Bug#113067: 'bad record mac' + SessionCache + libmm
FREENODE#debian-apache discussion regarding the issue of --with-mm:
09:36 < luca> ping
09:36 < Mithrandir> pong
09:36 < luca> can you read 212410, 196004 and 87289 and give me your opinion?
09:37 < luca> essentially:
09:37 < luca> latest libapache-mod-ssl has some problems with SSL session cache
09:37 < luca> which causes clients to get 404 or 'invalid message authentication
code'
09:38 < luca> setting SSLSessionCache none fixes it at significant performance
loss
09:38 < luca> apparently, according to 196004, this is because the dbm
mechanism isn't reliable
09:38 < luca> an alternate, shm mechanism could be enabled but there are issues
with it as described in 87289
09:39 < luca> these could be overcome, but require coordination of apache,
libapache-mod-ssl, etc.
09:42 < Mithrandir> sounds like some kind of locking issue with dbm..
09:45 < luca> perhaps
09:46 < luca> the 'no such file or directory' makes me think that the dbm file
is periodically cleaned (removed)
09:46 < luca> perhaps the SSLSessionCacheTimeout code is fubar
09:46 < luca> what i don't understand is why this appears to be a Debian-only
problem
09:46 < luca> googling for 'bad record mac' reveals very little
09:47 < luca> googling for 'received an invalid message authentication code'
same
09:48 < luca> http://article.gmane.org/gmane.comp.apache.mod-ssl.user/2976
09:48 < luca> I've seen similar problems a long time ago - I would recommend
09:48 < luca> installing the MM library and using an shm based session cache.
09:49 < Mithrandir> hmm
09:50 < luca> i sent an email to the above bug reports
09:51 < luca> i would encourage you folks to enable --with-mm by evaluating the
patches at http://pflanze.mine.nu/~chris/debian/apache/
09:51 < luca> i suspect that this may be a debian-only issue because other
vendors ship with mm support and have their default httpd.conf
using shm based session cache
09:52 < Mithrandir> maybe so, but then you have the problem if you start it as
non-root
09:52 < Mithrandir> (though, who does that?)
09:52 < Mithrandir> I'd recommend asking thom, he should know
09:54 < luca> those patches at http://pflanze.mine.nu/~chris/debian/apache
apparently address this
09:55 < Mithrandir> it's worth a try.
09:55 < Mithrandir> care to mail this information to one of the bugs?
09:55 < luca> this irc log?
09:55 < luca> sure
09:55 < luca> well, i'll email it to all the bugs :)
--
Luca Filipozzi
"Linux gives us the power to crush those that oppose us." - switchlinux
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D