Bug 1214366 - ssl re-negotiation buffer size in mod_nss is hard-coded at 128K
Summary: ssl re-negotiation buffer size in mod_nss is hard-coded at 128K
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mod_nss
Version: 6.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Matthew Harmsen
QA Contact: Kaleem
Aneta Šteflová Petrová
Depends On:
Blocks: 1272422
Reported: 2015-04-22 14:42 UTC by Robert Bost
Modified: 2016-05-10 19:40 UTC (History)

mod_nss now supports changing the SSL renegotiation buffer size

This update adds the `NSSRenegBufferSize` parameter to the _mod_nss_ package. The parameter sets the amount of memory used to buffer a POST request body when a per-location SSL renegotiation is required. Previously, _mod_nss_ used a fixed 128K buffer that could not be changed, which caused larger requests to fail with the following message recorded in Apache logging:

    request body exceeds maximum size for SSL buffer, could not buffer message body to allow SSL renegotiation to proceed.

`NSSRenegBufferSize` accepts the buffer size in bytes. The default value is 128K (131072 bytes). Setting `NSSRenegBufferSize` to `0` disables the buffering. Raise the value only as far as the largest request body the renegotiating location legitimately needs, and set it in that Directory or Location block rather than globally, because the buffer is memory the server holds for each such request until the renegotiation completes.
Clone Of:
Last Closed: 2016-05-10 19:40:42 UTC

Attachments
console.log (2.96 KB, text/plain)
2016-02-18 07:03 UTC, Abhijeet Kasurde

External Trackers
Tracker ID: Red Hat Product Errata RHBA-2016:0751
Priority: normal
Status: SHIPPED_LIVE
Summary: mod_nss bug fix and enhancement update
Last Updated: 2016-05-10 22:31:54 UTC

Description Robert Bost 2015-04-22 14:42:47 UTC
Description of problem: When POSTing a 1MB file, I received an HTTP 413 (Request Entity Too Large) and got the following error in Apache logging:

request body exceeds maximum size for SSL buffer, could not buffer message body to allow SSL renegotiation to proceed.

I am not able to increase the renegotiation buffer size.

Version-Release number of selected component (if applicable):
Issue applies to all currently released mod_nss versions at the time of creating this bug.

How reproducible: Always

Steps to Reproduce:
1. POST 1MB file to https URL (SSL must be configured using mod_nss)

Actual results: Receive HTTP 413 on client. See error stating that "body exceeds maximum size for SSL buffer" on server side.

Expected results: File should be POSTed to server successfully.

Additional info: Need to be able to configure renegotiation buffer size just like mod_ssl's SSLRenegBufferSize.

Comment 8 Kaleem 2016-02-16 10:01:25 UTC
Please provide the steps to verify it.

Comment 10 Rob Crittenden 2016-02-17 14:26:15 UTC
The default buffer size is 128k (131072 bytes).

To verify create a CGI to accept the POST. I created one that simply echoes the data back and put it into /var/www/cgi-bin:

#!/usr/bin/perl
# CGI that echoes the POST body back; used as the re-negotiation target
use strict;
use warnings;
print "Content-Type: text/plain\r\n";
print "\r\n";
while (<>) {    # the request body arrives on STDIN
    print $_;
}

Modify nss.conf and set a specific cipher for cgi-bin which will cause a re-negotiation:

<Directory "/var/www/cgi-bin">
    NSSCipherSuite +rsa_3des_sha
    NSSOptions +ExportCertData +CompatEnvVars +StdEnvVars
</Directory>

Restart Apache

Generate a file that is within the default range:

$ tr -dc A-Za-z0-9 </dev/urandom | head -c 131072 > /tmp/data

Try to get the file:

$ wget -O - --no-check-certificate --post-file /tmp/data https://`hostname`:8443/cgi-bin/echo.pl

It should succeed.

Try a bigger file:

$ tr -dc A-Za-z0-9 </dev/urandom | head -c 131073 > /tmp/data

$ wget -O - --no-check-certificate --post-file /tmp/data https://`hostname`:8443/cgi-bin/echo.pl

It should fail with 413 Request Entity Too Large

Edit nss.conf again and set a new, larger buffer size in the cgi-bin Directory block:

NSSRenegBufferSize 1048576

Restart Apache

Try the same POST again:

$ wget -O - --no-check-certificate --post-file /tmp/data https://`hostname`:8443/cgi-bin/echo.pl

It should succeed.
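
The boundary check from Comment 10 and the `NSSRenegBufferSize` directive from the release note, scripted as an added example. This is not code from the bug report or from the mod_nss project. It assumes curl is installed, that the first argument is the URL of the echo CGI from the comment (for example https://host:8443/cgi-bin/echo.pl) served through mod_nss, and that the second argument is the nss.conf holding the cgi-bin Directory block; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or mod_nss: automates the
# NSSRenegBufferSize boundary check from Comment 10. Assumed: curl is
# installed, $1 is the echo CGI URL (e.g. https://host:8443/cgi-bin/echo.pl),
# $2 is the nss.conf that holds the cgi-bin <Directory> block.
set -u

# Write exactly $2 bytes of alphanumeric data to $1. LC_ALL=C keeps tr
# byte-oriented so a UTF-8 locale cannot reject bytes from /dev/urandom.
make_body() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$2" > "$1"
}

# Size of a file in bytes, with the padding some wc builds print stripped.
body_size() {
    wc -c < "$1" | tr -d ' '
}

# Effective NSSRenegBufferSize in a config file. Takes the last occurrence
# (scope is not tracked, so keep one directive per file for this check) and
# falls back to the 128K default (131072 bytes) when the directive is absent.
reneg_buffer_size() {
    size=$(grep -i '^[[:space:]]*NSSRenegBufferSize[[:space:]]' "$1" \
           | awk '{print $2}' | tail -n 1)
    echo "${size:-131072}"
}

# Status the server should return for a $2-byte body with a $1-byte buffer:
# 200 when the body fits, 413 Request Entity Too Large when it does not.
expected_status() {
    if [ "$2" -le "$1" ]; then echo 200; else echo 413; fi
}

# POST a file and print only the HTTP status. -k mirrors the comment's
# --no-check-certificate; drop it once the server has a trusted certificate.
post_status() {
    curl -k -s -o /dev/null -w '%{http_code}' --data-binary "@$1" "$2"
}

# Post bodies at and one byte over the configured buffer and compare the
# observed status with the prediction. Returns non-zero on any mismatch.
run_verification() {
    url=$1; conf=$2; rc=0
    buf=$(reneg_buffer_size "$conf")
    for len in "$buf" $((buf + 1)); do
        body=$(mktemp)
        make_body "$body" "$len"
        want=$(expected_status "$buf" "$len")
        got=$(post_status "$body" "$url")
        rm -f "$body"
        if [ "$got" = "$want" ]; then
            echo "ok   $len bytes -> $got"
        else
            echo "FAIL $len bytes -> $got (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Only run end to end when a URL and config are given on the command line.
if [ $# -ge 2 ]; then
    run_verification "$1" "$2"
fi
```

Run it once with the stock config (expect 131072 bytes to return 200 and 131073 to return 413), then again after adding `NSSRenegBufferSize 1048576` to the Directory block and restarting Apache, when both sizes should return 200. The script predicts the 413 from the configured value, so a mismatch either way points at the config not being the one the server loaded or at the renegotiation not being triggered for that location.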

Comment 11 Abhijeet Kasurde 2016-02-18 06:37:46 UTC
Verified using mod_nss ::

Steps followed to verify ::

Comment 12 Abhijeet Kasurde 2016-02-18 07:03 UTC
Created attachment 1128150

Comment 21 errata-xmlrpc 2016-05-10 19:40:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

