# unusably short session_id provided? -Apache/PHP

## hanj

Hello All

Started seeing these in the logs today (I coincidentally restarted Apache on 3 boxes.. and now all 3 boxes are showing the error). The weird thing is that I've restarted Apache services in the past, and have not recently upgraded in the last week or so.

```
[Mon Oct 15 09:27:59 2007] [error] unusably short session_id provided (0 bytes)
[Mon Oct 15 09:29:15 2007] [error] unusably short session_id provided (0 bytes)
[Mon Oct 15 09:32:12 2007] [error] unusably short session_id provided (0 bytes)
[Mon Oct 15 09:35:00 2007] [error] unusably short session_id provided (0 bytes)
[Mon Oct 15 09:40:55 2007] [error] unusably short session_id provided (0 bytes)
```

My version of apache (same on all 3 boxes)

```
[ebuild   R   ] www-servers/apache-2.2.6  USE="mpm-prefork no-suexec ssl -debug -doc -ldap -mpm-event -mpm-itk -mpm-peruser -mpm-worker (-selinux) -static-modules -threads" 4,664 kB
```

Any ideas?

Thanks!

hanji

----------

## jexxie

First thought:

Is /dev/urandom or /dev/random still producing pseudo-random data?

----------

## hanj

Yep.. here is a snip:

I wonder if this could be related to binutils upgrade? Here are the last updates I did since last 'good' apache restart (good, meaning these errors were not reported)

```
Mon Oct 15 06:52:43 2007 >>> sys-apps/kbd-1.13-r1
Mon Oct 15 07:06:16 2007 >>> sys-devel/binutils-2.18-r1
Mon Oct 15 07:17:36 2007 >>> dev-libs/openssl-0.9.8f
Mon Oct 15 07:30:14 2007 >>> media-libs/pdflib-7.0.2
Mon Oct 15 09:05:08 2007 >>> sys-libs/glibc-2.6.1
```

Thanks!

hanji

----------

## hanj

Rebuilding apache and PHP.. maybe this will help. Google is yielding nothing on this error.. very strange.

hanji

----------

## hanj

Actually.. looks like something with openssl

```
+    if (idlen < 4) {

+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "unusably short session_id provided "

+                "(%u bytes)", idlen);

+        goto done;

+    }
```
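
Review bot: the `if (idlen < 4)` branch logs every rejected ID at `APLOG_ERR` and does not separate an empty ID (`idlen == 0`) from a short but non-empty one, and the log excerpt in this thread shows it firing repeatedly with 0 bytes. Consider handling the zero-length case on its own at a lower log level so it does not fill the error log, and add a comment saying why 4 is the minimum usable length. The `%u` conversion also assumes `idlen` is an `unsigned int`; its declaration is not visible in this hunk, so that is worth confirming.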

BTW.. I did revdep-rebuild after openssl update

hanji

----------

## hanj

Nope.. recompiled Apache.. problem persists. Also, reran the following:

```
revdep-rebuild --library libcrypto.so.0.9.7
revdep-rebuild --library libssl.so.0.9.7
```

Didn't notice anything to rebuild.

Anyone else noticing this too?

Thanks!

hanji

----------

## karma

Hi,

I've got this problem too since openssl upgrade. Like you've said, re-emerging apache and openssl doesn't help, and revdep-rebuild is also clean.

I've read something about emerging previous version of openssl, but I haven't tried this yet...

Christophe

----------

## hanj

 *karma wrote:*   

> Hi,
> 
> I've got this problem too since openssl upgrade. Like you've said, re-emerging apache and openssl doesn't help, and revdep-rebuild is also clean.
> 
> I've read something about emerging previous version of openssl, but I haven't tried this yet...
> ...

 

Ah! So I'm not the only one on the planet with this problem. All my servers are doing this now.

hanji

----------

## Hideki

seeing same...

----------

## planet-admin

For those of you who are unaware, this is a bug in openssl-0.9.8f.

You can add openssl-0.9.8g, which contains the fix, to your package.keywords/unmask and update.

Details here:

http://rt.openssl.org/Ticket/Display.html?id=1591&user=guest&pass=guest

----------

## hanj

Awesome. Just upgraded and testing on one box now. Thanks for your help!

hanji

----------

