Re: Failed uploading file to Appache HTTP Server after using SSL
On Wed, Apr 26, 2006 at 01:12:50PM +0800, Ken Chen wrote: FYI. We had to choose to test that by using other versions and we found that the problem is resolved if we downgrade to 2.0.50. Was this an exhaustive search: 2.0.51 failed but 2.0.50 worked? That would be a little surprising: there aren't any regressions in 2.0.51 that I know of. joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
I am not sure. The version I encountered problem is 2.0.55. On 4/26/06, Joe Orton [EMAIL PROTECTED] wrote: On Wed, Apr 26, 2006 at 01:12:50PM +0800, Ken Chen wrote: FYI. We had to choose to test that by using other versions and we found that the problem is resolved if we downgrade to 2.0.50. Was this an exhaustive search: 2.0.51 failed but 2.0.50 worked? That would be a little surprising: there aren't any regressions in 2.0.51 that I know of. joe -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
FYI. We had to choose to test that by using other versions and we found that the problem is resolved if we downgrade to 2.0.50. Ken On 4/22/06, Ken Chen [EMAIL PROTECTED] wrote: FYI. I have tried to test upload with Firefox. But it turns out that it fails too. Then, it might not be only a MSIE issue. On 4/22/06, Ken Chen [EMAIL PROTECTED] wrote: Hi, My colleague has helped to deploy the patch and the ssl vhost has been configured as follow: VirtualHost test:443 DocumentRoot /home/server/webpage ServerName 192.168.2.130:443 LogLevel debug ErrorLog logs/ssl-error_log CustomLog logs/ssl-access_log common BrowserMatch .*MSIE.* \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 ProxyPass /eservices http://localhost:8855/eservices ProxyPassReverse /eservices http://localhost:8855/eservices Alias /eservices-webpage/ /home/server/webpage/ SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile someCrt.crt SSLCertificateKeyFile someKey.key /VirtualHost But seems the problem remains: Page can't be displayed. I found no error in log (maybe I was not able to found). Here attached the log when I press upload to upload file. Ken On 4/21/06, Ken Chen [EMAIL PROTECTED] wrote: Joe, Do you mind telling me how to apply the patch? Type command as follow? patch -s .patch Do I need to stop the httpd server? or recompile or anything else? Thanks. On 4/21/06, Ken Chen [EMAIL PROTECTED] wrote: ic. Thanks so much. I will apply that patch and see what is going on later. On 4/21/06, Joe Orton [EMAIL PROTECTED] wrote: On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: Hi Joe, We are using 2.0.55 already. Is it already include that patch? No, it will be in 2.0.56 and later. But note this only applies if you are using a reverse proxy, and it only affects the application of the BrowserMatch statement - if you don't have the BrowserMatch, it has no effect. joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED] -- -- Ken Chen -- -- Ken Chen -- -- Ken Chen -- -- Ken Chen -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
On Fri, Apr 21, 2006 at 10:23:24AM +0800, Ken Chen wrote: Cliff, I have reset the timeout to 600, but the problem remains. I wonder whether it's the timeout problem because the problem appears immediately after presssing Upload! Sometimes the problem is Page can't be displayed; sometimes it is what I mentioned at the very beginning that file can't been uploaded. There are a few things you need to check if you're having problems with MSIE: 1) make sure you are using the shmcb session cache 2) make sure you have prevented use of persistent connections, with a statement like: BrowserMatch .*MSIE.* \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 in the SSL vhost. 3) if you are using an SSL-HTTP reverse proxy, then (2) will not be taking effect properly, and you'll need to apply this patch: http://people.apache.org/~jorton/httpd-2.0.54-ssltrans.patch joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
Hi Joe, We are using 2.0.55 already. Is it already include that patch? Ken On 4/21/06, Joe Orton [EMAIL PROTECTED] wrote: On Fri, Apr 21, 2006 at 10:23:24AM +0800, Ken Chen wrote: Cliff, I have reset the timeout to 600, but the problem remains. I wonder whether it's the timeout problem because the problem appears immediately after presssing Upload! Sometimes the problem is Page can't be displayed; sometimes it is what I mentioned at the very beginning that file can't been uploaded. There are a few things you need to check if you're having problems with MSIE: 1) make sure you are using the shmcb session cache 2) make sure you have prevented use of persistent connections, with a statement like: BrowserMatch .*MSIE.* \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 in the SSL vhost. 3) if you are using an SSL-HTTP reverse proxy, then (2) will not be taking effect properly, and you'll need to apply this patch: http://people.apache.org/~jorton/httpd-2.0.54-ssltrans.patch joe -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
