Uncategorized

Unusable short session_id provided – Apache and openssl

So with the latest update for openssl (dev-libs/openssl-0.9.8f), I’ve been seeing the following in my error_log with SSL sites:


[Tue Oct 23 10:45:46 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 10:45:52 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:13 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:14 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:58:26 2007] [error] unusably short session_id provided (0 bytes)

This is definitely a message from Apache related to SSL. In the ssl_scache_shmcb_kill() function in the Apache mod_ssl source code, you can see this chunk of code, which rejects any session_id shorter than 4 bytes (the ones in my log are empty, 0 bytes):


    if (idlen < 4) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "unusably short session_id provided "
                     "(%u bytes)", idlen);
        goto done;
    }
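
As an added example (not code from the original post, nor from Apache's mod_ssl), here is a small Python triage script that filters an error_log down to just this message and summarises how often it fires, with which session_id lengths, and in how tight a burst. The regular expression, the timestamp format and the 10-second burst window are my own assumptions; the sample input is the seven lines quoted above plus one constructed, unrelated line to show that other entries are ignored.

```python
"""Triage helper for Apache mod_ssl "unusably short session_id provided" errors.

Added example, not code from the original post or from Apache: it scans an
Apache error_log, keeps only the shmcb session-cache complaint quoted in the
post, and summarises how often it fires and with which session_id lengths.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache 2.x error_log format: "[timestamp] [level] message".
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] "
    r"unusably short session_id provided \((?P<idlen>\d+) bytes\)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Sample input: the seven lines quoted in the post plus one unrelated
# constructed line, to show that non-matching entries are ignored.
SAMPLE_LOG = """\
[Tue Oct 23 10:45:46 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 10:45:52 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:13 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:14 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:58:26 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:58:30 2007] [notice] caught SIGTERM, shutting down
"""


def parse_events(lines):
    """Yield (timestamp, idlen) for every matching error_log line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unrelated error_log entries are ignored
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        yield ts, int(m.group("idlen"))


def summarize(lines, burst_window=timedelta(seconds=10)):
    """Aggregate the matching events into a small triage report.

    - total: number of complaints seen
    - by_idlen: how many times each session_id length was rejected
      (mod_ssl rejects anything under 4 bytes, so 0..3 are the only values expected)
    - first/last: time span covered
    - max_burst: largest number of complaints inside any burst_window
    """
    events = sorted(parse_events(lines))
    by_idlen = Counter(idlen for _, idlen in events)

    # Sliding window over the sorted timestamps to find the densest burst.
    max_burst = 0
    start = 0
    for end, (ts, _) in enumerate(events):
        while ts - events[start][0] > burst_window:
            start += 1
        max_burst = max(max_burst, end - start + 1)

    return {
        "total": len(events),
        "by_idlen": dict(by_idlen),
        "first": events[0][0] if events else None,
        "last": events[-1][0] if events else None,
        "max_burst": max_burst,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['total']} short-session_id complaints "
          f"between {report['first']} and {report['last']}")
    print("rejected session_id lengths:", report["by_idlen"])
    print(f"largest burst within 10s: {report['max_burst']}")
```

Run it against a real error_log with `summarize(open("/path/to/error_log"))`. Whether the rejected length is always 0 and whether the complaints arrive in pairs a second or two apart (as they do above, which looks like a client retrying) is worth establishing before chasing the cause, since it separates a broken client from a server-side cache problem.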

I’ve posted this on the Gentoo forum, but am just getting the ‘me too’ posts. Anybody know more about this? Anybody know how to fix this?

Thanks!