Topic: APACHE issue with RSA and ECC on systems

Author: Sraahvan
Joined: 21 Oct 2022 Posts: 4
Posted: Tue 29 Nov '22 8:55 Post subject: APACHE issue with RSA and ECC on systems
We are observing issues with Apache + ECC and Apache + RSA, which are listed below.
httpd configuration:
<VirtualHost *:443>
    # mark every cookie Secure, and HttpOnly except for the three named application cookies
    Header edit Set-Cookie (.*) "$1;Secure"
    Header edit Set-Cookie ^((?!(siemens_automation_language|breadcrumb_autorefresh|sinema_DLS)).*)$ $1;HttpOnly;Secure
    ServerAdmin sinema@localhost.com
    ServerName "localhost"
    SSLEngine on
    SSLProxyEngine on
    SecRuleEngine On
    SSLCertificateFile ../SSLCertificates/server/cert.pem
    SSLCertificateKeyFile ../SSLCertificates/server/key.pem
    SSLCACertificateFile ../SSLCertificates/sinecnmsca/cacert.pem
</VirtualHost>
In our application there is 1 master and 100 slaves sending a heartbeat every minute to the master (100 HB/min at the master).

Apache with ECC:
Recently we had a requirement to move to ECC, so Apache + ECC certificate is used (curves namely secp256k1, secp256r1 or secp384r1). It works only for some time and later the UI does not respond at all: the UI is very slow and later it throws the error "localhost took time to respond" or "proxy error". In the Apache error.log we could find the errors below:
[Sat Nov 12 21:28:04.926797 2022] [socache_dbm:error] [pid 4280:tid 1092] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:/Apache24'
[Sat Nov 12 21:30:44.779314 2022] [mpm_winnt:error] [pid 4280:tid 2436] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[Mon Nov 14 07:22:54.300520 2022] [socache_dbm:error] [pid 4280:tid 1048] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:Apache24'
[Tue Nov 08 23:30:15.169189 2022] [proxy_http:error] [pid 8952:tid 1152] [client ::1:57555] AH01097: pass request body failed to [::1]:49115 (localhost) from ::1 ()
[Tue Nov 15 11:04:47.294809 2022] [proxy_http:error] [pid 8952:tid 1076] (70014)End of file found: [client ::1:54153] AH01102: error reading status line from remote server localhost:49115
We ran Process Monitor and started it on the httpd process. After a while we see many socket CLOSE_WAIT leaks at Apache's end, which were not recovering on their own. Restarting Apache was the only solution here.

This issue of Apache with ECC is observed while using TLSv1.2 as well as TLSv1.3.

Apache with RSA:
When used with TLSv1.2, Apache + RSA certificate (key length 2048/3072) works fine. No issues were observed for over 5 years.
But when used with TLSv1.3, all the above-mentioned issues for Apache with ECC were observed here too.
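The five error.log lines quoted in the post are the evidence an operator has to work from, so here is a small triage script for that log format. It is added example code, not something from the thread or from httpd; the diagnosis text per AH code is an editorial reading of what those modules report (AH00808 from mod_socache_dbm, AH00326 from mpm_winnt, AH01097/AH01102 from mod_proxy_http), and the sample batch is the set of lines quoted above.

```python
import re
from collections import Counter

# Apache 2.4 error.log shape as it appears in the post:
# [timestamp] [module:level] [pid N:tid M] [client A] (errno)errstr: AHnnnnn: message
# The [client ...] part can sit before or after the (errno)errstr part, hence two slots.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[\w-]+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:\((?P<errno>\d+)\)(?P<errstr>[^:]*): )?"
    r"(?:\[client (?P<client2>[^\]]+)\] )?"
    r"(?:(?P<ah>AH\d{5}): )?"
    r"(?P<msg>.*)$"
)

# What each code seen in the thread tells the operator (editorial reading, not httpd text).
DIAGNOSIS = {
    "AH00808": "mod_socache_dbm could not store a session/stapling entry: the DBM cache is "
               "exhausted, so resumption fails and every handshake is a full one; "
               "move SSLSessionCache/SSLStaplingCache to shmcb",
    "AH00326": "mpm_winnt ran out of worker threads; usually a downstream symptom of "
               "handshakes that are slower than the request rate, not the root cause",
    "AH01097": "mod_proxy could not pass a request body to the backend",
    "AH01102": "mod_proxy got EOF instead of a status line from the backend",
}

# Order in which findings are reported: root-cause candidates first, symptoms after.
REPORT_ORDER = ("AH00808", "AH00326", "AH01097", "AH01102")


def parse_line(line):
    """Parse one error.log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = rec["client"] or rec["client2"]  # normalise the two client slots
    del rec["client2"]
    return rec


def triage(lines):
    """Count AH codes in a batch of lines and return the ordered findings."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        # Fall back to module:level for messages without an AH code.
        counts[rec["ah"] or f"{rec['module']}:{rec['level']}"] += 1
    findings = [(code, counts[code], DIAGNOSIS[code])
                for code in REPORT_ORDER if counts[code]]
    return {"counts": dict(counts), "findings": findings, "unparsed": unparsed}


# Sample batch: the five lines quoted in the post above.
SAMPLE = [
    "[Sat Nov 12 21:28:04.926797 2022] [socache_dbm:error] [pid 4280:tid 1092] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:/Apache24'",
    "[Sat Nov 12 21:30:44.779314 2022] [mpm_winnt:error] [pid 4280:tid 2436] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting",
    "[Mon Nov 14 07:22:54.300520 2022] [socache_dbm:error] [pid 4280:tid 1048] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:Apache24'",
    "[Tue Nov 08 23:30:15.169189 2022] [proxy_http:error] [pid 8952:tid 1152] [client ::1:57555] AH01097: pass request body failed to [::1]:49115 (localhost) from ::1 ()",
    "[Tue Nov 15 11:04:47.294809 2022] [proxy_http:error] [pid 8952:tid 1076] (70014)End of file found: [client ::1:54153] AH01102: error reading status line from remote server localhost:49115",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for code, n, why in result["findings"]:
        print(f"{code} x{n}: {why}")
    print(f"unparsed lines: {result['unparsed']}")
```

Run it against a real error.log with `triage(open(path).read().splitlines())`; the point of the report order is that the thread-exhaustion and proxy errors appear after the cache failure, so the cache is the line to chase first.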
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7169 Location: Germany, Next to Hamburg
Posted: Sun 04 Dec '22 0:05 Post subject:

I had the same issues with the curves. Current working config:
Code:
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; preload"
    </IfModule>
</If>
SSLUseStapling On
# shared-memory caches (shmcb), sizes in bytes
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
# only TLS 1.2 and TLS 1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
# TLS 1.2 suites (the "SSL" keyword) and TLS 1.3 suites are configured separately
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
# ECDH key-exchange curve and the curves offered to clients
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
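The difference between the two configs in this thread comes down to a handful of mod_ssl directives, so here is a directive-level lint that flags the weak settings and passes the working ones. This is added example code, not part of the thread, of James Blond's config or of httpd; the rule set is the editor's own, and the WEAK_CONF sample is constructed (modelled on the first post, with a dbm: session cache added to match the AH00808 errors it reports). GOOD_CONF is the working config quoted above.

```python
import re


def parse_directives(conf_text):
    """Flatten a config fragment into (directive, args) pairs. Container tags and
    comments are skipped because the rules below do not depend on scope."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs


def enabled_protocols(spec):
    """Evaluate an SSLProtocol argument list: bare or '+' names enable, '-' names
    disable, 'all' expands to every version; tokens are applied left to right."""
    known = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
    enabled = set()
    for tok in spec.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = known if name == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def lint_ssl_config(conf_text):
    """Return [(severity, message), ...]; an empty list means no rule fired."""
    by_name = {}
    for name, args in parse_directives(conf_text):
        by_name.setdefault(name, []).append(args)
    findings = []

    # Caches: dbm: is what produced AH00808 in the thread; shmcb lives in shared memory.
    for directive in ("SSLSessionCache", "SSLStaplingCache"):
        if any(a.lower().startswith("dbm:") for a in by_name.get(directive, [])):
            findings.append(("high", f"{directive} uses dbm:, which fills up under load "
                                     f"(AH00808); use shmcb: with an explicit size"))
    if (by_name.get("SSLUseStapling", ["off"])[0].lower() == "on"
            and "SSLStaplingCache" not in by_name):
        findings.append(("high", "SSLUseStapling On without SSLStaplingCache; "
                                 "mod_ssl rejects this at startup"))

    # Protocol versions: the mod_ssl default leaves TLS 1.0/1.1 enabled.
    if "SSLProtocol" not in by_name:
        findings.append(("medium", "SSLProtocol not set; TLS 1.0/1.1 stay negotiable"))
    else:
        legacy = enabled_protocols(by_name["SSLProtocol"][0]) & {"sslv3", "tlsv1", "tlsv1.1"}
        if legacy:
            findings.append(("medium", f"SSLProtocol leaves {sorted(legacy)} enabled"))

    if by_name.get("SSLCompression", ["off"])[0].lower() == "on":
        findings.append(("high", "SSLCompression On leaks plaintext through compressed "
                                 "record length (CRIME); set Off"))

    # Curves: secp256k1 is not among the TLS 1.3 supported groups (RFC 8446).
    for args in by_name.get("SSLOpenSSLConfCmd", []):
        cmd, _, value = args.partition(" ")
        if cmd.lower() == "curves" and "secp256k1" in value.lower().split(":"):
            findings.append(("medium", "secp256k1 is not a TLS 1.3 group and browsers "
                                       "do not offer it; use secp256r1/secp384r1/secp521r1"))
    return findings


# Constructed sample modelled on the first post; the dbm: path is a placeholder.
WEAK_CONF = """
SSLSessionCache dbm:C:/Apache24/logs/ssl_scache
<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLOpenSSLConfCmd Curves secp256k1:secp256r1
    SSLCertificateFile ../SSLCertificates/server/cert.pem
    SSLCertificateKeyFile ../SSLCertificates/server/key.pem
</VirtualHost>
"""

# The working config from the post above.
GOOD_CONF = """
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(label, lint_ssl_config(conf) or "no findings")
```

The lint ignores container scope on purpose: SSLSessionCache and SSLStaplingCache are server-config directives, so a real check of a full httpd.conf would also have to follow Include lines to find where they are set.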