ic. Thanks so much. I will apply that patch and see what is going on later. On 4/21/06, Joe Orton [EMAIL PROTECTED] wrote: On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: Hi Joe, We are using 2.0.55 already. Is it already include that patch? No, it will be in 2.0.56 and later. But note this only applies if you are using a reverse proxy, and it only affects the application of the BrowserMatch statement - if you don't have the BrowserMatch, it has no effect. joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED] -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
Joe, Do you mind telling me how to apply the patch? Type command as follow? patch -s .patch Do I need to stop the httpd server? or recompile or anything else? Thanks. On 4/21/06, Ken Chen [EMAIL PROTECTED] wrote: ic. Thanks so much. I will apply that patch and see what is going on later. On 4/21/06, Joe Orton [EMAIL PROTECTED] wrote: On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: Hi Joe, We are using 2.0.55 already. Is it already include that patch? No, it will be in 2.0.56 and later. But note this only applies if you are using a reverse proxy, and it only affects the application of the BrowserMatch statement - if you don't have the BrowserMatch, it has no effect. joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED] -- -- Ken Chen -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
FYI. I have tried to test upload with Firefox. But it turns out that it fails too. Then, it might not be only a MSIE issue. On 4/22/06, Ken Chen [EMAIL PROTECTED] wrote: Hi, My colleague has helped to deploy the patch and the ssl vhost has been configured as follow: VirtualHost test:443 DocumentRoot /home/server/webpage ServerName 192.168.2.130:443 LogLevel debug ErrorLog logs/ssl-error_log CustomLog logs/ssl-access_log common BrowserMatch .*MSIE.* \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 ProxyPass /eservices http://localhost:8855/eservices ProxyPassReverse /eservices http://localhost:8855/eservices Alias /eservices-webpage/ /home/server/webpage/ SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile someCrt.crt SSLCertificateKeyFile someKey.key /VirtualHost But seems the problem remains: Page can't be displayed. I found no error in log (maybe I was not able to found). Here attached the log when I press upload to upload file. Ken On 4/21/06, Ken Chen [EMAIL PROTECTED] wrote: Joe, Do you mind telling me how to apply the patch? Type command as follow? patch -s .patch Do I need to stop the httpd server? or recompile or anything else? Thanks. On 4/21/06, Ken Chen [EMAIL PROTECTED] wrote: ic. Thanks so much. I will apply that patch and see what is going on later. On 4/21/06, Joe Orton [EMAIL PROTECTED] wrote: On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: Hi Joe, We are using 2.0.55 already. Is it already include that patch? No, it will be in 2.0.56 and later. But note this only applies if you are using a reverse proxy, and it only affects the application of the BrowserMatch statement - if you don't have the BrowserMatch, it has no effect. joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED] -- -- Ken Chen -- -- Ken Chen -- -- Ken Chen -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
Hi, Cliff, The below is the error in ssl-error_log when I am trying to save a large image: [Thu Apr 20 16:55:36 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#81f94a8 [mem: 81f9640] [Thu Apr 20 16:55:36 2006] [info] (70007)The timeout specified has expired: SSL input filter read failed. [Thu Apr 20 16:55:36 2006] [debug] ssl_engine_kernel.c(1794): OpenSSL: Write: SSL negotiation finished successfully [Thu Apr 20 16:55:36 2006] [info] Connection to child 4 closed with standard shutdown(server 192.168.2.130:443, client 192.168.2.199) [Thu Apr 20 16:55:36 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#81df970 [mem: 81eaf30] [Thu Apr 20 16:55:36 2006] [info] (70007)The timeout specified has expired: SSL input