Re: svn commit: r1897858 - in /httpd/httpd/trunk: ./ changes-entries/

[Rainer Jung]

Small typo below ...

Am 08.02.2022 um 12:04 schrieb yla...@apache.org:

Author: ylavic
Date: Tue Feb  8 11:04:49 2022
New Revision: 1897858

URL: http://svn.apache.org/viewvc?rev=1897858&view=rev
Log:
Sync CHANGES entries. [skip ci]

Removed:
 httpd/httpd/trunk/changes-entries/CoreDumpDirectory-freebsd11.txt
 httpd/httpd/trunk/changes-entries/ap_regex_thread_local.txt
 httpd/httpd/trunk/changes-entries/bz_65769.txt
 httpd/httpd/trunk/changes-entries/mod_dav_memory_regresssion.txt
 httpd/httpd/trunk/changes-entries/mod_md_status_memory.txt
 httpd/httpd/trunk/changes-entries/mod_tls_link_issue_with_rust_1_56.txt
 httpd/httpd/trunk/changes-entries/reqtimeout_mode_init.txt
Modified:
 httpd/httpd/trunk/CHANGES

Modified: httpd/httpd/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1897858&r1=1897857&r2=1897858&view=diff
==
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Feb  8 11:04:49 2022
@@ -1,6 +1,32 @@
   -*- coding: utf-8 -*-
  Changes with Apache 2.5.1
  
+  *) mod_md: the status description in MDomain's JSON, exposed in the

+ md-status handler (if configure) did sometimes not carry the correct
+ message when certificates needed renew.
+ [Stefan Eissing]
+
+  *) mod_tls: Fix a linkage issue with rustls when compiled
+ with rust 1.55, 1.56 or 1.57. This prevents the loading
+ of the module because of an undefined symbol: fmaf
+ See https://github.com/rustls/rustls-ffi/issues/133
+ [Christophe Jaillet]
+
+  *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
+ when an efficient TLS implementation is available. [Yann Ylavic]
+
+  *) mom_reqtimeout: Fix missing handshake= timeout enforcement.  [Yann Ylavic]


s/mom_/mod_/

Re: [VOTE] Release httpd-2.4.53-rc1 as httpd-2.4.53

[Rainer Jung]

Am 07.03.2022 um 16:55 schrieb Stefan Eissing:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.53-rc1 as 2.4.53:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 7559255a37adc5cb6f568ba224e435420f0a138cd9564162c9528b8ac08737b3 
*httpd-2.4.53-rc1.tar.gz
sha512: 
a7734e2fa35389678be74bbc18136eef482ff9daecc2c1ed9c2c5eb410182735a94ff6ad248d0d4b6266e90161f2f8052d4871f381723c996ace0412b0219961
 *httpd-2.4.53-rc1.tar.gz

The SVN candidate source is found at tags/2.4.53-rc1-candidate.

Kind Regards,
Stefan


Not a vote yet, just an observation: on SLES12 (gcc 4.8.3, glibc 2.19) 
and RHEL7 (gcc 4.8.2, glibc 2.19) with platform compilers, configure 
detects it wants to set -std=gnu11. During make I get a compilation error:


server/util.c:3183:1: error: unknown type name ‘_Thread_local’

The type "_Thread_local" comes from include/httpd.h:

  2438  #if defined(__cplusplus) && __cplusplus >= 201103L
  2439  #define AP_THREAD_LOCAL thread_local
  2440  #elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112
  2441  #define AP_THREAD_LOCAL _Thread_local

  2442  #elif defined(__GNUC__) /* works for clang too */
  2443  #define AP_THREAD_LOCAL __thread
  2444  #elif defined(WIN32) && defined(_MSC_VER)
  2445  #define AP_THREAD_LOCAL __declspec(thread)
  2446  #endif
  2447  #endif /* ndef AP_NO_THREAD_LOCAL */

It looks like the detection is broken?

Best regards,

Rainer

Re: [VOTE] Release httpd-2.4.53-rc1 as httpd-2.4.53

[Rainer Jung]

Am 08.03.2022 um 16:33 schrieb Rainer Jung:


Am 07.03.2022 um 16:55 schrieb Stefan Eissing:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.53-rc1 as 2.4.53:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 
7559255a37adc5cb6f568ba224e435420f0a138cd9564162c9528b8ac08737b3 
*httpd-2.4.53-rc1.tar.gz
sha512: 
a7734e2fa35389678be74bbc18136eef482ff9daecc2c1ed9c2c5eb410182735a94ff6ad248d0d4b6266e90161f2f8052d4871f381723c996ace0412b0219961 
*httpd-2.4.53-rc1.tar.gz


The SVN candidate source is found at tags/2.4.53-rc1-candidate.

Kind Regards,
Stefan


Not a vote yet, just an observation: on SLES12 (gcc 4.8.3, glibc 2.19) 
and RHEL7 (gcc 4.8.2, glibc 2.19) with platform compilers, configure 
detects it wants to set -std=gnu11. During make I get a compilation error:


server/util.c:3183:1: error: unknown type name ‘_Thread_local’

The type "_Thread_local" comes from include/httpd.h:

   2438  #if defined(__cplusplus) && __cplusplus >= 201103L
   2439  #define AP_THREAD_LOCAL thread_local
   2440  #elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112
   2441  #define AP_THREAD_LOCAL _Thread_local

   2442  #elif defined(__GNUC__) /* works for clang too */
   2443  #define AP_THREAD_LOCAL __thread
   2444  #elif defined(WIN32) && defined(_MSC_VER)
   2445  #define AP_THREAD_LOCAL __declspec(thread)
   2446  #endif
   2447  #endif /* ndef AP_NO_THREAD_LOCAL */

It looks like the detection is broken?


See also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203066

Re: [VOTE] Release httpd-2.4.53-rc1 as httpd-2.4.53

[Rainer Jung]

Am 08.03.2022 um 17:06 schrieb Ruediger Pluem:



On 3/8/22 4:38 PM, Rainer Jung wrote:

Am 08.03.2022 um 16:33 schrieb Rainer Jung:


Am 07.03.2022 um 16:55 schrieb Stefan Eissing:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.53-rc1 as 2.4.53:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 7559255a37adc5cb6f568ba224e435420f0a138cd9564162c9528b8ac08737b3 
*httpd-2.4.53-rc1.tar.gz
sha512:
a7734e2fa35389678be74bbc18136eef482ff9daecc2c1ed9c2c5eb410182735a94ff6ad248d0d4b6266e90161f2f8052d4871f381723c996ace0412b0219961
 *httpd-2.4.53-rc1.tar.gz


The SVN candidate source is found at tags/2.4.53-rc1-candidate.

Kind Regards,
Stefan


Not a vote yet, just an observation: on SLES12 (gcc 4.8.3, glibc 2.19) and 
RHEL7 (gcc 4.8.2, glibc 2.19) with platform
compilers, configure detects it wants to set -std=gnu11. During make I get a 
compilation error:

server/util.c:3183:1: error: unknown type name ‘_Thread_local’

The type "_Thread_local" comes from include/httpd.h:

    2438  #if defined(__cplusplus) && __cplusplus >= 201103L
    2439  #define AP_THREAD_LOCAL thread_local
    2440  #elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112
    2441  #define AP_THREAD_LOCAL _Thread_local

    2442  #elif defined(__GNUC__) /* works for clang too */
    2443  #define AP_THREAD_LOCAL __thread
    2444  #elif defined(WIN32) && defined(_MSC_VER)
    2445  #define AP_THREAD_LOCAL __declspec(thread)
    2446  #endif
    2447  #endif /* ndef AP_NO_THREAD_LOCAL */

It looks like the detection is broken?


See also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203066


Thanks for the pointer. Does the below fix it?

Index: include/httpd.h
===
--- include/httpd.h (revision 1898730)
+++ include/httpd.h (working copy)
@@ -2587,7 +2587,9 @@
   */
  #if defined(__cplusplus) && __cplusplus >= 201103L
  #define AP_THREAD_LOCAL thread_local
-#elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112
+#elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112 && \
+  (!defined(__GNUC__) || \
+  __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 9))
  #define AP_THREAD_LOCAL _Thread_local
  #elif defined(__GNUC__) /* works for clang too */
  #define AP_THREAD_LOCAL __thread


Regards

Rüdiger


Looks good to me from inspection. I already tested a similar but not as 
good patch. The next builds will pick up your one. Will report back in 
an hour or so, whether it works for me.


Two additional things I already saw, but which are non.critical:

- configure flag --with-pcre no longer accepts an external pcre 8 
installation directory. It seems in that case the flag must now point to 
the path of the pcre-config script instead.


- configure for APR in the dependency tarball still fails for me due to 
a bug in autoconf 2.71 used to create the configure script. That problem 
was already reported by me during another release vote. I replaced the 
changed three files in the bundled apr and apr-util with the earlier ones.


Thanks and regards,

Rainer

Re: [VOTE] Release httpd-2.4.53-rc1 as httpd-2.4.53

[Rainer Jung]

Am 08.03.2022 um 18:22 schrieb Rainer Jung:

Am 08.03.2022 um 17:06 schrieb Ruediger Pluem:



On 3/8/22 4:38 PM, Rainer Jung wrote:

Am 08.03.2022 um 16:33 schrieb Rainer Jung:


Am 07.03.2022 um 16:55 schrieb Stefan Eissing:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.53-rc1 as 2.4.53:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 
7559255a37adc5cb6f568ba224e435420f0a138cd9564162c9528b8ac08737b3 
*httpd-2.4.53-rc1.tar.gz

sha512:
a7734e2fa35389678be74bbc18136eef482ff9daecc2c1ed9c2c5eb410182735a94ff6ad248d0d4b6266e90161f2f8052d4871f381723c996ace0412b0219961 
*httpd-2.4.53-rc1.tar.gz



The SVN candidate source is found at tags/2.4.53-rc1-candidate.

Kind Regards,
Stefan


Not a vote yet, just an observation: on SLES12 (gcc 4.8.3, glibc 
2.19) and RHEL7 (gcc 4.8.2, glibc 2.19) with platform
compilers, configure detects it wants to set -std=gnu11. During make 
I get a compilation error:


server/util.c:3183:1: error: unknown type name ‘_Thread_local’

The type "_Thread_local" comes from include/httpd.h:

    2438  #if defined(__cplusplus) && __cplusplus >= 201103L
    2439  #define AP_THREAD_LOCAL thread_local
    2440  #elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112
    2441  #define AP_THREAD_LOCAL _Thread_local

    2442  #elif defined(__GNUC__) /* works for clang too */
    2443  #define AP_THREAD_LOCAL __thread
    2444  #elif defined(WIN32) && defined(_MSC_VER)
    2445  #define AP_THREAD_LOCAL __declspec(thread)
    2446  #endif
    2447  #endif /* ndef AP_NO_THREAD_LOCAL */

It looks like the detection is broken?


See also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203066


Thanks for the pointer. Does the below fix it?

Index: include/httpd.h
===
--- include/httpd.h    (revision 1898730)
+++ include/httpd.h    (working copy)
@@ -2587,7 +2587,9 @@
   */
  #if defined(__cplusplus) && __cplusplus >= 201103L
  #define AP_THREAD_LOCAL thread_local
-#elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112
+#elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112 && \
+  (!defined(__GNUC__) || \
+  __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 9))
  #define AP_THREAD_LOCAL _Thread_local
  #elif defined(__GNUC__) /* works for clang too */
  #define AP_THREAD_LOCAL __thread


Regards

Rüdiger


Looks good to me from inspection. I already tested a similar but not as 
good patch. The next builds will pick up your one. Will report back in 
an hour or so, whether it works for me.


Two additional things I already saw, but which are non.critical:

- configure flag --with-pcre no longer accepts an external pcre 8 
installation directory. It seems in that case the flag must now point to 
the path of the pcre-config script instead.


- configure for APR in the dependency tarball still fails for me due to 
a bug in autoconf 2.71 used to create the configure script. That problem 
was already reported by me during another release vote. I replaced the 
changed three files in the bundled apr and apr-util with the earlier ones.


Thanks and regards,

Rainer


You gcc 4.8 workaround for _Thread_local still looks good.

Solaris builds and all unit tests not yet done but compiles fine for all 
my Linuxes.


Thanks!

Rainer

Re: [VOTE] Release httpd-2.4.53-rc1 as httpd-2.4.53

[Rainer Jung]

Am 09.03.2022 um 08:37 schrieb Ruediger Pluem:



On 3/8/22 10:09 PM, Rainer Jung wrote:






You gcc 4.8 workaround for _Thread_local still looks good.

Solaris builds and all unit tests not yet done but compiles fine for all my 
Linuxes.

Thanks!


Thanks for testing. I committed to trunk as r1898771 to throw it into our CI. 
If we need to tweak it further we can do later.

