On 2018-10-18 07:12, Rainer Jung wrote:
On 17.10.2018 at 13:41, Daniel Ruggeri wrote:
Hi, all;
With the fix for detected OpenSSL 1.1.1 issues now backported to 2.4.x, I would like to tag the next version of our venerable server soon.

I have already successfully completed the test suite against my "latest sources" docker environment and am watching for any smoke detected in [1]. Feeling good about this one :-)

How about roughly 24 hours from now?

[1] https://lists.apache.org/thread.html/48de97bd66ceabcf84a3719b36cd69274cb8c4b64d68c46696beb906@<dev.httpd.apache.org>

In the meantime most of my tests finished. The two small mod_ssl
patches applied this morning were not part of the testing but seem
simple enough to understand and should pose no risk.

My testing showed:

- t/ssl/ocsp.t fails in test 2 and 3 (lines 43 and 49) when the server
is built using OpenSSL 0.9.8zh:
Can't connect to localhost:8535 (SSL connect attempt failed because of
handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure)
SSL connect attempt failed because of handshake problems
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure at
/shared/build/dev/httpd/install/Bundle-ApacheTest/20180911-0.9.8zh-1/rhel7.x86_64/lib/perl5/LWP/Protocol/http.pm
 line 50.

I don't know whether that is expected for old OpenSSL, so can not
judge on criticality.

- t/modules/http2.t fails when the server is built using OpenSSL
0.9.8zh with the "Bad plan.  You planned 52 tests..." message
indicating that h2 using TLS does not work. It happens on all
platforms, but not if the client also uses OpenSSL 0.9.8zh.

I don't know whether that is expected for old OpenSSL, so can not
judge on criticality.

- only once out of 68 runs on Solaris failure in t/modules/cgi.t test
54 in line 232. There log contents are checked and the file system is
on NFS. Might be that this is a timing issue in the test. Not a
show-stopper for me.

- only once out of 68 runs on Solaris failure in t/ssl/proxy.t test
106 in line 131. /eat_post responds with a proxy error (502) instead
of 200 with the posted content length as the response body. Need to
investigate but would also say not a show-stopper, because only on
Solaris and only once.

- some crashes on Solaris when building the server statically linked.
Only with event MPM and looks like always at the end of a process
lifetime, typically during shutdown. Maybe a problem with duplicate
OpenSSL unloading/cleanup (apr-util plus mod_ssl). I think it's a known
problem, but no fix yet available. Since it should not happen to
processes which are in use I would say it is more of an annoyance and
not a show-stopper.

Regards,

Rainer

Thank you so much for the thorough testing. I see that the H2 failure case makes sense based on feedback. I also suspect there is a strong lead on the ocsp case. I'm also pleased to see the backports have already made it into 2.4.x so I think we're good to go.

--
Daniel Ruggeri