filter read failed. [Thu Apr 20 16:55:36 2006] [debug] ssl_engine_kernel.c(1794): OpenSSL: Write: SSL negotiation finished successfully [Thu Apr 20 16:55:36 2006] [info] Connection to child 7 closed with standard shutdown(server 192.168.2.130:443, client 192.168.2.199) Ken On 4/19/06, Cliff Woolley [EMAIL PROTECTED] wrote: On 4/19/06, Ken Chen [EMAIL PROTECTED] wrote: Now seems when uploading big file has problem in ssl. When I upload a 3K image file, it's ok. But when I upload a 35K image file. It failed. Ah, I see. Is there any place to set the cache/buffer? Or I have to set SSLSessionCache and SSLSessionCacheTimeout? You should set the session cache anyway (failing to do so will result in a major drop in performance), but this should have no effect on the particular problem you're describing. By the way, I don't understand why to use openssl s_client and issue a GET request? I am uploading file. Isn't it a POST request? Can you have a brief sample how to test? It was unclear to me from your original message that *any* https was working, so I was trying to just give you the most basic test to try. I didn't realize you could upload small files successfully. Did you turn on the ssl debug log and look at the spot in the large file upload where it failed? --Cliff -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
On 4/20/06, Ken Chen [EMAIL PROTECTED] wrote: [Thu Apr 20 17:04:46 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/Oerror, 5 bytes expected to read on BIO#81d53d8 [mem: 81eeef8]Just like it sounds from the message, this error occurs when the call to SSL_read() in ssl_io_input_read() fails with the system returning an error of ETIMEUP. While of course it's possible that something is getting stuck somewhere and thus it is taking a really long time and subsequently times out, my first inclination is to say that your global Timeout value is simply set too low. See http://httpd.apache.org/docs/2.0/mod/core.html#timeoutWhat value do you have set there?
Re: Failed uploading file to Appache HTTP Server after using SSL
Cliff: It's been set as the default one: 300. I wonder how many I need to set, say possibly my application has the functionality of uploading attachment, max 2.5MB. I have tried to search everywhere for solution for the same problem (ssl_engine_io.c OpenSSL: I/O error). I surprisingly found that many people have ever encountered this (page can't be displayed) too, although mostly in IE 5. But it claims to set the session cache, KeepAlive, etc. FYI, I surprisingly found that sometimes, it's find after I clearing my IE's cache before connecting to app, maybe it's really related to the network speed and timeout setting? Anyway, thank you very much for your detail, kindly and prompt reply. I should try tomorrow when backing to work. =) Ken On 4/20/06, Cliff Woolley [EMAIL PROTECTED] wrote: On 4/20/06, Ken Chen [EMAIL PROTECTED] wrote: [Thu Apr 20 17:04:46 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#81d53d8 [mem: 81eeef8] Just like it sounds from the message, this error occurs when the call to SSL_read() in ssl_io_input_read() fails with the system returning an error of ETIMEUP. While of course it's possible that something is getting stuck somewhere and thus it is taking a really long time and subsequently times out, my first inclination is to say that your global Timeout value is simply set too low. See http://httpd.apache.org/docs/2.0/mod/core.html#timeout What value do you have set there? -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
Cliff, I have reset the timeout to 600, but the problem remains. I wonder whether it's the timeout problem because the problem appears immediately after presssing Upload! Sometimes the problem is Page can't be displayed; sometimes it is what I mentioned at the very beginning that file can't been uploaded. I found that the error I attached: [Thu Apr 20 17:00:54 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#81d9850 [mem: 81e6f20] [Thu Apr 20 17:00:54 2006] [info] (70007)The timeout specified has expired: SSL input filter read failed. IS logging everywhere from times to times in the ssl-error_log even the page for loading is loaded successfully. The strangest thing is sometimes nothing is logged in error log when uploading file. It just display Page can't be displayed. Seems ssl has done nothing. If really have to come down to recompile in maintainer mode and attache a debugger, would you please kindly advice and describe the brief guides on how to do this? I am not familiar with it. Thanks. Ken On 4/21/06, Cliff Woolley [EMAIL PROTECTED] wrote: On 4/20/06, Ken Chen [EMAIL PROTECTED] wrote: Anyway, thank you very much for your detail, kindly and prompt reply. I should try tomorrow when backing to work. =) Let me know what other details you find out. It might come down to having to recompile apache in maintainer mode and attach a debugger to figure out what's going on... -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
