1

For the context : Apache HTTPD 2.4.6-90.el7 on RHEL 7.4

  • I had a AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] warning in the logs, so I added to the configuration :
<IfModule socache_shmcb_module>
    SSLSessionCache shmcb:/run/httpd/sslcache(512000)
</IfModule>
  • I checked the socache_shmcb_module module is loaded :
$ httpd -M | grep shmcb
socache_shmcb_module (shared)
  • I checked the syntax was fine :
$httpd -t
Syntax OK
  • then did a graceful restart :
httpd -k graceful
  • afterwards, I saw no more AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] warning in the logs. Hours later, the whole HTTPD server was not functional anymore and the logs reported :
[socache_shmcb:error] AH00820: shared memory segment too small

The Apache documentation itself gives no details about the size of this cache, the value I applied is actually the one shown in examples.

How may I determine the acceptable size of this cache ? Do you have any details regarding this AH00820 error ?

Httqm
  • 225
  • 2
  • 10

2 Answers2

0

The output of mod_status includes a section on session cache status and usage. Here's what it looks like on our host:

SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current entries: 0
subcaches: 32, indexes per subcache: 88
index usage: 0%, cache usage: 0%
total entries stored since starting: 0
total entries replaced since starting: 0
total entries expired since starting: 0
total (pre-expiry) entries scrolled out of the cache: 0
total retrieves since starting: 0 hit, 8 miss
total removes since starting: 0 hit, 0 miss

You could monitor that, and/or double the cache size until the problems go away.

Andrew Schulman
  • 8,811
  • 21
  • 32
  • 47
  • thanks for your answer. How do you get the SSL/TLS status information with `mod_status` ? I can't manage to get these, even with `ExtendedStatus on`. Is this feature available in Apache 2.4 as suggested in this question : https://serverfault.com/questions/414411/session-cache-is-not-configured-why ? – Httqm Mar 02 '21 at 11:49
  • No special configuration of mod_status. Our host is RHEL7, but note that we're running httpd 2.4.34 from RHSCL, not the stock Apache which is 2.4.6. That may make a difference since many improvements were introduced in 2.4.7. – Andrew Schulman Mar 02 '21 at 13:06
  • 1
    I've been able to setup `mod_status` on Apache 2.4.6-90.el7 and let it report about SSL/TLS cache status. Please note that the "Machine readable status" described in the documentation (https://httpd.apache.org/docs/2.4/mod/mod_status.html) does not display the "SSL/TLS Session Cache Status" block, only the web status page has it. – Httqm Mar 08 '21 at 08:54
0

Answering my own question : my mistake was I added to the Apache configuration :

<IfModule socache_shmcb_module>
    SSLSessionCache shmcb:/run/httpd/sslcache(512000)
</IfModule>

The crash and AH00820 error did not occur again after I changed that to :

<IfModule socache_shmcb_module>
    SSLSessionCache shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout 300
</IfModule>

The Apache documentation mentions that SSLSessionCacheTimeout 300 is the default value, which is why I initially omitted it. Looks like this directive is mandatory, even to repeat the default value.

Back to my initial questions :

1. How may I determine the acceptable size of this cache ?

Once Apache is configured with both SSLSessionCache and SSLSessionCacheTimeout directives, it is stable again and mod_status (described in the answer + comments above) outputs the percentage of cache used. It's pretty low in my case, so the configured value 512000 looks fine.

2. Do you have any details regarding this AH00820 error ?

Not much about this error, actually. I just can tell it disappeared when I used both directives.

Httqm
  • 225
  • 2
  • 10