Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

SSL Issues on Client and Server

Daniel Nashed  28 February 2012 22:11:35

There is an issue with the way the SSL key buffer is managed that will be fixed in 8.5.4.
The problem can occur with concurrent (multi-threaded) access to the SSL ring buffer (used to store SSL sessions).
By default the size of the buffer is quite small, and in some cases the size of those entries needs to be increased on the fly by reallocating the entry.

This is mainly an issue on Servers but I ran into this issue on my Notes Client with HTML mail loading remote images from websites using SSL.

I had crashes for some mails and I only figured out what was going wrong when debugging the logs.
It turned out that some SSL sites need larger buffers, and the reallocation combined with the multi-threading caused the crash.

In 8.5.3 there is a new parameter for servers and clients to use a new implementation of this code. It will be the default in 8.5.4, but you can enable it in 8.5.3.

SSL_USE_ADDSESSION2=1 will enable the new code.

You should set this parameter for all servers and clients that use SSL to avoid crashes.

And you could increase the buffer size of each ring entry, for example via SSL_SESSION_SIZE=4096, to avoid reallocations.
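One way to check and apply both settings on a notes.ini file, as an added example that is not from the original post. The function names and the path passed on the command line are assumptions, and an existing SSL_SESSION_SIZE of 4096 or more is left unchanged.

```shell
#!/bin/sh
# Added example (not from the post); function names are assumptions.

# Print the value of the first "key=value" line matching $2 (case-insensitive)
# in file $1; exit status 1 when the key is absent.
ini_get() {
    awk -v k="$2" '
        { eq = index($0, "="); if (!eq) next
          key = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (toupper(key) == toupper(k)) {
              val = substr($0, eq + 1); sub(/\r$/, "", val)
              print val; found = 1; exit } }
        END { exit !found }' "$1"
}

# Set key $2 to value $3 in file $1: rewrite the first matching line, drop
# later duplicates, append when absent. A one-time backup is kept as "$1.bak".
ini_set() {
    tmp="$1.tmp.$$"
    awk -v k="$2" -v v="$3" '
        { eq = index($0, "="); key = eq ? substr($0, 1, eq - 1) : ""
          gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (eq && toupper(key) == toupper(k)) {
              if (!done) print k "=" v
              done = 1; next }
          print }
        END { if (!done) print k "=" v }' "$1" > "$tmp" || return 1
    { [ -e "$1.bak" ] || cp -p "$1" "$1.bak"; } && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Apply the post's settings to file $1 and print how many keys were changed.
harden_ssl_ini() {
    changed=0
    # New session-buffer code path: must be exactly 1.
    have=$(ini_get "$1" SSL_USE_ADDSESSION2) || have=""
    if [ "$have" != "1" ]; then
        ini_set "$1" SSL_USE_ADDSESSION2 1 || return 2
        changed=$((changed + 1))
    fi
    # Ring entry size: 4096 is the post's example value; keep a larger one.
    have=$(ini_get "$1" SSL_SESSION_SIZE) || have=0
    if ! [ "$have" -ge 4096 ] 2>/dev/null; then
        ini_set "$1" SSL_SESSION_SIZE 4096 || return 2
        changed=$((changed + 1))
    fi
    echo "$changed"
}

if [ -n "${1:-}" ]; then harden_ssl_ini "$1"; fi
```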

Reference: SPR # SFPN69ET56 / http://www.lotus.com/ldd/r5fixlist.nsf/Public/E9BAC1A4277A6FD88525709200001E26?OpenDocument

-- Daniel


Comments

1  Don  29.02.2012 9:17:12  SSL Issues on Client and Server

thanks for sharing!

2  Christian Henseler  22.05.2012 22:04:03  SSL Issues on Client and Server

Back in February I was still thinking, "hmm, I've never had problems with SSL connections even though I set them up every day, so this doesn't affect me..."

Today my 8.5.3 Notes client kept crashing right after login, without my having changed anything in the config, honestly ;-)

So I look at the NSD dump and read something about "nsslplus.SSL_AddSession..."

Hmm, wasn't there something on Daniel's blog recently ...

Parameter set as described, no more crashes :-)

You saved me quite a bit of troubleshooting time, thank you ;-)
