mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
Hi, mod_slotmem cannot work on windows by design. On windows we have two processes, so the storage->grab/slotmem_grab will always fail because the inuse flag was already set in the parent, and since this is shared memory the child will see it as used. On unixes fork is used, so the inuse flag is set only once. Not sure how to solve this. Perhaps adding generation logic like we are doing for scoreboard. In any case, until this gets resolved httpd is unusable on win32. Regards -- ^TM
Re: [VOTE] Bundle apr/apu with 2.4.x
[x] +1: Bundle apr/apu w/ Apache httpd 2.4.x [ ] +0: I don't care [ ] -1: Do not bundle apr/apu with Apache httpd 2.4.x
Re: mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
On Feb 3, 2012, at 4:25 AM, Mladen Turk wrote: Hi, mod_slotmem cannot work on windows by design. On windows we have two processes, so the storage->grab/slotmem_grab will always fail because the inuse flag was already set in the parent, and since this is shared memory the child will see it as used. On unixes fork is used, so the inuse flag is set only once. I'm trying to understand this... how is this different from any of the other mpms which also have at least 2 processes?
Re: mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
Under Win32, do the 2 processes know which is which? On Feb 3, 2012, at 5:46 AM, Jim Jagielski wrote: On Feb 3, 2012, at 4:25 AM, Mladen Turk wrote: Hi, mod_slotmem cannot work on windows by design. On windows we have two processes, so the storage->grab/slotmem_grab will always fail because the inuse flag was already set in the parent, and since this is shared memory the child will see it as used. On unixes fork is used, so the inuse flag is set only once. I'm trying to understand this... how is this different from any of the other mpms which also have at least 2 processes?
Re: mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
On 02/03/2012 11:46 AM, Jim Jagielski wrote: On Feb 3, 2012, at 4:25 AM, Mladen Turk wrote: Hi, mod_slotmem cannot work on windows by design. On windows we have two processes, so the storage->grab/slotmem_grab will always fail because the inuse flag was already set in the parent, and since this is shared memory the child will see it as used. On unixes fork is used, so the inuse flag is set only once. I'm trying to understand this... how is this different from any of the other mpms which also have at least 2 processes? Right, seems that's not the reason for PR52402. Found the fix for it. The reason is the loop:

while (s) {
    int i,j;
    proxy_balancer *balancer;
    sconf = s->module_config;
    conf = (proxy_server_conf *)ap_get_module_config(sconf, proxy_module);
    /* adding ... */
    if (conf->bslot) {
        /* We already have shared memory storage created for this server_rec.
         * Skip second invocation because there are no more space left in
         * the shm so the storage->grab() will fail.
         */
        s = s->next;
        continue;
    }

Fixes the issue, although I'm not sure that's the correct solution. Shared memory id uses vhost name for key, and I think it should use vhost:port combination instead. However I might be wrong and the above patch is all that's needed if the balancer is shared between multiple server_rec's. Regards -- ^TM
Re: [VOTE] Bundle apr/apu with 2.4.x
On 02 Feb 2012, at 8:20 PM, Jim Jagielski wrote: [ ] +1: Bundle apr/apu w/ Apache httpd 2.4.x [ ] +0: I don't care [X] -1: Do not bundle apr/apu with Apache httpd 2.4.x To be most specific, do what we're doing now. (ie separate -deps). Doing what we're doing now would be: [X] +1: Bundle apr/apu w/ Apache httpd 2.4.x Can you confirm that's how you'd vote? Ah, I interpreted it as a return to including it in the tarball. In that case, I move off the fence and still say Do not bundle. Either way, to build httpd you need APR to be present, which in turn means you need to download it separately, and it's far safer to download it from apr.apache.org than a copy from httpd.apache.org. Regards, Graham
Re: mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
On Feb 3, 2012, at 8:03 AM, Mladen Turk wrote: Right, seems that's not the reason for PR52402. Found the fix for it. The reason is the loop: while (s) { int i,j; proxy_balancer *balancer; sconf = s->module_config; conf = (proxy_server_conf *)ap_get_module_config(sconf, proxy_module); /* adding ... */ if (conf->bslot) { /* We already have shared memory storage created for this server_rec. * Skip second invocation because there are no more space left in * the shm so the storage->grab() will fail. */ s = s->next; continue; } Fixes the issue, although I'm not sure that's the correct solution. Shared memory id uses vhost name for key, and I think it should use vhost:port combination instead. However I might be wrong and the above patch is all that's needed if the balancer is shared between multiple server_rec's. THANKS! Let me look into this more... at 1st blush, the suggestion of vhost:port makes sense... maybe even scheme:vhost:port.
Re: mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
On 02/03/2012 02:45 PM, Jim Jagielski wrote: On Feb 3, 2012, at 8:03 AM, Mladen Turk wrote: Right, seems that's not the reason for PR52402. Found the fix for it. The reason is the loop: while (s) { int i,j; proxy_balancer *balancer; sconf = s->module_config; conf = (proxy_server_conf *)ap_get_module_config(sconf,proxy_module); /* adding ... */ if (conf->bslot) { /* We already have shared memory storage created for this server_rec. * Skip second invocation because there are no more space left in * the shm so the storage->grab() will fail. */ s = s->next; continue; } Fixes the issue, although I'm not sure that's the correct solution. Shared memory id uses vhost name for key, and I think it should use vhost:port combination instead. However I might be wrong and the above patch is all that's needed if the balancer is shared between multiple server_rec's. THANKS! Let me look into this more... at 1st blush, the suggestion of vhost:port makes sense... maybe even scheme:vhost:port. Well actually I think that there could be multiple server_rec for which ap_get_module_config(s->module_config,proxy_module) will return the same proxy_server_conf. My patch will handle those cases (the PR52402 itself). I think I'll commit that because, regardless of anything else, trying to create already created shared memory is an obvious error. Regards -- ^TM
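The failure mode discussed in this sub-thread, as an added example that is not httpd code: a small C model of a slotmem-like store with a fixed slot count, walked once per server_rec, where several server_recs resolve to the same proxy_server_conf. The type and function names are this example's own; the `if (conf->bslot) continue;` guard is the one proposed above.

```c
/* Added example, not httpd code: a model of the PR52402 failure.
 * A slotmem-like store hands out a fixed number of slots via sm_grab();
 * balancer setup walks the server_rec list and grabs one slot per
 * balancer.  When several server_recs share one proxy_server_conf
 * (inherited config), the walk sets up the same conf more than once and
 * the later passes run the store out of slots.  Names are hypothetical. */
#include <string.h>

#define SLOT_COUNT 4
enum { SM_OK = 0, SM_ENOSLOT = 1 };

typedef struct { int inuse[SLOT_COUNT]; } slotmem_t;

/* Find a free slot and mark it in use, like slotmem grab(). */
static int sm_grab(slotmem_t *sm, int *id)
{
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!sm->inuse[i]) { sm->inuse[i] = 1; *id = i; return SM_OK; }
    }
    return SM_ENOSLOT;
}

typedef struct { int nbalancers; slotmem_t *bslot; } proxy_server_conf;
typedef struct server_rec {
    proxy_server_conf *conf;       /* what ap_get_module_config() would return */
    struct server_rec *next;
} server_rec;

/* Walk the server list and grab one slot per balancer.
 * guard != 0 applies the proposed fix: skip a conf whose storage exists.
 * Returns the number of failed grabs. */
static int balancer_post_config(server_rec *head, slotmem_t *sm, int guard)
{
    int failures = 0;
    for (server_rec *s = head; s; s = s->next) {
        proxy_server_conf *conf = s->conf;
        if (guard && conf->bslot)
            continue;              /* storage already created for this conf */
        conf->bslot = sm;
        for (int i = 0; i < conf->nbalancers; i++) {
            int id;
            if (sm_grab(sm, &id) != SM_OK)
                failures++;
        }
    }
    return failures;
}

/* Constructed scenario: main server plus two vhosts sharing one conf with
 * two balancers, against a store of SLOT_COUNT slots.  Without the guard
 * the walk asks for 6 slots out of 4; with it, only the first pass grabs. */
static int run_model(int guard)
{
    slotmem_t sm;
    memset(&sm, 0, sizeof sm);
    proxy_server_conf conf = { 2, NULL };
    server_rec v2 = { &conf, NULL }, v1 = { &conf, &v2 }, main_s = { &conf, &v1 };
    return balancer_post_config(&main_s, &sm, guard);
}
```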
Re: mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
On Fri, Feb 03, 2012 at 03:06:03PM +0100, Mladen Turk wrote: Well actually I think that there could be multiple server_rec for which ap_get_module_config(s->module_config,proxy_module) will return the same proxy_server_conf. My patch will handle those cases (the PR52402 itself). I think I'll commit that because, regardless of anything else, trying to create already created shared memory is an obvious error. +1. thanks -- === Jim Jagielski [|] j...@jagunet.com [|] http://www.jaguNET.com/ Great is the guilt of an unnecessary war ~ John Adams
Re: remove mod_heart* from 2.4?(was: 2.4.0 GA This week?)
On 01/03/2012 09:22 AM, Gregg L. Smith wrote: Since I have been the most vocal about this watchdog/heartmonitor/heartbeats on windows ... I should chime in. Is the issue still present, and what is the issue actually? I have watchdog/heartmonitor/heartbeat working on windows using the current svn 2.4.x branch. If you can shed some light on what's broken I can try to fix that. Regards -- ^TM
Re: remove mod_heart* from 2.4?(was: 2.4.0 GA This week?)
On 1/3/2012 2:22 AM, Gregg L. Smith wrote: Since I have been the most vocal about this watchdog/heartmonitor/heartbeats on windows ... I should chime in. I can tell someone what each does (as far as I have seen). There are minimal docs on all but watchdog (which is required for a couple) ... but ... look at my emails in the past ... I am hardly the one to write docs :) More to the point, what do they interact with? What convention or protocol are they implemented with? Let's start with the basics; what do they add to this MB's large tarball to benefit Joe User?
Re: mod_slotmem and mod_proxy_balancer/others on win32 (PR52402)
On 2/3/2012 4:46 AM, Jim Jagielski wrote: On Feb 3, 2012, at 4:25 AM, Mladen Turk wrote: Hi, mod_slotmem cannot work on windows by design. On windows we have two processes, so the storage->grab/slotmem_grab will always fail because the inuse flag was already set in the parent, and since this is shared memory the child will see it as used. On unixes fork is used, so the inuse flag is set only once. I'm trying to understand this... how is this different from any of the other mpms which also have at least 2 processes? CreateProcess() ... fork()
Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
On 2/2/2012 1:02 PM, Daniel Ruggeri wrote: Since this happens with every attempt to start, I suspect it has nothing to do with the new directive and more to do with something I did on the openssl build. I was, indeed, doing something stupid. A build with openssl 1.0.0g replicates the behavior of 0.9.8g in that it fails when SSLProxyMachineCertificateChainFile is enabled. The annoying part is that (due to the error I get when running in dbx) I can get no useful information in a debug session from Solaris. ... so I've switched to RHEL and gdb and have interesting information. Under Linux, I get this error on init: [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device API `chil' [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed This only happens when SSLProxyMachineCertificateChainFile is set. With some quick debugging I see that the hwcrhk_finish DOES NOT get called during ssl_cleanup_pre_config... but DOES get called when the directive has been removed. To me, it looks like httpd has not registered the engine for cleanup, but that certainly shouldn't be impacted by this patch. It seems something in the process of loading the store is complicating things. I'll continue poking around, but pointers are certainly appreciated. -- Daniel Ruggeri
Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
On 03/02/2012 17:45, Daniel Ruggeri wrote: On 2/2/2012 1:02 PM, Daniel Ruggeri wrote: Since this happens with every attempt to start, I suspect it has nothing to do with the new directive and more to do with something I did on the openssl build. I was, indeed, doing something stupid. A build with openssl 1.0.0g replicates the behavior of 0.9.8g in that it fails when SSLProxyMachineCertificateChainFile is enabled. The annoying part is that (due to the error I get when running in dbx) I can get no useful information in a debug session from Solaris. ... so I've switched to RHEL and gdb and have interesting information. Under Linux, I get this error on init: [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device API `chil' [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed This only happens when SSLProxyMachineCertificateChainFile is set. With some quick debugging I see that the hwcrhk_finish DOES NOT get called during ssl_cleanup_pre_config... but DOES get called when the directive has been removed. To me, it looks like httpd has not registered the engine for cleanup, but that certainly shouldn't be impacted by this patch. It seems something in the process of loading the store is complicating things. I'll continue poking around, but pointers are certainly appreciated. Hmm... the ENGINE code is careful not to shutdown an ENGINE if keys exist which make use of it. So there is a possibility that some chain verification leaves a reference to an RSA key which prevents the ENGINE from closing down completely. In engines/e_chil.c try commenting out the line containing ERR_load_HWCRHK_strings(). Only side effect of doing that is you will only get numerical error codes and not error strings. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com
Re: [PATCH] trunk/2.4 core output filter is broken
On Thursday 02 February 2012, William A. Rowe Jr. wrote: On 2/2/2012 8:36 AM, Jim Jagielski wrote: bb == NULL ?? Looking at his attached screen scrape; no. Which leaves with something like e == NULL or a broken bb. The former :-( Gregg, please add this or try the attached patch which is against current trunk and includes all fixes so far. Thanks in advance. --- a/server/mpm/winnt/child.c +++ b/server/mpm/winnt/child.c @@ -743,11 +743,10 @@ apr_status_t winnt_insert_network_bucket(conn_rec *c, apr_bucket *e; winnt_conn_ctx_t *context = ap_get_module_config(c-conn_config, mpm_winnt_module); -if (context == NULL) +if (context == NULL || (e = context-overlapped.Pointer) == NULL) return DECLINED; /* seed the brigade with AcceptEx read heap bucket */ -e = context-overlapped.Pointer; APR_BRIGADE_INSERT_HEAD(bb, e); /* also seed the brigade with the client socket. */ e = apr_bucket_socket_create(socket, c-bucket_alloc); diff --git a/include/ap_mmn.h b/include/ap_mmn.h index 3d6547d..faf24fe 100644 --- a/include/ap_mmn.h +++ b/include/ap_mmn.h @@ -390,12 +390,14 @@ * ap_core_ctx_get_bb(), move core_net rec definition * to http_core.h * 20120201.0 (2.5.0-dev) Bump MODULE_MAGIC_COOKIE to AP25! + * 20120203.0 (2.5.0-dev) Remove ap_create_core_ctx(), ap_core_ctx_get_bb(); + * add insert_network_bucket hook */ #define MODULE_MAGIC_COOKIE 0x41503235UL /* AP25 */ #ifndef MODULE_MAGIC_NUMBER_MAJOR -#define MODULE_MAGIC_NUMBER_MAJOR 20120201 +#define MODULE_MAGIC_NUMBER_MAJOR 20120203 #endif #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */ diff --git a/include/http_core.h b/include/http_core.h index 9332e2e..1cfd182 100644 --- a/include/http_core.h +++ b/include/http_core.h 
@@ -704,24 +704,17 @@ typedef struct core_net_rec { } core_net_rec; /** - * Allocate and fill the core_ctx_t for the core input filter, but don't - * create a bucket with the input socket. - * Normally this is done automatically when the core input filter is called - * for the first time, but MPMs or protocol modules that need to do special - * socket setup can call this function to do the initialization earlier. - * They must add the input socket bucket to the core input filter's bucket - * brigade, see ap_core_ctx_get_bb(). - * @param c The conn_rec of the connection - * @return The core_ctx_t to be stored in core_net_rec-in_ctx - */ -AP_DECLARE(core_ctx_t *) ap_create_core_ctx(conn_rec *c); - -/** - * Accessor for the core input filter's bucket brigade - * @param c The core_ctx_t to get the brigade from - * @return The bucket brigade - */ -AP_DECLARE(apr_bucket_brigade *) ap_core_ctx_get_bb(core_ctx_t *ctx); + * Insert the network bucket into the core input filter's input brigade. + * This hook is intended for MPMs or protocol modules that need to do special + * socket setup. + * @param c The connection + * @param bb The brigade to insert the bucket into + * @param socket The socket to put into a bucket + * @return DECLINED if the current function does not handle this connection, + * APR_SUCCESS or an error otherwise. + */ +AP_DECLARE_HOOK(apr_status_t, insert_network_bucket, +(conn_rec *c, apr_bucket_brigade *bb, apr_socket_t *socket)) /* -- * diff --git a/server/core.c b/server/core.c index eb8147b..e05534b 100644 --- a/server/core.c +++ b/server/core.c 
@@ -82,12 +82,18 @@ APR_HOOK_STRUCT( APR_HOOK_LINK(get_mgmt_items) +APR_HOOK_LINK(insert_network_bucket) ) AP_IMPLEMENT_HOOK_RUN_ALL(int, get_mgmt_items, (apr_pool_t *p, const char *val, apr_hash_t *ht), (p, val, ht), OK, DECLINED) +AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t, insert_network_bucket, +(conn_rec *c, apr_bucket_brigade *bb, + apr_socket_t *socket), +(c, bb, socket), DECLINED) + /* Server core module... This module provides support for really basic * server operations, including options and commands which control the * operation of other modules. Consider this the bureaucracy module. @@ -4729,6 +4735,15 @@ AP_DECLARE(apr_uint32_t) ap_random_pick(apr_uint32_t min, apr_uint32_t max) return number; } +static apr_status_t core_insert_network_bucket(conn_rec *c, + apr_bucket_brigade *bb, + apr_socket_t *socket) +{ +apr_bucket *e = apr_bucket_socket_create(socket, c-bucket_alloc); +APR_BRIGADE_INSERT_TAIL(bb, e); +return APR_SUCCESS; +} + static void core_dump_config(apr_pool_t *p, server_rec *s) { core_server_config *sconf = ap_get_core_module_config(s-module_config); @@ -4803,6 +4818,8
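Review bot: in the server/mpm/winnt/child.c hunk the new condition `if (context == NULL || (e = context->overlapped.Pointer) == NULL) return DECLINED;` silently falls back to the core's socket-only bucket when AcceptEx delivered no data; add a comment stating that a NULL Pointer is an expected state here (no bytes arrived with the accept) rather than a setup error, and consider keeping the assignment to `e` on its own line, since the removed `e = context->overlapped.Pointer;` was easier to read than an assignment folded into the condition.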
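Review bot: the new doc comment for insert_network_bucket in include/http_core.h says `@return DECLINED if the current function does not handle this connection, APR_SUCCESS or an error otherwise`, but DECLINED is an int (-1) while the hook is declared to return apr_status_t; this is exactly the OK/DECLINED-versus-apr_status_t mix Joe Orton raises later in the thread. Either state in the comment that DECLINED is the reserved "not handled" value of this hook, or pick a dedicated apr_status_t for it (the thread suggests one in the APR_OS_START_USERERR range).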
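Review bot: the server/core.c hunk declares the hook with AP_IMPLEMENT_HOOK_RUN_FIRST and adds core_insert_network_bucket, which only inserts the socket bucket with APR_BRIGADE_INSERT_TAIL, but the patch is cut off at `@@ -4803,6 +4818,8` before the hook registration is visible; RUN_FIRST stops at the first non-DECLINED result, so the core default must be registered last (APR_HOOK_REALLY_LAST), otherwise the winnt hook that seeds the AcceptEx heap bucket at the HEAD of the brigade never runs. Please include the registration hunk so that ordering can be checked.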
Re: remove mod_heart* from 2.4?(was: 2.4.0 GA This week?)
Mladen, It is fixed, r1210449 did the trick. Once that extra Win32 pid check was removed, the watchdog takes steps, heartbeat beats, heartmonitor monitors. I thought I confirmed this back then, sorry if I didn't. Regards, Gregg On 2/3/2012 6:45 AM, Mladen Turk wrote: On 01/03/2012 09:22 AM, Gregg L. Smith wrote: Since I have been the most vocal about this watchdog/heartmonitor/heartbeats on windows ... I should chime in. Is the issue still present, and what is the issue actually? I have watchdog/heartmonitor/heartbeat working on windows using the current svn 2.4.x branch. If you can shed some light on what's broken I can try to fix that. Regards
Re: remove mod_heart* from 2.4?(was: 2.4.0 GA This week?)
On 2/3/2012 9:35 AM, William A. Rowe Jr. wrote: On 1/3/2012 2:22 AM, Gregg L. Smith wrote: Since I have been the most vocal about this watchdog/heartmonitor/heartbeats on windows ... I should chime in. I can tell someone what each does (as far as I have seen). There are minimal docs on all but watchdog (which is required for a couple) ... but ... look at my emails in the past ... I am hardly the one to write docs :) More to the point, what do they interact with? What convention or protocol are they implemented with? Let's start with the basics; what do they add to this MB's large tarball to benefit Joe User? A way of monitoring a cluster of servers and opening another way of balancing the load (lb_method_byheartbeat). This is what I see when I look at the bundle.
Re: [PATCH] trunk/2.4 core output filter is broken
On Thursday 02 February 2012, Joe Orton wrote: The combination of APR_SUCCESS and DECLINED is unusual; an int return value with OK/DECLINED? Input and output filters should return an apr_status_t. So, if the hook does not return an apr_status_t, core_input_filter() would have to invent some apr_status_t value, which is bad. And I think the general principle that return code 'int' means HTTP_* error code should be kept. But I agree that DECLINED == -1 is not a good idea, because it could in theory collide with another APR_E* code. Should we define an AP_STATUS_DECLINED or something in the APR_OS_START_USERERR range? Or simply change the definition of DECLINED to be in the APR_OS_START_USERERR range? APR_OS_START_USERERR is 12, so there should be no danger of a collision with HTTP_*. It would require a major MMN bump, but making core_output_filter_ctx_t and core_ctx_t private is an API change, anyway.
mod_proxy_fcgi and EAGAIN (hacking)
Here is what I am testing: I am using (currently one) mod_proxy_fcgi member in a balancer to php-fpm. I have already run into some issues with fcgi:// as a balancer member as described in http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%3CB0DADBC2-5154-4C37-93B5-D38B834BE571%40riggs.me%3E. So, I have applied a small patch to httpd and php to get around these issues. Everything has been working perfectly, but we noticed that some uploads fail with a 503. (We could upload a 181KB file but not 182KB.) I spent considerable time debugging and tracing the issue. I finally tracked this down to send_data() in mod_proxy_fcgi. While looping over the calls to apr_socket_sendv(), it would make 23 successful calls of 8200 bytes followed by a partial send and then receive EAGAIN. Because this is not APR_SUCCESS, it breaks the loop in the next line and returns a 503. Since it received EAGAIN, I just brute-forced it to not break the loop on EAGAIN, but what is the correct fix? Is there something wrong in my setup? Is it a bug? Should send_data() be handling EAGAIN and continue the loop up to a timeout? Your thoughts are appreciated. - Jim My brute-force hack: --- mod_proxy_fcgi.c.orig 2012-02-03 13:23:09.132232659 -0600 +++ mod_proxy_fcgi.c2012-02-03 13:25:19.794906516 -0600 @@ -188,7 +188,7 @@ while (to_write) { apr_size_t n = 0; rv = apr_socket_sendv(s, vec + offset, nvec - offset, n); -if (rv != APR_SUCCESS) { +if ((rv != APR_SUCCESS) !APR_STATUS_IS_EAGAIN(rv)) { break; } if (n 0) {
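Review bot: the replacement condition `if ((rv != APR_SUCCESS) !APR_STATUS_IS_EAGAIN(rv))` has lost its `&&` in the archive copy, and as a fix it turns EAGAIN into a tight retry: on a non-blocking socket apr_socket_sendv returns EAGAIN immediately while the kernel send buffer is full, so the loop spins until php-fpm drains it. Wait for writability with a bounded timeout (apr_poll on the socket, or a socket timeout) before retrying, and keep a deadline so a stalled backend still ends in an error instead of a worker looping forever; the `n > 0` branch (shown as `if (n 0)`) must still advance offset after the partial send that precedes the EAGAIN so the retry does not resend bytes the backend already accepted.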
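An added example, not mod_proxy_fcgi or httpd code, of what the send loop could do instead of breaking on EAGAIN: it uses POSIX writev/poll (standing in for apr_socket_sendv) over a non-blocking socketpair, waits for writability with a bounded timeout when EAGAIN comes back, and advances the iovec past partial sends; a forked reader drains the other end so the writer really does hit EAGAIN. All function names are this example's own.

```c
/* Added example (not mod_proxy_fcgi code): a sendv loop over a
 * non-blocking socket that treats EAGAIN as "wait, then retry" with a
 * deadline instead of breaking out with an error, and that advances the
 * iovec past partial sends.  POSIX writev/poll stand in for
 * apr_socket_sendv; the to_write/offset bookkeeping mirrors the loop
 * quoted in the thread.  Function names are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send every byte in vec[0..nvec) or fail.  Returns 0 on success,
 * otherwise an errno value (ETIMEDOUT when no progress within timeout_ms). */
static int send_all(int fd, struct iovec *vec, int nvec, int timeout_ms)
{
    int offset = 0;
    size_t to_write = 0;
    for (int i = 0; i < nvec; i++) to_write += vec[i].iov_len;

    while (to_write > 0) {
        ssize_t n = writev(fd, vec + offset, nvec - offset);
        if (n < 0) {
            if (errno == EINTR) continue;
            if (errno != EAGAIN && errno != EWOULDBLOCK)
                return errno;                  /* a real error: give up */
            /* Kernel buffer full: block for writability, but bounded */
            struct pollfd pfd = { fd, POLLOUT, 0 };
            int r = poll(&pfd, 1, timeout_ms);
            if (r == 0) return ETIMEDOUT;
            if (r < 0 && errno != EINTR) return errno;
            continue;
        }
        to_write -= (size_t)n;
        /* Partial send: skip vectors fully written, trim the next one */
        while (n > 0 && offset < nvec) {
            if ((size_t)n >= vec[offset].iov_len) {
                n -= (ssize_t)vec[offset].iov_len;
                offset++;
            } else {
                vec[offset].iov_base = (char *)vec[offset].iov_base + n;
                vec[offset].iov_len -= (size_t)n;
                n = 0;
            }
        }
    }
    return 0;
}

/* Drive send_all over a socketpair with a forked reader so the writer
 * really hits EAGAIN.  Returns the byte count the reader confirmed, or -1
 * on a send or setup failure. */
static long demo_send(size_t total)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                            /* reader: count until EOF */
        close(sv[0]);
        char buf[4096]; long got = 0; ssize_t r;
        while ((r = read(sv[1], buf, sizeof buf)) > 0) got += r;
        _exit(got == (long)total ? 0 : 1);
    }
    close(sv[1]);
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);

    /* Constructed payload split into 8200-byte chunks, like the sendv
     * calls observed in the thread, plus a short final chunk. */
    char *data = malloc(total);
    memset(data, 'x', total);
    int nvec = (int)((total + 8199) / 8200);
    struct iovec *vec = calloc((size_t)nvec, sizeof *vec);
    for (int i = 0; i < nvec; i++) {
        vec[i].iov_base = data + (size_t)i * 8200;
        vec[i].iov_len = (i == nvec - 1) ? total - (size_t)i * 8200 : 8200;
    }
    int rc = send_all(sv[0], vec, nvec, 2000);
    close(sv[0]);                              /* EOF for the reader */
    int status = 0;
    waitpid(pid, &status, 0);
    free(vec); free(data);
    if (rc != 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (long)total;
}
```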
Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
Remember the CHIL engine cleanup was fixed to prevent a dangling cleanup function pointer... I forget which OpenSSL version got that fix but in any case RH only recently backported it. I'm sure I didn't test with any proxy config at the time. S. -- Sander Temme san...@temme.net Sent from my phone On Feb 3, 2012, at 1:27 PM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 03/02/2012 17:45, Daniel Ruggeri wrote: On 2/2/2012 1:02 PM, Daniel Ruggeri wrote: Since this happens with every attempt to start, I suspect it has nothing to do with the new directive and more to do with something I did on the openssl build. I was, indeed, doing something stupid. A build with openssl 1.0.0g replicates the behavior of 0.9.8g in that it fails when SSLProxyMachineCertificateChainFile is enabled. The annoying part is that (due to the error I get when running in dbx) I can get no useful information in a debug session from Solaris. ... so I've switched to RHEL and gdb and have interesting information. Under Linux, I get this error on init: [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device API `chil' [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed This only happens when SSLProxyMachineCertificateChainFile is set With some quick debugging I see that the hwcrhk_finish DOES NOT get called during ssl_cleanup_pre_config... but DOES get called when the directive has been removed. To me, it looks like httpd has not registered the engine for cleanup, but that certainly shouldn't be impacted by this patch. It seems something in the process of loading the store is complicating things. I'll continue poking around, but pointers are certainly appreciated. Hmm... the ENGINE code is careful not to shutdown an ENGINE if keys exist which make use of it. 
So there is a possibility that some chain verification leaves a reference to an RSA key which prevents the ENGINE from closing down completely. In engines/e_chil.c try commenting out the line containing ERR_load_HWCRHK_strings(). Only side effect of doing that is you will only get numerical error codes and not error strings. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com
Re: [VOTE] Bundle apr/apu with 2.4.x
On Thursday 02 February 2012, Jim Jagielski wrote: [ ] +1: Bundle apr/apu w/ Apache httpd 2.4.x [ ] +0: I don't care [X] -1: Do not bundle apr/apu with Apache httpd 2.4.x Provided that the --with-included-apr mechanism stays and the docs say download apr-x.y.tar.gz and extract to srclib/apr, download apr-util-y.z.tar.gz and extract to srclib/apr-util. I don't think that this would be a significant problem for users. Having to do the full configure/make/make install dance would be a different issue.
Re: remove mod_heart* from 2.4?(was: 2.4.0 GA This week?)
On 03.02.2012 19:51, Gregg Smith wrote: On 2/3/2012 9:35 AM, William A. Rowe Jr. wrote: On 1/3/2012 2:22 AM, Gregg L. Smith wrote: Since I have been the most vocal about this watchdog/heartmonitor/heartbeats on windows ... I should chime in. I can tell someone what each does (as far as I have seen). There are minimal docs on all but watchdog (which is required for a couple) ... but ... look at my emails in the past ... I am hardly the one to write docs :) More to the point, what do they interact with? What convention or protocol are they implemented with? Let's start with the basics; what do they add to this MB's large tarball to benefit Joe User? A way of monitoring a cluster of servers and opening another way of balancing the load (lb_method_byheartbeat). This is what I see when I look at the bundle. And some basic docs have been added in the meantime. Rainer
Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
On 2/3/2012 12:27 PM, Dr Stephen Henson wrote: Hmm... the ENGINE code is careful not to shutdown an ENGINE if keys exist which make use of it. So there is a possibility that some chain verification leaves a reference to an RSA key which prevents the ENGINE from closing down completely. In engines/e_chil.c try commenting out the line containing ERR_load_HWCRHK_strings(). Only side effect of doing that is you will only get numerical error codes and not error strings. Steve. I will try that on Monday. This is a good tip, though, and gives me an avenue to explore! Thanks! On 2/3/2012 1:41 PM, Sander Temme wrote: Remember the CHIL engine cleanup was fixed to prevent a dangling cleanup function pointer... I forget which OpenSSL version got that fix but in any case RH only recently backported it. I'm sure I didn't test with any proxy config at the time. Correct, sir. I am compiling and packaging for three platforms from the latest sources available - I do all of my testing with two-way proxy authentication. This recent test was openssl 1.0.0g but the behavior is observed also in 0.9.8t. I am certain that this is an issue only when using SSLProxyMachineCertificateChainFile (currently in trunk and proposed for backport in 2.2) with an engine. -- Daniel Ruggeri
Re: remove mod_heart* from 2.4?(was: 2.4.0 GA This week?)
On 2/3/2012 12:51 PM, Gregg Smith wrote: On 2/3/2012 9:35 AM, William A. Rowe Jr. wrote: On 1/3/2012 2:22 AM, Gregg L. Smith wrote: Since I have been the most vocal about this watchdog/heartmonitor/heartbeats on windows ... I should chime in. I can tell someone what each does (as far as I have seen). There are minimal docs on all but watchdog (which is required for a couple) ... but ... look at my emails in the past ... I am hardly the one to write docs :) More to the point, what do they interact with? What convention or protocol are they implemented with? Let's start with the basics; what do they add to this MB's large tarball to benefit Joe User? A way of monitoring a cluster of servers and opening another way of balancing the load (lb_method_byheartbeat). This is what I see when I look at the bundle. With what external mechanisms that exist today? Over what protocol? In use today by mod_proxy_balancer? I'll review the docs myself next week when I come up for air, but what I don't want to do is ship something a typical user can't directly take advantage of without third party modules.
Re: remove mod_heart* from 2.4?(was: 2.4.0 GA This week?)
On 02/04/2012 12:27 AM, William A. Rowe Jr. wrote: On 2/3/2012 12:51 PM, Gregg Smith wrote: A way of monitoring a cluster of servers and opening another way of balancing the load (lb_method_byheartbeat). This is what I see when I look at the bundle. With what external mechanisms that exist today? Over what protocol? In use today by mod_proxy_balancer? The protocol allows exchanging heartbeat info between multiple httpd instances and as such is irrelevant. Although it could be made public so that other app servers can post their status to heartmonitor, allowing group members to be added/removed when they go on/off line (at least that's the idea). I'll review the docs myself next week when I come up for air, but what I don't want to do is ship something a typical user can't directly take advantage of without third party modules. No third party modules are needed. You need a frontend httpd and a bunch of backend httpd+php or something like that. Regards -- ^TM
Re: [PATCH] trunk/2.4 core output filter is broken
On 2/3/2012 10:43 AM, Stefan Fritsch wrote: On Thursday 02 February 2012, William A. Rowe Jr. wrote: On 2/2/2012 8:36 AM, Jim Jagielski wrote: bb == NULL ?? Looking at his attached screen scrape; no. Which leaves with something like e == NULL or a broken bb. The former :-( Gregg, please add this or try the attached patch which is against current trunk and includes all fixes so far. Thanks in advance. --- a/server/mpm/winnt/child.c +++ b/server/mpm/winnt/child.c @@ -743,11 +743,10 @@ apr_status_t winnt_insert_network_bucket(conn_rec *c, apr_bucket *e; winnt_conn_ctx_t *context = ap_get_module_config(c-conn_config, mpm_winnt_module); -if (context == NULL) +if (context == NULL || (e = context-overlapped.Pointer) == NULL) return DECLINED; /* seed the brigade with AcceptEx read heap bucket */ -e = context-overlapped.Pointer; APR_BRIGADE_INSERT_HEAD(bb, e); /* also seed the brigade with the client socket. */ e = apr_bucket_socket_create(socket, c-bucket_alloc); Stefan, This fixes the crash, thanks.
Re: OpenSSL configuration and mod_ssl
On 02.02.2012 15:13, Dr Stephen Henson wrote: So perhaps: int SSL_CTX_set_config_string(SSL_CTX *ctx, const char *name, const char *value); Where the values of name can expand over time. I'm more in favor of this one - i.e., allow configuration through key-value pairs (you could do that with the other variant by stuffing them into a single string, but then there's the question of what separator to use etc.) I'm not completely sure that this could be handled by the mod_ssl configuration routines, perhaps someone could comment on that? Similar to the parameter handling in directives like Define or SetEnv, I think. SSLSetOpenSSLOption e.g.? int SSL_CTX_config(SSL_CTX *ctx, const char *config_name); Where config_name is a named configuration option in the OpenSSL configuration file. This has the substantial advantage that there would then be one configuration file format used by all OpenSSL applications. The disadvantage is that it would look nothing like the existing Apache configuration format. Maybe mod_ssl could offer both - a directive for configuring via key-value pairs for simple cases, and a config file based way for complex setups. (In some way, it's what PHP currently does with the php_value/php_admin_value directives and php.ini.) BTW: I would like to see SSL_set_config_string(), too - for those mod_ssl options which can be set on a per-directory basis. Kaspar