Apache Lounge
Topic: APACHE issue with RSA and ECC on systems

Author: Sraahvan
Posted: Tue 29 Nov '22 8:55

We are observing issues with Apache + ECC and Apache + RSA, which are listed below.


httpd configuration:

Code:

<VirtualHost *:443>
    # mod_headers: rewrite Set-Cookie so every cookie carries Secure, and all
    # cookies except the three listed ones also carry HttpOnly
    Header edit Set-Cookie (.*) "$1;Secure"
    Header edit Set-Cookie ^((?!(siemens_automation_language|breadcrumb_autorefresh|sinema_DLS)).*)$ $1;HttpOnly;Secure
    ServerAdmin sinema@localhost.com
    ServerName "localhost"
    # mod_ssl: terminate TLS on this vhost and use TLS towards proxied backends
    SSLEngine on
    SSLProxyEngine on
    # mod_security rule engine
    SecRuleEngine On
    SSLCertificateFile ../SSLCertificates/server/cert.pem
    SSLCertificateKeyFile ../SSLCertificates/server/key.pem
    SSLCACertificateFile ../SSLCertificates/sinecnmsca/cacert.pem
</VirtualHost>



In our application there is 1 master and 100 slaves, each sending a heartbeat every minute to the master (100 HB/min at the master).

Apache with ECC:

Recently we had a requirement to move to ECC, so Apache + an ECC certificate is used (curves secp256k1, secp256r1 or secp384r1). It works only for some time and later the UI does not respond at all: the UI is very slow and later it throws the error "localhost took time to respond" or "proxy error". In the Apache error.log we find the errors below:

Code:

[Sat Nov 12 21:28:04.926797 2022] [socache_dbm:error] [pid 4280:tid 1092] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:/Apache24'
[Sat Nov 12 21:30:44.779314 2022] [mpm_winnt:error] [pid 4280:tid 2436] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[Mon Nov 14 07:22:54.300520 2022] [socache_dbm:error] [pid 4280:tid 1048] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:Apache24'
[Tue Nov 08 23:30:15.169189 2022] [proxy_http:error] [pid 8952:tid 1152] [client ::1:57555] AH01097: pass request body failed to [::1]:49115 (localhost) from ::1 ()
[Tue Nov 15 11:04:47.294809 2022] [proxy_http:error] [pid 8952:tid 1076] (70014)End of file found: [client ::1:54153] AH01102: error reading status line from remote server localhost:49115

We ran Process Monitor on the httpd process. After a while we see many socket CLOSE_WAIT leaks at Apache's end, which did not recover on their own. Restarting Apache was the only solution here.

This issue of Apache with ECC is observed while using TLSv1.2 as well as TLSv1.3.


Apache with RSA:

When used with TLSv1.2, Apache + RSA certificate (key length 2048/3072) works fine. No issues were observed for over 5 years.

But when used with TLSv1.3, all the above-mentioned issues for Apache with ECC were observed here too.
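The five error.log lines quoted in the post are exactly what a monitoring job should catch before the UI stops answering. The following is an added example, not code from the original post or from httpd: a small Python triage script that parses the default httpd 2.4 error_log layout, counts AH codes and modules over a sample built from the post's own lines, and maps each code to a remediation hint. The hints (move the TLS session cache off dbm to shmcb, raise ThreadsPerChild and chase CLOSE_WAIT sockets, check the proxied backend) are this example's own reading of the thread, and the parser copes with the two field orders the post shows (errno before or after the client address).

```python
"""Triage Apache httpd error.log lines for the failure pattern reported above.

Added example, not part of httpd or of the original post. SAMPLE_LOG holds the
five error.log entries quoted in the post; the parser follows the default 2.4
ErrorLogFormat and the per-code advice in ADVICE is this example's own reading.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# [timestamp] [module:level] [pid N:tid N] <rest>; where "(errno)text:" and
# "[client addr]" appear inside <rest> varies from module to module.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] ?(?P<rest>.*)$"
)
AH_CODE_RE = re.compile(r"\b(AH\d{5})\b")
ERRNO_RE = re.compile(r"\((\d+)\)[^:]*:")        # "(28)No space left on device:"
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")   # "[client ::1:57555]"

# What each code seen in the post points at (this example's interpretation).
ADVICE = {
    "AH00808": "TLS session cache write to the DBM file failed; "
               "use an shmcb SSLSessionCache instead of dbm",
    "AH00326": "worker threads exhausted; raise ThreadsPerChild and look for "
               "connections stuck in CLOSE_WAIT",
    "AH01097": "reverse proxy could not pass the request body to the backend",
    "AH01102": "backend closed the connection before returning a status line",
}


@dataclass
class ErrorEvent:
    ts: str
    module: str
    level: str
    pid: int
    tid: Optional[int]
    code: Optional[str]
    errno: Optional[int]
    client: Optional[str]
    rest: str


def parse_line(line: str) -> Optional[ErrorEvent]:
    """Return an ErrorEvent for one error.log line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    code = AH_CODE_RE.search(rest)
    errno = ERRNO_RE.search(rest)
    client = CLIENT_RE.search(rest)
    return ErrorEvent(
        ts=m.group("ts"), module=m.group("module"), level=m.group("level"),
        pid=int(m.group("pid")),
        tid=int(m.group("tid")) if m.group("tid") else None,
        code=code.group(1) if code else None,
        errno=int(errno.group(1)) if errno else None,
        client=client.group(1) if client else None,
        rest=rest,
    )


def triage(lines):
    """Parse lines, count AH codes and modules, attach the advice for each code."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    by_code = Counter(e.code for e in events if e.code)
    by_module = Counter(e.module for e in events)
    findings = [
        f"{code} x{n} ({', '.join(sorted({e.module for e in events if e.code == code}))}): "
        f"{ADVICE.get(code, 'no rule for this code')}"
        for code, n in sorted(by_code.items())
    ]
    return {
        "events": events,
        "by_code": dict(by_code),
        "by_module": dict(by_module),
        "findings": findings,
        # both symptoms from the post present in the same log
        "cache_failing_and_threads_exhausted": "AH00808" in by_code and "AH00326" in by_code,
    }


# Sample input: the five lines quoted in the post.
SAMPLE_LOG = [
    "[Sat Nov 12 21:28:04.926797 2022] [socache_dbm:error] [pid 4280:tid 1092] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:/Apache24'",
    "[Sat Nov 12 21:30:44.779314 2022] [mpm_winnt:error] [pid 4280:tid 2436] AH00326: Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting",
    "[Mon Nov 14 07:22:54.300520 2022] [socache_dbm:error] [pid 4280:tid 1048] (28)No space left on device: AH00808: Cannot store socache object to DBM file `C:Apache24'",
    "[Tue Nov 08 23:30:15.169189 2022] [proxy_http:error] [pid 8952:tid 1152] [client ::1:57555] AH01097: pass request body failed to [::1]:49115 (localhost) from ::1 ()",
    "[Tue Nov 15 11:04:47.294809 2022] [proxy_http:error] [pid 8952:tid 1076] (70014)End of file found: [client ::1:54153] AH01102: error reading status line from remote server localhost:49115",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it as-is to see the four findings for the sample; to use it on a live server, replace SAMPLE_LOG with the lines read from the error.log path named by ErrorLog and alert when the AH00808 and AH00326 counters rise together.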
Author: James Blond (Moderator, Germany, next to Hamburg)
Posted: Sun 04 Dec '22 0:05

I had the same issues with the curves. Current working config:

Code:

# HSTS on the TLS port
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; preload"
    </IfModule>
</If>
# OCSP stapling and TLS session cache, both in shared memory (shmcb)
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
# TLS 1.2 and 1.3 only, server-side cipher preference, no TLS compression
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
# TLSv1.2 suites (first line) and TLSv1.3 suites (second line)
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

# Key-exchange curves handed straight to OpenSSL
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
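To compare the first post's setup with the reply's working config mechanically, here is an added example (not part of httpd or of either post): a Python linter over an httpd TLS fragment that flags a dbm-backed SSLSessionCache (the backend named in the AH00808 lines of the first post), legacy protocol versions left enabled by SSLProtocol, a missing SSLHonorCipherOrder, stapling without a stapling cache, and reports the Curves list. CONFIG_POST is constructed: the first post did not show its session cache or protocol lines, so a dbm session cache and httpd's documented default SSLProtocol (all -SSLv3) are assumed alongside its VirtualHost. CONFIG_REPLY is the reply's config verbatim. The rules are this example's own, not httpd's.

```python
"""Lint an httpd TLS configuration fragment for the settings this thread turns on.

Added example, not part of httpd or of either post. The rules are this example's
reading of the thread: a dbm-backed SSLSessionCache is the backend named in the
first post's AH00808 lines, and the reply's working config uses shmcb instead.
"""
import shlex

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def directives(config: str):
    """Yield (lowercased name, args) per directive; skips comments and <Container> lines."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)          # honours the quoting httpd uses
        yield parts[0].lower(), parts[1:]


def enabled_protocols(tokens):
    """Apply SSLProtocol tokens left to right: 'all', '+name', '-name', bare 'name'."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def lint_tls_config(config: str) -> dict:
    """Return findings plus the protocol set and Curves list the fragment selects."""
    seen = {}
    for name, args in directives(config):
        seen.setdefault(name, []).append(args)
    findings = []

    caches = seen.get("sslsessioncache", [])
    if not caches:
        findings.append("SSLSessionCache not in this fragment; confirm the server-wide setting is shmcb")
    for args in caches:
        scheme = args[0].split(":", 1)[0].lower() if args else ""
        if scheme == "dbm":
            findings.append("SSLSessionCache uses dbm: the backend behind AH00808 "
                            "'Cannot store socache object to DBM file'; use shmcb:path(bytes)")
        elif scheme == "none":
            findings.append("SSLSessionCache none: every TLS connection does a full handshake")

    protocols = None
    for args in seen.get("sslprotocol", []):
        protocols = enabled_protocols(args)
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("SSLProtocol still enables " + ", ".join(legacy))
    if protocols and "TLSv1.2" in protocols and "sslhonorcipherorder" not in seen:
        findings.append("SSLHonorCipherOrder not set; the client picks the TLSv1.2 suite")

    stapling_on = any(a and a[0].lower() == "on" for a in seen.get("sslusestapling", []))
    if stapling_on and "sslstaplingcache" not in seen:
        findings.append("SSLUseStapling On without SSLStaplingCache")

    curves = [a[1].split(":") for a in seen.get("sslopensslconfcmd", [])
              if len(a) >= 2 and a[0].lower() == "curves"]
    return {"findings": findings, "protocols": protocols, "curves": curves[-1] if curves else None}


# Constructed: the first post's VirtualHost plus an ASSUMED dbm session cache
# (server context) and httpd's documented default SSLProtocol; the post showed neither.
CONFIG_POST = """
SSLSessionCache dbm:C:/Apache24/logs/ssl_scache
SSLProtocol all -SSLv3
<VirtualHost *:443>
    ServerName "localhost"
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile ../SSLCertificates/server/cert.pem
    SSLCertificateKeyFile ../SSLCertificates/server/key.pem
</VirtualHost>
"""

# Copied from the reply above.
CONFIG_REPLY = """
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; preload"
    </IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1
"""

if __name__ == "__main__":
    for label, cfg in (("post", CONFIG_POST), ("reply", CONFIG_REPLY)):
        print(label, lint_tls_config(cfg))
```

Against the constructed CONFIG_POST the linter reports the dbm cache, the TLSv1/TLSv1.1 left enabled by the default, and the missing SSLHonorCipherOrder; against CONFIG_REPLY it reports nothing and returns the TLSv1.2/TLSv1.3 set and the two curves. It only reads the text it is given, so run it on the merged server config (including Include files) rather than a single vhost fragment.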