apache ssl - session resumption (caching)


Massimo S.

Jan 19, 2023, 5:24:03 AM
to Apache for OS/2
Hi all,

if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very good A+

but i don't understand how to fix this point:

Session resumption (caching) No (IDs assigned but not accepted)

the related entry in http.conf is this:

SSLSessionCacheTimeout 300
SSLSessionCache shmcb:X:/temp/ssl_scache(512000)

maybe a path problem?

thanks

massimo

Steven Levine

Jan 19, 2023, 9:25:21 PM
to apa...@googlegroups.com
In <1fb3acd8-9ea8-77b7...@ecomstation.it>, on 01/19/23
at 11:23 AM, "Massimo S." <m...@ecomstation.it> said:

Hi Massimo,

>if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very
>good A+
>but i don't understand how to fix this point:

You are not alone. A web search finds a number of hits, but no explicit
instructions on how to enable this feature. Looking at the ssllabs
reports, it seems that many sites do not enable session resume.

>Session resumption (caching) No (IDs assigned but not accepted)
>the related entry in http.conf is this:
>SSLSessionCacheTimeout 300
>SSLSessionCache shmcb:X:/temp/ssl_scache(512000)

>maybe a path problem?

Unlikely.

What happens if you add:

SSLSessionTickets on

Steven

--
----------------------------------------------------------------------
"Steven Levine" <ste...@earthlink.net> Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------

Massimo S.

Jan 22, 2023, 3:19:40 PM
to apa...@googlegroups.com



Il 20/01/2023 03:21, Steven Levine ha scritto:
> In <1fb3acd8-9ea8-77b7...@ecomstation.it>, on 01/19/23
> at 11:23 AM, "Massimo S." <m...@ecomstation.it> said:
>
> Hi Massimo,
>
>> if i test my (LE) certificates on www.ssllabs.com/ssltest/ i get a very
>> good A+
>> but i don't understand how to fix this point:
>
> You are not alone. A web search finds a number of hits, but no explicit
> instructions on how to enable this feature. Looking at the ssllabs
> reports, it seems that many sites do not enable session resume.
>
>> Session resumption (caching) No (IDs assigned but not accepted)
>> the related entry in http.conf is this:
>> SSLSessionCacheTimeout 300
>> SSLSessionCache shmcb:X:/temp/ssl_scache(512000)
>
>> maybe a path problem?
>
> Unlikely.
>
> What happens if you add:
>
> SSLSessionTickets on
>
> Steven

hi,

unfortunately it doesn't fix that

massimo





Massimo S.

Feb 5, 2023, 2:46:42 PM
to apa...@googlegroups.com
Hi again Steven,

any idea?

maybe Paul could help?

some issue in the porting of apache?

massimo

Lewis G Rosenthal

Feb 5, 2023, 4:21:09 PM
to apa...@googlegroups.com
Hi, Max...
Doubtful. This works fine, here.

What's your SSL caching mechanism? If you run httpd.exe -t -D DUMP_RUN_CFG,
what do you get for:

Mutex default:

As an example, I get:

Mutex default: dir="J:/APPS/apache24/logs/" mechanism=default

This is not an endorsement of the default method we have on the OS/2
platform, as apparently sysvsem (our compiled-in default) isn't all that
robust. Eventually, I plan to test a couple of the other methods, namely
pthread.

The last AH02026 error in the log here was Jan 24. Check your error log for
occurrences of this error.

FWIW, Paul's latest Apache build is:

https://smedley.id.au/tmp/httpd-2.4.55-os2-debug-20230204.zip

which contains a number of fixes for various things. Work is ongoing.

HTH

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------

Lewis G Rosenthal

Feb 5, 2023, 4:33:01 PM
to apa...@googlegroups.com
To clarify, the only methods available are those provided by the APR. I
don't know on OS/2 what methods we actually have. It may be that something
like file would be a better alternative (I really don't know, and haven't
taken a deep dive into this on any platform, usually just accepting the
default).

This is all a work in progress over here, so time will tell.

<snip>

Massimo S.

Feb 6, 2023, 4:01:44 AM
to apa...@googlegroups.com
hi,

thanks

but i get no dump file, i get this:

Main DocumentRoot: "X:/apache/htdocs"

Main ErrorLog: "X:/lMutex default: dir="X:/apache/logs/" mechanism=default
Mutex rewrite-map: using_Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
MutePidFile: "X:/apache/logs/httpd.pid"
Define: DUMP_RUN_CFG

i'm going to upgrade to the latest build 2.4.55

didn't know there was a new build i've seen the announcement on APACHE/2 ML
and on Paul website it's still at 2.4.52

thanks

massimo

Steven Levine

Feb 6, 2023, 10:42:30 AM
to apa...@googlegroups.com
In <42b61227-a594-1b59...@ecomstation.it>, on 02/06/23
at 10:01 AM, "Massimo S." <m...@ecomstation.it> said:

Hi Massimo,

>but i get no dump file,

What makes you think that httpd.exe -t -D DUMP_RUN_CFG writes to anywhere
but stderr/stdout?

>didn't know there was a new build i've seen the announcement on APACHE/2
>ML and on Paul website it's still at 2.4.52

Lewis and Paul and I have been generating and testing a large number of
new builds for both httpd and php7. Some of these builds are experimental.
The plan is that once the rate of change slows down, the builds likely to
be suitable for production will be announced here and in the usual places.

With a bit of luck, the resulting php7 builds will be more stable than
what you are currently running.

Stay tuned. :-)

Lewis G Rosenthal

Feb 6, 2023, 10:44:42 AM
to apa...@googlegroups.com
I didn't say you would get a dump file.

> Main DocumentRoot: "X:/apache/htdocs"
>
> Main ErrorLog: "X:/lMutex default: dir="X:/apache/logs/" mechanism=default
> Mutex rewrite-map: using_Mutex ssl-stapling-refresh: using_defaults
> Mutex ssl-stapling: using_defaults
> MutePidFile: "X:/apache/logs/httpd.pid"
> Define: DUMP_RUN_CFG
>

I see nothing like:

Mutex ssl-cache: using_defaults

You can also run Steve's apachectl.cmd with the testv option to produce this.

You might want to try a different method for your SSL cache. I am using dbm
instead of shmcb, so I have:

SSLSessionCache "dbm:j:/var/cache/ssl_scache"

> i'm going to upgrade to the latest build 2.4.55
>
> didn't know there was a new build i've seen the announcement on APACHE/2 ML
> and on Paul website it's still at 2.4.52
>

This has been happening fast, with a lot of testing going on.
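
The check described in the post above, written out as an added example (not code from the thread or from the Apache project): it reads the SSLSession* directives from a config fragment and looks for a `Mutex ssl-cache` entry in `httpd.exe -t -D DUMP_RUN_CFG` output. The inputs are constructed from the text quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed inputs modelled on the thread: the posted directives and the
# interleaved DUMP_RUN_CFG output (stdout and stderr mixed on the console).
CONF = '''\
# constructed httpd.conf fragment
SSLSessionCacheTimeout 300
SSLSessionCache shmcb:X:/temp/ssl_scache(512000)
SSLSessionTickets on
'''
DUMP = '''\
Main DocumentRoot: "X:/apache/htdocs"
Main ErrorLog: "X:/lMutex default: dir="X:/apache/logs/" mechanism=default
Mutex rewrite-map: using_Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
MutePidFile: "X:/apache/logs/httpd.pid"
Define: DUMP_RUN_CFG
'''

# Directive names are case-insensitive in httpd config files.
DIRECTIVE_RE = re.compile(r"^\s*(SSLSession\w+)\s+(.+?)\s*$", re.I | re.M)
# Not anchored to line start: interleaving can glue an entry onto another line.
MUTEX_RE = re.compile(r"Mutex ([A-Za-z0-9-]+):")

def session_directives(conf_text):
    """Map each SSLSession* directive (lower-cased) to its last value."""
    return {name.lower(): value.strip('"')
            for name, value in DIRECTIVE_RE.findall(conf_text)}

def mutex_names(dump_text):
    """Return every mutex name that appears anywhere in the dump."""
    return set(MUTEX_RE.findall(dump_text))

def diagnose(conf_text, dump_text):
    """Return (cache_provider, ssl_cache_mutex_listed)."""
    cache = session_directives(conf_text).get("sslsessioncache", "none")
    provider = cache.split(":", 1)[0].lower()
    return provider, "ssl-cache" in mutex_names(dump_text)

if __name__ == "__main__":
    provider, listed = diagnose(CONF, DUMP)
    print(f"session cache provider: {provider}")
    print(f"Mutex ssl-cache listed: {listed}")
```

The mutex pattern is deliberately unanchored because the quoted console output has stdout and stderr interleaved; an entry missing from such a dump is a hint rather than proof, so capture the two streams separately before drawing conclusions.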

Massimo S.

Feb 6, 2023, 2:53:36 PM
to apa...@googlegroups.com


Il 06/02/2023 16:25, Steven Levine ha scritto:
> In <42b61227-a594-1b59...@ecomstation.it>, on 02/06/23
> at 10:01 AM, "Massimo S." <m...@ecomstation.it> said:
>
> HI massimo,
>
>> but i get no dump file,
>
> What makes you think that httpd.exe -t -D DUMP_RUN_CFG writes to anywhere
> but stderr/stdout?
>
>> didn't know there was a new build i've seen the announcement on APACHE/2
>> ML and on Paul website it's still at 2.4.52
>
> Lewis and Paul and I have been generating and testing a large number of
> new builds for both httpd and php7. Some of these builds are experimental.
> The plan is that once the rate of change slows down, the builds likely to
> be suitable for production will be announced here and in the usual places.
>
> With a bit of luck, the resulting php7 builds will be more stable than
> what you are currently running.
>
> Stay tuned. :-)
>
> Steven

guys, thank you so much :)

massimo