BTW: Once we have a final patch the same needs to be done for APR trunk and APR 
1.8.x.


Interesting: I did also compile APR trunk in my httpd release 
preparations but didn't observe the failure. This probably was due to 
the fact, that our APR trunk configure does not decide to add 
-std=gnu11, so the test in the header file doesn't result in 
_Thread_local being used.


Of course it still makes sense to apply the same patch (and also to 
other APR branches containing the thread local code). Just wondering, 
whether the different handling of the"std" compiler flag for httpd and 
apr trunk is intentional.


Best regards,

Rainer

Re: [VOTE] Release httpd-2.4.53-rc1 as httpd-2.4.53

[Rainer Jung]

Am 09.03.2022 um 13:58 schrieb Ruediger Pluem:



On 3/9/22 11:34 AM, Rainer Jung wrote:

Am 09.03.2022 um 08:37 schrieb Ruediger Pluem:



On 3/8/22 10:09 PM, Rainer Jung wrote:






You gcc 4.8 workaround for _Thread_local still looks good.

Solaris builds and all unit tests not yet done but compiles fine for all my 
Linuxes.

Thanks!


Thanks for testing. I committed to trunk as r1898771 to throw it into our CI. 
If we need to tweak it further we can do later.

BTW: Once we have a final patch the same needs to be done for APR trunk and APR 
1.8.x.


Interesting: I did also compile APR trunk in my httpd release preparations but 
didn't observe the failure. This probably was due
to the fact, that our APR trunk configure does not decide to add -std=gnu11, so 
the test in the header file doesn't result in
_Thread_local being used.

Of course it still makes sense to apply the same patch (and also to other APR 
branches containing the thread local code). Just
wondering, whether the different handling of the"std" compiler flag for httpd 
and apr trunk is intentional.



Weird. I don't see -std=gnu11 added at all to my httpd build on RedHat 8.

gcc --version
gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-4)
autoconf --version
autoconf (GNU Autoconf) 2.69

But I have tested the patch and get AP_THREAD_LOCAL set to _Thread_local as it 
should.


Good. Concerning RHEL 8: I see the flag there neither due to:

RHEl7 :
checking for gcc -specs=/shared/build/autobuild/specs/specs.rhel7 option 
to enable C11 features... -std=gnu11


RHEL 8:
checking for gcc -specs=/shared/build/autobuild/specs/specs.rhel8 option 
to enable C11 features... none needed


The check for C11 was introduced in autoconf 2.70 as a new feature of 
"AC_PROG_CC", which we have in configure.in for httpd and for APR.


The observed behavioral difference between httpd configure and (my) APR 
trunk configure is due to the fact, that I generated my APR trunk 
configure with autoconf 2.69, so the check does not run there. But it 
would, once configure would be regenerated with modern autoconf. So 
indeed the thread local detection fix should go in APR as well.


Thanks and regards,

Rainer

About our autoconf problems

[Rainer Jung]

First thanks to Stefan for downgrading his release system. It is a good 
workaround for the observed problems.


Since downgrades are not a long term solution, here's the status info to 
avoid confusion.


We observed two problems that had to do with using a recent autoconf 
version (2.70 an above) during releasing:


- bundled APR configure broken (ongoing)

This is already fixed by adjusting one of our autoconf macros in APR 
1.7.x and trunk (I think not in 1.6.x). But we didn't have an APR 
release since a long time, so the deps tarball for httpd still contains 
the latest but unfixed APR version. Once we will have a new APR release 
und bundle that, this autoconf problem will be gone and the latest 
autoconf should again be fine.


- thread local detection broken in httpd.h (fixed)

This is not a configure time problem, but a compile time problem. But it 
is still related to configure, because since autoconf 2.70 our call to 
AC_PROG_CC also checks whether the compiler support C11. For some gcc 
versions, eg. 4.8.x, this leads in "-std=gnu11" being added to the 
compiler flags. This in combination with httpd.h in 2.4.53-rc1 lead to a 
compile time failure. That problem is now fixed by making httpd.h more 
robust, so fir that problem the downgrade is no longer needed.


Thanks and regards,

Rainer

Support JSON output in mod_status and mod_info

[Rainer Jung]

I am thinking about adding a JSON output format to mod_status and 
mod_info as an option controlled by a query string parameter.


Since writing simple data structures from these modules is much simpler 
than parsing and processing a JSON structure, I would expect it to be 
based on simple ap_rputs() and ap_rprintf() like we already use it for 
auto (text) and HTML output. IMHO no need for a JSON library just for 
this use case.


Of course, this will slightly bloat the code with "if" statements and 
roughly double the amount of ap_rputs() and ap_rprintf().


For mod_status this probably means introduction of a new AP_STATUS_JSON 
value, so that in theory other modules could in the future update their 
status extensions with JSON support. In the meantime it might mean, that 
if a modules extends mod_status output, the result when asking for JSON 
output is no valid JSON (mix between mod_status JSON and mod_something 
providing HTML or text). For our own modules, especially mod_proxy, this 
can of course be fixed (and I will fix this). For mod_info, we do not 
have such an extension problem wrt. 3rd-party modules.


Any comments up-front before I try to prototype this?

Thanks and regards,

Rainer

Re: Support JSON output in mod_status and mod_info

[Rainer Jung]

Am 28.03.2022 um 15:24 schrieb Stefan Eissing:




Am 28.03.2022 um 14:28 schrieb Rainer Jung :


I am thinking about adding a JSON output format to mod_status and mod_info as 
an option controlled by a query string parameter.

Since writing simple data structures from these modules is much simpler than 
parsing and processing a JSON structure, I would expect it to be based on 
simple ap_rputs() and ap_rprintf() like we already use it for auto (text) and 
HTML output. IMHO no need for a JSON library just for this use case.

Of course, this will slightly bloat the code with "if" statements and roughly 
double the amount of ap_rputs() and ap_rprintf().

For mod_status this probably means introduction of a new AP_STATUS_JSON value, 
so that in theory other modules could in the future update their status 
extensions with JSON support. In the meantime it might mean, that if a modules 
extends mod_status output, the result when asking for JSON output is no valid 
JSON (mix between mod_status JSON and mod_something providing HTML or text). 
For our own modules, especially mod_proxy, this can of course be fixed (and I 
will fix this). For mod_info, we do not have such an extension problem wrt. 
3rd-party modules.

Any comments up-front before I try to prototype this?


+1 (a big one)

Suggestion: we could add an additional `status_hook` like `status_json_hook` so 
that existing one do not get confused?


Doh, of course, haven't thought about this degree of freedom. Makes 
sense. Need to think how to make that new registration future feature 
proof, so that we don't need a new hook for every new status feature 
which is output incompatible.


Thanks and regards,

Rainer

Current status of mod_h2 test suite?

[Rainer Jung]

I try to make the mod_h2 test suite run for me. Some difficulties are 
expected due to my non-standard setup, but the first test that seems to 
fail in a way I am not directly blaming myself is


fuzz header
 * on http://test.example.org:12345: super-long...--- gen/expect_431 
2022-04-05 13:25:40.081886486 +0200

+++ gen/result  2022-04-05 13:25:40.138887222 +0200
@@ -1,2 +1,2 @@
---> 0:1 GET / -> 431 0
+--> 0:1 GET / -> 431 273
 0/0/1/0/0 (2/3/4/5/0xx)

It seems the test expects 0 body bytes but the web server sends:

2.0//EN">\n\n431 Request Header Fields Too 
Large\n\nRequest Header Fields Too 
Large\nThe server refused this request because\nthe request 
header fields are too large.\n\n


which doesn't look like an error. So is this test broken? Is the general 
expectation, that other fuzzing tests will succeed?


Thanks for the test suite anyways. All tests before that first fuzzing 
test work.


Best regards,

Rainer

Re: Current status of mod_h2 test suite?

[Rainer Jung]

Hi Stefan,

Am 05.04.2022 um 13:49 schrieb Stefan Eissing:

Which test suite, the one in trunk or the one from github? Both work best 
against the respective source.


the test suite in

https://svn.apache.org/repos/asf/httpd/test/mod_h2/trunk

Which one would you recommend to test http2 in a 2.4.x release (candidate)?

Thanks and regards,

Rainer


Am 05.04.2022 um 13:47 schrieb Rainer Jung :

I try to make the mod_h2 test suite run for me. Some difficulties are expected 
due to my non-standard setup, but the first test that seems to fail in a way I 
am not directly blaming myself is

fuzz header
* on http://test.example.org:12345: super-long...--- gen/expect_431 2022-04-05 
13:25:40.081886486 +0200
+++ gen/result  2022-04-05 13:25:40.138887222 +0200
@@ -1,2 +1,2 @@
---> 0:1 GET / -> 431 0
+--> 0:1 GET / -> 431 273
0/0/1/0/0 (2/3/4/5/0xx)

It seems the test expects 0 body bytes but the web server sends:

\n\n431 Request Header Fields Too 
Large\n\nRequest Header Fields Too Large\nThe server refused this request because\nthe request 
header fields are too large.\n\n

which doesn't look like an error. So is this test broken? Is the general 
expectation, that other fuzzing tests will succeed?

Thanks for the test suite anyways. All tests before that first fuzzing test 
work.

Best regards,

Rainer

Re: Current status of mod_h2 test suite?

[Rainer Jung]

Thaks, will switch to that one. Should have reembered it ...

Am 05.04.2022 um 14:04 schrieb Stefan Eissing:




Am 05.04.2022 um 14:01 schrieb Rainer Jung :

Hi Stefan,

Am 05.04.2022 um 13:49 schrieb Stefan Eissing:

Which test suite, the one in trunk or the one from github? Both work best 
against the respective source.


the test suite in

https://svn.apache.org/repos/asf/httpd/test/mod_h2/trunk


Oh, forgot about that one. Should remove it.


Which one would you recommend to test http2 in a 2.4.x release (candidate)?


The one in ^/httpd/httpd/branches/2.4.x/test/modules/http2

This is the one (and the corresponding in trunk) that also runs as part of our 
travis CI.

There is a README.pytest in test with some advice to set it up and use.

Kind Regards,
Stefan



Thanks and regards,

Rainer


Am 05.04.2022 um 13:47 schrieb Rainer Jung :

I try to make the mod_h2 test suite run for me. Some difficulties are expected 
due to my non-standard setup, but the first test that seems to fail in a way I 
am not directly blaming myself is

fuzz header
* on http://test.example.org:12345: super-long...--- gen/expect_431 2022-04-05 
13:25:40.081886486 +0200
+++ gen/result  2022-04-05 13:25:40.138887222 +0200
@@ -1,2 +1,2 @@
---> 0:1 GET / -> 431 0
+--> 0:1 GET / -> 431 273
0/0/1/0/0 (2/3/4/5/0xx)

It seems the test expects 0 body bytes but the web server sends:

\n\n431 Request Header Fields Too 
Large\n\nRequest Header Fields Too Large\nThe server refused this request because\nthe request 
header fields are too large.\n\n

which doesn't look like an error. So is this test broken? Is the general 
expectation, that other fuzzing tests will succeed?

Thanks for the test suite anyways. All tests before that first fuzzing test 
work.

Best regards,

Rainer

Adding a2md to httpd sources?

[Rainer Jung]

Hi there,

during my experiments with the nice pytest based test suite against 
2.4.x I noticed, that many mod_md tests need "a2md". The sources for 
this commandline tool ar in Stefan's GitHub repos for mod_md, but not 
inside the httpd 2.4.x source tree.


I have not really checked, what a2md exactly does, but was wondering, 
how much sense it would make to add it to 2.4.x as another support binary?


From the man page:

The a2md utility can be used to configure and update managed domains 
with the mod_md module for Apache HTTP Server. Managed Domains are 
virtual hosts which automatically obtain and renew TLS certificates from 
an ACME server.


Is it ready for prime time? Would it interact with a custom build of 
httpd (layout might differ from distros)? What's the expectation?


Thanks and regards,

Rainer

Re: Adding a2md to httpd sources?

[Rainer Jung]

Thanks for all feedback. So no need to integrate.

Note that the 2.4.x pytest suite still makes heavy use of it when 
testing mod_md.


Thanks and regards,

Rainer

Am 08.04.2022 um 10:24 schrieb Steffen:


Agree no need for it anymore.

Ps.
You wrote:
I have not yet heard any questions or feedback from anyone about it….If I 
remember correctly, no one was around to make the cmake and Windows builds for 
it.

I had given feedback and was able to build it on windows in 2017. In the 
beginning some crashes, but Stefan solved.



Op 8 apr. 2022 om 09:14 heeft Stefan Eissing  het volgende 
geschreven:



Am 07.04.2022 um 13:04 schrieb Rainer Jung :

Hi there,

during my experiments with the nice pytest based test suite against 2.4.x I noticed, that 
many mod_md tests need "a2md". The sources for this commandline tool ar in 
Stefan's GitHub repos for mod_md, but not inside the httpd 2.4.x source tree.

