Re: [users@httpd] [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error

2021-06-14 Thread Daniel Ferradal
Hello,

Perhaps you could try specifying only RSA ciphers just as a test. Most
times I have found issues with old clients, especially Java 1.6 ones
and older; they have issues with all sorts of Diffie-Hellman exchanges.

On another note, OpenSSL 1.0.2 is EOL; perhaps you should try to
compile 1.1.1 and compile 2.4.46 against it first.

Cheers

On Thu, 10 Jun 2021 at 18:31, Piemonti, Matteo wrote:
>
> Hi,
> the only TLS available is TLS 1.2 and only 4 ciphers are configured:
>
> # TLS 1.2 (suites in server-preferred order)
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> But the problem is random even with the same cipher used 
> (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
>
> The certificate is from an official CA and it is configured on apache with 
> Server cert, Intermediate and key. SSLLabs doesn't show any problem on it.
>
>
> Thank you
>
> Matteo
>
> -Original Message-
> From: Ran Mozes 
> Sent: Thursday, 10 June 2021 11:16
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] [External] Re: [users@httpd] Struggling with 
> "decryption failed or bad record mac" error
>
> Hi Matteo,
>
> Sounds like various issues could be the root cause. Maybe a negotiation issue 
> on the TLS version and/or the ciphers used?
> Another option: the error "SSL3_GET_RECORD:decryption failed or bad record 
> mac" could also imply that something is wrong with the certificates being 
> used.
>
> HTH,
> Ran
>
> > On 09.06.2021 at 10:06, Piemonti, Matteo wrote:
> >
> > Hi,
> >   does anyone have any suggestions about this topic?
> >
> >
> > Thanks
> > Matteo
> >
> > -Original Message-
> > From: Piemonti, Matteo
> > Sent: Monday, 24 May 2021 09:56
> > To: users@httpd.apache.org
> > Subject: RE: [External] Re: [users@httpd] Struggling with "decryption
> > failed or bad record mac" error
> >
> > Hi,
> >   in my first message you can find a lot of information...
> > The only TLS available is TLS 1.2 and the openssl version is OpenSSL 
> > 1.0.2k-fips (the last one of RedHat 7.9), we have this random problem only 
> > from a customer that is using .net. In my opinion it should be a client 
> > problem but hard to demonstrate.
> > Which specific directives do you want to see of httpd-ssl.conf?
> >
> >
> > Matteo
> >
> > -Original Message-
> > From: Daniel Ferradal 
> > Sent: Sunday, 23 May 2021 20:49
> > To:  
> > Subject: [External] Re: [users@httpd] Struggling with "decryption
> > failed or bad record mac" error
> >
> > Hello,
> >
> > Perhaps you may provide more info. Like the openssl version you are using, 
> > your SSL related directives in your server, the openssl version or SSL 
> > version of the client, the protocol the client is trying to use.
> >
> > Also, is this happening with all clients? just one?
> >
> > Can you reproduce it with "openssl s_client -connect" command? or even 
> > curl? etc.
> >
> > On Fri, 21 May 2021 at 12:25, Piemonti, Matteo wrote:
> >>
> >> Hi,
> >>
> >> We're having a weird error on our Apache httpd server that I can't work 
> >> out how to troubleshoot, and it is not clear to me whether it is our 
> >> problem (Apache HTTP Server) or a problem with the caller.
> >>
> >> We actually have this configuration:
> >>
> >> Server version: Apache/2.4.46 (Unix)
> >> Server built:   May 13 2021 05:46:31
> >> Server's Module Magic Number: 20120211:93
> >> Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
> >> Compiled using: APR 1.6.5, APR-UTIL 1.6.1
> >> Architecture:   64-bit
> >> Server MPM:     event
> >>   threaded:     yes (fixed thread count)
> >>     forked:     yes (variable process count)
> >> Server compiled with
> >>  -D APR_HAS_SENDFILE
> >>  -D APR_HAS_MMAP
> >>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> >>  -D APR_USE_SYSVSEM_SERIALIZE
> >>  -D APR_USE_PTHREAD_SERIALIZE
> >>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> >>  -D APR_HAS_OTHER_CHILD
> >>  -D AP_HAVE_RELIABLE_PIPED_LOGS
> >>  -D DYNAMIC_MODULE_LIMIT=256
> >>  -D HTTPD_ROOT="/data/apache2_frontend"
> >>  -D SUEXEC_BIN="/data/apache2_frontend/bin/suexec"
> >>  -D DEFAULT_PIDLOG="logs/httpd.pid"
> >>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> >>  -D DEFAULT_ERRORLOG="logs/error_log"
> >>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> >>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >>
> >>
> >> The problem we have is that during the SSL handshake we can see (only with 
> >> debug or tcpdump) an "SSL Library Error: error:1408F119:SSL 
> >> routines:SSL3_GET_RECORD:decryption failed or bad record mac" in the Apache 
> >> httpd error_log.
> >>
> >> No other logs are written into access_log.
> >>
> >> How is possible to 
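
One way to answer the "all clients or just one?" question from the error_log itself, as an added example that is not part of the thread and not code from any of its participants: the script pairs each "SSL Library Error" line with the client named on the preceding AH02008 line of the same pid:tid and counts error codes per client. The sample lines, addresses, host name and log layout (httpd 2.4 default format at LogLevel ssl:info, timestamps shortened) are constructed assumptions.

```python
import re
from collections import Counter

BAD_RECORD_MAC = "1408F119"  # error code quoted in the thread

# Constructed sample lines, not from the thread. Assumed layout: httpd 2.4
# default ErrorLogFormat with "LogLevel ssl:info", where the AH02008 line
# names the client and the OpenSSL error follows from the same pid:tid.
SAMPLE_LOG = """\
[Thu Jun 10 11:16:01 2021] [ssl:info] [pid 4101:tid 7001] [client 203.0.113.7:51234] AH02008: SSL library error 1 in handshake (server www.example.test:443)
[Thu Jun 10 11:16:01 2021] [ssl:info] [pid 4102:tid 7002] [client 198.51.100.20:40112] AH02008: SSL library error 1 in handshake (server www.example.test:443)
[Thu Jun 10 11:16:01 2021] [ssl:info] [pid 4101:tid 7001] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Thu Jun 10 11:16:01 2021] [ssl:info] [pid 4102:tid 7002] SSL Library Error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
[Thu Jun 10 11:42:17 2021] [ssl:info] [pid 4101:tid 7001] [client 203.0.113.7:51300] AH02008: SSL library error 1 in handshake (server www.example.test:443)
[Thu Jun 10 11:42:17 2021] [ssl:info] [pid 4101:tid 7001] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Thu Jun 10 12:03:44 2021] [ssl:info] [pid 4103:tid 7003] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
"""

LINE = re.compile(r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
                  r"(?:\[client (?P<ip>[^\]]+?):\d+\] )?(?P<msg>.*)")
ERR = re.compile(r"SSL Library Error: error:(?P<code>[0-9A-Fa-f]+):")

def errors_by_client(log_text):
    """Count (client_ip, openssl_error_code) pairs, pairing lines by pid:tid."""
    pending = {}        # (pid, tid) -> client IP from the last AH02008 line
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        worker = (m["pid"], m["tid"])
        if m["ip"] and "AH02008" in m["msg"]:
            pending[worker] = m["ip"]
            continue
        err = ERR.search(m["msg"])
        if err:
            # No preceding AH02008 line for this worker: record as unknown.
            client = pending.pop(worker, "unknown")
            counts[(client, err["code"].upper())] += 1
    return counts

def clients_with(counts, code=BAD_RECORD_MAC):
    """Return {client_ip: hits} for one OpenSSL error code."""
    return {ip: n for (ip, c), n in counts.items() if c == code}

if __name__ == "__main__":
    for ip, n in sorted(clients_with(errors_by_client(SAMPLE_LOG)).items()):
        print(f"{ip}\t{n}")
```

If every hit for the code comes from one source address while other clients negotiate the same cipher cleanly, that supports the client-side theory raised in the thread.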

RE: [users@httpd] Improve memory use [EXT]

2021-06-14 Thread James Smith
Yes, the answer is almost certainly to do with the number of domains/size of 
code – even if all the sites are running the same code – they are likely to 
have different copies of it (unless they are all running the exact same copy of 
the code – and using a name-based switch somewhere in it). There may be better 
ways of handling this – having 800 PHP children is not ideal – look at ways of 
using static servers if you can, e.g.

  *   you may be able to sit another apache in front of this one to handle the 
static requests {using the event mpm} and use this one to serve PHP code;
  *   or move this to the mpm event model and use one of the fcgi wrappers for PHP 
{mileage may vary on this if you have a large number of PHP code bases};

From: Marc Serra 
Sent: 14 June 2021 10:08
To: users@httpd.apache.org
Subject: [users@httpd] Improve memory use [EXT]

Hi again,

I got an old Ubuntu server 16.04 with apache 2.4.18 serving 140 different 
domains.

The server has 8 vCPUs and 16GB of memory. It's a virtual server hosted in 
Digital Ocean.

As you can see above, the average memory use per apache process is 93MB.

Is it possible to improve that? If not, why is so much memory used? In other 
servers with similar configurations but with fewer hosted domains and low 
resources (see at the bottom of this email), the memory usage is much lower. Is 
it due precisely to the number of domains hosted? If not, what?

Sorry to insist on the memory used by each apache process, but I need to 
improve it (if it's possible).

# ls /etc/apache2/sites-enabled/|grep -v ssl |wc
140

# cat /etc/issue
Ubuntu 16.04.6 LTS

# apache2 -V
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2019-10-08T13:31:25
Server's Module Magic Number: 20120211:52
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM: prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

# apache2 -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

Relevant part of /etc/apache2/apache2.conf ...

ServerLimit             800
StartServers            10
MinSpareServers         200
MaxSpareServers         400
MaxRequestWorkers       800
MaxConnectionsPerChild  1


# free -m
              total        used        free      shared  buff/cache   available
Mem:          16046        7198         496         232        8351        8187
Swap:          4095         243        3852

# ps aux | grep apache
root  1204  0.0  0.2 431016 47312 ?Ss   May04   7:43 
/usr/sbin/apache2 -k start
www-data  4778  0.0  0.4 531744 77132 ?S09:00   0:03 
/usr/sbin/apache2 -k start
www-data 11661  0.1  0.3 518652 57868 ?S10:00   0:03 
/usr/sbin/apache2 -k start
www-data 13839  0.0  0.2 443036 45928 ?S10:12   0:01 
/usr/sbin/apache2 -k start
www-data 14763  0.1  0.2 443004 40676 ?S10:18   0:02 
/usr/sbin/apache2 -k start
www-data 26848  0.0  0.4 533496 81960 ?S06:35   0:11 
/usr/sbin/apache2 -k start
www-data 26849  0.0  0.5 537956 96632 ?S06:35   0:14 
/usr/sbin/apache2 -k start
www-data 26850  0.0  0.5 528608 87912 ?S06:35   0:09 
/usr/sbin/apache2 -k start
www-data 26851  0.0  0.4 519652 79560 ?S06:35   0:10 
/usr/sbin/apache2 -k start
www-data 26852  0.1  0.6 545400 103880 ?   S06:35   0:19 
/usr/sbin/apache2 -k start
www-data 26853  0.0  0.5 541456 97776 ?S06:35   0:09 
/usr/sbin/apache2 -k start
www-data 26854  0.0  0.8 578080 132944 ?   S06:35   0:10 
/usr/sbin/apache2 -k start
www-data 26855  0.0  

[users@httpd] Improve memory use

2021-06-14 Thread Marc Serra
Hi again,

I got an old Ubuntu server 16.04 with apache 2.4.18 serving 140 different
domains.

The server has 8 vCPUs and 16GB of memory. It's a virtual server hosted in
Digital Ocean.

As you can see above, the average memory use per apache process is 93MB.

Is it possible to improve that? If not, why is so much memory used? In other
servers with similar configurations but with fewer hosted domains and low
resources (see at the bottom of this email), the memory usage is much
lower. Is it due precisely to the number of domains hosted? If not, what?

Sorry to insist on the memory used by each apache process, but I need to
improve it (if it's possible).

# ls /etc/apache2/sites-enabled/|grep -v ssl |wc
140

# cat /etc/issue
Ubuntu 16.04.6 LTS

# apache2 -V
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2019-10-08T13:31:25
Server's Module Magic Number: 20120211:52
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM: prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

# apache2 -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

Relevant part of /etc/apache2/apache2.conf ...

ServerLimit             800
StartServers            10
MinSpareServers         200
MaxSpareServers         400
MaxRequestWorkers       800
MaxConnectionsPerChild  1


# free -m
              total        used        free      shared  buff/cache   available
Mem:          16046        7198         496         232        8351        8187
Swap:          4095         243        3852

# ps aux | grep apache
root  1204  0.0  0.2 431016 47312 ?Ss   May04   7:43
/usr/sbin/apache2 -k start
www-data  4778  0.0  0.4 531744 77132 ?S09:00   0:03
/usr/sbin/apache2 -k start
www-data 11661  0.1  0.3 518652 57868 ?S10:00   0:03
/usr/sbin/apache2 -k start
www-data 13839  0.0  0.2 443036 45928 ?S10:12   0:01
/usr/sbin/apache2 -k start
www-data 14763  0.1  0.2 443004 40676 ?S10:18   0:02
/usr/sbin/apache2 -k start
www-data 26848  0.0  0.4 533496 81960 ?S06:35   0:11
/usr/sbin/apache2 -k start
www-data 26849  0.0  0.5 537956 96632 ?S06:35   0:14
/usr/sbin/apache2 -k start
www-data 26850  0.0  0.5 528608 87912 ?S06:35   0:09
/usr/sbin/apache2 -k start
www-data 26851  0.0  0.4 519652 79560 ?S06:35   0:10
/usr/sbin/apache2 -k start
www-data 26852  0.1  0.6 545400 103880 ?   S06:35   0:19
/usr/sbin/apache2 -k start
www-data 26853  0.0  0.5 541456 97776 ?S06:35   0:09
/usr/sbin/apache2 -k start
www-data 26854  0.0  0.8 578080 132944 ?   S06:35   0:10
/usr/sbin/apache2 -k start
www-data 26855  0.0  0.5 535320 94640 ?S06:35   0:11
/usr/sbin/apache2 -k start
www-data 26856  0.0  0.4 528912 73644 ?S06:35   0:05
/usr/sbin/apache2 -k start
www-data 26857  0.0  0.5 528156 86332 ?S06:35   0:08
/usr/sbin/apache2 -k start
www-data 26872  0.0  0.4 522028 69292 ?S06:35   0:07
/usr/sbin/apache2 -k start
www-data 26873  0.0  0.5 530952 86820 ?S06:35   0:11
/usr/sbin/apache2 -k start
www-data 26874  0.0  0.4 524660 77884 ?S06:35   0:07
/usr/sbin/apache2 -k start
www-data 26875  0.0  0.4 522320 77392 ?S06:35   0:11
/usr/sbin/apache2 -k start
www-data 26876  0.0  0.4 529936 80368 ?S06:35   0:13
/usr/sbin/apache2 -k start
www-data 26877  0.0  0.6 553920 109604 ?   S06:35   0:10
/usr/sbin/apache2 -k start
www-data 26887  0.0  0.5 534996 87504 ?S06:35   0:06