|
 |
49b7d4 |
From 5709d481a3cd327c157a1f39a2e9018e0feefd75 Mon Sep 17 00:00:00 2001
|
|
|
49b7d4 |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
49b7d4 |
Date: Tue, 7 Feb 2017 10:46:56 -0500
|
|
|
49b7d4 |
Subject: [PATCH] Fix the TLS Session ID cache
|
|
|
49b7d4 |
|
|
|
49b7d4 |
At some point that I never noticed the way I was trying to
|
|
|
49b7d4 |
determine whether the worker or prefork model was being used
|
|
|
49b7d4 |
broke such that the reverse of what I intended was happening
|
|
|
49b7d4 |
causing no session ID caching at all.
|
|
|
49b7d4 |
|
|
|
49b7d4 |
My first crack at this fixed the query to be used which fixed
|
|
|
49b7d4 |
the prefork model but the worker model was only caching about
|
|
|
49b7d4 |
20% of requests. This is because it is a hybrid of
|
|
|
49b7d4 |
forked/threading so still needs the MP cache.
|
|
|
49b7d4 |
|
|
|
49b7d4 |
By configuring MP for all I now get the expected level of
|
|
|
49b7d4 |
caching. I used the NSS tool strsclnt to confirm levels of
|
|
|
49b7d4 |
caching.
|
|
|
49b7d4 |
---
|
|
|
49b7d4 |
nss_engine_init.c | 19 +++++--------------
|
|
|
49b7d4 |
1 file changed, 5 insertions(+), 14 deletions(-)
|
|
|
49b7d4 |
|
|
|
49b7d4 |
diff --git a/nss_engine_init.c b/nss_engine_init.c
|
|
|
49b7d4 |
index aec845a..2ffff53 100644
|
|
|
49b7d4 |
--- a/nss_engine_init.c
|
|
|
49b7d4 |
+++ b/nss_engine_init.c
|
|
|
49b7d4 |
@@ -430,7 +430,6 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
|
|
49b7d4 |
server_rec *s;
|
|
|
49b7d4 |
int sslenabled = FALSE;
|
|
|
49b7d4 |
int fipsenabled = FALSE;
|
|
|
49b7d4 |
- int threaded = 0;
|
|
|
49b7d4 |
struct semid_ds status;
|
|
|
49b7d4 |
char *split_vhost_id = NULL;
|
|
|
49b7d4 |
char *last1;
|
|
|
49b7d4 |
@@ -637,11 +636,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
|
|
49b7d4 |
|
|
|
49b7d4 |
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
|
|
|
49b7d4 |
"Initializing SSL Session Cache of size %d. SSL3/TLS timeout = %d.", mc->session_cache_size, mc->ssl3_session_cache_timeout);
|
|
|
49b7d4 |
- ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
|
|
|
49b7d4 |
- if (!threaded)
|
|
|
49b7d4 |
- SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
|
|
|
49b7d4 |
- else
|
|
|
49b7d4 |
- SSL_ConfigServerSessionIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
|
|
|
49b7d4 |
+ SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
|
|
|
49b7d4 |
|
|
|
49b7d4 |
/* Load our layer */
|
|
|
49b7d4 |
nss_io_layer_init();
|
|
|
49b7d4 |
@@ -1525,7 +1520,6 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server)
|
|
|
49b7d4 |
SSLModConfigRec *mc = myModConfig(base_server);
|
|
|
49b7d4 |
SSLSrvConfigRec *sc;
|
|
|
49b7d4 |
server_rec *s;
|
|
|
49b7d4 |
- int threaded = 0;
|
|
|
49b7d4 |
int sslenabled = FALSE;
|
|
|
49b7d4 |
|
|
|
49b7d4 |
mc->pid = getpid(); /* only call getpid() once per-process */
|
|
|
49b7d4 |
@@ -1555,13 +1549,10 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server)
|
|
|
49b7d4 |
return;
|
|
|
49b7d4 |
}
|
|
|
49b7d4 |
|
|
|
49b7d4 |
- ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
|
|
|
49b7d4 |
- if (!threaded) {
|
|
|
49b7d4 |
- if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
|
|
|
49b7d4 |
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
|
|
49b7d4 |
- "SSL_InheritMPServerSIDCache failed");
|
|
|
49b7d4 |
- nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
|
|
|
49b7d4 |
- }
|
|
|
49b7d4 |
+ if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
|
|
|
49b7d4 |
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
|
|
|
49b7d4 |
+ "SSL_InheritMPServerSIDCache failed");
|
|
|
49b7d4 |
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
|
|
|
49b7d4 |
}
|
|
|
49b7d4 |
|
|
|
49b7d4 |
nss_init_SSLLibrary(base_server, mc->pPool);
|
|
|
49b7d4 |
--
|
|
|
49b7d4 |
2.9.4
|
|
|
49b7d4 |
|