apache ssl - session resumption (caching)
158 views
Skip to first unread message
Massimo S.
Jan 19, 2023, 5:24:03 AM1/19/23
to Apache for OS/2
Hi all,
if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very good A+
but i don't understand how to fix this point:
Session resumption (caching) No (IDs assigned but not accepted)
the relate entry in http.conf is this:
SSLSessionCacheTimeout 300 SSLSessionCache
shmcb:X:/temp/ssl_scache(512000)
maybe a path problem?
thanks
massimo
if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very good A+
but i don't understand how to fix this point:
Session resumption (caching) No (IDs assigned but not accepted)
the relate entry in http.conf is this:
SSLSessionCacheTimeout 300 SSLSessionCache
shmcb:X:/temp/ssl_scache(512000)
maybe a path problem?
thanks
massimo
Steven Levine
Jan 19, 2023, 9:25:21 PM1/19/23
to apa...@googlegroups.com
In <1fb3acd8-9ea8-77b7...@ecomstation.it>, on 01/19/23
at 11:23 AM, "Massimo S." <m...@ecomstation.it> said:
Hi Massimo,
>if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very
>good A+
>but i don't understand how to fix this point:
You are not alone. A web search finds a number of hits, but no explici
instructions on how to enable this feature. Looking at the sslabs
reports, it seems that many sites do not enable session resume.
>Session resumption (caching) No (IDs assigned but not accepted)
>the relate entry in http.conf is this:
>SSLSessionCacheTimeout 300
>SSLSessionCache shmcb:X:/temp/ssl_scache(512000)
>maybe a path problem?
Unlikely.
What happends if you add:
SSLSessionTickets on
Steven
--
----------------------------------------------------------------------
"Steven Levine" <ste...@earthlink.net> Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
at 11:23 AM, "Massimo S." <m...@ecomstation.it> said:
Hi Massimo,
>if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very
>good A+
>but i don't understand how to fix this point:
instructions on how to enable this feature. Looking at the sslabs
reports, it seems that many sites do not enable session resume.
>Session resumption (caching) No (IDs assigned but not accepted)
>the relate entry in http.conf is this:
>SSLSessionCacheTimeout 300
>SSLSessionCache shmcb:X:/temp/ssl_scache(512000)
>maybe a path problem?
What happends if you add:
SSLSessionTickets on
Steven
--
----------------------------------------------------------------------
"Steven Levine" <ste...@earthlink.net> Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
Massimo S.
Jan 22, 2023, 3:19:40 PM1/22/23
to apa...@googlegroups.com
Il 20/01/2023 03:21, Steven Levine ha scritto:
> In <1fb3acd8-9ea8-77b7...@ecomstation.it>, on 01/19/23
> at 11:23 AM, "Massimo S." <m...@ecomstation.it> said:
>
> Hi Massimo,
>
>> if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very
>> good A+
>> but i don't understand how to fix this point:
>
> You are not alone. A web search finds a number of hits, but no explici
> instructions on how to enable this feature. Looking at the sslabs
> reports, it seems that many sites do not enable session resume.
>
>> Session resumption (caching) No (IDs assigned but not accepted)
>> the relate entry in http.conf is this:
>> SSLSessionCacheTimeout 300
>> SSLSessionCache shmcb:X:/temp/ssl_scache(512000)
>
>> maybe a path problem?
>
> Unlikely.
>
> What happends if you add:
>
> SSLSessionTickets on
>
> Steven
unfortunately it don't fix that
massimo
Massimo S.
Feb 5, 2023, 2:46:42 PM2/5/23
to apa...@googlegroups.com
any idea?
maybe Paul could help?
some issue in the porting of apache?
massimo
Lewis G Rosenthal
Feb 5, 2023, 4:21:09 PM2/5/23
to apa...@googlegroups.com
Hi, Max...
Doubtful. This works fine, here.
What's your SSL caching mechanism? If you run httpd.exe -t -D DUMP_RUN_CFG,
what do you get for:
Mutex default:
As an example, I get:
Mutex default: dir="J:/APPS/apache24/logs/" mechanism=default
This is not an endorsement of the default method we have on the OS/2
platform, as apparently sysvsem (our compiled-in default) isn't all that
robust). Eventually, I plan to test a couple of the other methods, namely
pthread.
The last AH02026 error in the log here was Jan 24. Check your error log for
occurrences of this error.
FWIW, Paul's latest Apache build is:
https://smedley.id.au/tmp/httpd-2.4.55-os2-debug-20230204.zip
which contains a number of fixes for various things. Work is ongoing.
HTH
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
What's your SSL caching mechanism? If you run httpd.exe -t -D DUMP_RUN_CFG,
what do you get for:
Mutex default:
As an example, I get:
Mutex default: dir="J:/APPS/apache24/logs/" mechanism=default
This is not an endorsement of the default method we have on the OS/2
platform, as apparently sysvsem (our compiled-in default) isn't all that
robust). Eventually, I plan to test a couple of the other methods, namely
pthread.
