Re: 2.4.3x regression w/SSL vhost configs

Am 19.04.2018 um 17:55 schrieb David Zuelke: > I hate to break this to you, and I do not want to discredit the > amazing work all the contributors here are doing, but httpd 2.4 is of > miserable, miserable quality when it comes to breaks and regressions. > > I maintain the PHP/Apache/Nginx

Re: 2.4.3x regression w/SSL vhost configs

Thanks to everyone who followed through :) For completion, I pushed this to trunk in r1829513 though arguably we could/should accept some behavioural change here in 2.5. No strong opinion on this really. 2.4 backport also proposed. It bugs me to be left with the "surprising" behaviour of

Re: 2.4.3x regression w/SSL vhost configs

On 04/13/2018 01:11 PM, Joe Orton wrote: > On Thu, Apr 12, 2018 at 09:38:46PM +0200, Ruediger Pluem wrote: >> On 04/12/2018 09:28 AM, Joe Orton wrote: > I was trying to convince myself whether mySrvConfig(r->server) is going > to change between 2.4.29 and .33+patch in this case, and I think it

Re: 2.4.3x regression w/SSL vhost configs

> Am 14.04.2018 um 16:51 schrieb Daniel Ruggeri : > > This is a pretty valid reason to consider 2.5. However, I'm not convinced > trunk has fixed the funky things referred to in this thread either. Chicken and egg. I am willing to work for a 2.5+ https: configuration

Re: 2.4.3x regression w/SSL vhost configs

This is a pretty valid reason to consider 2.5. However, I'm not convinced trunk has fixed the funky things referred to in this thread either. -- Daniel Ruggeri On April 14, 2018 2:16:04 AM CDT, Stefan Eissing wrote: > >> Am 13.04.2018 um 16:00 schrieb Joe Orton

Re: 2.4.3x regression w/SSL vhost configs

> Am 13.04.2018 um 16:00 schrieb Joe Orton : > > It annoys me now that the "protocol" argument to "Listen" is really > quite ill-defined. "https" is not even really a protocol, more a URL > scheme, and I can't see it documented that enables SSLEngine anywhere. > We also

Re: 2.4.3x regression w/SSL vhost configs

On Fri, Apr 13, 2018 at 01:55:40PM +0200, Yann Ylavic wrote: > At runtime, *with SNI*, when ssl_callback_ServerNameIndication() gets > called and ap_vhost_iterate_given_conn()::ssl_find_vhost() reaches the > second nvh (beta, with no SSL) corresponding to the SNI, we do > SSL_set_SSL_CTX to switch

Re: 2.4.3x regression w/SSL vhost configs

On Fri, Apr 13, 2018 at 1:11 PM, Joe Orton wrote: > > TL;DR: > 1. my head hurts > 2. I think my patch is OK > > Anyone read this far? Yep, I was about to write almost the same long one too :) One thing to add maybe. At runtime, *with SNI*, when

Re: 2.4.3x regression w/SSL vhost configs

Nice journey! You speak of this patch some messages ago: Index: modules/ssl/ssl_engine_init.c === --- modules/ssl/ssl_engine_init.c (revision 1828914) +++ modules/ssl/ssl_engine_init.c (working copy) @@ -261,7 +261,8 @@

Re: 2.4.3x regression w/SSL vhost configs

On Thu, Apr 12, 2018 at 09:38:46PM +0200, Ruediger Pluem wrote: > On 04/12/2018 09:28 AM, Joe Orton wrote: > > But logged is: > > > > ::1 - - [12/Apr/2018:08:11:12 +0100] "GET /agag HTTP/1.1" 404 12 HTTPS=on > > SNI=localhost.localdomain > > 127.0.0.1 - - [12/Apr/2018:08:11:15 +0100] "GET /agag

Re: 2.4.3x regression w/SSL vhost configs

On 04/12/2018 09:28 AM, Joe Orton wrote: > On Wed, Apr 11, 2018 at 10:24:23PM +0200, Yann Ylavic wrote: >> On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton wrote: >>> Yes, exactly - and for affected configs the defining feature is the >>> absence of SSL* in the second vhost. The

Re: 2.4.3x regression w/SSL vhost configs

> Am 12.04.2018 um 12:49 schrieb Yann Ylavic : > > On Thu, Apr 12, 2018 at 11:34 AM, Stefan Eissing > wrote: >> >> >>> Am 12.04.2018 um 11:23 schrieb Yann Ylavic : >>> >>> Hi Stefan, >>> >>> On Thu, Apr 12, 2018 at

Re: 2.4.3x regression w/SSL vhost configs

On Thu, Apr 12, 2018 at 11:34 AM, Stefan Eissing wrote: > > >> Am 12.04.2018 um 11:23 schrieb Yann Ylavic : >> >> Hi Stefan, >> >> On Thu, Apr 12, 2018 at 11:09 AM, Stefan Eissing >> wrote: >>> Am 11.04.2018

