Re: [AOLSERVER] nssock: server ready - resuming
On Tue, Jan 20, 2004 at 11:47:54AM +0200, Yuval Lieberman wrote:

> [20/Jan/2004:01:28:58][5962.4101][-conn1-] Notice: nssock: server ready - resuming
>
> I counted 2793 appearances in a log of 6 days.

I don't know what that really means, but it's coming from SockReady() in aolserver/nssock/sock.cpp.

> BUT the other 2 sites running on AOLserver are not slow.

Did you compare the config files of the slow and not-slow AOLservers?

--
Andrew Piskorski [EMAIL PROTECTED]
http://www.piskorski.com/

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to [EMAIL PROTECTED] with the body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] nssock: server ready - resuming
These messages mean that the server received a request, but there were no free connection threads to pass the request to, i.e., all of your threads were busy. The naive solution is to increase MaxThreads, but this likely won't solve your problem. For example, if your machine is out of CPU, setting MaxThreads higher will only cause more processes to be waiting for CPU, and eventually you'll get this error again. Same thing if you have used all your IO capacity on the machine.

If you have a special case, where your server threads are coordinating with other processes and it takes a long time, doing sleeps, or something else where the threads are waiting a lot and not consuming resources, then bumping MaxThreads might help.

Jim

> Hi!
>
> I'm using AOLserver/3.3.1+ad13 and it is very slow. We thought it was slow due to OACS4 that runs on it, but now I noticed the log is full of:
>
> [20/Jan/2004:01:28:58][5962.4101][-conn1-] Notice: nssock: server ready - resuming
> [20/Jan/2004:01:28:58][5962.6151][-conn3-] Notice: nssock: server ready - resuming
> [20/Jan/2004:01:28:58][5962.5126][-conn2-] Notice: nssock: server ready - resuming
> [20/Jan/2004:01:28:58][5962.4101][-conn1-] Notice: nssock: server ready - resuming
> [20/Jan/2004:01:28:58][5962.3076][-conn0-] Notice: nssock: server ready - resuming
>
> I counted 2793 appearances in a log of 6 days.
>
> The server is listening on port 8000 and is accessed by an apache server VirtualHost doing ProxyPass (if that has anything to do with it).
>
> The server is quite busy - running 3 instances of ACS on AOLserver, some apache websites, zope, qmail, ftp etc. BUT the other 2 sites running on AOLserver are not slow.
>
> Does anybody have a tip or a clue about these nssock msgs?
>
> Thanks,
> Yuval.
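Added example, not part of the thread and not AOLserver code: a way to see when the "server ready - resuming" notices cluster, so the bursts can be lined up against CPU and IO load before touching MaxThreads. The sample log lines, the function names and the threshold are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in the server.log format quoted in this thread.
sample_log() {
cat <<'EOF'
[20/Jan/2004:01:28:58][5962.4101][-conn1-] Notice: nssock: server ready - resuming
[20/Jan/2004:01:28:58][5962.6151][-conn3-] Notice: nssock: server ready - resuming
[20/Jan/2004:01:28:58][5962.5126][-conn2-] Notice: nssock: server ready - resuming
[20/Jan/2004:01:28:59][5962.4101][-conn1-] Notice: nssock: server ready - resuming
[20/Jan/2004:01:28:59][5962.3076][-conn0-] Notice: nssock: server ready - resuming
[20/Jan/2004:01:29:30][5962.3076][-conn0-] Notice: nslog: opened '/var/www/openacs-4-6.log'
[20/Jan/2004:01:31:02][5962.3076][-conn0-] Notice: nssock: server ready - resuming
[20/Jan/2004:01:31:40][5962.3076][-conn0-] Notice: nssock: server ready - resuming
EOF
}

# Read a server log on stdin and print, per minute that contains at least
# one notice: "<dd/Mon/yyyy:HH:MM> <notices> <distinct conn threads>".
resume_per_minute() {
    awk -F']' '
        $4 ~ /^ Notice: nssock: server ready - resuming/ {
            # $1 is "[dd/Mon/yyyy:HH:MM:SS": drop the "[" and the ":SS".
            minute = substr($1, 2, length($1) - 4)
            n[minute]++
            # $3 is the thread name field, e.g. "[-conn1-".
            if (!((minute, $3) in seen)) {
                seen[minute, $3] = 1
                threads[minute]++
            }
        }
        END { for (m in n) print m, n[m], threads[m] }
    ' | sort    # lexical sort: chronological only within one day
}

# Print the minutes whose notice count is at least $1.
busy_minutes() {
    resume_per_minute | awk -v t="$1" '$2 >= t { print $1 }'
}

sample_log | resume_per_minute
```

Feed it the real log with `resume_per_minute < server.log` and compare the busy minutes with the machine's CPU and IO graphs for the same period.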
[AOLSERVER] nsopenssl: sockclient: SERVER's CERT is NOT VALID message
Hi all,

This SERVER's CERT is NOT VALID message appears in the error log whenever an ns_httpsget is used to contact a merchant gateway via ssl. Subsequently, the return from ns_httpsget fails.

Could the failure be related even though peer-to-peer SSL does not require a recognized CA for this connection? If so, what is breaking? Any suggestions on how to track this down further?

Thanks in advance,

Torben

server: FreeBSD 4.9-stable running aolserver3.4.2oacs1
certificate: from entrust (a recognized) CA.

Netcat tests via http work without errors.

The below (abridged) verbose log includes messages generated from setting:

ns_param ServerTrace true
ns_param SockServerTrace true
ns_param SockClientTrace true

Log shows startup and an early peer-to-peer SSL attempt.

[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsmain: AOLserver/3.4.2 starting
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsmain: security info: uid=65534, euid=65534, gid=65534, egid=65534
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsmain: max files: FD_SETSIZE = 1024, rl_cur = 1024, rl_max = 0
...
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/postgres.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: PostgreSQL loaded.
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: adp: mapped /*.adp
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nssock.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nslog.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nslog: opened '/var/www/openacs-4-6.log'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nssha1.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nscache.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nscache module version @VER@
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsrewrite.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsxml.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsxml module starting
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: Module directory set by ModuleDir to /usr/local/www/service463/etc/certs
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerPeerVerify = 0
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerTrace = 1
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv2 protocol
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv3 protocol
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using TLSv1 protocol
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerCADir = /usr/local/www/service463/etc/certs/
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionCache = 1
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionCacheId = 1
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionTimeout = 300
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: ServerSessionCacheSize = 512
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerPeerVerify = 1
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerPeerVerifyDepth = 3
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerTrace = 1
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerProtocols = SSLv2, SSLv3, TLSv1
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv2 protocol
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using SSLv3 protocol
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: Using TLSv1 protocol
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[20/Jan/2004:11:29:54][93990.135335936][-main-] Notice: nsopenssl: SockServerCertFile =
Re: [AOLSERVER] nsopenssl: sockclient: SERVER's CERT is NOT VALID message
Why are you using the same file for both your Certificates and your list of CA Certificates to validate incoming certificates with?

When a client passes you their certificate, nsopenssl uses the CA certificates in the CAFile to validate that client certificate. Based on what I see below, you're using your own certificate as if it were a CA certificate, which means you'll never be able to validate any certificates.

SockServerCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockServerKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
SockServerCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockClientCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
SockClientKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
SockClientCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem

Secondly, nsopenssl does not abort a connection because of invalid certs -- it just logs them. Your response to the invalid cert is your application's responsibility. The reason is that you might want to return a useful error page to the user or application on the other end; if you barf on the SSL handshake, the user gets whatever error page the browser generates because no content ever passes between the two.

Based on your output here:

[20/Jan/2004:12:26:49][93990.135948288][-conn1-] Notice: nsopenssl: sockclient: SERVER's CERT is NOT VALID
[20/Jan/2004:12:26:51][93990.135948288][-conn1-] Notice: nsopenssl: trace: sockclient: SSL negotiation finished successfully; alert type = warning; alert desc = close notify
[20/Jan/2004:12:26:51][93990.135948288][-conn1-] Notice: nsopenssl: trace: sockclient: SSL negotiation finished successfully; alert type = warning; alert desc = close notify
[20/Jan/2004:12:26:51][93990.135948288][-conn1-] Error: Ns_PgExec: result status: 7 message: ERROR: ExecAppend: Fail to add null value in not null attribute transaction_id
[20/Jan/2004:12:26:51][93990.135948288][-conn1-] Error: Wasn't able to do insert into ezic_gateway_result_log for transaction_id ; error was Database operation dml failed

The SSL handshake completes successfully, meaning that you have established a good SSL connection. Your problem is the database operation. Without seeing the schema and code, can't really say much about that.

/s.
[AOLSERVER] aolserver 3.4.2 configuration questions
Dear all,

I've installed aolserver 3.4.2 on my freebsd 4.9 laptop for developing and testing some web applications I'm planning to create. The installation went ok and I can serve static pages. However, when I try to feed my system some .tcl pages under pageroot I get the whole page as text and not the results of the tcl statements I wrote.

For instance, this little hello world tcl program doesn't appear as expected in the browser.

hello.tcl

ns_return 200 text/html "<html>
<head>
<title>Testing</title>
</head>
<body>
<p>Hello, world</p>
</body>
</html>"

The output of this when I put the commands in a .tcl file under pageroot is:

ns_return 200 text/html "<html>
<head>
<title>Testing</title>
</head>
<body>
<p>Hello, world</p>
</body>
</html>"

I then tried something similar but the results were the same:

ns_write "HTTP/1.0 200 OK
MIME-Version: 1.0
Content-Type: text/html

"
ns_write "<html>
<head>
<title>Testing</title>
</head>
<body>
<p>Hello, world</p>
</body>
</html>"

I also have a question regarding database access with the postgres driver. I have installed postgres 7.3.4 and it works fine. However, I wasn't able to find any postgres.so file in any directory on my system. I thought aolserver would install it somewhere and I could use that location to find it. What I did find was a /usr/local/lib/postgresql/plpgsql.so file, and I added it to db section, but I don't think this will do the trick:-)

Here is my nsd configuration file:

# $Header: /cvsroot/aolserver/aolserver/nsd/sample-config.tcl,v 1.2 2000/12/13 21:50:27 kriston Exp $

ns_log notice "config.tcl: starting to read config file..."

#
# Set some Tcl variables that are commonly used throughout this file.
#

set httpport               8000
set httpsport              8443

# The hostname and address should be set to actual values.
set hostname               localhost
set address                127.0.0.1

set servername             server1
set serverdesc             "Server Name"

set homedir                /home/rgilaard/
set bindir                 /usr/local/aolserver/bin/

set pageroot               ${homedir}/servers/${servername}/pages/
set directoryfile          index.adp,index.html,index.htm

set ext [info sharedlibextension]

# nsssl: Only loads if keyfile.pem and certfile.pem exist.
#set sslmodule              nsssl${ext}  ;# Domestic 128-bit/1024-bit SSL.
set sslmodule              nsssle${ext} ;# Exportable 40-bit/512-bit SSL.
set sslkeyfile   ${homedir}/servers/${servername}/modules/nsssl/keyfile.pem
set sslcertfile  ${homedir}/servers/${servername}/modules/nsssl/certfile.pem

# nscp: Uncomment the sample password and log in with nsadmin, password x,
#       type ns_crypt newpassword salt and put the encrypted string below.
set nscp_port ""
set nscp_addr 127.0.0.1
set nscp_user ""
#set nscp_user nsadmin:t2GqvvaiIUbF2: ;# sample user=nsadmin, pw=x.

#
# Global server parameters
#
ns_section ns/parameters
ns_param   home            $homedir
ns_param   debug           false

#
# Thread library (nsthread) parameters
#
ns_section ns/threads
ns_param   mutexmeter      true      ;# measure lock contention
#ns_param   stacksize [expr 128*1024] ;# Per-thread stack size.

#
# MIME types.
#
# Note: AOLserver already has an exhaustive list of MIME types, but in
# case something is missing you can add it here.
#
ns_section ns/mimetypes
ns_param   default         */*     ;# MIME type for unknown extension.
ns_param   noextension     */*     ;# MIME type for missing extension.
#ns_param   .xls            application/vnd.ms-excel

#
# Server-level configuration
#
# There is only one server in AOLserver, but this is helpful when multiple
# servers share the same configuration file. This file assumes that only
# one server is in use so it is set at the top in the server Tcl variable.
# Other host-specific values are set up above as Tcl variables, too.
#
ns_section ns/servers
ns_param   $servername     $serverdesc

#
# Server parameters
#
ns_section ns/server/${servername}
ns_param   directoryfile   $directoryfile
ns_param   pageroot        $pageroot
ns_param   globalstats     true      ;# Enable built-in statistics.
ns_param   urlstats        true      ;# Enable URL statistics.
ns_param   maxurlstats     1000      ;# Max number of URL's to do stats on.
ns_param   enabletclpages  true      ;# Parse *.tcl files in pageroot.

#
# Scaling and Tuning Options
#
# Note: These values aren't necessarily the defaults.
#
#ns_param   connsperthread  0         ;# Normally there's one conn per thread
#ns_param   flushcontent    false     ;# Flush all data before returning
#ns_param   maxconnections  100       ;# Max connections to put on queue
#ns_param   maxdropped      0         ;# Shut down if dropping too many conns
#ns_param   maxthreads      20        ;# Tune this to scale your server
#ns_param   minthreads      0         ;# Tune this to scale your server
#ns_param   threadtimeout   120       ;# Idle threads die at this rate

# Directory listings -- use
Re: [AOLSERVER] aolserver 3.4.2 configuration questions
On the running .tcl pages part (there are others who can comment better on your postgres questions):

Try looking at what shows up in the server log file. This file will either be flowing to standard-out, or to the configured 'serverlog' path (defaults to $homedir/log/server.log; you've specified homedir == /home/rgilaard/).

You should see a 'Notice: tcl: enabling .tcl pages' message near the start confirming that .tcl pages have been correctly enabled.

Also, there may be something else going awry, which could be identified by entries in this log, perhaps associated with trying to service the .tcl page request.

Dino Vliet wrote on 1/20/2004, 11:00 AM:

> Dear all,
>
> I've installed aolserver 3.4.2 on my freebsd 4.9 laptop for developing and testing some web applications I'm planning to create. The installation went ok and I can serve static pages. However, when I try to feed my system some .tcl pages under pageroot I get the whole page as text and not the results of the tcl statements I wrote.
>
> For instance, this little hello world tcl program doesn't appear as expected in the browser.
>
> hello.tcl
>
> ns_return 200 text/html "<html>
> <head>
> <title>Testing</title>
> </head>
> <body>
> <p>Hello, world</p>
> </body>
> </html>"
>
> The output of this when I put the commands in a .tcl file under pageroot is:
>
> ns_return 200 text/html "<html>
> <head>
> <title>Testing</title>
> </head>
> <body>
> <p>Hello, world</p>
> </body>
> </html>"
>
> I then tried something similar but the results were the same:
>
> ns_write "HTTP/1.0 200 OK
> MIME-Version: 1.0
> Content-Type: text/html
>
> "
> ns_write "<html>
> <head>
> <title>Testing</title>
> </head>
> <body>
> <p>Hello, world</p>
> </body>
> </html>"
>
> I also have a question regarding database access with the postgres driver. I have installed postgres 7.3.4 and it works fine. However, I wasn't able to find any postgres.so file in any directory on my system. I thought aolserver would install it somewhere and I could use that location to find it.
Re: [AOLSERVER] nsopenssl: sockclient: SERVER's CERT is NOT VALID message
Thanks, Scott.

> Why are you using the same file for both your Certificates and your list of CA Certificates to validate incoming certificates with?

This variation of the configuration is the most recent, and most disparate (pun intended). =)

I cannot find docs on how to configure the openssl (*CAFile and *CADir) parameters (usually leaving their values as CA/CA.pem). Is there a section in the docs somewhere that relates to this? Are these only used with peer-to-peer server connections that require a valid CA?

Torben

> When a client passes you their certificate, nsopenssl uses the CA certificates in the CAFile to validate that client certificate. Based on what I see below, you're using your own certificate as if it were a CA certificate, which means you'll never be able to validate any certificates.
>
> SockServerCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
> SockServerKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
> SockServerCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
> SockClientCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
> SockClientKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
> SockClientCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
>
> Secondly, nsopenssl does not abort a connection because of invalid certs -- it just logs them. Your response to the invalid cert is your application's responsibility. The reason is that you might want to return a useful error page to the user or application on the other end; if you barf on the SSL handshake, the user gets whatever error page the browser generates because no content ever passes between the two.
>
> ...
>
> The SSL handshake completes successfully, meaning that you have established a good SSL connection. Your problem is the database operation. Without seeing the schema and code, can't really say much about that.
Re: [AOLSERVER] nsopenssl: sockclient: SERVER's CERT is NOT VALID message
Use the CAFile param -- ignore the CADir param. Simply take all the CA certificates you have that you want to use to validate peer certificates with and concatenate them together into one file. The CA certificates have to be in PEM format. You only use them when you have PeerVerify set and you actually want to validate the peer's certificate(s).

I probably don't have anything in the current docs about how to configure this yet.

/s.

On Jan 20, 2004, at 4:43 PM, Torben Brosten wrote:

> Thanks, Scott.
>
> > Why are you using the same file for both your Certificates and your list of CA Certificates to validate incoming certificates with?
>
> This variation of the configuration is the most recent, and most disparate (pun intended). =)
>
> I cannot find docs on how to configure the openssl (*CAFile and *CADir) parameters (usually leaving their values as CA/CA.pem). Is there a section in the docs somewhere that relates to this? Are these only used with peer-to-peer server connections that require a valid CA?
>
> Torben
>
> > When a client passes you their certificate, nsopenssl uses the CA certificates in the CAFile to validate that client certificate. Based on what I see below, you're using your own certificate as if it were a CA certificate, which means you'll never be able to validate any certificates.
> >
> > SockServerCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
> > SockServerKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
> > SockServerCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
> > SockClientCertFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
> > SockClientKeyFile = /usr/local/www/service463/etc/certs/dekka.key.pem
> > SockClientCAFile = /usr/local/www/service463/etc/certs/dekka.crt.pem
> >
> > Secondly, nsopenssl does not abort a connection because of invalid certs -- it just logs them. Your response to the invalid cert is your application's responsibility. The reason is that you might want to return a useful error page to the user or application on the other end; if you barf on the SSL handshake, the user gets whatever error page the browser generates because no content ever passes between the two.
> >
> > ...
> >
> > The SSL handshake completes successfully, meaning that you have established a good SSL connection. Your problem is the database operation. Without seeing the schema and code, can't really say much about that.
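Added example, not part of the thread and not nsopenssl code: the CAFile point from the two replies above (a leaf certificate used as the CAFile validates nothing; the fix is one PEM file of concatenated CA certificates), reproduced with the openssl command line on a throwaway PKI. All file names, subjects and function names are constructed; it assumes OpenSSL 1.1 or later, where `openssl verify` exits non-zero on failure.

```sh
#!/bin/sh
# Build a throwaway PKI in directory $1: CAs caA and caB, an "own" server
# certificate issued by caA and a "peer" certificate issued by caB.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
    for ca in caA caB; do
        openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca \
            -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca" \
            -keyout "$d/$ca.key.pem" -out "$d/$ca.crt.pem" 2>/dev/null || return 1
    done
    issue_leaf "$d" own caA && issue_leaf "$d" peer caB
}

# Issue leaf certificate $2, signed by CA $3, inside directory $1.
issue_leaf() {
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2.example" \
        -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr.pem" -CA "$1/$3.crt.pem" \
        -CAkey "$1/$3.key.pem" -CAcreateserial -days 1 \
        -extfile "$1/demo.cnf" -extensions v3_leaf \
        -out "$1/$2.crt.pem" 2>/dev/null
}

# True when the first certificate in PEM file $1 is marked CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True when peer certificate $2 chains to a trust anchor in CA file $1.
# This exit status is what the application has to act on.
peer_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

result() { if "$@"; then echo OK; else echo FAIL; fi; }

# Print one "<case> <OK|FAIL>" line per configuration.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    # Corrected CAFile: every trusted CA certificate, PEM, concatenated.
    cat "$d/caA.crt.pem" "$d/caB.crt.pem" > "$d/ca-bundle.pem"
    # Configuration from the thread: CAFile is the server's own certificate.
    echo "own-cert-usable-as-CA $(result is_ca_cert "$d/own.crt.pem")"
    echo "cafile-own-cert $(result peer_verifies "$d/own.crt.pem" "$d/peer.crt.pem")"
    # A real CA, but not the one that issued the peer certificate.
    echo "cafile-caA-only $(result peer_verifies "$d/caA.crt.pem" "$d/peer.crt.pem")"
    echo "cafile-bundle $(result peer_verifies "$d/ca-bundle.pem" "$d/peer.crt.pem")"
    rm -rf "$d"
}

demo
```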