NetBSD-Users archive


Re: Hundreds of crypto file descriptors for Apache httpd



On 10/03/2020 10:57, Frank Wille wrote:
Michael van Elst wrote:


But is it normal to create more than 200 crypto file descriptors for each
httpd process? Then I would have to recompile PHP with a larger FD_SETSIZE,
as it seems?

That seems excessive. My admittedly lightly loaded SSL server here has 6 crypto filehandles open. One for each httpd process. Doesn't seem to go up at all when I push some traffic through it so could it be a configuration oddity?

I seem to recall having to enable ssl session caching:
#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:/var/run/ssl_scache"
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

And:
SSLUseStapling On

#   Define a relatively small cache for OCSP Stapling using
#   the same mechanism that is used for the SSL session cache
#   above.  If stapling is used with more than a few certificates,
#   the size may need to be increased.  (AH01929 will be logged.)
SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"

#   Seconds before valid OCSP responses are expired from the cache
SSLStaplingStandardCacheTimeout 3600

#   Seconds before invalid OCSP responses are expired from the cache
SSLStaplingErrorCacheTimeout 600

From memory neither of these were on my default but I don't know what impact that would have on crypto filehandle usage.

Mike
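
The FD_SETSIZE concern in the quoted question comes from select(): once a process holds hundreds of open descriptors, any descriptor opened later gets a number that may not fit in an fd_set, and FD_SET() on it writes out of bounds. The C sketch below is an added example, not part of the original post and not PHP or Apache code; the function names are hypothetical. It shows the bounds check before FD_SET() and a poll() fallback for descriptors numbered at or above FD_SETSIZE.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* 1 if fd may be stored in an fd_set; FD_SET() on any other value is out of bounds. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Wait until fd is readable: 1 = readable, 0 = timeout, -1 = error. */
int wait_readable(int fd, int timeout_ms)
{
    if (fd < 0)
        return -1;
    if (fd_fits_select(fd)) {
        fd_set rfds;
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int n = select(fd + 1, &rfds, NULL, NULL, &tv);
        return n > 0 ? 1 : n;
    }
    /* Descriptor number too high for an fd_set: poll() has no such limit. */
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int n = poll(&p, 1, timeout_ms);
    if (n > 0)
        return (p.revents & (POLLIN | POLLHUP)) ? 1 : -1;
    return n;
}

/* Constructed demo: move a pipe's read end to a number >= FD_SETSIZE (as if many
 * descriptors were already open) and wait on it. Keeps the low fd if RLIMIT_NOFILE forbids it. */
int demo_high_fd(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int hi = fcntl(p[0], F_DUPFD, FD_SETSIZE);
    int rfd = hi >= 0 ? hi : p[0];
    int r = write(p[1], "x", 1) == 1 ? wait_readable(rfd, 1000) : -1;
    if (hi >= 0)
        close(hi);
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    printf("FD_SETSIZE=%d, wait on high fd -> %d\n", FD_SETSIZE, demo_high_fd());
    return 0;
}
```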