I have not really checked, what a2md exactly does, but was wondering, how much 
sense it would make to add it to 2.4.x as another support binary?

 From the man page:

The a2md utility can be used to configure and update managed domains with the 
mod_md module for Apache HTTP Server. Managed Domains are virtual hosts which 
automatically obtain and renew TLS certificates from an ACME server.

Is it ready for prime time? Would it interact with a custom build of httpd 
(layout might differ from distros)? What's the expectation?


Some distros, who package from the github repro, seem to include a2md, but I 
have not yet heard any questions or feedback from anyone about it. We excluded 
it in the httpd build as, if I remember correctly, no one was around to make 
the cmake and Windows builds for it.

Looking back, I do not see the need to a2md any longer. All can and should be 
configured in httpd's config files and information readout is available via the 
common status handlers and mod_md's own JSON status handler.

Kind Regards,
Stefan



Thanks and regards,

Rainer

pytest: test_101_ssl_reneg.py with OpenSSL 3.0.2 triggers error in TestBuffering.test_h2_712_03

[Rainer Jung]

Hi all,

at the end of the test runs in the pytest suite, 
TestBuffering.test_h2_712_03 checks for warnings or errors logged in the 
httpd error log. None are allowed, but test


test_101_ssl_reneg.py

[ssl:error] [pid 15298:tid 140040420189952] SSL Library Error: 
error:0AC1:SSL routines::no shared cipher -- Too restrictive 
SSLCipherSuite or using DSA server certificate?
[ssl:error] [pid 15298:tid 140040411797248] SSL Library Error: 
error:0AC7:SSL routines::peer did not return a certificate -- No CAs 
known to server for verification?
[ssl:error] [pid 15299:tid 140040378226432] SSL Library Error: 
error:0AC7:SSL routines::peer did not return a certificate -- No CAs 
known to server for verification?
[ssl:error] [pid 15299:tid 140040369833728] SSL Library Error: 
error:0AC1:SSL routines::no shared cipher -- Too restrictive 
SSLCipherSuite or using DSA server certificate?


This is with OpenSSL 3.0.2. It does not happen with OpenSSL 1.1.1n 
(server and curl, but the nghttp2 commandline tools always using 3.0.2).


I added time stamps, so I think the relevant tests, that produce the 
messages are:


24.04.2022 10:07:50.347236 
test/modules/http2/test_101_ssl_reneg.py::TestSslRenegotiation::test_h2_101_03 
PASSED:


[Sun Apr 24 10:07:50.337861 2022] [ssl:error] [pid 9912:tid 
139900498208512] SSL Library Error: error:0AC1:SSL routines::no 
shared cipher -- Too restrictive SSLCipherSuite or using DSA server 
certificate?


24.04.2022 10:07:50.459491 
test/modules/http2/test_101_ssl_reneg.py::TestSslRenegotiation::test_h2_101_04 
PASSED:


[Sun Apr 24 10:07:50.451743 2022] [ssl:error] [pid 9912:tid 
139900506601216] SSL Library Error: error:0AC7:SSL routines::peer 
did not return a certificate -- No CAs known to server for verification?


24.04.2022 10:07:50.580942 
test/modules/http2/test_101_ssl_reneg.py::TestSslRenegotiation::test_h2_101_05 
PASSED:


[Sun Apr 24 10:07:50.572229 2022] [ssl:error] [pid 9911:tid 
139900473030400] SSL Library Error: error:0AC7:SSL routines::peer 
did not return a certificate -- No CAs known to server for verification?


24.04.2022 10:07:50.862277 
test/modules/http2/test_102_require.py::TestRequire::test_h2_102_01 PASSED:


[Sun Apr 24 10:07:50.853262 2022] [ssl:error] [pid 9912:tid 
139900389103360] SSL Library Error: error:0AC1:SSL routines::no 
shared cipher -- Too restrictive SSLCipherSuite or using DSA server 
certificate?


I haven't thought about how to fix this, first wanted to make it known.

Thanks and regards,

Rainer

Re: pytest: test_101_ssl_reneg.py with OpenSSL 3.0.2 triggers error in TestBuffering.test_h2_712_03

[Rainer Jung]

Cool, thanks for the pointer. Will report back!

Am 24.04.2022 um 22:29 schrieb Stefan Eissing:

Hi Rainer,

there is a list of patterns and APLOGNOs that are allowed to happen. In the 
http2 tests, those are defined in env.py, lines 88-97.

If we get new ones with openssl 3.0.2, we need to add them there. Could you 
give this a shot?

Kind Regards,

Stefan


Am 24.04.2022 um 22:03 schrieb Rainer Jung :

Hi all,

at the end of the test runs in the pytest suite, TestBuffering.test_h2_712_03 
checks for warnings or errors logged in the httpd error log. None are allowed, 
but test

test_101_ssl_reneg.py

[ssl:error] [pid 15298:tid 140040420189952] SSL Library Error: 
error:0AC1:SSL routines::no shared cipher -- Too restrictive SSLCipherSuite 
or using DSA server certificate?
[ssl:error] [pid 15298:tid 140040411797248] SSL Library Error: 
error:0AC7:SSL routines::peer did not return a certificate -- No CAs known 
to server for verification?
[ssl:error] [pid 15299:tid 140040378226432] SSL Library Error: 
error:0AC7:SSL routines::peer did not return a certificate -- No CAs known 
to server for verification?
[ssl:error] [pid 15299:tid 140040369833728] SSL Library Error: 
error:0AC1:SSL routines::no shared cipher -- Too restrictive SSLCipherSuite 
or using DSA server certificate?

This is with OpenSSL 3.0.2. It does not happen with OpenSSL 1.1.1n (server and 
curl, but the nghttp2 commandline tools always using 3.0.2).

I added time stamps, so I think the relevant tests, that produce the messages 
are:

24.04.2022 10:07:50.347236 
test/modules/http2/test_101_ssl_reneg.py::TestSslRenegotiation::test_h2_101_03 
PASSED:

[Sun Apr 24 10:07:50.337861 2022] [ssl:error] [pid 9912:tid 139900498208512] 
SSL Library Error: error:0AC1:SSL routines::no shared cipher -- Too 
restrictive SSLCipherSuite or using DSA server certificate?

24.04.2022 10:07:50.459491 
test/modules/http2/test_101_ssl_reneg.py::TestSslRenegotiation::test_h2_101_04 
PASSED:

[Sun Apr 24 10:07:50.451743 2022] [ssl:error] [pid 9912:tid 139900506601216] 
SSL Library Error: error:0AC7:SSL routines::peer did not return a 
certificate -- No CAs known to server for verification?

24.04.2022 10:07:50.580942 
test/modules/http2/test_101_ssl_reneg.py::TestSslRenegotiation::test_h2_101_05 
PASSED:

[Sun Apr 24 10:07:50.572229 2022] [ssl:error] [pid 9911:tid 139900473030400] 
SSL Library Error: error:0AC7:SSL routines::peer did not return a 
certificate -- No CAs known to server for verification?

24.04.2022 10:07:50.862277 
test/modules/http2/test_102_require.py::TestRequire::test_h2_102_01 PASSED:

[Sun Apr 24 10:07:50.853262 2022] [ssl:error] [pid 9912:tid 139900389103360] 
SSL Library Error: error:0AC1:SSL routines::no shared cipher -- Too 
restrictive SSLCipherSuite or using DSA server certificate?

I haven't thought about how to fix this, first wanted to make it known.

Thanks and regards,

Rainer

Re: mod_dumpio and per-dir loglevel

[Rainer Jung]

Am 10.05.2022 um 16:23 schrieb Eric Covener:

I was looking at making some tests run more quietly, but mod_dumpio
uses ap_log_cerror even though it always has a ap_filter_t when it's
doing its real work.

While this would still leave some early logging (pre-location walk)
w/o the per-dir loglevel set yet, it would kick in by the time bodies
are read/written.

Can anyone anticipate any issue/concern here with using ap_log_rerror?


Probably not what you are asking, but mod_dumpio in a (reverse) proxy 
context can log the front connection and the back connection. Maybe 
something to be aware of when switching from connection to request.


Best regards,

Rainer

Re: travis CI failing in 2.4.x

[Rainer Jung]

Not yet a full explanation but:

- the build fails due to "The job exceeded the maximum log length, and 
has been terminated." shortly before line 30.000


- the difference to the succeeeding "Linux Ubuntu Focal, ASan" is, that 
the ErrorLog of the run is not part of this log output handled by Travis.


- the lines you saw look pretty normal to me (depending on the modules 
we build). And it is not the exact same line repeating, but just the 
same type of line for every request executed during the tests.


I guess, the build configs differ, so that travis handled the ErrorLog 
differently?


Best regards,

Rainer

Re: travis CI failing in 2.4.x

[Rainer Jung]

Forget the below. The real error was already detected by others and 
25.000 lines higher in the console output:


t/modules/heartbeat.t (Wstat: 0 Tests: 1 Failed: 1)

  Failed test:  1

Files=141, Tests=7232, 130 wallclock secs ( 2.85 usr  0.26 sys + 47.35 
cusr 10.50 csys = 60.96 CPU)


Result: FAIL

Failed 1/141 test programs. 1/7232 subtests failed.

...

Am 17.05.2022 um 15:24 schrieb Rainer Jung:

Not yet a full explanation but:

- the build fails due to "The job exceeded the maximum log length, and 
has been terminated." shortly before line 30.000


- the difference to the succeeeding "Linux Ubuntu Focal, ASan" is, that 
the ErrorLog of the run is not part of this log output handled by Travis.


- the lines you saw look pretty normal to me (depending on the modules 
we build). And it is not the exact same line repeating, but just the 
same type of line for every request executed during the tests.


I guess, the build configs differ, so that travis handled the ErrorLog 
differently?


Best regards,

Rainer

Re: svn commit: r1901009 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS changes-entries/md_acme_failover.txt changes-entries/mod_proxy_log_backend_port.txt modules/http2/h2_mplx.c modules/http2/h2_v

[Rainer Jung]

Hi Jim,

it looks like the unrelated file 
changes-entries/mod_proxy_log_backend_port.txt was removed by accident 
during this commit? I don't see its contents already in CHANGES.


I had not yet used the make target "update-changes" when applying the 
backend port patch, so the changes-entries file was left for final 
CHANGES consolidation in purpose. I will add it back soon.


Best regards,

Rainer

Am 17.05.2022 um 20:17 schrieb j...@apache.org:

Author: jim
Date: Tue May 17 18:17:44 2022
New Revision: 1901009

URL: http://svn.apache.org/viewvc?rev=1901009&view=rev
Log:
Merge r from trunk:

Submitted by: icing, rpluem, ylavic
Reviewed by: jim

Github: closes #317

Removed:
 httpd/httpd/branches/2.4.x/changes-entries/md_acme_failover.txt
 httpd/httpd/branches/2.4.x/changes-entries/mod_proxy_log_backend_port.txt

...

Re: release anyone?

[Rainer Jung]

Am 25.05.2022 um 14:15 schrieb Stefan Eissing:

Anyone feeling release vibes in the air?

it's been a good 2.5 months and some things have accumulated.
Maybe the start of June would be a good target?


+1 and thanks!

Rainer

Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

[Rainer Jung]

Am 06.06.2022 um 16:25 schrieb Stefan Eissing:

Here we go again! Sorry for the repeats, but that is why we build candidates, 
right?

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.


+1 to release and thanks a bunch for RM!

The full range of unit tests is still running, but enough have completed 
for a vote.


I actually used rc2 plus the one "#if" patch which got included in rc3 
to build and test, but also did the simple release checks for rc3.


! KEYS maybe missing (see other mail)
- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas

Built on

- Solaris 10 Sparc as 32 Bit Binaries
- SLES 11+12+15 (64 Bits)
- RHEL 6+7+8 (64 Bits)

For all platforms built

- with default (shared) and static modules
  (Solaris only shared modules)
- with module set reallyall
- using --enable-load-all-modules

- using libraries
  - APR/APU
- bundled deps tarball
- 1.7.0/1.6.1
- 1.6.5/1.6.1
- 1.7.x(r1901250)/1.7.x(r1901250) with libxml2
- 1.7.x(r1901250)/1.7.x(r1901250) with expat
- 1.6.x(r1898636)/1.6.x(r1901250)
- trunk(r1901250) with libxml2
- trunk(r1901250) with expat
  - OpenSSL 3.0.3, 1.1.1o, 1.1.1,
1.0.2u, 1.0.2, 0.9.8zh, 0.9.8b
  - expat 2.4.8
  - pcre 10.39, sometimes 10.40
  - lua 5.4.4 (compiled with LUA_COMPAT_MODULE)
  - libxml2 2.9.14
  - libnghttp2 1.47.0
  - brotli 1.0.9
  - curl 7.83.1
  - jansson 2.14
  - libldap 2.6.2 (2.5.7 with OpenSSL 1.1.1,
   2.4.59 with OpenSSL 1.0.2*,
   2.4.52 with OpenSSL 0.9.8*)
  - on Solaris also platform ldap library

- in total 96 builds per platform, 60 on Solaris

- Tool chain:
- platform gcc except on Solaris
  (gcc 9.3.0 Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  - on Solaris additionally -mpcu=v9, -D_XOPEN_SOURCE,
-D_XOPEN_SOURCE_EXTENDED=1, -D__EXTENSIONS__
and -D_XPG6

All 636 builds succeeded.