Hi Cliff, Thanks for your advice. Now seems when uploading big file has problem in ssl. When I upload a 3K image file, it's ok. But when I upload a 35K image file. It failed. Is there any place to set the cache/buffer? Or I have to set SSLSessionCache and SSLSessionCacheTimeout? By the way, I don't understand why to use openssl s_client and issue a GET request? I am uploading file. Isn't it a POST request? Can you have a brief sample how to test? Thanks in advance. Ken On 4/18/06, Cliff Woolley [EMAIL PROTECTED] wrote: On 4/18/06, Ken Chen [EMAIL PROTECTED] wrote: 1. If users access our server via https:// through the web server, it fails to upload. Backend source encountered NullPointerException when accessing the FileItem requested. 2. But if users access our server via http://... through the web server, there is no that problem. Hence I think there should be something wrong with the request parsing through https. Any advice/clue to check where or how to solve it is greatly appreciated. Thanks in advance. A couple of suggestions: (1) turn on debug logging in mod_ssl... this will give you a byte-by-byte dump of the SSL transaction in the log file. (2) try connecting to your https server with openssl s_client and then issuing a GET request by hand. That can often be instructive. --Cliff -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
On 4/19/06, Ken Chen [EMAIL PROTECTED] wrote: Now seems when uploading big file has problem in ssl.When I upload a3K image file, it's ok.But when I upload a 35K image file.Itfailed.Ah, I see. Is there any place to set the cache/buffer?Or I have to setSSLSessionCache and SSLSessionCacheTimeout?You should set the session cache anyway (failing to do so will result in a major drop in performance), but this should have no effect on the particular problem you're describing. By the way, I don't understand why to use openssl s_client and issue aGET request?I am uploading file.Isn't it a POST request?Can you have a brief sample how to test?It was unclear to me from your original message that *any* https was working, so I was trying to just give you the most basic test to try. I didn't realize you could upload small files successfully. Did you turn on the ssl debug log and look at the spot in the large file upload where it failed?--Cliff
Failed uploading file to Appache HTTP Server after using SSL
Hi all, I have setup a SunOne App server in linux and Apache HTTP Server with Open SSL for users to access it. When access the application and try to upload a file in one functionality module of the application, some problems encountered: 1. If users access our server via https:// through the web server, it fails to upload. Backend source encountered NullPointerException when accessing the FileItem requested. 2. But if users access our server via http://... through the web server, there is no that problem. Hence I think there should be something wrong with the request parsing through https. Any advice/clue to check where or how to solve it is greatly appreciated. Thanks in advance. Apache ver: Server version: Apache/2.0.55 Server built: Apr 6 2006 11:33:34 -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
On 4/18/06, Ken Chen [EMAIL PROTECTED] wrote: 1.If users access our server via https:// through the webserver, it fails to upload.Backend source encounteredNullPointerException when accessing the FileItem requested.2.But if users access our server via http://... through the web server, there is no that problem.Hence I think there should be something wrong with the request parsing through https.Any advice/clue to check where or how to solve it is greatlyappreciated. Thanks in advance. A couple of suggestions: (1) turn on debug logging in mod_ssl... this will give you a byte-by-byte dump of the SSL transaction in the log file. (2) try connecting to your https server with openssl s_client and then issuing a GET request by hand. That can often be instructive. --Cliff
