Starting Aid for Imperfect SSL Clients

Posted: November 9, 2010 / in: Nuts and Bolts

This article shows you how to work around show-stoppers in development projects when you are using minimalistic or buggy SSL library implementations. This covers every use case in which SSL is employed, e.g. HTTPS, LDAPS, SMTPS etc.

The procedure illustrated here is not specific to the Apache web server, but Apache is used to provide an exemplary solution for avoiding critical situations when developing software for embedded devices, or when you are required to use a given SSL client library.

SSL Sessions

There are SSL clients out there that expect SSL servers to provide a unique session id when a network connection is initialized. In fact, for performance reasons, high-traffic servers often implement this feature. But the SSL specifications do not force servers to provide SSL session ids.

This can lead to problems when opening SSL-secured connections: the SSL handshake fails and your client system is unable to communicate with the server backend systems.

Finding out Details

If you are not sure how your server responds when an SSL connection is initialized, you can start a connection manually and check the connection properties. To find out how your server behaves, you can use the following command.

# open a connection to port 443 at server 'host' 
$ openssl s_client -connect host:443
 

The following example shows connection details for two separate hosts opened via HTTPS. The first connection does not contain a session id; the second one does.

# connection details for host without returning a unique session id
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
 -> Session-ID:
    Session-ID-ctx:
    Master-Key: 65AD27FBE7993BAF655815E6E255AE2648C8E088A22E851A2CD78D...
    Key-Arg   : None
    Start Time: 1289306470
    Timeout   : 300 (sec)
 
# connection details for host returning a unique session id
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
 -> Session-ID: 2FEFA33761A2CBC7032346FBEC517F6C0ED6544010BB2CB895FB37BB2253D723
    Session-ID-ctx:
    Master-Key: C1783840F28A488C6799BD1813CE83D45A3BC9328325377AA9740D2...
    Key-Arg   : None
    Start Time: 1289306450
    Timeout   : 300 (sec)
 
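To turn the manual check above into something repeatable, here is an added example (not part of the original article) that classifies a server by the `Session-ID` field in the `SSL-Session:` block printed by `openssl s_client`. The function names are mine; the sample transcripts are constructed from the two outputs shown above, so the script runs offline. On a live system the same functions take the s_client output on stdin:

```shell
#!/bin/sh
# Added example: classify a server by the Session-ID that "openssl s_client"
# reports. Live usage (assumed invocation, exits s_client after the handshake):
#   openssl s_client -connect host:443 </dev/null 2>/dev/null | session_id_class

# Internal: emit "id=<hex>" for the first Session-ID line found on stdin.
# A leading "->" marker (as used in the transcripts above) is tolerated;
# "Session-ID-ctx:" does not match because the colon must follow "ID".
_session_id_field() {
    sed -n 's/^[[:space:]]*\(->[[:space:]]*\)\{0,1\}Session-ID:[[:space:]]*\([0-9A-Fa-f]*\).*$/id=\2/p' | head -n 1
}

# Print the hex Session-ID (an empty string when the server sent a null id).
session_id_of() {
    _session_id_field | sed 's/^id=//'
}

# Print "present"  when a non-empty session id was returned,
#       "absent"   when the Session-ID field exists but is empty,
#       "unparsed" when no SSL-Session block was found at all.
session_id_class() {
    field=$(_session_id_field)
    case "$field" in
        "")   echo unparsed ;;
        id=)  echo absent ;;
        id=*) echo present ;;
    esac
}

# Constructed sample transcripts (abridged copies of the two outputs above).
SAMPLE_NO_ID='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 65AD27FBE7993BAF655815E6E255AE26'
SAMPLE_WITH_ID='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
 -> Session-ID: 2FEFA33761A2CBC7032346FBEC517F6C0ED6544010BB2CB895FB37BB2253D723
    Session-ID-ctx:
    Master-Key: C1783840F28A488C6799BD1813CE83D4'

# Stand-alone demonstration.
echo "host without session id: $(printf '%s\n' "$SAMPLE_NO_ID" | session_id_class)"
echo "host with session id:    $(printf '%s\n' "$SAMPLE_WITH_ID" | session_id_class)"
```

A server that returns `absent` here is exactly the case the article is about: a client that insists on a non-null session id will fail its handshake against it. Once the server has been reconfigured, `openssl s_client -connect host:443 -reconnect` additionally verifies that the id can actually be reused for session resumption, which is what the cache is for.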

Build a Workaround

To persuade your buggy SSL client library to communicate with the backend systems, you have to teach your backend system to provide an SSL session id. If you are asking yourself which of your backend systems is affected, the answer is very simple: it is the one performing the SSL termination!

Advanced SSL server implementations provide the option of adding SSL session ids. An exemplary configuration is shown using the Apache web server 2.x.

The Apache server provides a configuration parameter dedicated to SSL hosts. This parameter activates the generation of SSL session ids and hence an optimized session handling. The following description lists the configuration settings for the parameter SSLSessionCache, valid for Apache 2.2 servers. Previous implementations provide just a subset of the storage types.

Directive: SSLSessionCache 
 
Description: Type of the global/inter-process SSL Session Cache
Syntax:   SSLSessionCache type
Default:  SSLSessionCache none
Context:  server config
Status:   Extension
Module:   mod_ssl
 
This configures the storage type of the global/inter-process SSL Session Cache. 
This cache is an optional facility which speeds up parallel request processing. 
For requests to the same server process (via HTTP keep-alive), OpenSSL already 
caches the SSL session information locally. But because modern clients request 
inlined images and other data via parallel requests (usually up to four parallel 
requests are common) those requests are served by different pre-forked server 
processes. Here an inter-process cache helps to avoid unnecessary session handshakes.
 
The following four storage types are currently supported:
 
none
This disables the global/inter-process Session Cache. This will incur a noticeable 
speed penalty and may cause problems if using certain browsers, particularly if client 
certificates are enabled. This setting is not recommended.
 
nonenotnull
This disables any global/inter-process Session Cache. However it does force OpenSSL to 
send a non-null session ID to accommodate buggy clients that require one.
 
dbm:/path/to/datafile
This makes use of a DBM hashfile on the local disk to synchronize the local OpenSSL 
memory caches of the server processes. This session cache may suffer reliability issues 
under high load.
 
shm:/path/to/datafile[(size)]
This makes use of a high-performance cyclic buffer (approx. size bytes in size) inside 
a shared memory segment in RAM (established via /path/to/datafile) to synchronize the 
local OpenSSL memory caches of the server processes. This is the recommended session cache.
 
dc:UNIX:/path/to/socket
This makes use of the distcache distributed session caching libraries. The argument 
should specify the location of the server or proxy to be used using the distcache 
address syntax; for example, UNIX:/path/to/socket specifies a UNIX domain socket 
(typically a local dc_client proxy); IP:server.example.com:9001 specifies an IP address.
 
 
Examples
 
  SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
  SSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)
 

Example 

The following snippet of a configuration file illustrates how to configure a virtual host for handling SSL-enabled connections.

Note: The first line enables the discussed session property. The second one sets the lifetime of the session data in seconds. As the description above points out, the dbm storage type may suffer reliability issues under high load; shm is the recommended cache type for production servers.

[...]
# speed-up of connection handling by utilizing the SSL Session Cache
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 180

<VirtualHost _default_:443>
  DocumentRoot "/usr/local/apache2/htdocs"
  ServerName 192.168.0.11:443
  ServerAdmin ServerAdmin@domain1.org
  ErrorLog /usr/local/apache2/logs/error_ssl_log
  TransferLog /usr/local/apache2/logs/access_ssl_log

  # turn on SSL support
  SSLEngine on
  # Certificate and key
  SSLCertificateFile /usr/local/apache2/conf/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/server.key

  # the dot must be escaped, otherwise it matches any character
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    # provide std. variables for PHP, SSI and CGI
    SSLOptions +StdEnvVars
  </Files>

  <Directory "/usr/local/apache2/cgi-bin">
    # provide std. variables for CGI scripts
    SSLOptions +StdEnvVars
  </Directory>

  # custom logfile for SSL connections (%t is the request time)
  CustomLog ssl_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %b"
</VirtualHost>

[...]
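Since the effect of SSLSessionCache on the session id is easy to get wrong (the default of `none` sends no session id at all), here is an added example (not part of the original article, not an Apache tool) that audits a httpd configuration file for that directive and reports what the setting means for clients that require a non-null session id, following the four storage types described above. Function names and the sample configuration files are mine; the files are constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: audit an Apache config for SSLSessionCache and classify the
# setting with respect to clients that insist on a non-empty session id.

# Print the value of the first active SSLSessionCache directive in file $1.
# Comment lines are skipped; the directive name is matched case-insensitively,
# as Apache treats directive names. Prints nothing when the directive is absent.
session_cache_setting() {
    awk 'tolower($1) == "sslsessioncache" { print $2; exit }' "$1"
}

# Classify the setting of file $1. Prints one of:
#   missing      directive absent; Apache defaults to "none"
#   no-id        "none": no inter-process cache, null session id sent
#   id-no-cache  "nonenotnull": non-null id sent for buggy clients, nothing cached
#   id-cached    dbm:/shm:/dc: cache configured, id sent and reusable
#   unknown      anything else
session_cache_class() {
    value=$(session_cache_setting "$1")
    value_lc=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    case "$value_lc" in
        "")               echo missing ;;
        none)             echo no-id ;;
        nonenotnull)      echo id-no-cache ;;
        dbm:*|shm:*|dc:*) echo id-cached ;;
        *)                echo unknown ;;
    esac
}

# Constructed sample configurations: the weak setting beside the corrected one.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# SSLSessionCache shm:/usr/local/apache2/logs/ssl_scache(512000)
SSLSessionCache none
SSLSessionCacheTimeout 180
EOF
cat > "$tmp/fixed.conf" <<'EOF'
SSLSessionCache shm:/usr/local/apache2/logs/ssl_scache(512000)
SSLSessionCacheTimeout 180
EOF

# Stand-alone demonstration.
echo "weak.conf:  $(session_cache_class "$tmp/weak.conf")"
echo "fixed.conf: $(session_cache_class "$tmp/fixed.conf")"
```

Run it against the real httpd.conf of the SSL-terminating server; anything other than `id-cached` (or `id-no-cache`, if you deliberately want the session id without a cache) is the setting to change. The check only looks at the first active directive, which is what Apache uses in the server context.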
 
At the Open Source Support Portal Linux-Support.com you can find profound system engineers for administration and development. If you are looking for assistance, you will receive first-class support!

© Copyrights and Licenses, 2012 - Linux-Support.com The Professional Linux and OSS Services Portal