- compiler warnings:

  - only on Solaris (GCC 9.3.0):
srclib/apr/locks/unix/proc_mutex.c:979:49: warning: 
'mutex_proc_pthread_cond_methods' defined but not used 
[-Wunused-const-variable=]


  - deprecation warnings when building against OpenSSL 3.0.0, see other 
thread


Tested for

- SLES 11+12+15
- RHEL 6+7+8
- Solaris 10 Sparc
- MPMs prefork, worker, event
- log level trace8
- Perl client bundle build against OpenSSL 3.0.0, ,
  1.1.1g plus patches, 1.1.0l, 1.0.2u and 0.9.8zh

Every OpenSSL version in the client tested with every OpenSSL version in 
the server. 15 unit test runs (3 MPMS x 5 OpenSSL clients) per server build.

About 2.400 unit test runs are done, most for shared module builds.

Some local adjustments to tests were used:

- t/modules/buffer.t: removing huge buffer tests
  -my $bigsize = 10;
  +my $bigsize = 5;

The following test failures were seen:

a t/modules/buffer.t line 37
  Test 4 (411 times), test 8 (217 times) and 12 (18 times)
  Not a regression
  Only on RHEL 6, SLES 11 and Solaris 10.

b Various tests in t/modules/cgi.t, mostly lines 195 and 223,
  sometimes line 167 and 252
  Not a regression
  Only on Solaris and once on RHEL 6
  110 failed test runs (out of 120 on Solaris)
  Test checks log contents. Could be false positive due to
  logs written to NFS.

c t/modules/sed.t line 37 test 3
  91 times Solaris 10, 12 times RHEL 9, 6 times SLES 11
  At least two cases I checked were
  "(12)Cannot allocate memory" (Linux) resp.
  "(12)Not enough space:" (Solaris).

d A couple of tests fail for OpenSSL 0.9.8 based server
  when tested with a OpenSSL 3.0.0 based client:
  - t/modules/proxy_websockets_ssl.t
  - t/protocol/echo.t
  - t/security/CVE-2005-2700.t
  - t/security/CVE-2009-3555.t
  - t/ssl/basicauth.t
  - t/ssl/env.t
  - t/ssl/extlookup.t
  - t/ssl/fakeauth.t
  - t/ssl/headers.t
  - t/ssl/ocsp.t
  - t/ssl/pr12355.t
  - t/ssl/pr43738.t
  - t/ssl/proxy.t
  - t/ssl/require.t
  - t/ssl/varlookup.t
  - t/ssl/verify.t
  That might be expected due to the behavior of the 3.0
  default security level (not investigated)


Regards,

Rainer

> The computed digests of the tarball up for vote are:
> sha256: 
c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
*httpd-2.4.54-rc3.tar.gz
> sha512: 
e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd 
*httpd-2.4.54-rc3.tar.gz

>
> The SVN candidate source is found at tags/2.4.54-rc3-candidate.
>
> Kind Regards,
> Stefan

Re: svn commit: r1901514 - in /httpd/test/framework/trunk: README t/conf/extra.conf.in t/modules/sed.t

[Rainer Jung]

I wonder, what the following test is expected to test? I can't really 
make it work reliably here. Sometimes I get an ENOMEM on the server, 
sometimes it takes a long time and much CPU, sometimes the client gets a 
596 AnyEvent::HTTP error and sometimes it runs ok.


Am 01.06.2022 um 15:03 schrieb cove...@apache.org:

Modified: httpd/test/framework/trunk/t/modules/sed.t
URL: 
http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/modules/sed.t?rev=1901514&r1=1901513&r2=1901514&view=diff
==
--- httpd/test/framework/trunk/t/modules/sed.t (original)
+++ httpd/test/framework/trunk/t/modules/sed.t Wed Jun  1 13:03:08 2022
@@ -5,29 +5,44 @@ use Apache::Test;
  use Apache::TestRequest;
  use Apache::TestUtil;
  
+# Hack to allow streaming of data in/out of mod_echo

+use LWP::Protocol::AnyEvent::http;
+
  my @ts = (
 # see t/conf/extra.conf.in
-   { url => "/apache/sed/out-foo/foobar.html", content => 'barbar', msg => "sed output 
filter", code => 200 },
-   { url => "/apache/sed-echo/echo.html", content => 'barbar', msg => "sed input filter", code 
=> 200, body=>"foobar" }
+   { url => "/apache/sed/out-foo/foobar.html", content => 'barbar', msg => "sed output 
filter", code => '200' },
+   # error after status sent
+   { url => "/apache/sed-echo/out-foo-grow/foobar.html", content => "", msg => "sed output filter too 
large", code => '200', body=>"foo" x (8192*1024), resplen=>0},


I found no  other body size, that made it reliable, so therefore I am 
wondering, what it would test in an ideal world.


Thanks and regards,

Rainer

Re: svn commit: r1902117 - /httpd/httpd/trunk/modules/cluster/mod_heartmonitor.c

[Rainer Jung]

Am 21.06.2022 um 07:38 schrieb Ruediger Pluem:



On 6/20/22 10:54 PM, rj...@apache.org wrote:

Author: rjung
Date: Mon Jun 20 20:54:14 2022
New Revision: 1902117

URL: http://svn.apache.org/viewvc?rev=1902117&view=rev
Log:
*) mod_heartmonitor: Allow "HeartbeatMaxServers 0"
to use file based storage instead of slotmem.
Needed after setting HeartbeatMaxServers default
to the documented value 10 in 2.4.54.
[Jérôme Billira

Modified:
 httpd/httpd/trunk/modules/cluster/mod_heartmonitor.c

Modified: httpd/httpd/trunk/modules/cluster/mod_heartmonitor.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/cluster/mod_heartmonitor.c?rev=1902117&r1=1902116&r2=1902117&view=diff
==
--- httpd/httpd/trunk/modules/cluster/mod_heartmonitor.c (original)
+++ httpd/httpd/trunk/modules/cluster/mod_heartmonitor.c Mon Jun 20 20:54:14 
2022
@@ -892,8 +892,9 @@ static const char *cmd_hm_maxworkers(cmd
  }
  
  maxworkers = atoi(data);

-if (maxworkers <= 10)
-return "HeartbeatMaxServers: Should be bigger than 10";
+if (maxworkers != 0 && maxworkers <= 10)


Shouldn't this be < 10, such that you can set the default value via 
HeartbeatMaxServers.
It seems strange that this can't be done. Furthermore <= 10 does not match the 
error message below.


Oups, thank you! Hopefully fixed in r1902130


+return "HeartbeatMaxServers: Should be 0 for file storage, "
+   "or greater or equal than 10 for slotmem";


Shouldn't this be documented in the documentation as well that '0' has a 
special meaning and that 1-9 are not allowed?


Done in r1902132 + r1902133

I hope I understood the correct conditions for using flat-file storage.

Best regards,

Rainer

pytest for 2.4.x: crashes in mod_md during child shutdown

[Rainer Jung]

Hi there,

I ran the pytest suite on SLES 12+15 and RHEL 7+8 for 2.4.54 plus 
OpenSSL 1.1.1p. Ran it for event, worker and prefork and with OpenSSL 
1.1.1 and 3.0 in the client.


I observe sporadic segmentation faults on all of those platforms and for 
all MPMs and all OpenSSL versions in the client.


The crashes are not especially frequent and I only have backtraces on 
one platform (RHEL 8). There the pattern seems to be consistently:


- only two threads shown, also for event and worker

- one thread is in various stacks underneath clean_child_exit()

- the other thread is somewhere below

md_reg_renew()
run_renew()
acme_renew()
...

- it looks like things have already been deinitialized by the thread in 
clean_child_exit() when mod_md gets a renew job from mod_watchdog.


Before I investigate further: is there already an expectation, that 
mod_watchdog should not dispatch a job after shutdown has started and 
vice versa shutdown should wait for a running mod_watchdog job at least 
some time? Or that mod_md should not execute on such a job after 
shutdown has started?


It is probably a niche experience, but I got 20 segfaults in roughly 48 
pytest suite runs.


Test for httpd using OpenSSL 3.0.4 on the server side will run later today.

Best regards,

Rainer

mod_proxy_http2 setting Transfer-Encoding chunked for a GET request

[Rainer Jung]

Hi all,

today I stumbled into an unexpected request denial by a rule in the 
mod_security Core Rule Set 3. It denies requests without body, that have 
Transfer-Encoding chunked set.


When I send a normal GET request, without body, no Transfer-Encoding and 
no Content-Length, to httpd and proxy it via mod_proxy_http2 to the same 
server, the proxied request gets "Transfer-Encoding: chunked" added by 
mod_proxy_http2 and is then denied by mod_security on the receiving 
side. No such addition when using mod_proxy_http.


It seems to me, that "Transfer-Encoding: chunked" is not allowed for 
http/2 (due to its always streaming behavior), and at least it is 
unexpected for a GET or HEAD request.


Any chance we can get rid of it when proxying a request, that has no 
body and doesn't bring the header by its own?


Should I open a PR in our bugzilla, or on the mod_h2 Github repos?

Thanks and best regards,

Rainer

Re: mod_proxy_http2 setting Transfer-Encoding chunked for a GET request

[Rainer Jung]

Hi Stefan,

the PR is:

https://bz.apache.org/bugzilla/show_bug.cgi?id=66282

Let me know, in case you can not reproduce it, or I should test something!

Best regards,

Rainer

Escaping double quotation marks in the error log

[Rainer Jung]

Hi there,

I looked at our escaping functions for logs due to the need of doing 
JSON logging. In principle one can output JSON by using appropriate log 
format definitions in the httpd config. Most special characters in JSON 
are already properly escaped in our output.


But there is one important difference between the escaping of access log 
items and of error log items. The escaping function for the access log 
also escapes double quotation marks as \", the one for the error log 
does not (ap_escape_errorlog_item). It contains the comment "no need for 
this in error log". This is true all the way since the time the escaping 
was introduced at all.


I wonder, whether there is a real necessity for not escaping double 
quotation marks in the error log?


Note, that I am not talking about markup that appears in the definition 
of the ErrorLogFormat itself. This is "just" about double quotation 
marks showing up in the error message itself (or logged headers, env 
vars or notes).


Unfortunately the use of ap_escape_errorlog_item() is buried deep down 
in the code levels and accessing virtual host config seems not possible, 
not even in the callers of ap_escape_errorlog_item().


If there's no other nice idea, I wonder whether:

- it would be OK, to escape double quotation marks as \" in the error 
log for trunk


- add a global config item to do this as well for 2.4.x (default off)

What do you think? Or did you find a better solution for error log json 
logging?


Best regards,

Rainer

Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

[Rainer Jung]

Not a showstopper, but: srclib/apr/configure was again generated with 
autoconf 2.70+ (2.71). This triggers a bug which is fixed in APR 1.7.x 
head, but the fix has not been released as there was not APR release vor 
almost 4 years now.


Since the bundled APR/APU are not actually part of the release, for me 
this is not a show stopper. I just wanted to note the defect in case 
others are wondering, why the bundled APR can not be build using configure.


Technical details:

configure: error: could not determine the string function for int64_t

It comes from defining some things once in conftest.c and again in the 
included confdefs.h.


Some pointers:

https://github.com/apache/apr/pull/25
https://github.com/apache/apr/commit/a15958a37a06f71c42c690278f9c958b93b7ee20
https://github.com/apache/apr/commit/e0197912a5438b3836ce2e76371f01e289d82931

https://www.mail-archive.com/bug-autoconf@gnu.org/msg04695.html

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97998

Best regards,

Rainer

Am 10.01.23 um 14:40 schrieb Eric Covener:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
*httpd-2.4.55-rc1.tar.gz
sha512: 
ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
*httpd-2.4.55-rc1.tar.gz

The SVN candidate source is found at tags/2.4.55-rc1-candidate.

