Bug 1461580 - TLS Session ID not maintained
Summary: TLS Session ID not maintained
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_nss
Version: 7.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: ipa-qe
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: 1420851 1472344 1477926 1479766 1490412
Reported: 2017-06-14 20:32 UTC by Robert Bost
Modified: 2020-12-14 08:52 UTC (History)

Fixed In Version: mod_nss-1.0.14-11.el7
Doc Type: Bug Fix
Doc Text:
_mod_nss_ properly detects the threading model in Apache to improve performance

Previously, the _mod_nss_ module was not detecting the threading model properly in Apache. Consequently, users experienced slower performance because the TLS Session ID was not maintained across handshakes and a new session ID was generated for each handshake. This update fixes the threading model detection. As a result, TLS Session IDs are now properly cached, which eliminates the described performance problems.
Clone Of:
: 1479766 (view as bug list)
Environment:
Last Closed: 2018-04-10 18:28:26 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0988 0 None None None 2018-04-10 18:28:46 UTC

Description Robert Bost 2017-06-14 20:32:10 UTC
Description of problem: The TLS Session ID is not maintained across handshakes and a new Session ID is generated each handshake.


Version-Release number of selected component (if applicable): mod_nss-1.0.14-10.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. yum install -y httpd mod_nss
2. systemctl start httpd
3. # echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 003650B19B45B603120D4CC1611E07A5F681338884832A5E2111F8B242E818BC
    Session-ID: 003570E3FFFEABB33DC3816C64CDBC625F663ABD5CDFDC19A298CF51BCB0F62D
    Session-ID: 0034DDC8CFABC4CC8665A833E380D917E083801E0CD11BD97103F34884FD798E
    Session-ID: 0033B3E13C454E0359719A6B8E1355A1F5C320B5C3F8419A2C101B004A655767
    Session-ID: 00377682357FD9D5B924DEEBD85828044D448B04B9077390B4145C73DFBBF464
    Session-ID: 0032F2E98707894674C2BD8875972196E1D412C4505F0286285E0EC6DC9C48E5

Actual results: Different TLS Session ID every handshake.


Expected results: Reuse of TLS Session ID like below:
# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B


Additional info:
This upstream patch resolves the issue (I've confirmed locally) https://pagure.io/mod_nss/c/5709d481a3cd327c157a1f39a2e9018e0feefd75?branch=master
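
Added example (not part of the original report, and not mod_nss or Red Hat code): a shell helper that classifies the output of the reproducer above instead of comparing Session-ID lines by eye, so the check can run in a post-update smoke test. The function names and the sample Session-ID values are constructed for illustration.

```shell
#!/bin/sh
# Classify "openssl s_client -reconnect" output read from stdin.
# Prints: reused | not-reused | inconclusive
session_reuse_status() {
    awk '
        # Only the exact "Session-ID:" field counts; "Session-ID-ctx:" is skipped.
        $1 == "Session-ID:" {
            total++
            # An empty value is treated as no reuse.
            if ($2 == "") { empty++; next }
            if (!($2 in seen)) { seen[$2] = 1; distinct++ }
        }
        END {
            # A single handshake cannot show whether the session was resumed.
            if (total < 2) { print "inconclusive"; exit }
            if (empty == 0 && distinct == 1) { print "reused"; exit }
            print "not-reused"
        }
    '
}

# Live check using the command from the report, e.g. check_host localhost:8443
check_host() {
    echo Q | openssl s_client -reconnect -connect "$1" 2>&1 | session_reuse_status
}

# Constructed sample: a new ID on every handshake (the behaviour reported here).
sample_broken() {
    cat <<'EOF'
    Session-ID: 00A1000000000000000000000000000000000000000000000000000000000001
    Session-ID-ctx:
    Session-ID: 00A1000000000000000000000000000000000000000000000000000000000002
    Session-ID: 00A1000000000000000000000000000000000000000000000000000000000003
EOF
}

# Constructed sample: the same ID on every handshake (the expected behaviour).
sample_fixed() {
    cat <<'EOF'
    Session-ID: 00B2000000000000000000000000000000000000000000000000000000000009
    Session-ID: 00B2000000000000000000000000000000000000000000000000000000000009
    Session-ID: 00B2000000000000000000000000000000000000000000000000000000000009
EOF
}

printf 'broken sample: %s\n' "$(sample_broken | session_reuse_status)"
printf 'fixed sample:  %s\n' "$(sample_fixed | session_reuse_status)"
```
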

Comment 5 Alicja Kario 2017-07-14 10:58:30 UTC
(Just to make sure that it's not a combination of multiple bugs.)

What is the protocol version used? What is the ciphersuite negotiated?

Comment 6 Robert Bost 2017-07-18 15:19:11 UTC
> What is the protocol version used? What is the ciphersuite negotiated?

Protocol: TLSv1.2
Cipher  : ECDHE-RSA-AES256-SHA

The issue is reproducible with TLSv1.1 and other cipher suites as well. For example:

# echo Q | openssl s_client -tls1_1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 30BC19DADBE27D59C961BC2A6F324D460B4C292570954CD78E9FCFE81FBDA760
    Session-ID: 30BB5E1A2699568E8F3463B29C5A943111279786298A2266C115BAD07B001045
    Session-ID: 30BE616E7463261CAD4C408E667CC4A1CB028ACE3D30E3F8940C87E3B6F6B3A3
    Session-ID: 30BF41121B9D051ECAE5F5927CE5F7B1F5873EA7185D1E1C9F7FC6F5945BF7B6
    Session-ID: 30BD7CDCE14334442B1E908D77089D214C49719A499DCD87ED3936AB902D04BC
    Session-ID: 30BC2193077E20DC2E0760FA4992FC06E2D77C6A33DDBF1B77A1EA7A7A95140A

Comment 12 Mohammad Rizwan 2017-11-20 10:20:36 UTC
Version:
mod_nss - mod_nss-1.0.14-12.el7.x86_64
httpd - httpd-2.4.6-79.el7.x86_64

steps:

[root@master ~]# yum install -y httpd mod_nss
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package httpd-2.4.6-79.el7.x86_64 already installed and latest version
Package mod_nss-1.0.14-12.el7.x86_64 already installed and latest version
Nothing to do
[root@master ~]# systemctl start httpd
[root@master ~]# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6

[root@master ~]# rpm  -qa mod_nss
mod_nss-1.0.14-12.el7.x86_64
[root@master ~]# rpm  -qa httpd
httpd-2.4.6-79.el7.x86_64

Comment 17 Rob Crittenden 2017-12-06 13:22:06 UTC
Looks good.

Comment 20 errata-xmlrpc 2018-04-10 18:28:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0988