The last AH02026 error in the log here was Jan 24. Check your error log for
occurrences of this error.
FWIW, Paul's latest Apache build is:
https://smedley.id.au/tmp/httpd-2.4.55-os2-debug-20230204.zip
which contains a number of fixes for various things. Work is ongoing.
HTH
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
Lewis G Rosenthal
Feb 5, 2023, 4:33:01 PM2/5/23
to apa...@googlegroups.com
don't know on OS/2 what methods we actually have. It may be that something
like file would be a better alternative (I really don't know, and haven't
taken a deep dive into this on any platform, usually just accepting the
default).
This is all a work in progress over here, so time will tell.
<snip>
Massimo S.
Feb 6, 2023, 4:01:44 AM2/6/23
to apa...@googlegroups.com
thanks
but i get no dump file, i get this:
Main DocumentRoot: "X:/apache/htdocs"
Main ErrorLog: "X:/lMutex default: dir="X:/apache/logs/" mechanism=default
Mutex rewrite-map: using_Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
MutePidFile: "X:/apache/logs/httpd.pid"
Define: DUMP_RUN_CFG
i'm going to upgrade to the latest build 2.4.55
didn't know there was a new build i've seen the announcement on APACHE/2 ML
and on Paul website it's still at 2.4.52
thanks
massimo
Steven Levine
Feb 6, 2023, 10:42:30 AM2/6/23
to apa...@googlegroups.com
In <42b61227-a594-1b59...@ecomstation.it>, on 02/06/23
at 10:01 AM, "Massimo S." <m...@ecomstation.it> said:
HI massimo,
>but i get no dump file,
What makes you think that httpd.exe -t -D DUMP_RUN_CFG writes to anywhere
but stderr/stdout?
>didn't know there was a new build i've seen the announcement on APACHE/2
>ML and on Paul website it's still at 2.4.52
Lewis and Paul and I have been generating and testing a large number of
new builds for both httpd and php7. Some of these build are experimental.
The plan is that once the rate of change slows down, the builds likely to
be suitable for production will be announced here and in the usual places.
With a bit of luck, the resulting php7 builds will be more stable that
what you are currently running.
Stay tuned. :-)
at 10:01 AM, "Massimo S." <m...@ecomstation.it> said:
HI massimo,
>but i get no dump file,
but stderr/stdout?
>didn't know there was a new build i've seen the announcement on APACHE/2
>ML and on Paul website it's still at 2.4.52
new builds for both httpd and php7. Some of these build are experimental.
The plan is that once the rate of change slows down, the builds likely to
be suitable for production will be announced here and in the usual places.
With a bit of luck, the resulting php7 builds will be more stable that
what you are currently running.
Stay tuned. :-)
Lewis G Rosenthal
Feb 6, 2023, 10:44:42 AM2/6/23
to apa...@googlegroups.com
> Main DocumentRoot: "X:/apache/htdocs"
>
> Main ErrorLog: "X:/lMutex default: dir="X:/apache/logs/" mechanism=default
> Mutex rewrite-map: using_Mutex ssl-stapling-refresh: using_defaults
> Mutex ssl-stapling: using_defaults
> MutePidFile: "X:/apache/logs/httpd.pid"
> Define: DUMP_RUN_CFG
>
Mutex ssl-cache: using_defaults
You can also run Steve's apachectl.cmd with the testv option to produce this.
You might want to try a different method for your SSL cache. I am using dbm
instead of shmcb, so I have:
SSLSessionCache "dbm:j:/var/cache/ssl_scache"
> i'm going to upgrade to the latest build 2.4.55
>
> didn't know there was a new build i've seen the announcement on APACHE/2 ML
> and on Paul website it's still at 2.4.52
>
Massimo S.
Feb 6, 2023, 2:53:36 PM2/6/23
to apa...@googlegroups.com
Il 06/02/2023 16:25, Steven Levine ha scritto:
> In <42b61227-a594-1b59...@ecomstation.it>, on 02/06/23
> at 10:01 AM, "Massimo S." <m...@ecomstation.it> said:
>
> HI massimo,
>
>> but i get no dump file,
>
> What makes you think that httpd.exe -t -D DUMP_RUN_CFG writes to anywhere
> but stderr/stdout?
>
>> didn't know there was a new build i've seen the announcement on APACHE/2
>> ML and on Paul website it's still at 2.4.52
>
> Lewis and Paul and I have been generating and testing a large number of
> new builds for both httpd and php7. Some of these build are experimental.
> The plan is that once the rate of change slows down, the builds likely to
> be suitable for production will be announced here and in the usual places.
>
> With a bit of luck, the resulting php7 builds will be more stable that
> what you are currently running.
>
> Stay tuned. :-)
>
> Steven
massimo
Reply all
Reply to author
Forward
0 new messages