Current pytest failures

[Rainer Jung]

Hi there,

I currently get three consistent pytest failures:


A) FAILED modules/http2/test_202_trailer.py::TestTrailers::test_h2_202_03b

Response code is 500 and trace 8 server log shows:

- we see the right request

[Wed Mar 08 22:03:35.699234 2023] [aptest:info] [pid 4606:tid 
140645737559808] [remote 127.0.0.1:50490] test[test_h2_202_03b]: POST 
//echohd.py?name=X HTTP/2.0
[Wed Mar 08 22:03:35.699247 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(436): [remote 127.0.0.1:50490] Headers 
received from client:
[Wed Mar 08 22:03:35.699254 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(440): [remote 127.0.0.1:50490]   Accept: */*
[Wed Mar 08 22:03:35.699259 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(440): [remote 127.0.0.1:50490] 
Accept-Encoding: gzip, deflate
[Wed Mar 08 22:03:35.699264 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(440): [remote 127.0.0.1:50490] 
User-Agent: nghttp2/1.52.0
[Wed Mar 08 22:03:35.699268 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(440): [remote 127.0.0.1:50490] 
Content-Length: 119
[Wed Mar 08 22:03:35.699273 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(440): [remote 127.0.0.1:50490]   Host: 
127.0.0.1:5001
[Wed Mar 08 22:03:35.699277 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(440): [remote 127.0.0.1:50490] 
Ap-Test-Name: test_h2_202_03b
[Wed Mar 08 22:03:35.699282 2023] [http:trace4] [pid 4606:tid 
140645737559808] http_request.c(440): [remote 127.0.0.1:50490]   X: 3b


[Wed Mar 08 22:03:35.699425 2023] [authz_core:debug] [pid 4606:tid 
140645737559808] mod_authz_core.c(818): [remote 127.0.0.1:50490] 
AH01626: authorization result of Require all granted: granted
[Wed Mar 08 22:03:35.699440 2023] [authz_core:debug] [pid 4606:tid 
140645737559808] mod_authz_core.c(818): [remote 127.0.0.1:50490] 
AH01626: authorization result of : granted
[Wed Mar 08 22:03:35.699446 2023] [core:trace3] [pid 4606:tid 
140645737559808] request.c(362): [remote 127.0.0.1:50490] request 
authorized without authentication by access_checker_ex hook: /echohd.py


We get the right response from the python CGI script:

[Wed Mar 08 22:03:35.784148 2023] [cgid:trace4] [pid 4606:tid 
140645737559808] util_script.c(576): [remote 127.0.0.1:50490] Headers 
from script 'echohd.py':
[Wed Mar 08 22:03:35.784206 2023] [cgid:trace4] [pid 4606:tid 
140645737559808] util_script.c(577): [remote 127.0.0.1:50490]   Status: 200
[Wed Mar 08 22:03:35.784219 2023] [cgid:trace1] [pid 4606:tid 
140645737559808] util_script.c(658): [remote 127.0.0.1:50490] Status 
line from script 'echohd.py': 200
[Wed Mar 08 22:03:35.784234 2023] [cgid:trace4] [pid 4606:tid 
140645737559808] util_script.c(577): [remote 127.0.0.1:50490] 
Content-Type: text/plain
[Wed Mar 08 22:03:35.784255 2023] [filter:trace4] [pid 4606:tid 
140645737559808] mod_filter.c(169): [remote 127.0.0.1:50490] 
Content-Type 'text/plain' ...
[Wed Mar 08 22:03:35.784268 2023] [filter:trace4] [pid 4606:tid 
140645737559808] mod_filter.c(181): [remote 127.0.0.1:50490] ... did not 
match 'text/html'
[Wed Mar 08 22:03:35.784278 2023] [filter:trace4] [pid 4606:tid 
140645737559808] mod_filter.c(175): [remote 127.0.0.1:50490] ... matched 
'text/plain'


deflate compression wants to kick in (no idea whether that's part of the 
problem)


[Wed Mar 08 22:03:35.784288 2023] [filter:trace2] [pid 4606:tid 
140645737559808] mod_filter.c(188): [remote 127.0.0.1:50490] 
Content-Type condition for 'deflate' matched


and now a connection reset!

[Wed Mar 08 22:03:35.788364 2023] [cgid:trace1] [pid 4606:tid 
140645737559808] mod_cgid.c(1686): (104)Connection reset by peer: 
[remote 127.0.0.1:50490] Failed to flush CGI output to client


and another request for that URL comes in:

[Wed Mar 08 22:03:35.788486 2023] [ssl:debug] [pid 4606:tid 
140645737559808] ssl_engine_kernel.c(422): [remote 127.0.0.1:50490] 
AH02034: Subsequent (No.2) HTTPS request received for child 0 (server 
cgi.tests.httpd.apache.org:443)
[Wed Mar 08 22:03:35.788500 2023] [aptest:info] [pid 4606:tid 
140645737559808] [remote 127.0.0.1:50490] test[test_h2_202_03b]: POST 
//echohd.py?name=X HTTP/2.0


And now we send the 500 code, probably due to the connection reset

[Wed Mar 08 22:03:35.788676 2023] [http2:debug] [pid 4606:tid 
140645720774400] h2_stream.c(1537): [client 127.0.0.1:50490] AH03073: 
h2_stream(4606-0-13,HALF_CLOSED_REMOTE): submit response 500


The access log also shows two of these requests:

127.0.0.1 - - [08/Mar/2023:22:03:35 +0100] "POST //echohd.py?name=X 
HTTP/2.0" 500 678 "-" "nghttp2/1.52.0" 1
127.0.0.1 - - [08/Mar/2023:22:03:35 +0100] "POST //echohd.py?name=X 
HTTP/2.0" 200 0 "-" "nghttp2/1.52.0" 1


And in the trace 8 error log except for the "Subsequent (No.2) HTTPS 
request received" I don't see where this would get a code 200 as 
indicated in the access log.


Client side log:

execute: nghttp --header=host: cgi.tests.httpd.apache.org:5

Re: Current pytest failures

[Rainer Jung]

Thanks for the tip. I already did the "run only one test case" and I 
fixed the LogLevel in test.conf to include trace8. So I guess there will 
not be any additional CGI logging available. But good to know the "-vvv".


Thanks and regards,

Rainer

Am 09.03.23 um 09:33 schrieb Stefan Eissing via dev:

One tip, if you call "pytest -vvv -k test_h2_202_03b", it will run just that test and 
raise LogLevel for several "interesting" modules.

The error log in test/gen/apache/logs/error_log will then show just that one 
test case. It's a convenient way to get more information without meddling with 
the test case configs.

The list of modules for which the log level is raised on "-vvv" is found in 
test/modules/http2/env.py:73

self.add_httpd_log_modules(["http2", "proxy_http2", "h2test", "proxy", 
"proxy_http"])

we can add "cgi" or others if those are of interest.

Re: Current pytest failures

[Rainer Jung]

I will see how to extract the test case out of pytest to be able to run 
it standalone and vary the protocol. But the connection reset plus 
second request might also be nghttp specific. I will also try running 
nghttp from remote and sniff to double check the connection reset plus 
second request.


Thanks and  regards,

Rainer

Am 09.03.23 um 09:19 schrieb Ruediger Pluem:



On 3/8/23 10:44 PM, Rainer Jung wrote:

Hi there,

I currently get three consistent pytest failures:


Do A) and B) work if you do the requests via HTTP/1.1?

Regards

Rüdiger

Re: Current pytest failures

[Rainer Jung]

OK, I can test in a standalone situation now.

The problem goes away, once I use curl, even with h2.

The problem also goes away, once I disable deflate compression for the 
response. But curl and nghttp behave different: nghttp hangs after 
receiving the response body (no deflate), curl normally terminates. 
nghttp does not hang if I call some normal production site.


Will investigate further.

Thanks and regards,

Rainer

Re: Current pytest failures

[Rainer Jung]

Puzzle partially solved: once I add "--header 'content-type: 
application/x-www-form-urlencoded'" to the nghttp call, the problem 
seems fixed - with and without deflate. No more hang, no more status 
500, no double requests. I still don't know, which side is influenced, 
nghttp or http, so I am still not sure, whether the odd behavior without 
the header is a bug.


Am 09.03.23 um 11:03 schrieb Rainer Jung:

OK, I can test in a standalone situation now.

The problem goes away, once I use curl, even with h2.

The problem also goes away, once I disable deflate compression for the 
response. But curl and nghttp behave different: nghttp hangs after 
receiving the response body (no deflate), curl normally terminates. 
nghttp does not hang if I call some normal production site.


Will investigate further.

Thanks and regards,

Rainer

Re: Current pytest failures

[Rainer Jung]

Am 09.03.23 um 11:29 schrieb Stefan Eissing via dev:




Am 09.03.2023 um 11:22 schrieb Rainer Jung :

Puzzle partially solved: once I add "--header 'content-type: 
application/x-www-form-urlencoded'" to the nghttp call, the problem seems fixed - 
with and without deflate. No more hang, no more status 500, no double requests. I still 
don't know, which side is influenced, nghttp or http, so I am still not sure, whether the 
odd behavior without the header is a bug.


Hmm, never seen that. Is this a current nghttp? Normally, calling "nghttp 
--data=file" will do all that.

I think, since it stabilizes the test, please add the forced content-type 
header to the test suite. It should do no harm (famous last words),


Will do. It happens with nghttp 1.34.0 and recent 1.52.0. I took the 
header from my curl, which automatically adds it, but I think the right 
header is


Content-Type: multipart/form-data; boundary=DSAJKcd9876

That one is explicitly added in pyhttpd/nghttp.py in function 
upload_file, but not in post_name.


Skimming through the code for nghttp, it seems it dows add 
content-length (if not forbidden by a commandline flag), but I didn't 
find an explicit mentioning of content-type.


Best regards,

Rainer

Re: [VOTE] Switch read/write repository from Subversion to Git

[Rainer Jung]

Am 04.05.23 um 10:34 schrieb Ruediger Pluem:

This is a formal vote on whether we should move our read/write repository from 
Subversion to Git.
This means that our latest read/write repository will be no longer available 
via svn.apache.org. It
will be available via Git at https://gitbox.apache.org/repos/asf/httpd-site.git 
and https://github.com/apache/httpd.git.
Github also offers the possibility to use a Subversion client:
https://docs.github.com/en/get-started/working-with-subversion-on-github/support-for-subversion-clients


[X]: Move the read/write repository from Subversion to Git and leverage the 
features of Github (for now Actions and PR).
[ ]: Move the read/write repository from Subversion to Git, but I don't want to 
work with Github and I will only work with
  what gitbox.apache.org offers.
[ ]: Leave everything as is.


Thanks and regards,

Rainer

Re: svn commit: r1909606 - /httpd/httpd/trunk/modules/generators/mod_status.c

[Rainer Jung]

Oups and thanks!

Am 04.05.23 um 12:30 schrieb yla...@apache.org:

Author: ylavic
Date: Thu May  4 10:30:25 2023
New Revision: 1909606

URL: http://svn.apache.org/viewvc?rev=1909606&view=rev
Log:
Follow up to r1909429: Fix scope/block syntax.

Modified:
 httpd/httpd/trunk/modules/generators/mod_status.c

Modified: httpd/httpd/trunk/modules/generators/mod_status.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?rev=1909606&r1=1909605&r2=1909606&view=diff
==
--- httpd/httpd/trunk/modules/generators/mod_status.c (original)
+++ httpd/httpd/trunk/modules/generators/mod_status.c Thu May  4 10:30:25 2023
@@ -348,9 +348,9 @@ static int status_handler(request_rec *r
  else if (res != SERVER_DEAD &&
   res != SERVER_STARTING &&
   res != SERVER_IDLE_KILL) {
-if (res == SERVER_GRACEFUL)
+if (res == SERVER_GRACEFUL) {
  graceful++;
-if (is_async) {
+if (is_async)
  thread_graceful_buffer[i]++;
  } else {
  busy++;

mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"

[Rainer Jung]

Hi there,

OpenSSL 3 flags some abortive shutdowns as an error different to what 
1.1.1 did. This results in info log output in httpd:


[Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] 
SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading
[Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] 
[client 1.2.3.4:54790] AH01998: Connection closed to child 215 with 
abortive shutdown (server myserver:443)


Some background is given in

  https://github.com/openssl/openssl/issues/18866

They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to 
suppress this. Some other software now sets it with SSL_CTX_set_options():


- nginx

https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa

- PHP

https://github.com/php/php-src/pull/8558/commits/55be0f489e390d28892a07c32d45a404c62fc9f2

I suggest to adopt it, ie. set it if the option is available.

WDYT?

Best regards,

Rainer

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"

[Rainer Jung]

Am 30.08.23 um 13:50 schrieb Stefan Eissing via dev:




Am 30.08.2023 um 13:21 schrieb Rainer Jung :

Hi there,

OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1 
did. This results in info log output in httpd:

[Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL 
Library Error: error:0A000126:SSL routines::unexpected eof while reading
[Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737] [client 
1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive shutdown 
(server myserver:443)

Some background is given in

  https://github.com/openssl/openssl/issues/18866

They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to suppress 
this. Some other software now sets it with SSL_CTX_set_options():

- nginx

https://github.com/nginx/nginx/commit/5155845ce4453a07d60e2ce43946c9181bc311fa

- PHP

https://github.com/php/php-src/pull/8558/commits/55be0f489e390d28892a07c32d45a404c62fc9f2

I suggest to adopt it, ie. set it if the option is available.

