Troubleshooting Apache2 SSLSessionCache: Why Sessions Aren’t Being Stored in SHMCB



When dealing with SSL/TLS performance optimization in Apache 2.2 (particularly on Debian systems), the session cache mechanism should be your first checkpoint. The status output showing zero sessions cached despite active SSL traffic indicates a fundamental configuration or implementation issue.

Your configuration appears correct at first glance:

SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLMutex               file:${APACHE_RUN_DIR}/ssl_mutex

However, several factors could explain why no sessions are being cached:

  • SSLProtocol restrictions: Some older protocols may not support session caching
  • Client-side behavior: Modern browsers sometimes disable session caching for security
  • VirtualHost configuration: Cache directives might be overridden in specific vhosts

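First, switch to an explicit baseline configuration for better visibility. The cipher string below still admits LOW and export-grade suites, and the cache sits in world-writable /tmp, so use it for troubleshooting only: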

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLVerifyClient optional_no_ca
SSLVerifyDepth  1
SSLOptions +StdEnvVars +ExportCertData
SSLSessionCache shmcb:/tmp/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLStrictSNIVHostCheck off

Then monitor with:

tail -f /var/log/apache2/ssl_engine.log | grep -i session

If SHMCB continues to fail, try these alternatives:

# Option 1: DBM backend
SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCacheTimeout 300

# Option 2: distcache backend (needs a distcache proxy listening on this socket; for testing only)
SSLSessionCache dc:UNIX:${APACHE_RUN_DIR}/ssl_scache

Create a test script to force session reuse:

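#!/bin/bash
# Separate curl processes never offer a previous session, so they cannot produce cache hits.
# s_client -reconnect does one full handshake, then five reconnects offering the same session.
for i in {1..10}; do
  openssl s_client -connect yourserver:443 -reconnect -no_ticket < /dev/null > /dev/null 2>&1
done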

Then check server-status for cache hits.

  • Verify /tmp directory permissions (or whichever directory you specify)
  • Check for SELinux/AppArmor restrictions on shared memory
  • Test with different SSL protocols (TLSv1 vs TLSv1.2)
  • Consider upgrading to Apache 2.4 if possible

When monitoring my Debian Squeeze Apache 2.2 server's /server-status page, I noticed the SSL session cache shows zero activity:

SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
subcaches: 32, indexes per subcache: 133
index usage: 0%, cache usage: 0%
total sessions stored since starting: 0
total retrieves since starting: 0 hit, 0 miss

My SSL configuration in mods-enabled/ssl.conf appears correct:

SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLMutex               file:${APACHE_RUN_DIR}/ssl_mutex

Yet, no physical files appear in ${APACHE_RUN_DIR} for either the mutex or cache when using SHMCB mode.

To validate session caching behavior, I performed these tests:

  1. Disabled KeepAlive to force new SSL handshakes
  2. Switched cache backend to DBM (which did create files)
  3. Enabled debug logging with LogLevel debug

The debug output only showed initialization messages, no actual caching operations:

ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes
ssl_scache_shmcb.c(272): recommending 32 subcaches, 133 indexes
ssl_scache_shmcb.c(452): [client x.x.x.x] inside shmcb_status

1. SHMCB Implementation Details

The shared memory cache (SHMCB) doesn't create visible files because it uses:

  • System V shared memory segments (ipcs -m to view)
  • Memory-mapped files that don't persist on disk

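Verify active segments with the command below. On Debian the Apache processes run as www-data, so read the owner and bytes columns rather than filtering on the name apache:

ipcs -m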

2. Why Sessions Aren't Caching

Common reasons for zero cached sessions include:

  • Session ID reuse: Clients may not support session resumption
  • Configuration conflicts: Other SSL directives may override caching
  • VirtualHost inheritance: Cache settings might not propagate

Session Resumption Test

Use OpenSSL to test session reuse:

openssl s_client -connect localhost:443 -reconnect -no_ticket

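In the output, each handshake is reported on a line starting with New or Reused. Look for Reused, TLSv1/SSLv3 on the reconnects; New, TLSv1/SSLv3 on every reconnect means the session was not resumed.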
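
An added helper (not part of the original page) that automates this check by counting the New and Reused handshake lines in s_client -reconnect output. The function names and the sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client -reconnect` output.
# s_client prints one "New, ..." or "Reused, ..." line per handshake:
# the first connection plus five reconnects that offer the same session.
# Usage after sourcing this file: check_host yourserver:443

classify_reconnect() {      # reads s_client output on stdin
    awk '
        /^New, /    { n++ }
        /^Reused, / { r++ }
        END {
            if (n + r == 0)  v = "no-handshake"    # connect or TLS failure
            else if (r == 0) v = "no-resumption"   # server never reused a session
            else if (n > 1)  v = "partial"         # some reconnects did a full handshake
            else             v = "resumption-ok"
            printf "new=%d reused=%d verdict=%s\n", n, r, v
        }'
}

# Live check against host:port. -no_ticket keeps session tickets out of the
# picture, so any reuse has to come from the server-side session cache.
check_host() {
    openssl s_client -connect "$1" -reconnect -no_ticket </dev/null 2>/dev/null |
        classify_reconnect
}

# Constructed transcript (not captured from a real server).
# $1 is the keyword printed for each of the five reconnects: New or Reused.
sample_output() {
    echo "CONNECTED(00000003)"
    echo "New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA"
    for i in 1 2 3 4 5; do
        echo "drop connection and then reconnect"
        echo "CONNECTED(00000003)"
        echo "$1, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA"
    done
}
```

A verdict of no-resumption from check_host, together with zero stored sessions in server-status, points at the server-side cache rather than at the client.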

Alternative Configuration

Try an explicit cache path with proper permissions:

SSLSessionCache shmcb:/var/cache/apache2/ssl_scache(512000)
SSLMutex file:/var/cache/apache2/ssl_mutex

Then verify directory permissions:

chown www-data:www-data /var/cache/apache2
chmod 755 /var/cache/apache2

1. Confirm OpenSSL version supports session caching:

openssl version

2. Check for conflicting SSLProtocol directives:

grep -rn SSLProtocol /etc/apache2/

3. Monitor cache operations in real-time:

watch -n 1 'grep ssl_scache /var/log/apache2/error.log'

For maximum visibility, combine SHMCB with logging:

<IfModule mod_ssl.c>
    SSLSessionCache shmcb:/var/cache/apache2/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/cache/apache2/ssl_mutex
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:!MD5:@STRENGTH
    SSLHonorCipherOrder on
    SSLCompression off
    CustomLog ${APACHE_LOG_DIR}/ssl_cache.log "%t %h %{SSL_SESSION_ID}x %{SSL_CLIENT_VERIFY}x"
</IfModule>