Re: 2.4.3x regression w/SSL vhost configs
On 19.04.2018 at 17:55, David Zuelke wrote:
> I hate to break this to you, and I do not want to discredit the
> amazing work all the contributors here are doing, but httpd 2.4 is of
> miserable, miserable quality when it comes to breaks and regressions.
>
> I maintain the PHP/Apache/Nginx infrastructure at Heroku, and I was
> able to use the following httpd releases only in the last ~2.5 years:
>
> - 2.4.16
> - 2.4.18
> - 2.4.20
> - 2.4.29
> - 2.4.33

2.4.29 was an official release
2.4.33 was an official release

30, 31, 32 never were releases; they were at voting, regressions were found and fixed - so the gap 29-33 is as expected, because an RC either gets released 1:1 or not at all

Please review your numbers against the list archive of rejected RCs.

It's just bike-shedding whether 30, 31, 32 should not have existed at all and should have been 30RC1, 30RC2, 30RC3 -> 30GA, but you were not supposed to use 30, 31, 32 at all for anything other than testing and reporting regressions.
Re: TLSv1.3
On 02.04.2018 at 20:56, Helmut K. C. Tessarek wrote:
> On 2018-03-29 04:16, Stefan Eissing wrote:
>> Besides, except for data center setups, Apache will be used *only*
>> with https: (and http: redirects to https:) very, very soon. That
>> shifts the average expertise of an admin setting up a https: site.
>
> This statement makes me a bit nervous. Are you saying that there won't
> be a way to use Apache with http anymore?

No, it's just an opinion based on Chrome penalising non-https in general (besides: the ACME challenge is happy with an automatic redirect to https even if it's a self-signed certificate).

That opinion completely ignores setups where the load balancer does TLS offloading/caching and has a dedicated connection in a separate network to the backend servers, which are http-only forever.

The load balancer can be http://trafficserver.apache.org/ as an example, which also does HTTP2-over-TLS for the client while the backend connection is also HTTP/1.1 forever - in that case mod_h2/mod_md are not part of the game and even mpm_prefork stays untouched.
Re: TLSv1.3
On 29.03.2018 at 11:41, Yann Ylavic wrote:
> On Thu, Mar 29, 2018 at 11:39 AM, Yann Ylavic wrote:
>> On Thu, Mar 29, 2018 at 10:16 AM, Stefan Eissing wrote:
>>>
>>> Along the gist of your proposal, I think I'll expand "SSLCipherSuite"
>>> to take more than 1 argument and look for optional prefixes to the
>>> suite strings given, so one could do
>>>
>>> # as before, applies to all TLS protocols <=TLSv1.2
>>> SSLCipherSuite XXX:YY:-AASSD:DSDS
>>>
>>> # Set ciphers for TLSv1.3, does not replace the previous line
>>> SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
>>>
>>> So, the directive becomes:
>>>
>>> SSLCipherSuite [ ProtocolClass ] Cipher-String
>>>
>>> where ProtocolClass is:
>>>   SSL      (default) all TLS/SSL Protocols <= TLSv1.2
>>>   TLSv1.3  TLS version 1.3
>>
>> Looks good to me.
>> I wonder if it's not applicable to TLSv1.2 already, there is a number
>> of ciphers available to 1.2 only (with openssl < 1.1).
>
> (e.g. GCMs, CHACHA+POLYs, SHA-2s ...)

FWIW: 30 minutes before the start of this thread I got this copy per Jabber - so it's an OpenSSL issue at all that they just don't parse out the TLS 1.3 related ones from SSLCipherSuite, and so that is a completely new behaviour breaking the sort of abstraction that I shouldn't need to know about TLS 1.0/1.1/1.2/1.3 at all in consumer code

__

upgrading to next openssl-1.1.1 could break your prod if you're using a forced cipher list because handshake will fail regardless the tls protocol version if you don't specify a cipher valid for TLSv1.3 in your cipher list.

https://github.com/openssl/openssl/issues/5057
https://github.com/openssl/openssl/issues/5065

Openssl's team doesn't seem to consider this as an issue

FYI OpenSSL did a 180 on this, they implemented a new API call to set TLSv1.3 ciphers and enable them by default:

https://github.com/mattcaswell/openssl/commit/d93e832a82087a5f9bcf7d93ed7ae21bc6c1fed0
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

Split configuration of TLSv1.3 ciphers from older ciphers

With the current mechanism, old cipher strings that used to work in 1.1.0, may inadvertently disable all TLSv1.3 ciphersuites causing connections to fail. This is confusing for users. In reality TLSv1.3 are quite different to older ciphers. They are much simpler and there are only a small number of them so, arguably, they don't need the same level of control that the older ciphers have. This change splits the configuration of TLSv1.3 ciphers from older ones. By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable them through your existing config.

Fixes #5359
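As an added illustration (not code from this thread, from httpd or from OpenSSL), the post-split behaviour the quoted commit message describes can be checked from Python's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), the legacy (<= TLSv1.2) list; the "forced" cipher string below is a constructed example of a list written before TLS 1.3 existed.

```python
import ssl

# Constructed example of a "forced" cipher list written before TLS 1.3 existed:
# it names only TLSv1.2 suites, which is the situation the thread warns about.
LEGACY_CIPHER_STRING = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256"


def tls13_available():
    """True when the OpenSSL linked into this Python was built with TLS 1.3."""
    return bool(getattr(ssl, "HAS_TLSv1_3", False))


def suites_after_forcing(cipher_string):
    """Force the legacy (<= TLSv1.2) cipher list and report what stays enabled,
    grouped into TLSv1.3 suites and everything older."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # set_ciphers() is SSL_CTX_set_cipher_list(), the pre-1.1.1 mechanism.
    # Since the OpenSSL split, TLSv1.3 suites live in a separate list
    # (SSL_CTX_set_ciphersuites()) that this call does not touch.
    ctx.set_ciphers(cipher_string)
    result = {"tls13": [], "legacy": []}
    for suite in ctx.get_ciphers():
        key = "tls13" if suite["protocol"] == "TLSv1.3" else "legacy"
        result[key].append(suite["name"])
    return result


def forced_list_breaks_tls13(cipher_string):
    """The failure mode from the thread: a TLS 1.3 handshake fails when the
    forced list leaves no TLSv1.3 suite enabled. With the split in place the
    TLSv1.3 suites survive, so this returns False for a legacy-only string."""
    return tls13_available() and not suites_after_forcing(cipher_string)["tls13"]


if __name__ == "__main__":
    enabled = suites_after_forcing(LEGACY_CIPHER_STRING)
    print("TLSv1.3 suites still on:", enabled["tls13"])
    print("legacy suites allowed:  ", enabled["legacy"])
    print("would break TLS 1.3:    ", forced_list_breaks_tls13(LEGACY_CIPHER_STRING))
```

On an OpenSSL without TLS 1.3 support the "tls13" list is simply empty and the check is skipped rather than reported as breakage.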
Re: Fix for ab defect
On 05.03.2018 at 15:48, Yann Ylavic wrote:
> I meant that before the patch, "ab" already succeeded for (e.g.)
> https://localhost/ or https://192.168.x.x/ that is if the connect is
> quick enough to not trigger the bug (though it's not necessarily the
> case in local networks either). This is probably why we didn't notice
> it on manual testing, "ab"-ing external/wan/google servers is not that
> usual...

FWIW - I noticed the bug on every single https request on the local machine, google.com was only for a reproducer

Concurrency Level:      1
Requests per second:    311.85 [#/sec] (mean)
Re: [VOTE] Release httpd-2.4.31
On 04.03.2018 at 20:33, Yann Ylavic wrote:
> On Sun, Mar 4, 2018 at 8:27 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:
>> that patchfile is unusable for rpmbuild
>>
>> + echo 'Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):'
>> Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):
>> + /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0
>> can't find file to patch at input line 5
>
> It requires -p0 (instead of -p1).
> Nevermind, does the attached one work?

confirmed, thanks

[root@testserver:~]$ rpm -q httpd
httpd-2.4.31-2.0.fc27.20180304.rh.sandybridge.x86_64

[root@testserver:~]$ ab -c 1 -n 10 https://www.google.com/
This is ApacheBench, Version 2.3 <$Revision: 1814468 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.google.com (be patient).done

Server Software:
Server Hostname:        www.google.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
TLS Server Name:        www.google.com

Document Path:          /
Document Length:        269 bytes

Concurrency Level:      1
Time taken for tests:   1.202 seconds
Complete requests:      10
Failed requests:        0
Non-2xx responses:      10
Total transferred:      6700 bytes
HTML transferred:       2690 bytes
Requests per second:    8.32 [#/sec] (mean)
Time per request:       120.213 [ms] (mean)
Time per request:       120.213 [ms] (mean, across all concurrent requests)
Transfer rate:          5.44 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       81   95  13.5     90     119
Processing:    19   25   7.1     21      40
Waiting:       19   24   7.2     21      40
Total:        103  120  17.0    114     159

Percentage of the requests served within a certain time (ms)
  50%    114
  66%    119
  75%    126
  80%    137
  90%    159
  95%    159
  98%    159
  99%    159
 100%    159 (longest request)
Re: [VOTE] Release httpd-2.4.31
On 04.03.2018 at 20:24, Yann Ylavic wrote:
> On Sat, Mar 3, 2018 at 10:51 PM, Yann Ylavic <ylavic@gmail.com> wrote:
>> On Sat, Mar 3, 2018 at 6:40 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:
>>> -1
>>> "ab" no longer can benchmark https urls, same build-spec and environment (Fedora 26 and 27)
>>
>> Hmm, looks like 2.4 is missing http://svn.apache.org/r1580928 (second hunk).
>> Does it work for you with this patch (on top of 2.4.31):
>> http://home.apache.org/~ylavic/patches/httpd-2.4.x-ab-nonblock_length.patch ?
>
> Thanks for testing (if possible)

that patchfile is unusable for rpmbuild

+ echo 'Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):'
Patch #4 (httpd-2.4.x-ab-nonblock_length.patch):
+ /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0
can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|Index: CHANGES
|===
|--- CHANGES (revision 1825829)
|+++ CHANGES (working copy)
--
Re: [VOTE] Release httpd-2.4.31
On 03.03.2018 at 16:56, Daniel Ruggeri wrote:
> Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.31:
> [ ] +1: It’s not just good, it’s good enough!
> [ ] +0: Let’s have a talk…
> [ ] -1: There’s trouble in paradise. Here’s what’s wrong

-1

"ab" no longer can benchmark https urls, same build-spec and environment (Fedora 26 and 27)

___

2.4.31:

ab -c 1 -n 10 https://www.google.com/
This is ApacheBench, Version 2.3 <$Revision: 1814468 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.google.com (be patient)...SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
SSL write failed - closing connection
..done

Server Software:
Server Hostname:        www.google.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
TLS Server Name:        www.google.com

Document Path:          /
Document Length:        Variable

Concurrency Level:      1
Time taken for tests:   0.462 seconds
Complete requests:      10
Failed requests:        0
Total transferred:      0 bytes
HTML transferred:       0 bytes
Requests per second:    21.66 [#/sec] (mean)
Time per request:       46.175 [ms] (mean)
Time per request:       46.175 [ms] (mean, across all concurrent requests)
Transfer rate:          0.00 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       45   46   0.5     46      47
Processing:     0    0   0.0      0       0
Waiting:        0    0   0.0      0       0
Total:         46   46   0.6     46      47

Percentage of the requests served within a certain time (ms)
  50%     46
  66%     46
  75%     46
  80%     47
  90%     47
  95%     47
  98%     47
  99%     47
 100%     47 (longest request)

___

2.4.29:

ab -c 1 -n 10 https://www.google.com/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.google.com (be patient).done

Server Software:
Server Hostname:        www.google.com
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-ECDSA-CHACHA20-POLY1305,256,256
TLS Server Name:        www.google.com

Document Path:          /
Document Length:        Variable

Concurrency Level:      1
Time taken for tests:   0.594 seconds
Complete requests:      10
Failed requests:        0
Non-2xx responses:      10
Total transferred:      6696 bytes
HTML transferred:       2688 bytes
Requests per second:    16.82 [#/sec] (mean)
Time per request:       59.447 [ms] (mean)
Time per request:       59.447 [ms] (mean, across all concurrent requests)
Transfer rate:          11.00 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       46   46   0.3     46      46
Processing:    13   13   0.9     13      15
Waiting:       13   13   0.9     13      15
Total:         58   59   1.0     59      61

Percentage of the requests served within a certain time (ms)
  50%     59
  66%     59
  75%     60
  80%     61
  90%     61
  95%     61
  98%     61
  99%     61
 100%     61 (longest request)