WDYT?


+1 to setting this for our users sake. I withhold my opinion about this stupid 
OpenSSL change...oops.


Thanks for your feedback. I committed it to trunk in r1912015 and can 
revert if someone thinks its premature. Will propose for backport 
probably tomorrow.


Best regards,

Rainer

Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues

[Rainer Jung]

Hi JFC,

I have not checked ur current code, but the topic reminds me of our 
history in mod_jk land. There we switched the counters to atomics were 
available. The other problematic part could be how to handle process 
local counters versus global counters.


Busyness was especially problematic for mod_jk as well, because we never 
deremented below zero if we lost increments, but if we lost decrements 
the counters stayed elevated. I think there we now have no longer such 
problems.


Best regards,

Rainer

Am 30.08.23 um 17:19 schrieb jean-frederic clere:

Hi,

All the balancers have thread/process safe issues, but with bybusyness 
the effect is worse, basically a worker may stay with a busy count 
greater than zero even no request is being processed.


busy is displayed in the balancer_handler() so users/customers will 
notice the value doesn't return to zero...


If you run a load test the value of busy will increase by time and in 
all the workers


When using bybusyness, having pics in the load and later no much load 
makes the lowest busy workers used and the ones with a wrong higher 
value not being used.


In a test with 3 workers, I end with busy:
worker1: 3
worker2: 0
worker3: 2
Doing the load test several time the buys values are increasing in all 
workers.


I am wondering is we could end with something like:
worker1: 1000
worker2: 0
worker3: 1000

in this case bybusyness will send all the load to worker2 until we reach 
1000 simultaneous request on worker2... Obvious that looks bad.


How to fix that?
1 - reset the busy using a watchdog and elected (or transferred+read) 
unchanged for some time (using one of timeout we have on workers).
2 - warn in the docs that bybusyness is not the best choice for 
loadbalancing.

3 - create another balancer that just choose random a worker.

Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues

[Rainer Jung]

Hi there,

mod_jk for example uses such aging, but only for the non busyness case. 
busyness is meant to show the number of currently in-flight requests, so 
aging isn't a good fit there. Old load numbers are never part of 
busyness. But busyness is the mode that is most sensitive to the numer 
skew effects that JFC observed. Therefore that attempt to have more 
precise counting there.


It makes sense for byrequests and bytraffic though. But in mod_jk we use 
a different byrequests algorithm. Not the original count and decrement 
system that Mladen introduced but instead a count and age system.


The aging for byrequests and bytraffic could be hooked on mod_watchdog 
which is nice, because we would not need to run it as part of normal 
request handling.


Another thing that comes to my mind is (graceful) restart handlingan 
bybusyness. It might make sense to clear the numbers in case of such an 
event.


Best regards,

Rainer

Am 31.08.23 um 18:23 schrieb Jim Jagielski:

IIRC, the goal of having an "aging" function was to handle this exact kind of 
thing, where values could be normalized over a long period of time so that old entries 
that may skew results are not weighted as heavily as new ones.


On Aug 30, 2023, at 11:19 AM, jean-frederic clere  wrote:

Hi,

All the balancers have thread/process safe issues, but with bybusyness the 
effect is worse, basically a worker may stay with a busy count greater than 
zero even no request is being processed.

busy is displayed in the balancer_handler() so users/customers will notice the 
value doesn't return to zero...

If you run a load test the value of busy will increase by time and in all the 
workers

When using bybusyness, having pics in the load and later no much load makes the 
lowest busy workers used and the ones with a wrong higher value not being used.

In a test with 3 workers, I end with busy:
worker1: 3
worker2: 0
worker3: 2
Doing the load test several time the buys values are increasing in all workers.

I am wondering is we could end with something like:
worker1: 1000
worker2: 0
worker3: 1000

in this case bybusyness will send all the load to worker2 until we reach 1000 
simultaneous request on worker2... Obvious that looks bad.

How to fix that?
1 - reset the busy using a watchdog and elected (or transferred+read) unchanged 
for some time (using one of timeout we have on workers).
2 - warn in the docs that bybusyness is not the best choice for loadbalancing.
3 - create another balancer that just choose random a worker.

--
Cheers

Jean-Frederic

´

Re: mod_ssl SSL_OP_IGNORE_UNEXPECTED_EOF: "unexpected eof while reading"

[Rainer Jung]

Am 07.09.23 um 14:58 schrieb Joe Orton:

On Wed, Aug 30, 2023 at 01:21:11PM +0200, Rainer Jung wrote:

Hi there,

OpenSSL 3 flags some abortive shutdowns as an error different to what 1.1.1
did. This results in info log output in httpd:

[Tue Aug 29 12:33:06.787210 2023] [ssl:info] [pid 1994673:tid 1994737] SSL
Library Error: error:0A000126:SSL routines::unexpected eof while reading
[Tue Aug 29 12:33:06.787374 2023] [ssl:info] [pid 1994673:tid 1994737]
[client 1.2.3.4:54790] AH01998: Connection closed to child 215 with abortive
shutdown (server myserver:443)

Some background is given in

   https://github.com/openssl/openssl/issues/18866

They introduced a new context option "SSL_OP_IGNORE_UNEXPECTED_EOF" to
suppress this. Some other software now sets it with SSL_CTX_set_options():


Interesting! Just wondering, is there a reason why we'd only want to
enable this for server-side operation (mctx->pkp == NULL) not also for
client-side/proxy operation? Seems like it might be better to enable it
unconditionally.

Regards, Joe


Hi Joe,

I just wanted to be a bit cautious. I had observed it on the server side 
and have no real knowledge about the client side. But I am OK, to enable 
this "compatibility" flag in both cases.


I'll wait abit for more feedback and then adjust trunk and the backport 
proposal.


Thanks for the feedback,

Rainer

pytest: 3 minutes gap or long single test runtime

[Rainer Jung]

Hi all,

when running the current pytest, I see a gap between two specific test 
outputs of more than three minutes:


...
13.09.2023 21:47:46.220943 
modules/http2/test_712_buffering.py::TestBuffering::test_h2_712_03 
PASSED [ 39%]
13.09.2023 21:50:55.456457 
modules/md/test_001_store.py::TestStore::test_md_001_001 PASSED 
[ 39%]

...

I assume the lines are written at the end of the respective test, so 
either modules/md/test_001_store.py::TestStore::test_md_001_001 takes so 
long, or the teardown after the test before it or startup befor thos test.


Before I try to investigate more: is this happening only here, or does 
someone else also see this?


Thanks and regards,

Rainer

Re: pytest: 3 minutes gap or long single test runtime

[Rainer Jung]

Am 14.09.23 um 07:44 schrieb Stefan Eissing via dev:




Am 13.09.2023 um 22:14 schrieb Rainer Jung :

Hi all,

when running the current pytest, I see a gap between two specific test outputs 
of more than three minutes:

...
13.09.2023 21:47:46.220943 
modules/http2/test_712_buffering.py::TestBuffering::test_h2_712_03 PASSED [ 39%]
13.09.2023 21:50:55.456457 
modules/md/test_001_store.py::TestStore::test_md_001_001 PASSED [ 39%]
...

I assume the lines are written at the end of the respective test, so either 
modules/md/test_001_store.py::TestStore::test_md_001_001 takes so long, or the 
teardown after the test before it or startup befor thos test.

Before I try to investigate more: is this happening only here, or does someone 
else also see this?


I do not see any noticeable delay in starting the mod_md tests on my machine. 
The gap you see indicate to a startup problem, maybe until pebble starts 
responding?


Thank you very much for checking. I will investigate.

Re: svn commit: r1913010 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS

[Rainer Jung]

Thanks for merging. I am fine with this one not making in into the final 
2.4.58 release (but of course also if it goes in in case we need a 
seconds rc).


Am 16.10.23 um 13:45 schrieb rpl...@apache.org:

Author: rpluem
Date: Mon Oct 16 11:45:19 2023
New Revision: 1913010

URL: http://svn.apache.org/viewvc?rev=1913010&view=rev
Log:
Merge r1912015 from trunk:

mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
  SSL routines::unexpected eof while reading" when using
  OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
  available. [Rainer Jung]

Reviewed by: rjung, gbechis, rpluem

Modified:
 httpd/httpd/branches/2.4.x/   (props changed)
 httpd/httpd/branches/2.4.x/CHANGES
 httpd/httpd/branches/2.4.x/STATUS

Propchange: httpd/httpd/branches/2.4.x/
--
   Merged /httpd/httpd/trunk:r1912015

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1913010&r1=1913009&r2=1913010&view=diff
==
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Oct 16 11:45:19 2023
@@ -1,6 +1,11 @@
   -*- coding: utf-8 -*-
  Changes with Apache 2.4.58
  
+  *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:

+ SSL routines::unexpected eof while reading" when using
+ OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
+ available. [Rainer Jung]
+
*) mod_http2: improved early cleanup of streams.
   [Stefan Eissing]
  


Modified: httpd/httpd/branches/2.4.x/STATUS
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1913010&r1=1913009&r2=1913010&view=diff
==
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Mon Oct 16 11:45:19 2023
@@ -152,15 +152,6 @@ RELEASE SHOWSTOPPERS:
  PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
  
-  *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:

- SSL routines::unexpected eof while reading" when using
- OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
- available. [Rainer Jung]
- Trunk version of patch:
-https://svn.apache.org/r1912015
- Backport version for 2.4.x of patch:
-svn merge -c 1912015 ^/httpd/httpd/trunk .
- +1: rjung, gbechis, rpluem
  
  PATCHES PROPOSED TO BACKPORT FROM TRUNK:

[ New proposals should be added at the end of the list ]

Re: [VOTE] Release httpd-2.4.58-rc3 as httpd-2.4.58

[Rainer Jung]

Am 16.10.23 um 17:08 schrieb Stefan Eissing via dev:

Hi all,

after fixing my merge mistake in rc2 (sorry!), we go again:

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.58-rc3 as 2.4.58:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 503a7da4a4a27fd496037998b17078dc9fe004db32c657c96cce8356b8aa2eb6 
*httpd-2.4.58-rc3.tar.gz
sha512: 
5c11faf0572035ef67b27775d975999411c689cb774553175299a9e99b63d3d7138b0c7f15048ec28038494d8513689f916202c2289d557947d8b190d46ca9f3
 *httpd-2.4.58-rc3.tar.gz

The SVN candidate source is found at tags/2.4.58-rc3-candidate.

Cheers,
Stefan


I know I am late, but for the sake of completeness my test results:

+1 to release and thanks a bunch for RM!

The full range of unit tests is still running, but enough have completed 
for a vote.


- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas

Built on

- SLES 11+12+15 (64 Bits)
- RHEL 6+7+8+9 (64 Bits)

For all platforms built

- with default (shared) and static modules
- with module set reallyall
- using --enable-load-all-modules

- using libraries
  - APR/APU
- bundled deps tarball
- 1.7.4/1.6.3
- 1.6.5/1.6.3
- 1.7.x(r1911757)/1.7.x(r1911757) with libxml2
- 1.7.x(r1911757)/1.7.x(r1911757) with expat
- 1.6.x(r1908753)/1.6.x(r1911757)
- trunk(r1911757) with libxml2
- trunk(r1911757) with expat
  - OpenSSL 3.1.3, 3.0.11, 1.1.1w,
and for all except RHEL 9
also 1.1.1, 1.0.2u, 1.0.2
  - expat 2.5.0
  - pcre 10.42
  - lua 5.4.6 (compiled with LUA_COMPAT_MODULE)
  - libxml2 2.11.5
  - libnghttp2 1.57.0
  - brotli 1.1.0
  - curl 8.4.0
  - jansson 2.14
  - libldap 2.6.6 (2.5.7 with OpenSSL 1.1.1,
   2.4.59 with OpenSSL 1.0.2*)

- in total 200 builds per platform (80 for RHEL 9)

- Tool chain:
- platform gcc
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing

All builds succeeded.

- compiler warnings:

  - deprecation warnings when building against OpenSSL 3.1.3, see other 
thread


Tested for

- SLES 11+12+15
- RHEL 6+7+8+9
- MPMs prefork, worker, event
- log level trace8
- Perl client bundle build against OpenSSL 3.1.0beta1-1,
  3.0.0, 1.1.1g plus patches, 1.1.0l, 1.0.2u and 1.1.0l-1
  (RHEL 9 3.1.2-1, 3.0.10-1, 1.1.1w-1)

Every OpenSSL version in the client tested with every OpenSSL version in 
the server. 18 unit test runs (3 MPMS x 6 OpenSSL clients) per server build.


