
Enabling session resumption in Apache 2.4.6

Question asked by cfmunster on Jul 31, 2013
Latest reply on Aug 2, 2013 by Ivan Ristić

Hi, I am running Apache 2.4.6 (compiled from source) on Debian 7. I have been using the SSLLabs tool to check my configuration, and it looks good except for the fact that session resume returns this:

Session resumption No (IDs empty)

I ran the suggested openssl test (openssl 1.0.1e) from this page:

https://community.qualys.com/message/16874#16874

$ openssl s_client -connect www.ssllabs.com:443 -reconnect -no_ticket | grep Session-ID

and the ids look good, so I seem to have a problem with my configuration. I tried disabling TLS v1.2, but that didn't work.

Here are some details of my Apache config:

SSLProtocol All -SSLv2 -SSLv3

SSLHonorCipherOrder On

SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH;

SSLSessionCache        "shmcb:/opt/apache2/logs/ssl_scache(512000)"

SSLSessionCacheTimeout  300

and in httpd.conf

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

I have also tried dbm cache and that isn't working either, so I am wondering if it could be the issue with too many ciphers being used, or if I have another configuration issue. I have also considered the possibility that compiling Apache from source might require some configuration for session resumption that I missed.

Any help is appreciated.
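An added example, not part of the original post: a shell function that reads the output of the `openssl s_client ... -reconnect -no_ticket` test quoted above and reports whether the server handed out session IDs and accepted them on reconnect. The function name, the result labels and the sample transcripts (shortened, constructed session IDs) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: interpret `openssl s_client -reconnect -no_ticket` output.
# Live use (the host name is a placeholder):
#   openssl s_client -connect HOST:443 -reconnect -no_ticket </dev/null 2>/dev/null \
#     | classify_resumption

# Prints one of: ids-empty, resumed, not-resumed, no-handshake
classify_resumption() {
    awk '
        # Matches "Session-ID:" only; "Session-ID-ctx:" has no colon there.
        /^[ \t]*Session-ID:/ {
            n++
            id = $0
            sub(/^[ \t]*Session-ID:[ \t]*/, "", id)
            sub(/[ \t\r]+$/, "", id)
            if (id == "") empty++            # server assigned no session ID
            else if (first == "") first = id # ID from the initial handshake
            else if (id == first) same++     # reconnect kept the same ID
        }
        /^Reused, / { reused++ }             # s_client marks a resumed handshake
        END {
            if (n == 0) print "no-handshake"
            else if (empty > 0) print "ids-empty"
            else if (n > 1 && same == n - 1 && reused > 0) print "resumed"
            else print "not-resumed"
        }
    '
}

# Constructed transcript: the server never assigns an ID ("IDs empty").
sample_empty_ids() { cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Session-ID: 
    Session-ID-ctx: 
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Session-ID: 
EOF
}

# Constructed transcript: the same ID is accepted on every reconnect.
sample_resumed() { cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Session-ID: A1B2C3D4E5F60718
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Session-ID: A1B2C3D4E5F60718
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Session-ID: A1B2C3D4E5F60718
EOF
}

echo "empty-ID sample: $(sample_empty_ids | classify_resumption)"
echo "resumed sample:  $(sample_resumed | classify_resumption)"
```

Running the check against the server under test rather than a reference host shows whether the `SSLSessionCache` is actually being used.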
