Re: [AOLSERVER] Feature request: ns_querygetarray function
Alexey Pechnikov wrote:

2011/5/11 Torben Brosten tor...@dekka.com:

Here's a proc that uses ns_getform, and returns the form values to a supplied array name: qf_get_inputs_as_array

See: http://fisheye.openacs.org/browse/OpenACS/openacs-4/packages/spreadsheet/tcl/form-procs.tcl?r=1.27

It uses ad_quotehtml from OpenACS and includes some basic protections.

ACS is very complex solution. Custom AOL-based ORM (http://en.wikipedia.org/wiki/Object-relational_mapping) for AJAX applications may be extremely smaller than ACS.

qf_get_inputs_as_array is available to use ns_getform with some common security constraints. To use qf_get_inputs_as_array outside of the ACS dependency, remove the first case of ad_quotehtml, it's redundant. For the second case of ad_quotehtml, substitute a proc defined as:

    return [string map {& &amp; \" &quot; < &lt; > &gt;} $arg]

There are no other dependencies on ACS.

cheers,
Torben

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to lists...@listserv.aol.com with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] nsopenssl and unexpected eof on write
Haig Didizian,

Check out the AOLSERVER listserv archives for the discussions with subjects SSL data truncation and differences between ns_httppost and sockets?

I'll post the final point, here I made earlier, but for more insight to the problem see those threads.

On 04.02.10 11:46, Torben Brosten wrote:

John Caruso et al, Could xotcl-core[2] be the work around/solution to this SSL ns_httpsget bug[1]?

The mentioned bug [1] looks like a buffering problem to me. Since OpenSSL has its own buffering layer, the interaction can be tricky and might as well differ depending on the OpenSSL version. It has been a while, since i fiddled with this in another context (pound + streaming connections). I am not aware of the problem in the tls implementation, but we are not using tls intensively.

In general, the http-client functions of xotcl-core provide an alternative http/https implementation based directly on the Tcl I/O functionality. So, this is indeed a different integration with OpenSSL, which can be tested/debugged also outside of aolserver. While the aolserver built-in functions work mostly without add-ons (nsopenssl), xotcl-core functions require (1) the tcl thread library (in this context for event driven I/O and mutex functionality), (2) tls and (3) xotcl.

-gustaf neumann

cheers,
Torben

1. On July 15 2009 John Caruso wrote:

We've run into a bug with AOLserver 4.5.1 / nsopenssl 3.0beta26. The bug is fully documented here:

https://sourceforge.net/tracker/?func=detail&aid=2822117&group_id=3152&atid=103152

But the short version is that when using the nsopenssl client-side routines (e.g. ns_httpsget), the result may be truncated if the client starts reading before all of the data has been received. This bug ONLY occurs with an AOLserver client (any version) running against an AOLserver 4 / nsopenssl 3.0beta26 server. We've reproduced the bug on RHEL4, RHEL5, and Mac OS X.

The bug is easily demonstrated by copying the file I've attached to this message (sslbug.tcl) to the top-level context of a web server running AOLserver 4.x/nsopenssl 3.0beta26 and then navigating to https://server/sslbug.tcl. If you comment out the ns_httpsget and use ns_httpget instead, you'll see that the bug disappears.

We've done a lot of instrumenting of nsopenssl/AOLserver, but haven't been able to track down the root cause. It seems likely that it's related to data buffering, which seems like it would be occurring within AOLserver or Tcl...but the issue is definitely specific to SSL, which implies that it's something in nsopenssl 3.0beta26.

Does anyone have any idea what might be causing this problem?

- John

2. On Feb 4, 2010, at 1:21 AM, Gustaf Neumann wrote:

Dear Brian and all,

xotcl-core of OpenACS contains a full set of HTTP client support, including POST requests and https (via the tcl tls package). Below is the description included in the source

best regards
-gustaf neumann

===
# Defined classes
#  1) HttpCore (common base class)
#  2) HttpRequest (for blocking requests + timeout support)
#  3) AsyncHttpRequest (for non-blocking requests + timeout support)
#  4) HttpRequestTrace (mixin class)
#  5) Tls (mixin class, applicable to various protocols)
#
##
#
# 1 HttpRequest
#
# HttpRequest is a class to implement the client side
# for the HTTP methods GET and POST.
#
# Example of a GET request:
#
#  set r [::xo::HttpRequest new -url http://www.openacs.org/]
#
# The resulting object $r contains all information
# about the requests, such as e.g. status_code or
# data (the response body from the server). For details
# look into the output of [$r serialize]. The result
# object $r is automatically deleted at cleanup of
# a connection thread.
#
# Example of a POST request with a form with var1 and var2
# (providing post_data causes the POST request).
#
#  set r [::xo::HttpRequest new \
#             -url http://yourhost.yourdomain/yourpath \
#             -post_data [export_vars {var1 var2}] \
#             -content_type application/x-www-form-urlencoded]
#
# More recently, we added timeout support for blocking http
# requests. By passing a timeout parameter, you gain control
# on the total roundtrip time (in milliseconds, ms):
#
#  set r [::xo::HttpRequest new \
#             -url http://www.openacs.org/ \
#             -timeout 1500]
#
# Please, make sure that you use a recent distribution of tclthread
# ( > 2.6.5 ) to have the blocking-timeout feature working
# safely. This newly introduced
Re: [AOLSERVER] differences between ns_httppost and sockets? (fix/insight for thread: SSL data truncation?)
John Caruso et al,

Could xotcl-core[2] be the work around/solution to this SSL ns_httpsget bug[1]?

cheers,
Torben

1. On July 15 2009 John Caruso wrote:

We've run into a bug with AOLserver 4.5.1 / nsopenssl 3.0beta26. The bug is fully documented here:

https://sourceforge.net/tracker/?func=detail&aid=2822117&group_id=3152&atid=103152

But the short version is that when using the nsopenssl client-side routines (e.g. ns_httpsget), the result may be truncated if the client starts reading before all of the data has been received. This bug ONLY occurs with an AOLserver client (any version) running against an AOLserver 4 / nsopenssl 3.0beta26 server. We've reproduced the bug on RHEL4, RHEL5, and Mac OS X.

The bug is easily demonstrated by copying the file I've attached to this message (sslbug.tcl) to the top-level context of a web server running AOLserver 4.x/nsopenssl 3.0beta26 and then navigating to https://server/sslbug.tcl. If you comment out the ns_httpsget and use ns_httpget instead, you'll see that the bug disappears.

We've done a lot of instrumenting of nsopenssl/AOLserver, but haven't been able to track down the root cause. It seems likely that it's related to data buffering, which seems like it would be occurring within AOLserver or Tcl...but the issue is definitely specific to SSL, which implies that it's something in nsopenssl 3.0beta26.

Does anyone have any idea what might be causing this problem?

- John

2. On Feb 4, 2010, at 1:21 AM, Gustaf Neumann wrote:

Dear Brian and all,

xotcl-core of OpenACS contains a full set of HTTP client support, including POST requests and https (via the tcl tls package). Below is the description included in the source

best regards
-gustaf neumann

===
# Defined classes
#  1) HttpCore (common base class)
#  2) HttpRequest (for blocking requests + timeout support)
#  3) AsyncHttpRequest (for non-blocking requests + timeout support)
#  4) HttpRequestTrace (mixin class)
#  5) Tls (mixin class, applicable to various protocols)
#
##
#
# 1 HttpRequest
#
# HttpRequest is a class to implement the client side
# for the HTTP methods GET and POST.
#
# Example of a GET request:
#
#  set r [::xo::HttpRequest new -url http://www.openacs.org/]
#
# The resulting object $r contains all information
# about the requests, such as e.g. status_code or
# data (the response body from the server). For details
# look into the output of [$r serialize]. The result
# object $r is automatically deleted at cleanup of
# a connection thread.
#
# Example of a POST request with a form with var1 and var2
# (providing post_data causes the POST request).
#
#  set r [::xo::HttpRequest new \
#             -url http://yourhost.yourdomain/yourpath \
#             -post_data [export_vars {var1 var2}] \
#             -content_type application/x-www-form-urlencoded]
#
# More recently, we added timeout support for blocking http
# requests. By passing a timeout parameter, you gain control
# on the total roundtrip time (in milliseconds, ms):
#
#  set r [::xo::HttpRequest new \
#             -url http://www.openacs.org/ \
#             -timeout 1500]
#
# Please, make sure that you use a recent distribution of tclthread
# ( > 2.6.5 ) to have the blocking-timeout feature working
# safely. This newly introduced feature makes use of advanced thread
# synchronisation offered by tclthread that needed to be fixed in
# tclthread <= 2.6.5. At the time of this writing, there was no
# post-2.6.5 release of tclthread, hence, you are required to obtain a
# CVS snapshot, dating at least 2008-05-23. E.g.:
#
#  cvs -z3 -d:pserver:anonym...@tcl.cvs.sourceforge.net:/cvsroot/tcl co \
#      -D 20080523 -d thread2.6.5~20080523 thread
#
# Provided that the Tcl module tls (see e.g. http://tls.sourceforge.net/)
# is available and can be loaded via package require tls into
# the aolserver, you can use both TLS/SSL secured or unsecured requests
# in the synchronous/asynchronous mode by using an
# https url.
#
#  set r [::xo::HttpRequest new -url https://learn.wu-wien.ac.at/]
#
##
#
# 2 AsyncHttpRequest
#
# AsyncHttpRequest is a subclass for HttpCore implementing
# asynchronous HTTP requests without vwait (vwait causes
# stalls on aolserver). AsyncHttpRequest requires to provide a listener
# or callback object that will be notified upon success or failure of
# the request.
#
# Asynchronous requests are much more complex to handle, since
# an application (a connection thread) can submit multiple
# asynchronous
Re: [AOLSERVER] Compiling nspostgres 4.1 (PG 8.4 on Mac OS X Leopard)
Cesáreo García Rodicio wrote:

Hi! I had an Aolserver 4.5.1 working with some modules on Mac OS Leopard (10.5.8) but I couldn't get to build nspostgres-4.1. Postgres (8.4.1) was installed using Macports:

    roraima:nspostgres-4.1 root# port installed | grep postg
    postgresql84 @8.4.1_1 (active)
    postgresql84-doc @8.4.1_0
    postgresql84-server @8.4.1_0 (active)

When I try to build it (I suppose I have to do make make install):

    make POSTGRES=SEPARATELY PGINC=/opt/local/include/postgresql84/ PGLIG=/opt/local/lib/postgresql84/ ACS=1 AOLSERVER=/usr/local/aolserver45

I get this error:

    gcc -bundle -pipe-o nspostgres.so nspostgres.o -L -lpq -lnsdb -L. -lnspostgres -L/usr/local/aolserver45/lib -lnsd -lnsthread -L/usr/local/aolserver45/lib -ltcl8.4g -lpthread
    ld: library not found for -lpq

I think LD_LIBRARY_PATH is right and that libpq exists:

    roraima:nspostgres-4.1 root# env | grep LD_
    LD_LIBRARY_PATH=:/usr/local/pgsql/lib:/opt/local/lib/postgresql84/
    roraima:nspostgres-4.1 root# ls /opt/local/lib/postgresql84/libpq.*
    /opt/local/lib/postgresql84/libpq.5.2.dylib /opt/local/lib/postgresql84/libpq.a
    /opt/local/lib/postgresql84/libpq.5.dylib /opt/local/lib/postgresql84/libpq.dylib

I've checked http://openacs.org/forums/message-view?message_id=1539251 but I didn't see any solution.

Cesáreo, check out this url which currently describes install for MacOSX Leopard..

http://openacs.org/xowiki/openacs-system-install-osx-macports

cheers,
Torben

Thanks for the support

Cesáreo
Re: [AOLSERVER] SSL data truncation
Looking through modules/https.tcl .. ns_httpsopen depends on server's content-length header to be somewhat accurate or greater than 0 if supplied.

iirc, AOLserver has a bug that returns inaccurate content-lengths, sometimes 0. Could this be a/the cause?

Torben

John Caruso wrote:

On Tuesday 09:01 PM 7/21/2009, Mark Aufflick wrote:

You say that "This bug ONLY occurs with an AOLserver client (any version) running against an AOLserver 4 / nsopenssl 3.0beta26 server" - so you're saying this issue doesn't occur when using httpsget against, say, Apache?

Yes, that's correct. As I mention in the bug report, we were unable to reproduce the bug in any of these scenarios:

- AOLserver client talking to an Apache server
- AOLserver client talking to a Java server
- wget client talking to an AOLserver server
- Firefox/IE client talking to an AOLserver server

And, crucially, it also doesn't happen with an AOLserver client (any version) running against an AOLserver 3/nsopenssl 2.1a server. For the bug to occur, the server *must* be AOLserver 4 with nsopenssl 3.0beta26.

It seems very odd that it would be server specific - that would fall in that painful bug category of "If I wanted that behaviour I have no idea how I would code it!"

Actually, I think you're going on the assumption that it's a client bug, but it appears to me that it's a server bug (since an AOLserver 4/nsopenssl 3.0beta26 server is the consistent feature of the failing scenarios). The odd part to me is that only an AOLserver client triggers the bug.

By the way, this isn't a theoretical problem; we ran into this bug because Arena's web application comprises multiple services which sometimes make client calls to one another via SSL. When we tried to migrate from AOLserver 3/nsopenssl 2.1a to AOLserver 4/nsopenssl 3.0beta26, we saw occasional and seemingly random failures on various pages--and after a lot of investigation we managed to narrow it down to this bug. This is actually just one of several SSL-related issues that have prevented us from migrating to AOLserver 4 (but we haven't investigated all of them as deeply as this one, and so we're hoping this is the root cause of all of them).

- John
Re: [AOLSERVER] SSL data truncation
Torben Brosten wrote:

Looking through modules/https.tcl .. ns_httpsopen

er, I mean.. ns_httpspost

depends on server's content-length header to be somewhat accurate or greater than 0 if supplied.

In particular, won't this code break if a server's header returns Content-length of 0?

    set length [ns_set iget $headers content-length]
    if [string match "" $length] {
        set length -1
    }
    set err [catch {
        #
        # Read the content.
        #
        while 1 {
            set buf [_ns_https_read $timeout $rfd $length]
            append page $buf
            if [string match "" $buf] {
                break
            }
            if {$length > 0} {
                incr length -[string length $buf]
                if {$length <= 0} {
                    break
                }
            }
        }
    } errMsg]

iirc, AOLserver has a bug that returns inaccurate content-lengths, sometimes 0. Could this be a/the cause?

Torben
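The read loop quoted in the message above, modelled in plain Tcl next to a variant that reads to end-of-stream and then compares the byte count with the declared Content-Length. This is an added example, not code from the thread or from AOLserver: fake_read is a constructed stand-in for _ns_https_read (its handling of a zero length is an assumption), read_as_posted and read_checked are hypothetical names, and the bodies are constructed sample data. It assumes the server closes the connection after the response.

```tcl
# Runs in tclsh 8.4 or later; no AOLserver commands are used.

# Chunks the simulated server will deliver; once empty, reads return "" (EOF).
set ::chunks {}

# Constructed stand-in for _ns_https_read.
# Assumption: like [read $chan $n], a request for 0 bytes returns "",
# and a negative length means "whatever arrives next".
proc fake_read {length} {
    if {$length == 0 || [llength $::chunks] == 0} {
        return ""
    }
    set buf [lindex $::chunks 0]
    set ::chunks [lrange $::chunks 1 end]
    if {$length > 0 && [string length $buf] > $length} {
        # Return only what was asked for and keep the remainder queued.
        set ::chunks [linsert $::chunks 0 [string range $buf $length end]]
        set buf [string range $buf 0 [expr {$length - 1}]]
    }
    return $buf
}

# The loop from the message with its logic unchanged. $declared is the
# Content-Length header value, or "" when the header is absent.
proc read_as_posted {declared} {
    set length $declared
    if {[string match "" $length]} { set length -1 }
    set page ""
    while 1 {
        set buf [fake_read $length]
        append page $buf
        if {[string match "" $buf]} { break }
        if {$length > 0} {
            incr length -[string length $buf]
            if {$length <= 0} { break }
        }
    }
    return $page
}

# Variant that treats the header as a hint: read until EOF, then report
# whether the body matches what the server declared.
proc read_checked {declared} {
    set page ""
    while 1 {
        set buf [fake_read -1]
        if {[string match "" $buf]} { break }
        append page $buf
    }
    set got [string length $page]
    if {$declared eq ""} {
        set verdict "no-length"
    } elseif {![string is integer -strict $declared] || $declared < 0} {
        set verdict "bad-header"
    } elseif {$got < $declared} {
        set verdict "truncated"
    } elseif {$got > $declared} {
        set verdict "header-too-small"
    } else {
        set verdict "ok"
    }
    return [list $verdict $got $page]
}

# Constructed cases: label, Content-Length value, chunks actually delivered.
set cases {
    {"accurate header"  20 {0123456789 ABCDEFGHIJ}}
    {"header absent"    "" {0123456789 ABCDEFGHIJ}}
    {"header says 0"    0  {0123456789 ABCDEFGHIJ}}
    {"header too small" 10 {0123456789 ABCDEFGHIJ}}
    {"early close"      20 {0123456789}}
}

foreach case $cases {
    foreach {label declared delivered} $case break
    set ::chunks $delivered
    set posted [read_as_posted $declared]
    set ::chunks $delivered
    foreach {verdict got page} [read_checked $declared] break
    puts [format "%-17s posted loop: %2d bytes   checked: %2d bytes (%s)" \
        $label [string length $posted] $got $verdict]
}
```

The posted loop returns a short page without any error in the short-read cases, so a caller that needs to notice truncation has to compare the received length against the header itself, as read_checked does.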
Re: [AOLSERVER] Mac build error
Bas Scheffers wrote:

I hadn't built AOLserver on Mac OS X for a while and there seems to be a problem since then:

    cc -dynamiclib -install_name /Users/bas/dev/aolserver/build/lib/libnsthread.dylib -init _NsthreadsInit -L../nsthread -L../nsd -o libnsthread.dylib error.o master.o memory.o mutex.o cslock.o rwlock.o reentrant.o sema.o thread.o tls.o signal.o compat.o time.o fork.o pthread.o -framework Tcl -lpthread -framework CoreFoundation -lz -lgcc_s
    /usr/bin/libtool: can't locate file for: -lgcc_s
    /usr/bin/libtool: file: -lgcc_s is not an object file (not allowed in a library)
    make[1]: *** [libnsthread.dylib] Error 1
    make: *** [all] Error 1

I suspect this might have something to do with XCode moving to GCC 4. (I am pretty sure that happened since the last time I built it) Any ideas?

I saw this error on 1 machine, but not on another --both the same build etc. (1 machine about 6 months newer than the other). Couldn't find a fix after going back and forth with a Mac specialist. Re-installed the OS because of a time requirement. The problem did not return after re-installing the OS on the problematic machine. The only obvious difference between the two was that the problematic one had norton anti-virus regularly scanning (and auto-fixing) the libraries et al.

hopefully there's an easier way for you than a complete re-install..

Torben
[AOLSERVER] nsopenssl, new certificate not loading, yet old one does
Hi,

I'm migrating an aolserver site from one domain on a freebsd4.x system to another on apple Xserve 10.4. The old non-self signed certificate works in the new site, but the new one does not.

During startup, aolserver reports certificate file is not readable or does not exist (see log lines below). The files *do* exist.

Using identical filename and permissions, I was able to use the previous domain (still valid) certificate without errors. The certificate file is suspect, since the other certificate worked.

Other things checked:

Verified that the key file has the password removed.

config.tcl params are using absolute file references.

Suspecting there may be encoding issues with copy/pasting the new certificate, I tried transferring the certificate using various methods. The variations were tested where differences in the certificate appearance exists. Also, CA has supplied the certificates another way to confirm them.

Key and cert files only contain ascii. Verified because following results in no errors:

    iconv -c -t ascii domain-name.crt.pem
    iconv -c -t ascii domain-name.key.pem

Checking the certificates via openssl fails the same for both the domain cert that works and the new domain, so this has no diagnostic value, unless there is a way to get openssl verify to work:

    openssl verify -purpose sslserver -verbose certfile.pem
    (certificate info)
    error 20 at 0 depth lookup:unable to get local issuer certificate

Also, the various CA self signed certificates fail when I check them this way:

    root# openssl verify -purpose any -verbose root-ca-crt.pem
    (CA info)... Secure Server Certification Authority
    error 18 at 0 depth lookup:self signed certificate
    OK

Might some of the characters in the certificate get somehow pre-processed when loading in nsopenssl, such as with forward slashes or plus signs or some other character sequence etc?

I found the error message in just one place in the nsopenssl code, but I lack the C skills to answer the question myself:

http://cvs.sourceforge.net/viewcvs.py/aolserver/nsopenssl/sslcontext.c?rev=1.10&only_with_tag=v3_0beta26&view=markup

What else should I check for?

Thanks in advance,
Torben

Log lines:

    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl: generating 512-bit temporary RSA key ...
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl: generating 1024-bit temporary RSA key ...
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): loading SSL context 'users'
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' ciphers loaded successfully
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' using SSLv2 protocol
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' using SSLv3 protocol
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' using TLSv1 protocol
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Debug: KeyFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.key.pem; CertFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.crt.pem
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): 'users' certificate file is not readable or does not exist
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): SSL context 'users' left uninitialized
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): loading SSL context 'client'
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' ciphers loaded successfully
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' using SSLv2 protocol
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' using SSLv3 protocol
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' using TLSv1 protocol
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Debug: KeyFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.key.pem; CertFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.crt2.pem
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): 'client' certificate file is not readable or does not exist
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): SSL context 'client' left uninitialized
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): default SSL context for server is users
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: default server SSL context: users
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5):
Re: [AOLSERVER] nsopenssl, new certificate not loading, yet old one does
btw, there is no change when commenting out settings in config.tcl to use utf-8 encoding (and restarting aolserver).

Torben Brosten wrote:

I'm migrating an aolserver site from one domain on a freebsd4.x system to another on apple Xserve 10.4. The old non-self signed certificate works in the new site, but the new one does not.

...

Might some of the characters in the certificate get somehow pre-processed when loading in nsopenssl, such as with forward slashes or plus signs or some other character sequence etc?
Re: [AOLSERVER] nsopenssl, new certificate not loading, yet old one does
Thanks, Scott Dossy,

Knowing that not readable means does not have permission to read made all the difference. Turned out to be permissions on the dir. Testing with the old cert didn't catch it, because I was using a different dir (certs2005 instead of certs2006).

Thanks again. Happy new year!

Torben.
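The diagnosis reached in this thread (the certificate file's own mode was fine, a parent directory blocked access) can be checked by walking every component of the path as the account the server runs under. This is an added example, not code from the thread or from nsopenssl: first_blocked_component is a hypothetical helper, and the directory tree under /tmp is constructed for the demonstration, reusing the certs2006 and domain-name.crt.pem names from the messages above.

```tcl
# Runs in tclsh 8.4 or later. Run it as the user nsd runs as; the
# superuser passes every access check, so as root it reports no problem.

# Walk the path from the root down and return {status component} for the
# first component that stops the current user from reaching the file.
proc first_blocked_component {path} {
    set parts [file split [file normalize $path]]
    set last  [expr {[llength $parts] - 1}]
    set sofar [lindex $parts 0]
    for {set i 1} {$i <= $last} {incr i} {
        set sofar [file join $sofar [lindex $parts $i]]
        if {![file exists $sofar]} {
            return [list missing $sofar]
        }
        if {$i < $last} {
            if {![file isdirectory $sofar]} {
                return [list not-a-directory $sofar]
            }
            # For a directory, "executable" means the search (x) bit.
            if {![file executable $sofar]} {
                return [list no-search-permission $sofar]
            }
        } elseif {![file readable $sofar]} {
            return [list not-readable $sofar]
        }
    }
    return [list ok $sofar]
}

# Constructed demonstration tree: a world-readable placeholder file
# inside a directory whose search bit has been removed.
set base [file join /tmp certcheck-[pid]]
set dir  [file join $base certs2006]
set cert [file join $dir domain-name.crt.pem]
file mkdir $dir
set f [open $cert w]
puts $f "constructed placeholder, not a certificate"
close $f
file attributes $cert -permissions 0644
file attributes $dir  -permissions 0600

# Directory lacks the search bit, file mode itself is readable.
puts [first_blocked_component $cert]

# Same file after restoring search permission on the directory.
file attributes $dir -permissions 0755
puts [first_blocked_component $cert]

file delete -force $base
```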
Re: [AOLSERVER] nsopenssl howto
Kevin,

Here's a direct url to the config.tcl file:

http://cvs.openacs.org/cvs/*checkout*/openacs-4/etc/config.tcl?rev=1.19.2.21

cheers,
Torben

On Feb 22, 2005, at 8:31 AM, Trenton Cameron wrote:

http://openacs.org/doc/openacs-5-1/install-nsopenssl.html is a pretty good tutorial on howto install nsopenssl on aolserver

Janine Sisk wrote:

That's good for installation, but not so much for configuration. However, if you download the OpenACS tarball and grab the config file (etc/config.tcl, IIRC) it has a section in it for nsopenssl that will show you one way it can be done (I'm sure there are others).
Re: [AOLSERVER] AOLserver facelift.
There may be strategic reasons why AOL does not want to add value to AOLserver outside of existing functionality. For instance, new functionality may compete with AOL technology that has not been released. AOL could be at a disadvantage if it has to re-write other existing code to work with a significantly different AOLserver implementation, where new competition would not have that cost burden if starting with a fresh version of AOLserver. That does not stop a competitor from implementing entirely different (and newer) code, not based on AOLserver.

Perhaps the way to reconcile this is to have two opensource AOLserver versions. One version meets the current project requirements (including AOL's internal ones). The other version has less restrictive requirements, thereby fostering the creativity and implementation requirements of others in the community as technology (and its uses) evolve. This alternate version would be in AOL's strategic interests for technology innovation and advancing the AOLserver platform. AOL could add parts of this version to the other version as it sees fit.

Maybe make even numbered versions according to the strict AOL requirements, and odd numbered versions to the relaxed version?

Torben

Dossy wrote:

Spend some time thinking about it, and when you have a better idea of what that something actually is, tell us all about it. We're all listening.

Vlad Seryakov wrote:

In my case something is: i feel that contributing into AOLServer project feels like asking permission from AOL, is AOL willing to accept or even consider whatever additions i am offering. In most case they will be rejected because of stability, direction, code style or pure messed up code. I understand that AOL pays core developers but i think this is what makes me feel this is not open-source project, this is AOL project with open sources. It is not bad and AOL benefits from this greatly, so many free QA/testers but still, AOLserver goes in the direction at least i do not agree with. I think AOLServer should not be pure webserver, just another webserver even running by AOL, still just another webserver, it has potential to be full-blown application server.

I support my patches and develop different version of aolserver, allowing different protocols, for example HTTP or SIP over UDP, but i am sure AOL will not accept them, so i keep them to myself. There are many small improvements can be done and i've done a lot of them, binder for example, many modules. They are public but still, core is what AOL provides. I am not saying the word fork, but it may happen.

If you're being intentionally vague about what something is, and something refers to me and my leadership of this project, then please just say so.

You are great project leader, no doubt, you just work for AOL, it is very noticeable.
Re: [AOLSERVER] Perl on AOLServer
Brian,

The compelling application i am investigating is SQL-Ledger. All presentation pages are embedded perl...

nscgi works fine for this. It is part of the standard distribution. This is how it is configured in a local aolserver config file that runs SL:

    ns_section "ns/server/${server}/module/nscgi"
    ns_param map "GET /sql-ledger/*.pl ${serverroot}/www/sql-ledger"
    ns_param map "POST /sql-ledger/*.pl ${serverroot}/www/sql-ledger"
    ns_param Interps CGIinterps

    ns_section "ns/interps/CGIinterps"
    ns_param .pl "/usr/bin/perl"

cheers,
Torben
Re: [AOLSERVER] memory leak in 4.0.9?
Dan, Janine,

Locally, we have a 4.0.9b running sql-ledger (uses cgi-bin) with average 1000 requests per business day --apparently stable.

    %CPU %MEM VSZ RSS TT STAT STARTED TIME
    0.0 12.4 196888 127888 ?? S31Oct04 52:50.88

    luey# uname -a
    FreeBSD luey.client.comcast.net 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Tue May 25 22:47:12 GMT 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386

from config.tcl:

    ns_param map "GET /sql-ledger/*.pl ${serverroot}/www/sql-ledger"
    ns_param map "POST /sql-ledger/*.pl ${serverroot}/www/sql-ledger"
    ns_param Interps CGIinterps

    ns_section "ns/interps/CGIinterps"
    ns_param .pl "/usr/bin/perl"

hope this is useful,
Torben

Dan Chak wrote:

Ever since I upgraded to AOLServer 4.0.9, after some extended period of time, my cgi-bin scripts stop working. It just happened again, and when I checked the logs, I saw:

    [13/Jan/2005:23:58:26][25953.4131597232][-conn:thebox::3906] Error: exec: ns_fork() failed: Cannot allocate memory

I checked 'top' and it looked like AOLServer had grown to be some number of gigabytes. My physical RAM was starved, but there was still swap, so I'm not sure why ns_fork() failed. However, the deeper question is whether there is a memory leak involved here.

I won't rule out the possibility that the leak is in my own tcl library code, but the problem only started after I upgraded from the 3.4.x series. So, are there any known leaks in 4.0.x? Or, do any memory profiling tools exist for the shared memory allocated by user tcl libraries?

thanks,
--dan

dan chak
web: http://www.chak.org
Re: [AOLSERVER] memory leak in 4.0.9?
Locally, we have a 4.0.9b running sql-ledger (uses cgi-bin) with average 1000 requests per business day --apparently stable.

    %CPU %MEM VSZ RSS TT STAT STARTED TIME
    0.0 12.4 196888 127888 ?? S31Oct04 52:50.88

I hope it's doing more than JUST serving CGI at 196MB -- otherwise, something is really wrong, or the server is way misconfigured. :-)

oh..right. That includes serving an openacs site.
Re: [AOLSERVER] nsopenssl errors
Hi Steve,

Running openacs-4.6.3, aolserver 3.4.2 with the oacs modifications, and nsopenssl2.1a on freebsd 4 stable, we see the same errors, as well as:

    Error: nsopenssl: error -1/1 during SSL handshake

without any problems reported from end-users. We reboot aolserver once a week which seems to help reduce the frequency of an occasional (less than 1/week) crypto error that causes aolserver to crash. From aolserver tuning page, RSS/VSZ is at about 93%.

We use these tuning parameter values:

    stacksize [expr 32*8192]
    maxthreads 30
    minthreads 30
    maxconnections 80

They seem to cause a variety of errors in different browsers. I've been on the receiving end of one of these and in Mozilla it gave a popup message:

Are you able to reproduce this error on demand? Or is it completely random? Is it possible that your mozilla error is the result of aolserver serving an image via http from an ssl connection?

Torben
Re: [AOLSERVER] Fix to (known) nsopenssl issue
Dossy, is this patch supposed to work for 100% CPU util. cases where maxkeepalive is 0 in the config.tcl?

ns_section ns/parameters
ns_param maxkeepalive 0

Torben

Dossy Shiobara wrote:

I just updated SourceForge Bug #1012892: http://aolserver.com/sf/bug/1012892

Comment By: Dossy Shiobara (dossy)
Date: 2004-08-24 16:09

I've gone through and cleaned up nsopenssl and am attaching the patch dated 20040824 to this ticket. This, coupled with the version-specific patches for AOLserver, should fix the 100% CPU utilization issue folks have been seeing.

The root cause (from what I could tell) was that the connection was flagged for HTTP Keep-Alive, but in the case where the peer closed the connection (hit stop in the browser before the response was fully sent), the driver was returning the (dead) connection for keep-alive when it shouldn't have.

Everyone who has been helping test and troubleshoot the nsopenssl issues, please grab the patch and test. With this patch, I'm no longer able to reproduce the problem that Bruno has reported.

-- Dossy
Re: [AOLSERVER] Dossy's nsopenssl 3 beta testing
Dossy Shiobara wrote:

..

Janine and others: do you have SSLv2 in the list of protocols configured in your server context for the nsopenssl module?

yes

If you do have SSLv2 in the protocols list and are still seeing the problem, then I don't know what's wrong. Once I set up the certificate and key .pem files so that nsopenssl could load them, and added SSLv2 to the list, and configure the maxinput parameter correctly, I haven't been able to reproduce the error.

hem. I didn't have maxinput and recvwait configured for the /ssldriver

Now those have been added, aolserver4.0.7 nsopenssl3b21 boots without crashing (usually during load of nssock.so). However, instability still exists with CPU demand excessive and often leading to a crash. For example, on this VM on a Dual-Xeon 2.4Ghz 4Gig ram server running freebsd-4.10-stable with 2 nsd:

aolserver3.4.2 using nsopenssl2.x production on port 80/443: circa 2% cpu
aolserver4.0.7 using nsopenssl3b21 testonly on port 8000/8443: circa 95% cpu

duey# ps -auxww | grep aolserver
nobody 20804 91.8 1.8 91288 75020 ?? RsJ 4:35AM 23:09.00 /usr/local/aolserver4.0.7/bin/nsd8x -t /var/lib/aolserver/service1/etc/config4.tcl -u nobody -g nobody -b w.x.y.z:8000,w.x.y.z:8443 (nsd)
nobody 27056 0.4 6.0 255840 249272 ?? SsJ Tue06AM 67:45.57 /usr/local/aolserver3.4.2/bin/nsd8x -t /var/lib/aolserver/service1/etc/config.tcl -u nobody -g nobody

duey# grep 'GET /' service1-4.0.7-error.log | wc -l
69

That's about 18 mainly ssl page requests in 20 min

Some of the CPU is probably from having $debug true. Here's a repeat with $debug set false:

Ha! It crashed on startup without error msg. Last line in error.log:

[13/Aug/2004:05:34:46][26008.134533120][-main-] Notice: Loading packages/acs-tcl/tcl/utilities-init.tcl...

Trying 1 more time.. listening on ports, no page requests yet on 4.0.7:

duey# ps -auxww | grep aol
nobody 35052 0.0 6.0 255840 249272 ?? SsJ Tue06AM 68:25.46 /usr/local/aolserver3.4.2/bin/nsd8x -t /var/lib/aolserver/service1/etc/config.tcl -u nobody -g nobody
nobody 65412 0.0 0.7 37064 28948 ?? SsJ 5:58AM 1:46.86 /usr/local/aolserver4.0.7/bin/nsd8x -t /var/lib/aolserver/service1/etc/config4.tcl -u nobody -g nobody -b w.x.y.z:8000,w.x.y.z:8443 (nsd)

a few mins and http+https page requests later:

duey# ps -auxww | grep aol
nobody 35052 0.0 6.0 255840 249300 ?? SsJ Tue06AM 68:38.59 /usr/local/aolserver3.4.2/bin/nsd8x -t /var/lib/aolserver/service1/etc/config.tcl -u nobody -g nobody
nobody 65412 0.0 1.5 73888 60096 ?? SsJ 5:58AM 1:50.19 /usr/local/aolserver4.0.7/bin/nsd8x -t /var/lib/aolserver/service1/etc/config4.tcl -u nobody -g nobody -b w.x.y.z:8000,w.x.y.z:8443 (nsd)

It is staying within optimal limits. I will try it on the LAN for awhile.

Thanks, Dossy.
Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
I don't know, Nate, but I made these errors go away by changing the order of the ns_section definitions to the order described at: http://aolserver.com/docs/admin/config-detailed.html hth Torben Nathaniel Haggard wrote: Binding to port 8443 using the same setup that I mentioned in my first email fixes the problems I was having with too many log entries of this nature: 07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1 Why would port number matter? Nate On Mon, 9 Aug 2004 16:56:06 -0600, Nathaniel Haggard [EMAIL PROTECTED] wrote: nsopenssl is using openssl 0.9.6b, is that a problem? openssl3.0beta21 with aolserver4.0.7 gives similar results. The server actually crashed even more frequently but that might be due to traffic. Nate On Mon, 9 Aug 2004 10:21:01 -0600, Nathaniel Haggard [EMAIL PROTECTED] wrote: aolserver is binding to the ssl port. It is prebinding to port 443 (-b 0.0.0.0:80,0.0.0.0:443) [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt' [07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist The server crashed (and restarted because it's running from inittab) 4 times in the 20 minutes I had it running. Like Janine reported there was no explanation for the crash in the error.log; it just crasehd. Nate On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten [EMAIL PROTECTED] wrote: Nate, Is aolserver binding to the ssl port? I get an identical error when something is prebound to the ssl port and so aolserver fails to bind to it. A failed to listen on.. address already in use error shows up in the logfile just after server reports listening on same port, ie. 
during server startup. Torben ps. this is my 3rd attempt at posting this message. Hopefully this time there are no glitches. Sorry if this is a duplicate message. Nathaniel Haggard wrote: AOLserver 4.0.7 with nsopenssl from cvs has problems. The following messages are from the server.log while we tested the site. We didn't have any problems on the client side and all the pages come up as usual. [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1 [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1 [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1 [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data The server crashes every few minutes as well. Most of the entries in the server.log, which is growing at a rapid rate, are errors or warning related to nsopenssl. This looks like the problem you guys discussed earlier with nsopenssl3.0beta. Nate -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank. -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank. -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. 
Re: [AOLSERVER] ad_conn url cuts off after th #
Tracy, Try replacing # with %23 That works here (for aolserver). Tracy Adams wrote: And in my case, the # stays in the URL: Here is my URL: http://learning.coachville.com/dotlrn/clubs/coachingfundamentalsbacktobasics /coachingfundamentalsbacktobasics2/file-storage/view/class_3001:_fundamental _coaching_proficiency_#1:_crafts_collaborative_relationships/Overview?file_i d=4317 Note the #1. Tracy -Original Message- From: Tracy Adams [mailto:[EMAIL PROTECTED] Sent: Saturday, August 07, 2004 1:59 AM To: 'AOLserver Discussion' Subject: RE: [AOLSERVER] ad_conn url cuts off after th # Interesting clue. When I got to a non-aolserver site, the # remains. For example, go to http://list.auctions.shopping.yahoo.com/[EMAIL PROTECTED] amd the # remains. So I don't think the browser just cuts it off. But when I go to an AOLServer site, the # does disappear. So perhaps AOLServer is doing something - a redirect? Tracy -Original Message- From: AOLserver Discussion [mailto:[EMAIL PROTECTED] On Behalf Of Wojciech Kocjan Sent: Saturday, August 07, 2004 1:31 AM To: [EMAIL PROTECTED] Subject: Re: [AOLSERVER] ad_conn url cuts off after th # Tracy Adams wrote: Any idea how to reference the COMPLETE URL? The # is cut by the browser. [EMAIL PROTECTED]:~$ netcat -l -p 8080 195.82.181.6 GET /test/a HTTP/1.1 Host: dq.pl:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.5) Gecko/20031007 MultiZilla/1.6.3.0d Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q= 0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 Accept-Language: pl,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive This is the url I entered in the browser. http://dq.pl:8080/test/a#b -- WK -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. 
Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
Nate,

Is aolserver binding to the ssl port? I get a similar error when something is prebound to the port and so cannot bind to the port. A failed to listen on.. address already in use error shows up in the logfile just after server reports listening on same port, ie. during server startup.

Torben

Nathaniel Haggard wrote:

AOLserver 4.0.7 with nsopenssl from cvs has problems. The following messages are from the server.log while we tested the site. We didn't have any problems on the client side and all the pages come up as usual.

[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data

The server crashes every few minutes as well. Most of the entries in the server.log, which is growing at a rapid rate, are errors or warning related to nsopenssl. This looks like the problem you guys discussed earlier with nsopenssl3.0beta.

Nate
Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
Nate,

Is aolserver binding to the ssl port? I get an identical error when something is prebound to the ssl port and so aolserver fails to bind to it. A failed to listen on.. address already in use error shows up in the logfile just after server reports listening on same port, ie. during server startup.

Torben

ps. this is my 3rd attempt at posting this message. Hopefully this time there are no glitches. Sorry if this is a duplicate message.

Nathaniel Haggard wrote:

AOLserver 4.0.7 with nsopenssl from cvs has problems. The following messages are from the server.log while we tested the site. We didn't have any problems on the client side and all the pages come up as usual.

[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data

The server crashes every few minutes as well. Most of the entries in the server.log, which is growing at a rapid rate, are errors or warning related to nsopenssl. This looks like the problem you guys discussed earlier with nsopenssl3.0beta.

Nate
Re: [AOLSERVER] nsopenssl crash
Scott Goodwin, FYI, Here is another 'assertion md_c[1] == md_count[1] failed:' with similar conditions that caused server to crash. (domain and ip numbers filtered) I suspect triggered from an http post from a search form in a https connection.. Torben n.n.n.n - - [10/May/2004:19:44:32 +] GET /register/index?return_url=https%3a%2f%2fdomain%2enet%2faccounthttp_id=0user_session_id=1814 HTTP/1.1 200 4675 http://www.domain.net/gift-certificate-order; Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7b) Gecko/20040502 n.n.n.m - - [10/May/2004:19:44:33 +] GET /category-browse?category_id=5 HTTP/1.1 200 18075 http://domain.net/?usca%5fp=t; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) n.n.n.o - - [10/May/2004:19:44:34 +] POST /product-search HTTP/1.1 302 390 http://domain.com/index.html; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; .NET CLR 1.1.4322) [10/May/2004:19:44:31][92412.146191360][-conn2-] Notice: Huh? redirecting: https://domain.net/register/index?return_url=https%3a%2f%2fdomain%2enet%2faccounthttp_id=0user_session_id=1814 [10/May/2004:19:44:32][92412.146209792][-conn4-] Notice: Security: 1084218272 sec_generate_session_id_cookie setting 730158, 0. [10/May/2004:19:44:34][92412.146207744][-conn3-] Notice: Security: 1084218274 sec_generate_session_id_cookie setting 720057, 0. [10/May/2004:19:44:34][92412.146207744][-conn3-] Notice: Huh? redirecting: http://domain.net/product-search?usca%5fp=tcategory%5fid=17search%5ftext=small%20alphanumeric%20value [10/May/2004:19:44:37][92412.146207744][-conn3-] Notice: Security: 1084218277 sec_generate_session_id_cookie setting 720058, 0. 
assertion md_c[1] == md_count[1] failed: file /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rand/md_rand.c, line 312 other info: FreeBSD, 4.10-PRERELEASE #5 i386 aolserver 3.4.2 ssl logs from a startup: [10/May/2004:20:01:11][97527.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so' [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: ServerPeerVerify = 0 [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: ServerTrace = 0 [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1 [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: Using SSLv2 protocol [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: Using SSLv3 protocol [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: Using TLSv1 protocol [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: ServerCertFile = /usr/local/www/openacs-4.6.3/etc/certs.crt.pem [10/May/2004:20:01:11][97527.135335936][-main-] Notice: nsopenssl: ServerKeyFile = /usr/local/www/openacs-4.6.3/etc/certs.key.pem [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: ServerCAFile = /usr/local/www/openacs-4.6.3/etc/certs/ca.pem [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: ServerCADir = /usr/local/www/openacs-4.6.3/etc/certs/ca [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: CA certificate file does not exist [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: CA certificate directory does not exist [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: ServerSessionCache = 1 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: ServerSessionCacheId = 1 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: ServerSessionTimeout = 
300 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: ServerSessionCacheSize = 512 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerPeerVerify = 1 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerPeerVerifyDepth = 3 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerTrace = 0 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerProtocols = SSLv2, SSLv3, TLSv1 [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: Using SSLv2 protocol [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: Using SSLv3 protocol [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: Using TLSv1 protocol [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerCertFile = /usr/local/www/openacs-4.6.3/etc/certs.crt.pem [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerKeyFile = /usr/local/www/openacs-4.6.3/etc/certs.key.pem [10/May/2004:20:01:12][97527.135335936][-main-] Notice: nsopenssl: SockServerCAFile = /usr/local/www/openacs-4.6.3/etc/certs/internal_ca.pem [10/May/2004:20:01:12][97527.135335936][-main-]
[AOLSERVER] error reading opensslNNN: Unknown error: (large integer)
This is essentially cross posted at: http://openacs.org/forums/message-view?message_id=158383

What is the meaning of this Unknown error[1] from using ns_httpsget with openssl (running openacs 4.6.3)? What is the nature of it? How is it resolved?

Here's how I'm using it (on freebsd stable, aolserver3.4.2oacs1):

from authorize-gateway/tcl/authorize-gateway-procs.tcl:

if {[catch {set response [ns_httpsget $full_url 30 0 $header]} error_message]} {

Related observation. I get a request error: can't read response : no such variable.. when I place this following line directly after the above line:

ns_log Notice The response is: [value_if_exists $response]

I have read the thread at: http://www.mail-archive.com/[EMAIL PROTECTED]/msg06033.html but do not see how it was resolved --if it was. If not, is it possible to bypass using ns_httpsget with openssl?

Some example variations of the error message:

error reading openssl253: Unknown error: 175547536
error reading openssl233: Unknown error: 175550432
error reading openssl221: Unknown error: 182587232
error reading openssl206: Unknown error: 175170816
error reading openssl83: Unknown error: 167534432
error reading openssl55: Unknown error: 187695504
error reading openssl101: Unknown error: 177231376

Thanks in advance,
Torben
Re: [AOLSERVER] error reading opensslNNN: Unknown error: (large integer)
Scott Goodwin wrote: If ns_httpsget generated the error, then $response never got set. I suspect your connection is failing in the SSL handshake portion. Check obvious things like are you connecting to the correct IP and Port, is that port running SSL, etc. You didn't specify what version of nsopenssl you're running. freebsd 4.9-stable aolserver3.4.2 (version correction) nsopenssl 2.1a openacs4.6.3 history: the server crashed a day ago, with the following error in the last line of error.log (after a series of intermittent, but increasing openssl unknown errors): assertion md_c[1] == md_count[1] failed: file /usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rand/md_rand.c, line 312 I found this url: http://lists.freebsd.org/pipermail/freebsd-bugs/2003-April/000362.html ..rebuilt with a slightly different set of CFLAGS, since -DOPENSSL_THREADS appears to have been replaced by -DOPENSSL_THREAD_DEFINES Here's an abbreviated test response to the connecting IP/PORT: openssl s_client -connect secure.ezic.com:1402 CONNECTED(0006) depth=0 /C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network Operations/CN=secure.ezic.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network Operations/CN=secure.ezic.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network Operations/CN=secure.ezic.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network Operations/CN=secure.ezic.com i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/[EMAIL PROTECTED] --- Server certificate -BEGIN CERTIFICATE- .4P2Xrup9LRhyR50+ciOBA0s6v4GHJmHdrCs+RwT0Jwcsq1Qo6a/nbcJHtBzJG+Y= -END CERTIFICATE- subject=/C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network 
Operations/CN=secure.ezic.com issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/[EMAIL PROTECTED] --- No client certificate CA names sent --- SSL handshake has read 959 bytes and written 332 bytes --- New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher: DES-CBC3-SHA Session-ID: 40157CFCFBCF833C44F89265105436E14AB0A3CAFD0D774E9C7A9F3D1EE206D3 Session-ID-ctx: Master-Key: ... Key-Arg : None Start Time: 1075150076 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- read:errno=0 Thanks for your assistance. Any other suggestions appreciated. Torben On Jan 26, 2004, at 7:39 AM, Torben Brosten wrote: This is essentially cross posted at: http://openacs.org/forums/message-view?message_id=158383 What is the meaning of this Unknown error[1] from using ns_httpsget with openssl (running openacs 4.6.3)? What is the nature of it? How is it resolved? Here's how I'm using it (on freebsd stable, aolserver3.4.2oacs1): from authorize-gateway/tcl/authorize-gateway-procs.tcl: if {[catch {set response [ns_httpsget $full_url 30 0 $header]} error_message]} { Related observation. I get a request error: can't read response : no such variable.. when I place this following line directly after the above line: ns_log Notice The response is: [value_if_exists $response] I have read the thread at: http://www.mail-archive.com/[EMAIL PROTECTED]/msg06033.html but do not see how it was resolved --if it was. If not, is it possible to bypass using ns_httpsget with openssl? 
Some example variations of the error message: error reading openssl253: Unknown error: 175547536 error reading openssl233: Unknown error: 175550432 error reading openssl221: Unknown error: 182587232 error reading openssl206: Unknown error: 175170816 error reading openssl83: Unknown error: 167534432 error reading openssl55: Unknown error: 187695504 error reading openssl101: Unknown error: 177231376 Thanks in advance, Torben -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank. -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank. -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank.
[AOLSERVER] nsopenssl: sockclient: SERVER's CERT is NOT VALID message
Hi all, This SERVER's CERT is NOT VALID message appears in the error log whenever an ns_httpsget is used to contact a merchant gateway via ssl. Subsequently, the return from ns_httpsget fails. Could the failure be related even though peer-to-peer SSL does not require a recognized CA for this connection? If so, what is breaking? Any suggestions on how to track this down further? Thanks in advance, Torben server: FreeBSD 4.9-stable running aolserver3.4.2oacs1 certificate: from entrust (a recognized) CA. Netcat tests via http work without errors. The below (abridged) verbose log includes messages generated from setting: ns_param ServerTrace true ns_param SockServerTrace true ns_param SockClientTrace true Log shows startup and an early peer-to-peer SSL attempt. [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsmain: AOLserver/3.4.2 starting [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsmain: security info: uid=65534, euid=65534, gid=65534, egid=65534 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsmain: max files: FD_SETSIZE = 1024, rl_cur = 1024, rl_max = 0 ... [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/postgres.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: PostgreSQL loaded. 
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: adp: mapped /*.adp [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nssock.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nslog.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nslog: opened '/var/www/openacs-4-6.log' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nssha1.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nscache.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nscache module version @VER@ [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsrewrite.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsxml.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsxml module starting [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so' [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: Module directory set by ModuleDir to /usr/local/www/service463/etc/certs [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerPeerVerify = 0 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerTrace = 1 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv2 protocol [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv3 protocol [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using TLSv1 protocol [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCertFile = 
/usr/local/www/service463/etc/certs/dekka.crt.pem [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCADir = /usr/local/www/service463/etc/certs/ [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionCache = 1 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionCacheId = 1 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionTimeout = 300 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionCacheSize = 512 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerPeerVerify = 1 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerPeerVerifyDepth = 3 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerTrace = 1 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerProtocols = SSLv2, SSLv3, TLSv1 [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv2 protocol [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv3 protocol [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using TLSv1 protocol [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP [20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerCertFile =
Re: [AOLSERVER] nsopenssl: sockclient: SERVER's CERT is NOT VALID message
Thanks, Scott.

Why are you using the same file for both your Certificates and your list of CA Certificates to validate incoming certificates with?

This variation of the configuration is the most recent, and most disparate (pun intended). =) I cannot find docs on how to configure the openssl (*CAFile and *CADir) parameters (usually leaving their values as CA/CA.pem). Is there a section in the docs somewhere that relates to this? Are these only used with peer-to-peer server connections that require a valid CA?

Torben

When a client passes you their certificate, nsopenssl uses the CA certificates in the CAFile to validate that client certificate. Based on what I see below, you're using your own certificate as if it were a CA certificate, which means you'll never be able to validate any certificates.

SockServerCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockServerKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
SockServerCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockClientCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockClientKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
SockClientCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem

Secondly, nsopenssl does not abort a connection because of invalid certs -- it just logs them. Your response to the invalid cert is your application's responsibility. The reason is that you might want to return a useful error page to the user or application on the other end; if you barf on the SSL handshake, the user gets whatever error page the browser generates because no content ever passes between the two.

...

The SSL handshake completes successfully, meaning that you have established a good SSL connection. Your problem is the database operation. Without seeing the schema and code, can't really say much about that.
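The CA-file point made in the message above, applied to the startup lines nsopenssl writes to the error log. This is an added example, not code from the thread or from nsopenssl: a Python check that flags a CAFile identical to the CertFile and, going beyond the thread, SSLv2/SSLv3 in the protocol list and cipher lists that do not exclude the EXP, LOW and SSLv2 classes. The sample log is constructed in the format quoted in the thread; its paths and all function names are assumptions.

```python
import re

# "Notice: nsopenssl: <Key> = <value>" lines, as in the startup logs quoted in the thread.
LINE_RE = re.compile(r"Notice: nsopenssl: (?P<key>[A-Za-z]+) = (?P<value>.*\S)")
# Key prefixes seen in those logs; longest first so "SockServer" is not read as "Server".
ROLES = ("SockServer", "SockClient", "Server")
# SSLv2 is prohibited by RFC 6176 and SSLv3 by RFC 7568.
PROHIBITED_PROTOCOLS = {"SSLv2": "RFC 6176", "SSLv3": "RFC 7568"}
# OpenSSL cipher-list classes for export-grade, low-strength and SSLv2-only suites.
WEAK_CIPHER_CLASSES = ("EXP", "LOW", "SSLv2")
ALIASES = {"EXPORT": "EXP"}

# Constructed sample (not taken from the thread); paths are placeholders.
SAMPLE_LOG = """\
[01/Jan/2004:00:00:00][1.1][-main-] Notice: modload: loading '/example/bin/nsopenssl.so'
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: Using SSLv2 protocol
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: ServerCertFile = /example/certs/site.crt.pem
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: ServerCAFile = /example/certs/ca-bundle.pem
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: SockServerProtocols = TLSv1
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: SockServerCipherSuite = HIGH:!ADH:!EXP:!LOW:!SSLv2
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: SockServerCertFile = /example/certs/site.crt.pem
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: SockServerCAFile = /example/certs/ca-bundle.pem
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: SockClientCertFile = /example/certs/site.crt.pem
[01/Jan/2004:00:00:00][1.1][-main-] Notice: nsopenssl: SockClientCAFile = /example/certs/site.crt.pem
"""


def parse_settings(log_text):
    """Return {role: {setting: value}} from nsopenssl startup log lines."""
    settings = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # e.g. "Using SSLv2 protocol" or unrelated modules
        key, value = match.group("key"), match.group("value")
        for role in ROLES:
            if key.startswith(role) and len(key) > len(role):
                settings.setdefault(role, {})[key[len(role):]] = value
                break
    return settings


def _norm(name):
    return ALIASES.get(name, name)


def unexcluded_weak_classes(cipher_list):
    """Weak classes that the cipher list adds and never removes with '!'.

    In OpenSSL cipher-list syntax a '+' prefix only moves suites to the end of
    the list, so "+EXP" neither adds nor removes anything. A '-' deletion can be
    re-added by a later token, so only '!' is counted as an exclusion here.
    """
    tokens = [t for t in cipher_list.split(":") if t]
    banned = {_norm(t[1:]) for t in tokens if t[0] == "!"}
    added = {_norm(t) for t in tokens if t[0] not in "!+-"}
    return [c for c in WEAK_CIPHER_CLASSES
            if c not in banned and ("ALL" in added or c in added)]


def audit(settings):
    """Return a list of (role, setting, detail) findings."""
    findings = []
    for role in sorted(settings):
        cfg = settings[role]
        # An endpoint certificate used as the CA list cannot validate any peer.
        if cfg.get("CertFile") and cfg.get("CertFile") == cfg.get("CAFile"):
            findings.append((role, "CAFile", "same file as CertFile"))
        for proto in (p.strip() for p in cfg.get("Protocols", "").split(",")):
            if proto in PROHIBITED_PROTOCOLS:
                findings.append((role, "Protocols", proto))
        weak = unexcluded_weak_classes(cfg.get("CipherSuite", ""))
        if weak:
            findings.append((role, "CipherSuite", ",".join(weak)))
    return findings


if __name__ == "__main__":
    for role, setting, detail in audit(parse_settings(SAMPLE_LOG)):
        print(f"{role}{setting}: {detail}")
```

Because nsopenssl, as described above, only logs an invalid peer certificate, a clean result here does not mean the application rejects bad certificates; that decision still has to be made in application code.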