Re: 2.4.3x regression w/SSL vhost configs

2018-04-19 Thread li...@rhsoft.net


On 19.04.2018 at 17:55, David Zuelke wrote:
> I hate to break this to you, and I do not want to discredit the
> amazing work all the contributors here are doing, but httpd 2.4 is of
> miserable, miserable quality when it comes to breaks and regressions.
> 
> I maintain the PHP/Apache/Nginx infrastructure at Heroku, and I was
> able to use the following httpd releases only in the last ~2.5 years:
> 
> - 2.4.16
> - 2.4.18
> - 2.4.20
> - 2.4.29
> - 2.4.33

2.4.29 was an official release
2.4.33 was an official release

30, 31, 32 never were releases, they were at voting, regressions were
found and fixed - so the gap 29-33 is as expected because an RC either
gets released 1:1 or not at all

please review your numbers with the list-archive of rejected RCs

it's just bike-shedding if 30, 31, 32 should not have existed at all and
have been a 30RC1, 30RC2, 30RC3 -> 30GA but you were not supposed to
use 30, 31, 32 at all for anything other than testing and reporting regressions



Re: TLSv1.3

2018-04-02 Thread li...@rhsoft.net

On 02.04.2018 at 20:56, Helmut K. C. Tessarek wrote:
> On 2018-03-29 04:16, Stefan Eissing wrote:
>> Besides, except for data center setups, Apache will be used *only*
>> with https: (and http: redirects to https:) very, very soon. That
>> shifts the average expertise of an admin setting up a https: site.
> 
> This statement makes me a bit nervous. Are you saying that there won't
> be a way to use Apache with http anymore?

no, it's just an opinion based on Chrome penalizing non-https in
general (besides: the ACME challenge is happy with an automatic redirect
to https even if it's a self-signed certificate)

that opinion completely ignores setups where the load-balancer does
tls-offloading/caching and has a dedicated connection in a separate
network to the backend servers which are http-only forever

the load-balancer can be http://trafficserver.apache.org/ as an example
which also does HTTP2-over-TLS for the client while the backend
connection is also HTTP/1.1 forever - in that case mod_h2/mod_md are not
part of the game and even mpm_prefork stays untouched


Re: TLSv1.3

2018-03-29 Thread li...@rhsoft.net


On 29.03.2018 at 11:41, Yann Ylavic wrote:
> On Thu, Mar 29, 2018 at 11:39 AM, Yann Ylavic  wrote:
>> On Thu, Mar 29, 2018 at 10:16 AM, Stefan Eissing
>>  wrote:
>>>
>>> Along the gist of your proposal, I think I'll expand "SSLCipherSuite"
>>> to take more than 1 argument and look for optional prefixes to the
>>> suite strings given, so one could do
>>>
>>> # as before, applies to all TLS protocols <=TLSv1.2
>>> SSLCipherSuite XXX:YY:-AASSD:DSDS
>>>
>>> # Set ciphers for TLSv1.3, does not replace the previous line
>>> SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
>>>
>>> So, the directive becomes:
>>>
>>> SSLCipherSuite [ ProtocolClass ] Cipher-String
>>>
>>> where ProtocolClass is:
>>>   SSL   (default) all TLS/SSL Protocols <= TLSv1.2
>>>   TLSv1.3   TLS version 1.3
>>
>> Looks good to me.
>> I wonder if it's not applicable to TLSv1.2 already, there is a number
>> of ciphers available to 1.2 only (with openssl < 1.1).
> 
> (e.g. GCMs, CHACHA+POLYs, SHA-2s ...)

FWIW: 30 minutes before the start of this thread I got this copy
via Jabber - so it's an OpenSSL issue after all that they just don't parse
out the TLS 1.3 related ones from SSLCipherSuite, and so that is a
completely new behavior breaking the sort of abstraction that I shouldn't
have to know about TLS 1.0/1.1/1.2/1.3 at all in consumer code

__

upgrading to next openssl-1.1.1 could break your prod if you're using a
forced cipher list because handshake will fail regardless the tls
protocol version if you don't specify a cipher valid for TLSv1.3 in your
cipher list.

https://github.com/openssl/openssl/issues/5057
https://github.com/openssl/openssl/issues/5065

Openssl's team doesn't seem to consider this as an issue

FYI OpenSSL did a 180 on this, they have implemented a new API call to
set TLSv1.3 ciphers and enable them by default:

https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

Split configuration of TLSv1.3 ciphers from older ciphers

With the current mechanism, old cipher strings that used to work in 1.1.0,
may inadvertently disable all TLSv1.3 ciphersuites causing connections to
fail. This is confusing for users.

In reality TLSv1.3 ciphers are quite different to older ciphers. They are much
simpler and there are only a small number of them so, arguably, they don't
need the same level of control that the older ciphers have.

This change splits the configuration of TLSv1.3 ciphers from older ones.
By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable
them through your existing config.

Fixes #5359
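As an added example that is not part of this thread and not httpd or OpenSSL code: the script below parses the `SSLCipherSuite [ProtocolClass] Cipher-String` syntax proposed earlier in the thread (the semantics, "a TLSv1.3 line does not replace the legacy line", are assumed from that proposal) and then applies only the legacy class to an OpenSSL context through Python's ssl module, whose `set_ciphers()` maps onto `SSL_CTX_set_cipher_list()`. On OpenSSL 1.1.1 or later the TLS 1.3 suites remain enabled after that call, which is the split described in the quoted commit message; as far as I know Python's ssl module has no binding for `SSL_CTX_set_ciphersuites()`, so the TLSv1.3 class is parsed and reported but not applied. The function names and the sample configuration are constructed for this example.

```python
"""Added example: parse the proposed two-class SSLCipherSuite directive and
show how OpenSSL >= 1.1.1 keeps TLS 1.3 suites separate from the legacy
cipher list. Not httpd or OpenSSL code; names and sample config are constructed."""
import ssl

# Protocol classes from the proposal: "SSL" (default) covers everything
# <= TLSv1.2, "TLSv1.3" covers only TLS 1.3 (assumed semantics).
PROTOCOL_CLASSES = ("SSL", "TLSv1.3")
HAS_TLS13 = ssl.HAS_TLSv1_3


def parse_sslciphersuite(config_text):
    """Return {"SSL": str|None, "TLSv1.3": str|None} from httpd-style config text.

    A later directive replaces an earlier one of the same class only, so a
    TLSv1.3 line does not clobber the legacy line (the behaviour proposed above).
    """
    result = {cls: None for cls in PROTOCOL_CLASSES}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "SSLCipherSuite":
            continue                          # some other directive
        args = parts[1:]
        if len(args) == 2 and args[0] in PROTOCOL_CLASSES:
            result[args[0]] = args[1]
        elif len(args) == 1:
            result["SSL"] = args[0]           # no class given: legacy default
        else:
            raise ValueError(f"malformed directive: {raw!r}")
    return result


def enabled_ciphers_by_protocol(legacy_cipher_string):
    """Apply a legacy cipher string (SSL_CTX_set_cipher_list) and group what
    OpenSSL reports as enabled by protocol version.

    With OpenSSL >= 1.1.1 the TLSv1.3 entries survive unchanged, because they
    come from the separate SSL_CTX_set_ciphersuites() list that defaults to
    on; with the pre-split behaviour a legacy-only string could leave no
    TLS 1.3 suite enabled and make handshakes fail.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(legacy_cipher_string)
    by_protocol = {}
    for cipher in ctx.get_ciphers():          # list of dicts: name, protocol, ...
        by_protocol.setdefault(cipher["protocol"], []).append(cipher["name"])
    return by_protocol


def tls13_still_enabled(legacy_cipher_string):
    """The check to run before upgrading: does this forced legacy cipher
    list still leave TLS 1.3 usable on the local OpenSSL build?"""
    return bool(enabled_ciphers_by_protocol(legacy_cipher_string).get("TLSv1.3"))


if __name__ == "__main__":
    # Constructed sample config using the syntax from the proposal above.
    sample = """
    # as before, applies to all TLS protocols <=TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305
    # TLSv1.3 class, does not replace the previous line
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    """
    classes = parse_sslciphersuite(sample)
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("parsed:", classes)
    for proto, names in sorted(enabled_ciphers_by_protocol(classes["SSL"]).items()):
        print(f"{proto}: {', '.join(names)}")
    print("TLS 1.3 still enabled:", tls13_still_enabled(classes["SSL"]))
```

Run it on the machine you are about to upgrade: if `tls13_still_enabled()` is false for your forced cipher string on an OpenSSL 1.1.1+ build, TLS 1.3 has been switched off elsewhere (options or maximum version), not by the cipher list.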


Re: Fix for ab defect

2018-03-05 Thread li...@rhsoft.net



On 05.03.2018 at 15:48, Yann Ylavic wrote:

I meant that before the patch, "ab" already succeeded for (e.g.)
https://localhost/ or https://192.168.x.x/ that is if the connect is
quick enough to not trigger the bug (though it's not necessarily the
case in local networks either).
This is probably why we didn't notice it on manual testing, "ab"-ing
external/wan/google servers is not that usual...


FWIW - I noticed the bug on every single https request on the local
machine, google.com was only for a reproducer


Concurrency Level:      1
Requests per second:    311.85 [#/sec] (mean)





Re: [VOTE] Release httpd-2.4.31

2018-03-04 Thread li...@rhsoft.net


On 04.03.2018 at 20:33, Yann Ylavic wrote:

On Sun, Mar 4, 2018 at 8:27 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:


that patchfile is unusable for rpmbuild

+ echo 'Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):'
Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):
+ /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0
can't find file to patch at input line 5


It requires -p0 (instead of -p1).
Nevermind, does the attached one work?


confirmed, thanks

[root@testserver:~]$ rpm -q httpd
httpd-2.4.31-2.0.fc27.20180304.rh.sandybridge.x86_64

[root@testserver:~]$ ab -c 1 -n 10 https://www.google.com/
This is ApacheBench, Version 2.3 <$Revision: 1814468 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.google.com (be patient).done


Server Software:
Server Hostname:        www.google.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
TLS Server Name:        www.google.com

Document Path:          /
Document Length:        269 bytes

Concurrency Level:      1
Time taken for tests:   1.202 seconds
Complete requests:      10
Failed requests:        0
Non-2xx responses:      10
Total transferred:      6700 bytes
HTML transferred:       2690 bytes
Requests per second:    8.32 [#/sec] (mean)
Time per request:       120.213 [ms] (mean)
Time per request:       120.213 [ms] (mean, across all concurrent requests)
Transfer rate:          5.44 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       81   95  13.5     90     119
Processing:    19   25   7.1     21      40
Waiting:       19   24   7.2     21      40
Total:        103  120  17.0    114     159

Percentage of the requests served within a certain time (ms)
  50%    114
  66%    119
  75%    126
  80%    137
  90%    159
  95%    159
  98%    159
  99%    159
 100%    159 (longest request)


Re: [VOTE] Release httpd-2.4.31

2018-03-04 Thread li...@rhsoft.net



On 04.03.2018 at 20:24, Yann Ylavic wrote:

On Sat, Mar 3, 2018 at 10:51 PM, Yann Ylavic <ylavic@gmail.com> wrote:

On Sat, Mar 3, 2018 at 6:40 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:


-1

"ab" can no longer benchmark https urls, same build-spec and environment
(Fedora 26 and 27)


Hmm, looks like 2.4 is missing http://svn.apache.org/r1580928 (second hunk).


Does it work for you with this patch (on top of 2.4.31):
   http://home.apache.org/~ylavic/patches/httpd-2.4.x-ab-nonblock_length.patch
?

Thanks for testing (if possible)


that patchfile is unusable for rpmbuild

+ echo 'Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):'
Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):
+ /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0
can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|Index: CHANGES
|===
|--- CHANGES(revision 1825829)
|+++ CHANGES(working copy)
--


Re: [VOTE] Release httpd-2.4.31

2018-03-03 Thread li...@rhsoft.net



On 03.03.2018 at 16:56, Daniel Ruggeri wrote:

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this 
candidate tarball as 2.4.31:


[ ] +1: It’s not just good, it’s good enough!

[ ] +0: Let’s have a talk…

[ ] -1: There’s trouble in paradise. Here’s what’s wrong


-1

"ab" can no longer benchmark https urls, same build-spec and environment
(Fedora 26 and 27)

___

2.4.31:

ab -c 1 -n 10 https://www.google.com/
This is ApacheBench, Version 2.3 <$Revision: 1814468 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.google.com (be patient)...SSL write failed - closing connection

SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
..done


Server Software:
Server Hostname:        www.google.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
TLS Server Name:        www.google.com

Document Path:          /
Document Length:        Variable

Concurrency Level:      1
Time taken for tests:   0.462 seconds
Complete requests:      10
Failed requests:        0
Total transferred:      0 bytes
HTML transferred:       0 bytes
Requests per second:    21.66 [#/sec] (mean)
Time per request:       46.175 [ms] (mean)
Time per request:       46.175 [ms] (mean, across all concurrent requests)
Transfer rate:          0.00 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       45   46   0.5     46      47
Processing:     0    0   0.0      0       0
Waiting:        0    0   0.0      0       0
Total:         46   46   0.6     46      47

Percentage of the requests served within a certain time (ms)
  50%     46
  66%     46
  75%     46
  80%     47
  90%     47
  95%     47
  98%     47
  99%     47
 100%     47 (longest request)

___

2.4.29:

ab -c 1 -n 10 https://www.google.com/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.google.com (be patient).done


Server Software:
Server Hostname:        www.google.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
TLS Server Name:        www.google.com

Document Path:          /
Document Length:        Variable

Concurrency Level:      1
Time taken for tests:   0.594 seconds
Complete requests:      10
Failed requests:        0
Non-2xx responses:      10
Total transferred:      6696 bytes
HTML transferred:       2688 bytes
Requests per second:    16.82 [#/sec] (mean)
Time per request:       59.447 [ms] (mean)
Time per request:       59.447 [ms] (mean, across all concurrent requests)
Transfer rate:          11.00 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       46   46   0.3     46      46
Processing:    13   13   0.9     13      15
Waiting:       13   13   0.9     13      15
Total:         58   59   1.0     59      61

Percentage of the requests served within a certain time (ms)
  50%     59
  66%     59
  75%     60
  80%     61
  90%     61
  95%     61
  98%     61
  99%     61
 100%     61 (longest request)