Opened 5 years ago

Last modified 8 months ago

#621 accepted defect

Could not allocate new session in SSL session shared cache

Reported by: www.google.com/accounts/o8/id?id=AItOawnekqKysAAZ9LmTL7mM1-Oq_HGAVrARWuE Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.7.x
Keywords: ssl Cc:
uname -a: Linux [host] 3.8.0-35-generic #52~precise1-Ubuntu SMP Thu Jan 30 17:24:40 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.1 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.7.1/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.7.1/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.7.1/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.7.1/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.7.1/debian/modules/ngx_http_substitutions_filter_module

Description

Hi,

I'm using nginx as reverse proxy in front of haproxy. I'm using this ssl_session_cache config:

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 512m;

Now I get from time to time such errors in the log:

2014-09-03T09:51:34+00:00 hostname nginx: 2014/09/03 09:51:34 [alert] 27#0: *144835271 could not allocate new session in SSL session shared cache "SSL" while SSL handshaking, client: a.b.c.d, server: 0.0.0.0:443

Unfortunately that error doesn't say much. Looking at the code shows that it probably failed to allocate via ngx_slab_alloc_locked():

https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl.c#L2088

I'll try to raise the session cache and see if it helps, but since it's just a cache I would expect only performance differences.

FWIW: The nginx is running in a docker container, to be specific: https://registry.hub.docker.com/u/fish/haproxy/ (Although I've raised the cache setting there already

Change History (3)

comment:1 Changed 5 years ago by mdounin

As the error says, nginx wasn't able to allocate new session in SSL shared cache. This is something that may happen if the cache is full, and nginx wasn't able to free enough space by removing a least recently used session. Use smaller session timeouts or a larger shared memory zone to avoid cache overflows.

The message is probably a bit too scary (while the situation itself is mostly harmless). It was set to "alert" level as it wasn't expected to happen in real life. It seems to happen though - especially after 5024d29354f1, with configurations assuming nginx will silently throw away old sessions if there will be not enough memory in the shared memory zone. The severity of the error should be reduced, and/or nginx should try harder (free more old sessions) before giving up.

For now you may use smaller session timeouts and/or a larger shared memory zone. This way sessions will expire and will be removed from the cache before the cache will be overflowed, and no errors will happen.

comment:2 Changed 3 years ago by mdounin

  • Status changed from new to accepted

comment:3 Changed 8 months ago by rosenqui@…

+1 on changing this log entry from alert to warning.

We've noticed this alert at busy sites with lots of clients, and found that having a mix of sessions that do/don't use client certificates makes it a lot worse.

Without a client certificate, SSL session data is about 150b. If there's a client certificate, the encoded size of the certificate is added to that, making if more like 1kb depending on the DN sizes, extensions, etc.

If the cache is full and there are no expired sessions, then when a new session using a client certificate is created, the code that tries to make space by getting rid of the oldest unexpired session won't free up anywhere near enough room if the oldest session didn't use a client certificate. Event if the oldest session did use a client certificate, its encoded size could be much smaller than the new session.

If ngx_ssl_expire_sessions was told how many bytes to free up rather than how many entries (with perhaps a cap on max # to purge), the alert messages would almost never appear.

Note: See TracTickets for help on using tickets.