About 2.400 unit test runs are done, most with server OpenSSL 3.1 and 
3.0, for RHEL 9 also 1.1.1.


Some local adjustments to tests were used:

- t/modules/buffer.t: removing huge buffer tests
  -my $bigsize = 10;
  +my $bigsize = 5;

The following test failures were seen:

a t/modules/buffer.t line 37
  Not a regression
  Only on RHEL 6, SLES 11.

c t/modules/sed.t line 37 test 3
  Not a regression
  Only on RHEL 6, SLES 11.


Regards,

Rainer

OpenSSL 3.0 deprecations

[Rainer Jung]

FYI: here's a list of symbols for which I get deprecation warnings when 
compiling httpd 2.4.58 (plus bundled APU) against current OpenSSL 3.1.3. 
or 3.0.11:


srclib/apr-util/crypto/apr_crypto_openssl.c:141:5: warning: 
'ENGINE_load_builtin_engines' is deprecated (declared at 
include/openssl/engine.h:358): Since OpenSSL 3.0
srclib/apr-util/crypto/apr_crypto_openssl.c:142:5: warning: 
'ENGINE_register_all_complete' is deprecated (declared at 
include/openssl/engine.h:415): Since OpenSSL 3.0
srclib/apr-util/crypto/apr_crypto_openssl.c:208:9: warning: 
'ENGINE_finish' is deprecated (declared at 
include/openssl/engine.h:628): Since OpenSSL 3.0
srclib/apr-util/crypto/apr_crypto_openssl.c:209:9: warning: 
'ENGINE_free' is deprecated (declared at include/openssl/engine.h:493): 
Since OpenSSL 3.0
srclib/apr-util/crypto/apr_crypto_openssl.c:326:9: warning: 
'ENGINE_by_id' is deprecated (declared at include/openssl/engine.h:336): 
Since OpenSSL 3.0
srclib/apr-util/crypto/apr_crypto_openssl.c:330:9: warning: 
'ENGINE_init' is deprecated (declared at include/openssl/engine.h:620): 
Since OpenSSL 3.0
srclib/apr-util/crypto/apr_crypto_openssl.c:331:13: warning: 
'ENGINE_free' is deprecated (declared at include/openssl/engine.h:493): 
Since OpenSSL 3.0


support/ab.c:769:25: warning: 'EVP_PKEY_get1_EC_KEY' is deprecated 
(declared at include/openssl/evp.h:1377): Since OpenSSL 3.0
support/ab.c:770:25: warning: 'EC_KEY_get0_group' is deprecated 
(declared at include/openssl/ec.h:1037): Since OpenSSL 3.0
support/ab.c:771:25: warning: 'EC_KEY_free' is deprecated (declared at 
include/openssl/ec.h:1006): Since OpenSSL 3.0
support/ab.c:1431:13: warning: 'BIO_set_callback' is deprecated 
(declared at include/openssl/bio.h:279): Since OpenSSL 3.0


modules/ssl/ssl_engine_config.c:611:5: warning: 'ENGINE_by_id' is 
deprecated (declared at include/openssl/engine.h:336): Since OpenSSL 3.0
modules/ssl/ssl_engine_config.c:613:9: warning: 'ENGINE_free' is 
deprecated (declared at include/openssl/engine.h:493): Since OpenSSL 3.0
modules/ssl/ssl_engine_config.c:618:9: warning: 'ENGINE_get_first' is 
deprecated (declared at include/openssl/engine.h:318): Since OpenSSL 3.0
modules/ssl/ssl_engine_config.c:620:13: warning: 'ENGINE_get_id' is 
deprecated (declared at include/openssl/engine.h:552): Since OpenSSL 3.0
modules/ssl/ssl_engine_config.c:621:42: warning: 'ENGINE_get_name' is 
deprecated (declared at include/openssl/engine.h:553): Since OpenSSL 3.0
modules/ssl/ssl_engine_config.c:624:13: warning: 'ENGINE_get_next' is 
deprecated (declared at include/openssl/engine.h:323): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:483:9: warning: 'ENGINE_by_id' is 
deprecated (declared at include/openssl/engine.h:336): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:493:13: warning: 'ENGINE_ctrl' is 
deprecated (declared at include/openssl/engine.h:429): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:497:9: warning: 'ENGINE_set_default' is 
deprecated (declared at include/openssl/engine.h:708): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:508:9: warning: 'ENGINE_free' is 
deprecated (declared at include/openssl/engine.h:493): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:574:9: warning: 'SRP_VBASE_new' is 
deprecated (declared at include/openssl/srp.h:176): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:583:9: warning: 'SRP_VBASE_init' is 
deprecated (declared at include/openssl/srp.h:180): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:591:9: warning: 
'SSL_CTX_set_srp_username_callback' is deprecated (declared at 
include/openssl/ssl.h:1900): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:593:9: warning: 'SSL_CTX_set_srp_cb_arg' 
is deprecated (declared at include/openssl/ssl.h:1902): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:1318:5: warning: 'DH_get0_p' is deprecated 
(declared at include/openssl/dh.h:266): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:1539:9: warning: 'DH_free' is deprecated 
(declared at include/openssl/dh.h:207): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:1556:9: warning: 
'EC_KEY_new_by_curve_name' is deprecated (declared at 
include/openssl/ec.h:1001): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:1578:5: warning: 'EC_KEY_free' is 
deprecated (declared at include/openssl/ec.h:1006): Since OpenSSL 3.0
modules/ssl/ssl_engine_init.c:1843:9: warning: 'SRP_VBASE_free' is 
deprecated (declared at include/openssl/srp.h:178): Since OpenSSL 3.0
modules/ssl/ssl_engine_io.c:2288:9: warning: 'BIO_set_callback' is 
deprecated (declared at include/openssl/bio.h:279): Since OpenSSL 3.0
modules/ssl/ssl_engine_io.c:2291:13: warning: 'BIO_set_callback' is 
deprecated (declared at include/openssl/bio.h:279): Since OpenSSL 3.0
modules/ssl/ssl_engine_kernel.c:545:5: warning: 'SSL_get_srp_username' 
is deprecated (declared at include/openssl/ssl.h:1914): Since OpenSSL 3.0
modules/ssl/ssl_engine_kernel.c:2594:13: warning: 'BIO_set_callback' is 
deprecated (declared at include/openssl/bio.h:279): Since OpenSSL 3.0
mod

Re: age in proxy_balancer_method

[Rainer Jung]

I guess it could be like this: when Mladen originally implemented the by 
requests load balancing method in mod_jk he used the count and subtract 
method for the counters. He then ported this to mod_proxy_balancer and I 
think it is still, how by requests counting woorks there.


There are pros and cons, e.g. in case a worker goes down for some time. 
A bit later we switched in mod_jk to a count and divide, where division 
by 2 was done roughly every 60 seconds (configurable).


I think the idea of the age method was roughly, that you could implement 
a balanvcer method, that registers a mod_watchdog task, that regularly 
ages the balancing counters. Aging because you want to give the past a 
smaller influence on the balancing decision than the more recent activity.


I hope that's understandable and maybe Jim remembers something similar 
to that.


Best regards,

Rainer

Am 21.12.23 um 08:23 schrieb jean-frederic clere:

On 12/20/23 21:22, Jim Jagielski wrote:
I'll have to go back through my notes... I do recall adding fields 
that although
were not being used at the time, were _going to be used_ as some 
point, and

I didn't want to have to worry about ABI compatibility.


Cool I will wait before implementing something that breaks your design ;-)



On Dec 14, 2023, at 8:27 AM, jean-frederic clere  
wrote:


Hi,

Any examples or docs about:
apr_status_t (*age)(proxy_balancer *balancer, server_rec *s);

In struct proxy_balancer_method?

--
Cheers

Jean-Frederic

Re: [VOTE] Release Apache httpd 2.4.11 as GA

[Rainer Jung]

Am 17.01.2015 um 03:58 schrieb rj...@apache.org:
> Author: rjung
> Date: Sat Jan 17 02:58:24 2015
> New Revision: 1652559
>
> URL: http://svn.apache.org/r1652559
> Log:
> Fix failing test.
>
> After r1651085 for mod_cgi we log cgi script
> stderr to ScriptLog. Two of our test scripts
> write 8KB to STDERR, each is called two times.
>
> So increase ScriptLogLength by 4 x 8KB, otherwise
> the log file contents looked after by later tests
> can not be found.
>
> Modified:
>  httpd/test/framework/trunk/t/conf/extra.conf.in
>  httpd/test/framework/trunk/t/modules/cgi.t

I saw tests failing due to this test bug on Solaris 10 Sparc.

I don't see the tests failing before this change to the test on other 
platforms, but those are failing now :(


Reason: the stderr expected to get logged during the test to the 
ScriptLog does not show up in the cgi log file for those other platforms 
and instead goes to the normal error log - like it was normal until 
2.4.10. On Solaris 10 Sparc the stderr is written to the ScriptLog by 
calling log_script_err() in cgi_bucket_read() (inside mod_cgi.c). On the 
other platforms, this piece of code isn't hit and instead the STDERR 
goes to the normal error log.


Before change r1651085 to mod_cgi.c it always went to the normal error 
log. So it seems r1651085 isn't complete, but before 2.4.11 it was even 
more incomplete, so not really a regression.


I'll take a bit of sleep now and will see, whether I can narrow down the 
reason for this platform specific difference later.


Regards,

Rainer

Re: svn commit: r1626978 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/generators/mod_cgi.c

[Rainer Jung]

Hi Jan,

Am 23.09.2014 um 13:14 schrieb jkal...@apache.org:

Author: jkaluza
Date: Tue Sep 23 11:14:09 2014
New Revision: 1626978

URL: http://svn.apache.org/r1626978
Log:
mod_cgi: log cgi script stderr to ScriptLog, use APLOGNO for log_scripterror
errors.

Modified:
 httpd/httpd/trunk/docs/log-message-tags/next-number
 httpd/httpd/trunk/modules/generators/mod_cgi.c


...

Modified: httpd/httpd/trunk/modules/generators/mod_cgi.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgi.c?rev=1626978&r1=1626977&r2=1626978&view=diff
==
--- httpd/httpd/trunk/modules/generators/mod_cgi.c (original)
+++ httpd/httpd/trunk/modules/generators/mod_cgi.c Tue Sep 23 11:14:09 2014

...

@@ -210,8 +211,7 @@ static apr_status_t log_script_err(reque
  if (newline) {
  *newline = '\0';
  }
-ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01215)
-  "%s", argsbuffer);
+log_scripterror(r, conf, r->status, 0, APLOGNO(01215), argsbuffer);
  }

  return rv;


This fix and its backport to 2.4 seems to be incomplete. I can see the 
STDERR output of nph-stderr.pl in the test framework now going to the 
ScriptLog (after this patch, e.g. for 2.4.11) but only for some 
platforms. On my Solaris 10 Sparc system it works, but on Solaris 8 
Sparc or RHEL 6 the STDERR output still goes to the normal error log. I 
don't expect it to be a real platform issue, but more a timing issue or 
similar.


Regards,

Rainer

Re: svn commit: r1626978 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/generators/mod_cgi.c

[Rainer Jung]

Am 17.01.2015 um 05:45 schrieb Rainer Jung:

Hi Jan,

Am 23.09.2014 um 13:14 schrieb jkal...@apache.org:

Author: jkaluza
Date: Tue Sep 23 11:14:09 2014
New Revision: 1626978

URL: http://svn.apache.org/r1626978
Log:
mod_cgi: log cgi script stderr to ScriptLog, use APLOGNO for
log_scripterror
errors.

Modified:
 httpd/httpd/trunk/docs/log-message-tags/next-number
 httpd/httpd/trunk/modules/generators/mod_cgi.c


...

Modified: httpd/httpd/trunk/modules/generators/mod_cgi.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgi.c?rev=1626978&r1=1626977&r2=1626978&view=diff

==

--- httpd/httpd/trunk/modules/generators/mod_cgi.c (original)
+++ httpd/httpd/trunk/modules/generators/mod_cgi.c Tue Sep 23 11:14:09
2014

...

@@ -210,8 +211,7 @@ static apr_status_t log_script_err(reque
  if (newline) {
  *newline = '\0';
  }
-ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01215)
-  "%s", argsbuffer);
+log_scripterror(r, conf, r->status, 0, APLOGNO(01215),
argsbuffer);
  }

  return rv;


This fix and its backport to 2.4 seems to be incomplete. I can see the
STDERR output of nph-stderr.pl in the test framework now going to the
ScriptLog (after this patch, e.g. for 2.4.11) but only for some
platforms. On my Solaris 10 Sparc system it works, but on Solaris 8
Sparc or RHEL 6 the STDERR output still goes to the normal error log. I
don't expect it to be a real platform issue, but more a timing issue or
similar.


