SNI Not Loading Proper Keyring KYR Files for Domains When More than Around 8 Domains

Mindwatering Incorporated

Author: Tripp W Black

Created: 06/23/2020 at 09:44 AM


Category:
Domino Server Issues Troubleshooting
Web/HTTP

Issue:
When using the HCL Domino 11.0.1 SNI feature to run multiple web sites on one IP, we've noticed that less-used domains do not always load the correct TLS (SSL) certificates from their own keyring and load the host's default keyring KYR file instead. When the default keyring is loaded, the browser predictably shows its "do not proceed" error screen with an option to view the certificate for the site/server, and that certificate is the main host server's certificate rather than the configured site certificate.

After troubleshooting the keyrings for corruption between Domino servers, and checking on both CentOS and even Ubuntu (which is not a supported OS), the behavior was the same everywhere, although which domains failed to load was not consistent.
In all cases only about 8 to 10 of the 28 certificates would load. In every failure case the SNI switch fails and the server presents the host certificate, which of course produces the standard browser danger message/screen.

Confirmed it was not a keyring issue by restarting HTTP and bringing up one of the previously non-working sites as soon as HTTP loaded - it was almost always successful.
Confirmed not corruption of web site documents issue by recreating web site documents.
Confirmed not how servers are specified in the servers field issue, by trying with both "*" for the servers to run this site, and hardcoding the server names.


Resolution:
There is a new notes.ini variable that was not released in the documentation. HCL will be creating a knowledge document. The variable is:
SSL_KYR_CACHE_MAX_SIZE=x
where x can be a number between 10 and 50.

If not included, in the notes.ini, the default value is 10.
We changed the field to 50:
SSL_KYR_CACHE_MAX_SIZE=50

HCL support indicates that this cache is based on the certificate size, and not so much the number of domains. So, extrapolating that logic and math, the more domains we put on each certificate, the more sites we can load into the cache before running out.
HCL support also asked that we do a full Domino services restart rather than restarting just the HTTP task. They did NOT say it was required, only that it was preferred to be sure. Regardless, the SSL_KYR_CACHE_MAX_SIZE increase worked.

So in summary, to support more than around 10 TLS 1.2 (SSL) web sites on one IP, do the following:

1. Edit the notes.ini and add the keyring cache setting.
Note: You can edit the notes.ini "hot", but there is a chance the Domino server will write an update to it while you are editing. If you get a message when you go to :wq (write/save and quit), then quit without saving (:q!) and do the edit again.
$ ssh notes@myserver.mydomain.com
<enter your password>
$ cd /local/notesdata/
$ vi notes.ini
...
<add to the bottom of the file, use i to insert, or a to append at the cursor mark>
SSL_KYR_CACHE_MAX_SIZE=50
<esc> :wq
(escape key, then a colon, a w, and a q to write/save and quit)

2. Restart the server. My notes user doesn't have sudo. So rather than switching to my OS administrative id and doing the restart there (e.g. systemctl restart domino.service), we just used the Domino Administrator client, as it was already open and displaying our server's console.
> rest server

3. After the restart, test all the web sites again using your web browser.
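As an added example (not part of the original article), the following POSIX shell functions script steps 1 and 3: set_kyr_cache_size writes SSL_KYR_CACHE_MAX_SIZE into a notes.ini only after checking it is within the 10 to 50 range stated above, replacing an existing line rather than adding a duplicate; get_kyr_cache_size reports the effective value (falling back to the stated default of 10); and check_sni uses openssl s_client with the SNI name set to print the subject of the certificate the server actually returned, so a site that is still being served the host certificate shows up without a browser. The notes.ini contents in the demo are constructed; the path /local/notesdata and the variable name come from the article, and nothing here is HCL's own tooling.

```shell
#!/bin/sh
# Added example, not from the original article or from HCL.

# set_kyr_cache_size INI_FILE SIZE
# Validates SIZE against the 10..50 range the article states, then replaces an
# existing SSL_KYR_CACHE_MAX_SIZE line or appends one. Returns 1 on bad input.
set_kyr_cache_size() {
    ini="$1"
    size="$2"
    case "$size" in
        ''|*[!0-9]*) echo "size must be numeric" >&2; return 1 ;;
    esac
    if [ "$size" -lt 10 ] || [ "$size" -gt 50 ]; then
        echo "size must be between 10 and 50" >&2
        return 1
    fi
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    if grep -q '^SSL_KYR_CACHE_MAX_SIZE=' "$ini"; then
        # Rewrite through a temp file instead of sed -i so it works on any POSIX sh.
        newfile="$ini.new.$$"
        sed "s/^SSL_KYR_CACHE_MAX_SIZE=.*/SSL_KYR_CACHE_MAX_SIZE=$size/" "$ini" > "$newfile" \
            && mv "$newfile" "$ini"
    else
        printf 'SSL_KYR_CACHE_MAX_SIZE=%s\n' "$size" >> "$ini"
    fi
}

# get_kyr_cache_size INI_FILE
# Prints the effective value: the configured one, or 10, the default the article states.
get_kyr_cache_size() {
    v=$(sed -n 's/^SSL_KYR_CACHE_MAX_SIZE=//p' "$1" | tail -n 1)
    echo "${v:-10}"
}

# check_sni HOST [IP] [PORT]
# Opens a TLS connection with the SNI name set to HOST and prints the subject of
# the certificate the server returned. If the subject is the host server's name
# rather than the site's, SNI fell back to the default keyring for that site.
check_sni() {
    host="$1"; ip="${2:-$1}"; port="${3:-443}"
    openssl s_client -servername "$host" -connect "$ip:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Demo on a constructed notes.ini copy (the real file is /local/notesdata/notes.ini).
demo_ini=$(mktemp)
printf 'Directory=/local/notesdata\nKeyFilename=server.id\n' > "$demo_ini"
echo "before: SSL_KYR_CACHE_MAX_SIZE=$(get_kyr_cache_size "$demo_ini")"
set_kyr_cache_size "$demo_ini" 50
echo "after:  SSL_KYR_CACHE_MAX_SIZE=$(get_kyr_cache_size "$demo_ini")"
rm -f "$demo_ini"
```

After the restart in step 2, step 3 becomes a loop such as `for h in site1.example site2.example; do echo "$h: $(check_sni "$h" 203.0.113.10)"; done` (hostnames and IP are placeholders), and any line that still shows the host server's subject is a site whose keyring is not being served.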


