Differences between revisions 1 and 12 (spanning 11 versions)
Revision 1 as of 2007-07-13 03:45:59
Size: 2133
Editor: c-76-104-89-150
Comment:
Revision 12 as of 2013-02-17 05:14:21
Size: 3976
Editor: 65-128-71-163
Comment: Typo fix in NTFS junction example: mklink's link-name arg. had some forward-slashes instead of backslashes. Changed capitalization in junction's name to match that used in shmcb entry (consistency).
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
== SSlSesionCache ==
I found the following error in the error.log file:
== SSLSessionCache ==
If the following error is encountered in the error.log file:
Line 6: Line 6:
    [warn] Init: Session Cache is not configured [hint: SSLSessionCache] {{{
[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
}}}
Line 8: Line 10:
What follows is my attempt at correcting the problem: This usually points to a distro breaking up SSL directives from the base SSL virtual host configuration. The default SSL configuration shipped with apache.org's Apache package contains these SSL configurations along with a base virtual host configuration.
Line 10: Line 12:
I am running Apache/2.2.3 (Ubuntu) mod_ssl/2.2.3 Make sure that your SSL configuration file gets loaded before your virtual host configuration file and contains a line that looks like:
Line 12: Line 14:
I use the Ubuntu apache2 directory setup: http://wiki.apache.org/httpd/DistrosDefaultLayout {{{
SSLSessionCache shmcb:/some/example/path/ssl_scache(512000)
}}}
Line 14: Line 18:
The following setting was in /etc/apache2/mods-available/ssl.conf: For confirmation, use http://localhost/server-status to check the cache status.
Line 16: Line 20:
    SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000) Output should be similar to the following:
{{{
SSL/TLS Session Cache Status: <<BR>>
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 1[[BR]]
sub-caches: 32, indexes per sub-cache: 133[[BR]]
time left on oldest entries' SSL sessions: avg: 297 seconds, (range: 297...297)[[BR]]
index usage: 0%, cache usage: 0%[[BR]]
total sessions stored since starting: 1[[BR]]
total sessions expired since starting: 0[[BR]]
total (pre-expiry) sessions scrolled out of the cache: 0[[BR]]
total retrieves since starting: 1 hit, 1 miss[[BR]]
total removes since starting: 0 hit, 0 miss[[BR]]}}}
Line 18: Line 33:
When I moved this to the /etc/apache2/apache2.conf near the bottom before the statement "Include /etc/apache2/sites-enabled/" the error message went away. If you do not get any session cache statistics on the server-status page then your SSL configuration is not correctly set.
Line 20: Line 35:
For confirmation I used http://localhost/server-status to check the cache status

It provided output similar to the following:

    SSL/TLS Session Cache Status: [[BR]]
    cache type: SHMCB, shared memory: 512000 bytes, current sessions: 1[[BR]]
    sub-caches: 32, indexes per sub-cache: 133[[BR]]
    time left on oldest entries' SSL sessions: avg: 297 seconds, (range: 297...297)[[BR]]
    index usage: 0%, cache usage: 0%[[BR]]
    total sessions stored since starting: 1[[BR]]
    total sessions expired since starting: 0[[BR]]
    total (pre-expiry) sessions scrolled out of the cache: 0[[BR]]
    total retrieves since starting: 1 hit, 1 miss[[BR]]
    total removes since starting: 0 hit, 0 miss[[BR]]

When the SSLSessionCache statement was in the ssl.conf file I did not get any session cache statistics on the server-status page.

To enable server-status I used the following construct in the apache2.conf
To enable server-status, the following construct can be used in your Apache configuration file:
Line 52: Line 50:
        Allow from 127.0.0.1
        #Allow from All
Line 56: Line 52:
}}}
Line 57: Line 54:
}}} === Problems on 64-bit Microsoft Windows ===
The following error may be encountered in the error.log file on a 64-bit version of Windows with the 32-bit version of Apache:

{{{
Syntax error on line 62 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
SSLSessionCache: Invalid argument: size has to be >= 8192 bytes
}}}

The offending line will be something like this:
{{{
SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
}}}

