Apache Lounge
Forum Index -> Apache
Topic: APACHE issue with RSA and ECC on systems
Author: Sraahvan (Joined: 21 Oct 2022, Posts: 7)
Posted: Tue 29 Nov '22 8:55    Post subject: APACHE issue with RSA and ECC on systems

We are observing issues with Apache + ECC and Apache + RSA, which are listed below.


httpd configuration:

Code:

<VirtualHost *:443>
    Header edit Set-Cookie (.*) "$1;Secure"
    Header edit Set-Cookie ^((?!(siemens_automation_language|breadcrumb_autorefresh|sinema_DLS)).*)$ "$1;HttpOnly;Secure"
    ServerAdmin sinema@localhost.com
    ServerName "localhost"
    SSLEngine on
    SSLProxyEngine on
    SecRuleEngine On
    SSLCertificateFile ../SSLCertificates/server/cert.pem
    SSLCertificateKeyFile ../SSLCertificates/server/key.pem
    SSLCACertificateFile ../SSLCertificates/sinecnmsca/cacert.pem

In our application there is 1 master and 100 slaves, each slave sending a heartbeat every minute to the master (100 HB/min at the master).

Apache with ECC:

Recently we had a requirement to move to ECC, so Apache + ECC certificate is used (curves secp256k1, secp256r1 or secp384r1). It works only for some time and later the UI does not respond at all: the UI is very slow and later it throws the error "localhost took time to respond" or "proxy error". In the Apache error.log we could find the errors below:

[Sat Nov 12 21:28:04.926797 2022] [socache_dbm:error] [pid 4280:tid 1092] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:/Apache24'

[Sat Nov 12 21:30:44.779314 2022] [mpm_winnt:error] [pid 4280:tid 2436] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting

[Mon Nov 14 07:22:54.300520 2022] [socache_dbm:error] [pid 4280:tid 1048] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:Apache24'

[Tue Nov 08 23:30:15.169189 2022] [proxy_http:error] [pid 8952:tid 1152] [client ::1:57555] AH01097: pass request body failed to [::1]:49115 (localhost) from ::1 ()

[Tue Nov 15 11:04:47.294809 2022] [proxy_http:error] [pid 8952:tid 1076] (70014)End of file found: [client ::1:54153] AH01102: error reading status line from remote server localhost:49115

We ran Process Monitor on the httpd process. After a while we see many socket CLOSE_WAIT leaks at Apache's end, which were not recovering on their own. Restarting Apache was the only solution here.

This issue of Apache with ECC is observed while using TLSv1.2 as well as TLSv1.3.


Apache with RSA:

When used with TLSv1.2:
Apache + RSA certificate (key length 2048/3072) works fine. No issues were observed for over 5 years.

But when used with TLSv1.3:
All the above-mentioned issues for Apache with ECC were observed here too.
Author: James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7288, Location: Germany, Next to Hamburg)
Posted: Sun 04 Dec '22 0:05

I had the same issues with the curves. Current working config:

Code:

<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; preload"
    </IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
Author: Sraahvan (Joined: 21 Oct 2022, Posts: 7)
Posted: Thu 23 Feb '23 12:14    Post subject: observing this issue after adding the changes suggested

Thanks for the reply.
The config changes suggested are not fixing the issue, and we are still observing the below-mentioned issue with Apache + any End Entity certificate issued by an ECC-based CA:


httpd configuration:

Code:

<VirtualHost *:443>
    Header edit Set-Cookie (.*) "$1;Secure"
    Header edit Set-Cookie ^((?!(siemens_automation_language|breadcrumb_autorefresh|sinema_DLS)).*)$ "$1;HttpOnly;Secure"
    ServerAdmin sinema@localhost.com
    ServerName "localhost"
    SSLEngine on
    SSLProxyEngine on
    SecRuleEngine On
    SSLCertificateFile ../SSLCertificates/server/cert.pem
    SSLCertificateKeyFile ../SSLCertificates/server/key.pem
    SSLCACertificateFile ../SSLCertificates/sinecnmsca/cacert.pem

In our application we have 1 master and 100 slaves, and the slaves are sending a heartbeat every minute to the master (100 HB/min received at the master).
Apache is configured with an End Entity certificate (RSA- or ECC-based End Entity) issued by an ECC-based CA. The End Entity certificate is signed with the sha256ECDSA signature algorithm.
Apache works fine if the RSA- or ECC-based End Entity certificate is signed by an RSA-based parent CA (sha256RSA signature algorithm).
But Apache becomes slow and unresponsive if the RSA- or ECC-based End Entity certificate is signed by an ECC-based parent CA (sha256ECDSA signature algorithm).

The issue is that it works only for some time and later the UI does not respond at all: the UI is very slow and later it throws the error "localhost took time to respond" or "proxy error". In the Apache error.log we could find the errors below:

[socache_dbm:error] [pid 4280:tid 1092] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:/Apache24'
[mpm_winnt:error] [pid 4280:tid 2436] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[socache_dbm:error] [pid 4280:tid 1048] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:Apache24'
[proxy_http:error] [pid 8952:tid 1152] [client ::1:57555] AH01097: pass request body failed to [::1]:49115 (localhost) from ::1 ()
[proxy_http:error] [pid 8952:tid 1076] (70014)End of file found: [client ::1:54153] AH01102: error reading status line from remote server localhost:49115

We ran Process Monitor on the httpd process. After a while we see many socket CLOSE_WAIT leaks at Apache's end, which were not recovering on their own. Restarting Apache was the only solution here.

This issue of Apache with an End Entity certificate signed with the sha256ECDSA signature algorithm is observed while using TLSv1.2 as well as TLSv1.3.
Author: James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7288, Location: Germany, Next to Hamburg)
Posted: Thu 23 Feb '23 14:59

The first thing that I see is "No space left on device" aka your C: disk is full.
Author: Sraahvan (Joined: 21 Oct 2022, Posts: 7)
Posted: Mon 27 Feb '23 11:34

"C: has enough space, a number of GBs." So low space on C: is not the issue. Kindly help.
Author: James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7288, Location: Germany, Next to Hamburg)
Posted: Mon 27 Feb '23 14:37

Another idea is insufficient permissions.
What are your SSLSessionCache and SSLStaplingCache set to?

You may try

Code:

SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
Author: Sraahvan (Joined: 21 Oct 2022, Posts: 7)
Posted: Wed 01 Mar '23 15:18

Hi,

These two cache settings are already present and both values are set to 512000.

We are facing this issue in Apache only when the root CA or the signing CA is of ECC type. If the signing CA is of ECC type, and the signature algorithm of the child certificate is sha256ECDSA, then Apache becomes slow during the handshake and lots of CLOSE_WAIT states are observed. But when the signing CA is of RSA type (sha256RSA), Apache runs fine and we do not see this issue.
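The distinction this thread keeps coming back to is not the key type of the server certificate but the algorithm the issuing CA used to sign it. Before changing Apache settings it is worth confirming which shape a deployment actually has, since `openssl x509 -text` shows both the subject key type and the signature algorithm. The script below is an added example written for this page (not code from the thread or from Apache Lounge): it builds two throwaway chains in a temporary directory, one with an ECC (secp384r1) CA and one with an RSA CA, each signing an RSA End Entity certificate, and then classifies each leaf the way the thread distinguishes the working and failing cases. File names follow the thread's config (cacert.pem, cert.pem, key.pem); the CA names, the 1-day validity and the helper function names are constructed for the example. It assumes `openssl` (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example (not the original poster's or Apache Lounge's code).
# Builds two constructed chains, ECC-signed and RSA-signed, and reports the
# property the thread singles out: the signature algorithm on the leaf.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_chain <ec|rsa>: create cacert.pem (CA of the given key type), plus an RSA
# key.pem / cert.pem leaf signed by that CA, under "$WORK/<type>/".
make_chain() {
    d="$WORK/$1"
    mkdir -p "$d"
    if [ "$1" = ec ]; then
        openssl ecparam -name secp384r1 -genkey -noout -out "$d/ca.key" 2>/dev/null
    else
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/ca.key" 2>/dev/null
    fi
    # Self-signed CA certificate; with -sha256 this yields ecdsa-with-SHA256 or sha256WithRSAEncryption.
    openssl req -x509 -new -key "$d/ca.key" -sha256 -days 1 \
        -subj "/CN=constructed $1 CA" -out "$d/cacert.pem" 2>/dev/null
    # RSA 2048 leaf key and CSR, as in the thread's "RSA End Entity" case.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key.pem" 2>/dev/null
    openssl req -new -key "$d/key.pem" -subj "/CN=localhost" -out "$d/server.csr" 2>/dev/null
    # Leaf signed by the CA: the signature algorithm follows the CA key, not the leaf key.
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$d/cert.pem" 2>/dev/null
}

# sig_alg <cert.pem>: the algorithm the certificate was signed with.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# key_type <cert.pem>: the algorithm of the subject's public key.
key_type() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# verify_chain <ec|rsa>: confirm cert.pem chains to its cacert.pem; prints "<path>: OK".
verify_chain() {
    openssl verify -CAfile "$WORK/$1/cacert.pem" "$WORK/$1/cert.pem"
}

# chain_shape <cert.pem>: label the leaf the way the thread separates the two cases.
chain_shape() {
    case "$(sig_alg "$1")" in
        ecdsa-with-*)       echo "leaf signed by ECC CA (ECDSA signature)" ;;
        *WithRSAEncryption) echo "leaf signed by RSA CA (RSA signature)" ;;
        *)                  echo "leaf signature algorithm: $(sig_alg "$1")" ;;
    esac
}

for ca in ec rsa; do
    make_chain "$ca"
    echo "CA key: $(key_type "$WORK/$ca/cacert.pem"), leaf key: $(key_type "$WORK/$ca/cert.pem"), leaf signature: $(sig_alg "$WORK/$ca/cert.pem") -> $(chain_shape "$WORK/$ca/cert.pem")"
    verify_chain "$ca"
done
```

Run `sig_alg` and `key_type` against the real `cert.pem` and `cacert.pem` from the `SSLCertificateFile` and `SSLCACertificateFile` paths to see which of the two cases a given server is in; both chains carry an RSA leaf key, so only the `Signature Algorithm` line tells them apart.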