_; } Modify nss.conf and set a specific cipher for cgi-bin which will cause a re-negotiation: <Directory "/var/www/cgi-bin"> NSSCipherSuite +rsa_3des_sha NSSOptions +ExportCertData +CompatEnvVars +StdEnvVars </Directory> Restart Apache Generate a file that is within the default range: $ tr -dc A-Za-z0-9 </dev/urandom | head -c 131072 > /tmp/data Try to get the file: $ wget -O - --no-check-certificate --post-file /tmp/data https://`hostname`:8443/cgi-bin/echo.pl It should succeed. Try a bigger file: $ tr -dc A-Za-z0-9 </dev/urandom | head -c 131073 > /tmp/data $ wget -O - --no-check-certificate --post-file /tmp/data https://`hostname`:8443/cgi-bin/echo.pl It should fail with 413 Request Entity Too Large Edit nss.conf again and set a new, larger buffer size to the cgi-bin Directory block: NSSRenegBufferSize 1048576 Restart Apache Try the same POST again: $ wget -O - --no-check-certificate --post-file /tmp/data https://`hostname`:8443/cgi-bin/echo.pl It should succeed
Verified using mod_nss :: mod_nss-1.0.10-5.el6.x86_64 Steps followed to verify :: https://bugzilla.redhat.com/show_bug.cgi?id=1214366#c10
Created attachment 1128150 [details] console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0751.html