Due to a parser error the "(x86)" in the path is mistakenly found when looking for the bracketed cache size parameter at the end. A work-around is to create a link to the Apache folder somewhere else and then replace the Apache folder of the above path with the path of that link. For example, create a link to
 C:/Program Files (x86)/Apache Software Foundation

in your user folder as:

 c:\Users\myusername\Apache

and then use that path in the config file:

{{{
SSLSessionCache "shmcb:c:/Users/myusername/Apache/Apache2.2/logs/ssl_scache(512000)"
}}}

As an alternative under Vista/Windows 7/Server 2008/Server 2008 R2 64bit you can create a junction:

{{{
mklink /j "C:\Program Files\Apache Software Foundation\Apache2.2\logs" "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs"
}}}

and then simply remove the (x86) from the path in the config file:

{{{
"shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
}}}

A less complex alternative is to use the 8.3 compatible short name for "Program Files (x86)" which can be found by running:

{{{
dir /x c:\
}}}

The short name will probably look like "PROGRA~2". The offending line can then be changed to:

{{{
SSLSessionCache "shmcb:C:/PROGRA\~2/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
}}}

NOTE: The tilde (~) must be backslash escaped.

SSLSessionCache

If the following error is encountered in the error.log file:

[warn] Init: Session Cache is not configured [hint: SSLSessionCache]

This usually points to a distro breaking up SSL directives from the base SSL virtual host configuration. The default SSL configuration shipped with apache.org's Apache package contains these SSL configurations along with a base virtual host configuration.

Make sure that your SSL configuration file gets loaded before your virtual host configuration file and contains a line that looks like:

SSLSessionCache        shmcb:/some/example/path/ssl_scache(512000)

For confirmation, use http://localhost/server-status to check the cache status.

Output should be similar to the following:

SSL/TLS Session Cache Status: <<BR>> 
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 1[[BR]]
sub-caches: 32, indexes per sub-cache: 133[[BR]]
time left on oldest entries' SSL sessions: avg: 297 seconds, (range: 297...297)[[BR]]
index usage: 0%, cache usage: 0%[[BR]]
total sessions stored since starting: 1[[BR]]
total sessions expired since starting: 0[[BR]]
total (pre-expiry) sessions scrolled out of the cache: 0[[BR]]
total retrieves since starting: 1 hit, 1 miss[[BR]]
total removes since starting: 0 hit, 0 miss[[BR]]

If you do not get any session cache statistics on the server-status page then your SSL configuration is not correctly set.

To enable server-status, the following construct can be used in your Apache configuration file:

Example

<IfModule mod_status.c>
    #
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Change the ".example.com" to match your domain to enable.
    #
    ExtendedStatus On 
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from .example.com
    </Location>
</IfModule>

Problems on 64-bit Microsoft Windows

The following error may be encountered in the error.log file on a 64-bit version of Windows with the 32-bit version of Apache:

Syntax error on line 62 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/extra/httpd-ssl.conf:
SSLSessionCache: Invalid argument: size has to be >= 8192 bytes

The offending line will be something like this:

SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"

Due to a parser error the "(x86)" in the path is mistakenly found when looking for the bracketed cache size parameter at the end. A work-around is to create a link to the Apache folder somewhere else and then replace the Apache folder of the above path with the path of that link. For example, create a link to

  • C:/Program Files (x86)/Apache Software Foundation

in your user folder as:

  • c:\Users\myusername\Apache

and then use that path in the config file:

SSLSessionCache "shmcb:c:/Users/myusername/Apache/Apache2.2/logs/ssl_scache(512000)"

As an alternative under Vista/Windows 7/Server 2008/Server 2008 R2 64bit you can create a junction:

mklink /j "C:\Program Files\Apache Software Foundation\Apache2.2\logs" "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs"

and then simply remove the (x86) from the path in the config file:

"shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"

A less complex alternative is to use the 8.3 compatible short name for "Program Files (x86)" which can be found by running:

dir /x c:\

The short name will probably look like "PROGRA~2". The offending line can then be changed to:

SSLSessionCache "shmcb:C:/PROGRA\~2/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"

NOTE: The tilde (~) must be backslash escaped.

SSLSessionCache (last edited 2013-02-17 05:14:21 by 65-128-71-163)