Re: 2.4.3x regression w/SSL vhost configs

> Am 12.04.2018 um 11:23 schrieb Yann Ylavic : > > Hi Stefan, > > On Thu, Apr 12, 2018 at 11:09 AM, Stefan Eissing > wrote: >> >>> Am 11.04.2018 um 22:24 schrieb Yann Ylavic : >>> >>> On Wed, Apr 11, 2018 at 7:54 PM,

Re: 2.4.3x regression w/SSL vhost configs

Hi Stefan, On Thu, Apr 12, 2018 at 11:09 AM, Stefan Eissing wrote: > >> Am 11.04.2018 um 22:24 schrieb Yann Ylavic : >> >> On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton wrote: >>> >>> Is mod_md expected to work for vhosts

Re: 2.4.3x regression w/SSL vhost configs

> Am 11.04.2018 um 22:24 schrieb Yann Ylavic : > > On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton wrote: >> On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote: >>> On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic wrote: On

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 10:24:23PM +0200, Yann Ylavic wrote: > On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton wrote: > > Yes, exactly - and for affected configs the defining feature is the > > absence of SSL* in the second vhost. The non-SSL config still takes > > effect as

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton wrote: > On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote: >> On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic wrote: >> > On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton wrote: >> >> Like

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 01:37:22PM -0400, Eric Covener wrote: > On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic wrote: > > On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton wrote: > >> Like this? Is this likely to break some other currently-working config? > >> >

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 1:07 PM, Yann Ylavic wrote: > On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton wrote: >> Like this? Is this likely to break some other currently-working config? >> >> Index: modules/ssl/ssl_engine_init.c >>

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 7:03 PM, Joe Orton wrote: > Like this? Is this likely to break some other currently-working config? > > Index: modules/ssl/ssl_engine_init.c > === > --- modules/ssl/ssl_engine_init.c

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 6:41 PM, Joe Orton wrote: > On Wed, Apr 11, 2018 at 05:49:47PM +0200, Yann Ylavic wrote: >> I agree... to both Stefan's and your points of view here :p > > YOU FENCE SITTER! :) :D > > I feel like it should be possible to restore the old behaviour

Re: 2.4.3x regression w/SSL vhost configs

Like this? Is this likely to break some other currently-working config? Index: modules/ssl/ssl_engine_init.c === --- modules/ssl/ssl_engine_init.c (revision 1828914) +++ modules/ssl/ssl_engine_init.c (working copy) @@

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 05:49:47PM +0200, Yann Ylavic wrote: > I agree... to both Stefan's and your points of view here :p YOU FENCE SITTER! :) > We can hardly break existing configurations, even if they rely on a > bug (our bug...). > But another user (or the same!) may open a bug when her/his

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 5:49 PM, Yann Ylavic wrote: > Maybe we need a global EXEC_ON_READ setting (before any vhost) to > control/ignore AP_MODULE_FLAG_ALWAYS_MERGE? Something like the attached possibly... Index: include/http_config.h

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 4:56 PM, Joe Orton wrote: > On Wed, Apr 11, 2018 at 02:10:27PM +0200, Stefan Eissing wrote: >> What we fixed here is a bug, plain and simple. And if installations rely >> on a bug, they might break on an update. Seems unavoidable. >> >> Nowhere is this

Re: 2.4.3x regression w/SSL vhost configs

On Wed, Apr 11, 2018 at 02:10:27PM +0200, Stefan Eissing wrote: > What we fixed here is a bug, plain and simple. And if installations rely > on a bug, they might break on an update. Seems unavoidable. > > Nowhere is this "a certificate is visible in other vhosts if it is configured > in the >

Re: 2.4.3x regression w/SSL vhost configs

> Am 11.04.2018 um 13:57 schrieb Joe Orton : > > Thanks for the responses, Stefan. I understand this a bit better now, > but it still seems very clearly like a regression. > > On Wed, Apr 11, 2018 at 10:28:05AM +0200, Stefan Eissing wrote: >> Additional example of the

Re: 2.4.3x regression w/SSL vhost configs

Thanks for the responses, Stefan. I understand this a bit better now, but it still seems very clearly like a regression. On Wed, Apr 11, 2018 at 10:28:05AM +0200, Stefan Eissing wrote: > Additional example of the brokeness. If you add > a SSL directive to the 2nd vhost in your example > -

Re: 2.4.3x regression w/SSL vhost configs

Additional example of the brokeness. If you add a SSL directive to the 2nd vhost in your example - without the new MERGE feature: > Am 10.04.2018 um 18:22 schrieb Joe Orton : > > Listen 443 https > > > ServerName www.example.com:443 > SSLCertificateFile ... > > > >

Re: 2.4.3x regression w/SSL vhost configs

> Am 10.04.2018 um 18:22 schrieb Joe Orton : > > I don't quite understand the new AP_MODULE_FLAG_ALWAYS_MERGE logic so > I'm struggling to debug this, but I've had a couple of reports that > configurations like: > > Listen 443 https > > > ServerName www.example.com:443