Koozali.org: home of the SME Server

ssl_scache error

Phil Maley

ssl_scache error
« on: September 27, 2002, 06:38:48 AM »
This question has been raised countless times and nobody seems to have offered a solution. Running a fresh installation of 5.5, any secure web access gives the following errors in /var/log/httpd/error_log:

[Fri Sep 27 09:25:46 2002] [error] mod_ssl: Cannot open SSLSessionCache DBM file `/etc/httpd/logs/ssl_scache' for writing (store) (System error follows)
[Fri Sep 27 09:25:46 2002] [error] System: Permission denied (errno: 13)

The messages relate to reading and scanning as well as writing. I've tried creating a file /etc/httpd/logs/ssl_scache and setting its permissions to various levels but nothing helps. Secure access is working OK but the error messages are VERY annoying.

Any ideas?

Phil Maley

Nathan Fowler

Re: ssl_scache error
« Reply #1 on: September 27, 2002, 06:57:27 AM »
rm -rf /var/log/httpd/*
/etc/rc.d/init.d/httpd restart
/etc/rc.d/init.d/httpd-admin restart

See what that does for you.

Nathan Fowler

Phil Maley

Re: ssl_scache error
« Reply #2 on: September 27, 2002, 07:16:40 AM »
Nathan

Thanks very much for your reply. I tried your suggestion but it's still reporting the same errors.

Regards
Phil Maley

Scott Smith

Re: ssl_scache error
« Reply #3 on: September 27, 2002, 10:02:56 AM »
I have the cure for this, but am not near a system. Post a reply tomorrow afternoon (about 12 hours from now) and I should be in a position to post the fix.

Scott Smith

Re: ssl_scache error
« Reply #5 on: September 27, 2002, 06:53:36 PM »
Okay, here it is. I'm surprised this problem hasn't been fixed before now. Probably needs a copy to bugs@e-smith.com since it still exists in the 5.6 beta.

The problem is in the following template fragment:

   /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLSessionCache

The line:

   SSLSessionCache         dbm:state/ssl_scache

should be changed to read:

   SSLSessionCache         dbm:state/ssl_scache.dir

That's all. End of annoying but otherwise apparently harmless log messages.

BTW, if you change this, do it as a custom template (the following lines may wrap, but each new line is prefaced with 'root>'):

root> mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

root> cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLSessionCache /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL10SSLSessionCache

root> vi /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL10SSLSessionCache

Scott

Rich Lafferty

Re: ssl_scache error
« Reply #6 on: September 27, 2002, 07:22:22 PM »
Scott Smith wrote:
>
> Okay, here it is. I'm surprised this problem hasn't been
> fixed before now. Probably needs a copy to bugs@e-smith.com
> since it still exists in the 5.6 beta.
>
> The problem is in the following template fragment:
>
>  
> /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLSessionCache
>
> The line:
>
>    SSLSessionCache         dbm:state/ssl_scache
>
> should be changed to read:
>
>    SSLSessionCache         dbm:state/ssl_scache.dir

That's not fixing it the way you think it's fixing it; you'll now find
yourself with files named "ssl_scache.dir.dir" and "ssl_scache.dir.pag".
The session cache is stored as DBM, which is implemented as two files
(data and index, roughly) but named as one file.

The problem is that in older versions of SME Server, both the admin
httpd and normal httpd use the same files for their session cache,
so whichever httpd gets to them second complains that they're already
in use.

The short version of the correct fix is to apply Update 2, which resolves
this issue.

The long version (and what the update does) *is* to use different filenames
for the admin and normal httpd, but I'd advise against naming them as per your example.

Cheers,
--Rich
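
The shared-cache condition described in the reply above, as an added check that is not part of the original thread: it reads the SSLSessionCache and ServerRoot directives from two httpd configuration files and reports when both resolve to the same DBM base name (and therefore the same .dir/.pag pair). The sample configs and the name ssl_scache_admin are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect two httpd configs sharing one mod_ssl DBM session cache.

# Print the first argument of directive $2 in config file $1 (quotes stripped).
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Print the absolute DBM base name configured in $1, or nothing if not dbm:.
scache_base() {
    spec=$(directive "$1" SSLSessionCache)
    case "$spec" in
        dbm:*) p=${spec#dbm:} ;;
        *) return 0 ;;
    esac
    case "$p" in
        /*) printf '%s\n' "$p" ;;                                     # absolute path
        *)  printf '%s/%s\n' "$(directive "$1" ServerRoot)" "$p" ;;   # relative to ServerRoot
    esac
}

# Return 1 and report if both configs resolve to the same DBM base name.
check_shared() {
    a=$(scache_base "$1"); b=$(scache_base "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "SHARED: $1 and $2 both use $a (.dir/.pag)"
        return 1
    fi
    echo "OK: $1 -> ${a:-none}, $2 -> ${b:-none}"
}

# Constructed sample configs: main httpd, admin httpd, admin with its own cache name.
make_sample() {
    printf 'ServerRoot "/etc/httpd"\nSSLSessionCache dbm:logs/ssl_scache\n' > "$1/httpd.conf"
    printf 'ServerRoot "/etc/httpd"\nSSLSessionCache dbm:logs/ssl_scache\n' > "$1/admin.conf"
    printf 'ServerRoot "/etc/httpd"\nSSLSessionCache dbm:logs/ssl_scache_admin\n' > "$1/admin-fixed.conf"
}

d=$(mktemp -d)
make_sample "$d"
check_shared "$d/httpd.conf" "$d/admin.conf" || true   # both point at one cache
check_shared "$d/httpd.conf" "$d/admin-fixed.conf"     # distinct base names
rm -rf "$d"
```

To check a live system, call check_shared with the paths of the generated configuration files for the normal and admin httpd instances.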

Scott Smith

Re: ssl_scache error
« Reply #7 on: September 27, 2002, 07:57:49 PM »
Rich

I'll take your word for it :-) I've not run 5.5 so I can't speak to Update2.

I can tell you that on a 5.1.2 system the patch I use works and it does not create the files you indicate.

Glad to hear there is a better and permanent solution as of 5.5u2 that will carry through to future releases. I do see that 5.6a8 does not have this problem.

Scott

Phil Maley

Re: ssl_scache error
« Reply #8 on: September 28, 2002, 12:38:20 PM »
Hi all

I did make the changes suggested by Scott and what Rich said would happen did happen. The errors have stopped but I now have:

-rw-------    1 admin    root            0 Sep 27 22:09 ssl_scache.dir
-rw-------    1 www      root            0 Sep 27 22:09 ssl_scache.dir.dir
-rw-------    1 www      root         1024 Sep 28 11:16 ssl_scache.dir.pag
-rw-------    1 admin    root            0 Sep 27 22:09 ssl_scache.pag

I don't mind - the errors have stopped filling my log file.

By the way this system does already have the second patch and it clearly did not fix the problem.

Regards
Phil Maley