Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

SSL Issues on Client and Server

Daniel Nashed – 28 February 2012 21:11:35
There is an issue with the way the SSL key buffer is managed that will fixed in 8.5.4.
The problem can occur with concurrent (multi-threaded) access to the SSL ring buffer (used to store SSL sessions).

By default the size of the buffer is quite small and in some cases the size of those entries need to be increased on the fly by reallocating the entry.


This is mainly an issue on Servers but I ran into this issue on my Notes Client with HTML mail loading remote images from websites using SSL.


I had crashes for some mails and I only figured out what was going wrong when debugging the logs.

It turned out that some SSL sites need larger buffers and due to the multi-threading and the reallocation caused the crash.


In 8.5.3 there is a new parameter for server and clients to use a new implementation of this code. It will be default in 8.5.4 but you can enabled it in 8.5.3


SSL_USE_ADDSESSION2=1 will enable the new code.


You should set this parameter for all servers and clients that use SSL to avoid crashes.


And you could increase the buffer size of each ring entry via for example SSL_SESSION_SIZE=4096 to avoid reallocations.


Reference: SPR # SFPN69ET56 / http://www.lotus.com/ldd/r5fixlist.nsf/Public/E9BAC1A4277A6FD88525709200001E26?OpenDocument


-- Daniel



Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]