diff --git a/SOURCES/mod_nss-session_cache.patch b/SOURCES/mod_nss-session_cache.patch
new file mode 100644
index 0000000..e73bbc5
--- /dev/null
+++ b/SOURCES/mod_nss-session_cache.patch
@@ -0,0 +1,76 @@
+From 5709d481a3cd327c157a1f39a2e9018e0feefd75 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Tue, 7 Feb 2017 10:46:56 -0500
+Subject: [PATCH] Fix the TLS Session ID cache
+
+At some point that I never noticed the way I was trying to
+determine whether the worker or prefork model was being used
+broke such that the reverse of what I intended was happening
+causing no session ID caching at all.
+
+My first crack at this fixed the query to be used which fixed
+the prefork model but the worker model was only caching about
+20% of requests. This is because it is a hybrid of
+forked/threading so still needs the MP cache.
+
+By configuring MP for all I now get the expected level of
+caching. I used the NSS tool strsclnt to confirm levels of
+caching.
+---
+ nss_engine_init.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/nss_engine_init.c b/nss_engine_init.c
+index aec845a..2ffff53 100644
+--- a/nss_engine_init.c
++++ b/nss_engine_init.c
+@@ -430,7 +430,6 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ server_rec *s;
+ int sslenabled = FALSE;
+ int fipsenabled = FALSE;
+- int threaded = 0;
+ struct semid_ds status;
+ char *split_vhost_id = NULL;
+ char *last1;
+@@ -637,11 +636,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ 
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
+ "Initializing SSL Session Cache of size %d. SSL3/TLS timeout = %d.", mc->session_cache_size, mc->ssl3_session_cache_timeout);
+- ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
+- if (!threaded)
+- SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
+- else
+- SSL_ConfigServerSessionIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
++ SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
+ 
+ /* Load our layer */
+ nss_io_layer_init();
+@@ -1525,7 +1520,6 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server)
+ SSLModConfigRec *mc = myModConfig(base_server);
+ SSLSrvConfigRec *sc;
+ server_rec *s;
+- int threaded = 0;
+ int sslenabled = FALSE;
+ 
+ mc->pid = getpid(); /* only call getpid() once per-process */
+@@ -1555,13 +1549,10 @@ void nss_init_Child(apr_pool_t *p, server_rec *base_server)
+ return;
+ }
+ 
+- ap_mpm_query(AP_MPMQ_MAX_THREADS, &threaded);
+- if (!threaded) {
+- if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+- "SSL_InheritMPServerSIDCache failed");
+- nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+- }
++ if (SSL_InheritMPServerSIDCache(NULL) != SECSuccess) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
++ "SSL_InheritMPServerSIDCache failed");
++ nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+ }
+ 
+ nss_init_SSLLibrary(base_server, mc->pPool);
+-- 
+2.9.4
+
diff --git a/SPECS/mod_nss.spec b/SPECS/mod_nss.spec
index c075986..062e1a4 100644
--- a/SPECS/mod_nss.spec
+++ b/SPECS/mod_nss.spec
@@ -6,7 +6,7 @@ Name: mod_nss Version: 1.0.14 -Release: 10%{?dist} +Release: 10%{?dist}.1 Summary: SSL/TLS module for the Apache HTTP server Group: System Environment/Daemons License: ASL 2.0
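Review bot: The return value of `SSL_ConfigMPServerSIDCache` on the added line in nss_init_Module is still discarded, so if the shared session-ID cache cannot be set up the parent logs "Initializing SSL Session Cache" and carries on with no cache, and the problem presumably only shows up later as per-child `SSL_InheritMPServerSIDCache failed` errors. The commit message itself notes that the earlier breakage went unnoticed because nothing reported it, so checking the result here and logging it the same way the child path already does would make the next regression visible at startup. Both nss_init_Module and nss_init_Child continue outside the hunk.
```c
/* … unchanged: ap_log_error("Initializing SSL Session Cache …") … */
if (SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL) != SECSuccess) {
    ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                 "SSL_ConfigMPServerSIDCache failed");
    nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
}
/* … unchanged: nss_io_layer_init() … */
```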
@@ -58,6 +58,8 @@ Patch11: mod_nss-ocsp-tuning-knobs.patch Patch12: mod_nss-pcache_nodbinit.patch # Update nss_pcache man page to drop directory and prefix Patch13: mod_nss-nss_pcache_man.patch +# Fix TLS Session cache +Patch14: mod_nss-session_cache.patch %description The mod_nss module provides strong cryptography for the Apache Web @@ -80,6 +82,7 @@ security library. %patch11 -p1 -b .ocsp_tuning %patch12 -p1 -b .pcache_nodbinit %patch13 -p1 -b .pcache_man +%patch14 -p1 -b .session_cache # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -194,6 +197,9 @@ fi %{_sbindir}/gencert %changelog +* Wed Jul 19 2017 Rob Crittenden - 1.0.14-10.1 +- TLS session cache was not working (#1479766) + * Wed May 10 2017 Rob Crittenden - 1.0.14-10 - Apply the nss_pcache man page patch (#1382102)