Bug 1461580 - TLS Session ID not maintained
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_nss
Version: 7.3
Hardware: All Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: ipa-qe
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords: ZStream
Depends On:
Blocks: 1420851 1477926 1472344 1479766 1490412
Reported: 2017-06-14 20:32 UTC by Robert Bost
Modified: 2018-04-10 18:28 UTC (History)

Fixed In Version: mod_nss-1.0.14-11.el7
Doc Type: Bug Fix
Doc Text:
_mod_nss_ properly detects the threading model in Apache to improve performance
Previously, the _mod_nss_ module was not detecting the threading model properly in Apache. Consequently, users experienced slower performance because the TLS Session ID was not maintained across handshakes and a new session ID was generated for each handshake. This update fixes the threading model detection. As a result, TLS Session IDs are now properly cached, which eliminates the described performance problems.
Story Points: ---
Clone Of:
Clones: 1479766
Environment:
Last Closed: 2018-04-10 18:28:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0988 None None None 2018-04-10 18:28 UTC

Description Robert Bost 2017-06-14 20:32:10 UTC
Description of problem: The TLS Session ID is not maintained across handshakes and a new Session ID is generated each handshake.


Version-Release number of selected component (if applicable): mod_nss-1.0.14-10.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. yum install -y httpd mod_nss
2. systemctl start httpd
3. # echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 003650B19B45B603120D4CC1611E07A5F681338884832A5E2111F8B242E818BC
    Session-ID: 003570E3FFFEABB33DC3816C64CDBC625F663ABD5CDFDC19A298CF51BCB0F62D
    Session-ID: 0034DDC8CFABC4CC8665A833E380D917E083801E0CD11BD97103F34884FD798E
    Session-ID: 0033B3E13C454E0359719A6B8E1355A1F5C320B5C3F8419A2C101B004A655767
    Session-ID: 00377682357FD9D5B924DEEBD85828044D448B04B9077390B4145C73DFBBF464
    Session-ID: 0032F2E98707894674C2BD8875972196E1D412C4505F0286285E0EC6DC9C48E5

Actual results: Different TLS Session ID every handshake.


Expected results: Reuse of TLS Session ID like below:
# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B


Additional info:
This upstream patch resolves the issue (I've confirmed locally) https://pagure.io/mod_nss/c/5709d481a3cd327c157a1f39a2e9018e0feefd75?branch=master
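The reproduction above compares the Session-ID lines by eye. As an added check (example code, not part of the bug report or of mod_nss), this POSIX shell function makes the same decision mechanically from `openssl s_client -reconnect` output, and also reads s_client's per-handshake `New,`/`Reused,` summary lines, which cover servers that resume via session tickets rather than a cached ID; the inputs used in testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of mod_nss: decide mechanically
# whether a server resumed the TLS session across the reconnects that
# `openssl s_client -reconnect` performs (one fresh handshake plus five
# reconnects by default). Reads s_client output, or just the grepped
# Session-ID lines as in the report, on stdin.
#
# Prints one verdict and sets the exit status:
#   resumed       (0)  later handshakes reused the first session
#   not-resumed   (1)  a fresh session was issued on reconnect (this bug)
#   undetermined  (2)  nothing to compare, e.g. a single or empty Session-ID
check_session_reuse() {
    awk '
        # s_client prints one summary line per handshake: "New, ..." for a
        # full handshake, "Reused, ..." for a resumed one.
        /^New,/    { new++ }
        /^Reused,/ { reused++ }
        /Session-ID:/ {
            sub(/^[ \t]*Session-ID:[ \t]*/, "")   # keep only the hex value
            ids[$0]++; n++
        }
        END {
            distinct = 0
            for (id in ids) if (id != "") distinct++
            # Summary lines are authoritative when present; otherwise fall
            # back to comparing Session-ID values, as the report does by eye.
            if (new + reused > 0) {
                if (reused > 0 && new <= 1) { print "resumed"; exit 0 }
                print "not-resumed"; exit 1
            }
            if (n < 2 || distinct == 0) { print "undetermined"; exit 2 }
            if (distinct == 1) { print "resumed"; exit 0 }
            print "not-resumed"; exit 1
        }'
}

# Live use against a listener given as host:port in the first argument,
# e.g. localhost:8443 for the mod_nss default in the report.
if [ "$#" -ge 1 ]; then
    echo Q | openssl s_client -reconnect -connect "$1" 2>&1 | check_session_reuse
fi
```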

Comment 5 Hubert Kario 2017-07-14 10:58:30 UTC
(Just to make sure that it's not combination of multiple bugs.)

What is the protocol version used? What is the ciphersuite negotiated?

Comment 6 Robert Bost 2017-07-18 15:19:11 UTC
> What is the protocol version used? What is the ciphersuite negotiated?

Protocol: TLSv1.2
Cipher  : ECDHE-RSA-AES256-SHA

The issue is reproducible with TLSv1.1 and other cipher suites as well. For example:

# echo Q | openssl s_client -tls1_1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 30BC19DADBE27D59C961BC2A6F324D460B4C292570954CD78E9FCFE81FBDA760
    Session-ID: 30BB5E1A2699568E8F3463B29C5A943111279786298A2266C115BAD07B001045
    Session-ID: 30BE616E7463261CAD4C408E667CC4A1CB028ACE3D30E3F8940C87E3B6F6B3A3
    Session-ID: 30BF41121B9D051ECAE5F5927CE5F7B1F5873EA7185D1E1C9F7FC6F5945BF7B6
    Session-ID: 30BD7CDCE14334442B1E908D77089D214C49719A499DCD87ED3936AB902D04BC
    Session-ID: 30BC2193077E20DC2E0760FA4992FC06E2D77C6A33DDBF1B77A1EA7A7A95140A

Comment 12 Mohammad Rizwan 2017-11-20 10:20:36 UTC
Version:
mod_nss - mod_nss-1.0.14-12.el7.x86_64
httpd - httpd-2.4.6-79.el7.x86_64

steps:

[root@master ~]# yum install -y httpd mod_nss
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Package httpd-2.4.6-79.el7.x86_64 already installed and latest version
Package mod_nss-1.0.14-12.el7.x86_64 already installed and latest version
Nothing to do
[root@master ~]# systemctl start httpd
[root@master ~]# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6
    Session-ID: 759476A77C3ADC43FBF64DA49DFF3F8C82C3774D3FDB117206EA9867C920FBC6

[root@master ~]# rpm  -qa mod_nss
mod_nss-1.0.14-12.el7.x86_64
[root@master ~]# rpm  -qa httpd
httpd-2.4.6-79.el7.x86_64

Comment 17 Rob Crittenden 2017-12-06 13:22:06 UTC
Looks good.

Comment 20 errata-xmlrpc 2018-04-10 18:28:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0988