The problem does not occur for mod_cgi but only for mod_cgid.

If both are being build and installed, then the test framework will load 
both. It seems that for some reason my Solaris 10 Sparc system is the 
only one, on which the requests are then actually executed by mod_cgi, 
on all other platforms they are being executed by mod_cgid, which does 
not write stderr output to the ScriptLog but instead to STDERR which is 
captured by the error log.


So the fix to mod_cgi is *not* incomplete, but we should also fix it for 
mod_cgid.


Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.11 as GA

[Rainer Jung]

Am 15.01.2015 um 21:10 schrieb Jim Jagielski:

The pre-release test tarballs for Apache httpd 2.4.11 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.11 GA.

[X] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.


+1 to release, thanks for RMing.

In short: No regressions found.

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas
  (we could cleanup some m4 files in apr-util/xml/expat/conftools
   at the end of buildconf, no regression)

Built on

- Solaris 8+10 Sparc as 32 Bit Binaries
- SLES 10+11 (64 Bits)
- RHEL 6 (64 Bits)

- with default (shared) and static modules
- with module sets none, few, most, all, reallyall and default
  (always mod_privileges disabled)
- using --enable-load-all-modules
- against "included" APR/APU from deps tarball,
  plus external APR/APU 1.5.1/1.5.4

- using external libraries
  - expat 2.1.0
  - pcre 8.36
  - openssl 1.0.1l
  - lua 5.2.3
  - distcache 1.5.1
  - libxml2 2.9.2

- Tool chain:
- platform gcc except for Solaris
  (gcc 4.1.2 for Solaris 8 and 4.9.1 for Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  (and -mpcu=v9 on Solaris)

All builds succeeded
  - three builds on RHEL had to be restarted due to crashes
in the shell but that is not a regression and a platform problem
  - two harmless compiler warnings in modules/aaa/mod_authnz_fcgi.c
Fixed now in r1652829 and proposed for 2.4

Tested for

- Solaris 8+10 (32), SLES 10+11 (64), RHEL 6 (64)
- MPMs prefork, worker, event (except for Solaris 8 - no event)
- default (shared) and static modules
- log levels info, debug and trace8
- module set reallyall (121 modules plus MPMs), "all", "most",
  "few", "none" and default

Some combinations still run, but out of the about 900 finished 
combinations until now, only the following test failures were seen:


a Test 4 and 5 in t/modules/dav.t:
  70 runs creation, modified and now times not in the correct order.
  This seems to be a system issue, all tests done on NFS,
  many tested on virtualized guests.
  Not a regression.

b Various tests in t/apache/expr_string.t: (3, 6, 11, 14, 20 ,23)
  76 runs failed this test, (all except for one on RHEL).
  The failure is always on line 68, where the error_log contents
  are checked.
  Not a regression.

c Tests t/modules/cgi.t testing contents of ScriptLog
  The tests fail for "reallyall" modules because then
  mod_cgi plus mod_cgid were loaded. In r1651085 logging for
  mod_cgi was fixed for some STDERR outputs but the test in cgi.t
  wasn't adjusted. So the tests fail whenever mod_cgi handles
  the test suite requests. On some of my systems that happened,
  on most of them mod_cgid came first.
  This was a test suite problem I hope to have fixed.
  We should though try to port the r1651085 enhancement
  from mod_cgi to mod_cgid as well (logging errors to ScriptLog
  instead of error log in more cases).

Regards,

Rainer

Re: svn commit: r1652955 - /httpd/httpd/trunk/Makefile.in

[Rainer Jung]

Am 19.01.2015 um 13:25 schrieb Yann Ylavic:

Hi Rainer,

On Mon, Jan 19, 2015 at 11:32 AM,   wrote:

Author: rjung
Date: Mon Jan 19 10:32:51 2015
New Revision: 1652955

URL: http://svn.apache.org/r1652955
Log:
PR 57379: If mod_cgi and mod_cgid get installed,
use IfModule for MPM to choose mod_cgi for
prefork and mod_cgid in all other cases.

Previously when combined with --enable-load-all-modules
both modules were loaded and it was undefined
which one actually handled cgi requests.

Modified:
 httpd/httpd/trunk/Makefile.in



Indentation looks incorrect here (it should at least start with a tab).


Fixed by using only tabs for the new lines and added to proposal.

Note that the file also contains quite a few other (old) places where 
continuation lines start with space instead of tabs.


Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.11 as GA

[Rainer Jung]

Am 19.01.2015 um 14:16 schrieb Jim Jagielski:

Thx for the catch!! Looks like we need to add some additional
tests to the perl test framework :)

I'll keep the VOTE open, to encourage others to continue to
test, but I consider 2.4.11 DOA.


I took the opportunity to put 2.4.11 plus the one after-tag revert on 
aurora (the EU server for the www website of the ASF, server is FreeBSD 
9.1). Currently running fine, no crashes, about 180 requests/s, no 
obvious errors.


Regards,

Rainer

Hanging child process during MaxConnectionsPerChild exit (event, 2.4.11)

[Rainer Jung]

I noticed a hanging child process on our ASF server aurora.
It currently uses 2.4.11 (plus the post tag commit) and event MPM.
Most processes exiting due to MaxConnectionsPerChild get cleaned up 
after some time but this one doesn't. It now hangs for more than an 
hour. I'll let it hang. In case anyone has a good question I can answer 
with gdb let me know.


It shows a strange connection view in the server status table:

PID Connections Threads Async connections
total   accepting   busyidlewriting keep-alive  closing
93557   1   yes 0   0   0   0   0

So it has 1 connection, but 0s in all other columns.

The connection can be seen by lsof:

 FD TYPE DEVICE   SIZE/OFF   NODE NAME
txt VREG 183,3400335528   36497117 275235 
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip

  9uPIPE 0xfe061ecfab60  16384->0xfe061ecfacb8
 10uPIPE 0xfe061ecfacb8  0->0xfe061ecfab60
 24u  KQUEUE 0xfe033071be00   count=0, state=0x2
 41uIPv4 0xfe01316243d00t0TCP 
127.0.0.1:35849->127.0.0.1:8050 (CLOSE_WAIT)
 83uIPv4 0xfe0255d08b700t0TCP 
127.0.0.1:52023->127.0.0.1:8050 (CLOSE_WAIT)
108uIPv4 0xfe09990eeb700t0TCP 
127.0.0.1:22532->127.0.0.1:8050 (CLOSE_WAIT)


This is the established connectioN:

110uIPv4 0xfe0255ab4b700t0TCP 
192.87.106.229:http->179.206.174.192:65496 (ESTABLISHED)


And this is likely the file being served on that connection:

126rVREG 183,3400335528   36497117 275235 
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip
156uIPv4 0xfe048d0ff3d00t0TCP 
127.0.0.1:26685->127.0.0.1:8050 (CLOSE_WAIT)
229uIPv4 0xfe0131d013d00t0TCP 
127.0.0.1:31538->127.0.0.1:8050 (CLOSE_WAIT)


netstat shows:

Proto Recv-Q Send-Q Local Address  Foreign Address(state)
tcp4   0  87650 192.87.106.229.80  179.206.174.192.65496 
ESTABLISHED


so there's 87650 bytes in the send-q. Most lilely the client hans't 
acked what we send.


The highest thread is in:

#0  0x000101a0887c in ?? () from /lib/libthr.so.3
No symbol table info available.
#1  0x000101a098c9 in ?? () from /lib/libthr.so.3
No symbol table info available.
#2  0x0001015d0295 in apr_thread_join (retval=0x7fffd52c, 
thd=0x109410c88) at threadproc/unix/thread.c:217

stat = 
thread_stat = 0xa
#3  0x000108d67a50 in join_workers (listener=0x109410c88, 
threads=0x10200b400) at event.c:2110

iter = 0
i = 
rv = 
thread_rv = 1
#4  0x000108d6a324 in child_main (child_num_arg=3) at event.c:2299
threads = 0x2
rv = 2
ts = 0x1020a1fa8
thread_attr = 0x1020a1fc8
start_thread_id = 0x1020a1ff8

So it hangs in apr_thread_join(). From another gdb view I can see, that 
the two top most frames are actually pthread_kill() and the event line 
number shows, that it hangs while trying to kill the listener.


The listener itself is in:

#0  0x000101cfe4bc in kevent () from /lib/libc.so.7
No symbol table info available.
#1  0x0001015cbe79 in impl_pollset_poll (pollset=0x1020a2dc8, 
timeout=, num=0x7fffef97cf88, descriptors=0x7fffef97cf68) 
at poll/unix/kqueue.c:263

ret = 0
i = 
j = 
tv = {tv_sec = 0, tv_nsec = 1}
tvptr = 0x7fffef97c640
rv = 
fd = {p = 0x123805bf0, desc_type = 6848688, reqevents = 0, 
rtnevents = 0, desc = {f = 0x10201d0a0, s = 0x10201d0a0}, client_data = 
0x123bd3f80}
#2  0x000108d68688 in listener_thread (thd=0x109410c88, 
dummy=) at event.c:1519

workers_were_busy = 0
ep = 
rc = 70007
ti = 
process_slot = 3
tpool = 0x109411028
csd = 0x12ff4a0b0
ptrans = 0x12ff4a028
lr = 
have_idle_worker = 0
cs = 
out_pfd = 0x109411048
num = 0
timeout_interval = 10
timeout_time = 1421704478168661
now = 1421704478068663
last_log = 1421697060293018
pt = 
closed = 1
listeners_disabled = 0
#3  0x000101a010a4 in ?? () from /lib/libthr.so.3

The impl_pollset_poll() has a timeout of 100ms set. Some data for the 
kevent() args:


(gdb) print *pollset
$1 = {pool = 0x1020a1028, nelts = 0, nalloc = 256, flags = 19, 
wakeup_pipe = {0x6174736e692d3265, 0x612e772f6c6c}, wakeup_pfd = {p 
= 0x726f2e6568636170,
desc_type = 1868771175, reqevents = 26222, rtnevents = 25135, desc 
= {f = 0x70695f64656e6e61, s = 0x70695f64656e6e61}, client_data = 
0x666e6f632e73}, p = 0x1020a2e20,

  provider = 0x1017d9480 }
(gdb) print *pollset->p
$2 = {kqueue_fd = 24, kevent = {ident = 479, filter = -1, flags = 2, 
fflags = 0, data = 0, udata = 0x0}, setsize = 512, ke_set = 0x10940c028, 
result_set = 0x109411028,
  ring_lock = 0x1020a2e98, query_ring = {next = 0x1020a2e6

Re: Hanging child process during MaxConnectionsPerChild exit (event, 2.4.11)

[Rainer Jung]

Am 20.01.2015 um 00:33 schrieb Eric Covener:

On Mon, Jan 19, 2015 at 5:40 PM, Rainer Jung  wrote:

It currently uses 2.4.11 (plus the post tag commit) and event MPM.


Was it 2.4.10 previously, or earlier?


2.4.10. But since it is automatically restarted each night, I can not 
say for sure whether that behavior is really new. The restart at 
midnight GMT a few minutes ago killed the hanging process. I'll check 
during the next days, whether it happens again.


Regards,

Rainer

Re: Hanging child process during MaxConnectionsPerChild exit (event, 2.4.11)

[Rainer Jung]

Am 20.01.2015 um 08:45 schrieb Ruediger Pluem:

On 01/19/2015 11:40 PM, Rainer Jung wrote:

I noticed a hanging child process on our ASF server aurora.
It currently uses 2.4.11 (plus the post tag commit) and event MPM.
Most processes exiting due to MaxConnectionsPerChild get cleaned up after some 
time but this one doesn't. It now hangs
for more than an hour. I'll let it hang. In case anyone has a good question I 
can answer with gdb let me know.

It shows a strange connection view in the server status table:

PID Connections Threads Async connections
total   accepting   busyidlewriting keep-alive  closing
93557   1   yes 0   0   0   0   0

So it has 1 connection, but 0s in all other columns.

The connection can be seen by lsof:

  FD TYPE DEVICE   SIZE/OFF   NODE NAME
txt VREG 183,3400335528   36497117 275235 
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip
   9uPIPE 0xfe061ecfab60  16384->0xfe061ecfacb8
  10uPIPE 0xfe061ecfacb8  0->0xfe061ecfab60
  24u  KQUEUE 0xfe033071be00   count=0, state=0x2
  41uIPv4 0xfe01316243d00t0TCP 
127.0.0.1:35849->127.0.0.1:8050 (CLOSE_WAIT)
  83uIPv4 0xfe0255d08b700t0TCP 
127.0.0.1:52023->127.0.0.1:8050 (CLOSE_WAIT)
108uIPv4 0xfe09990eeb700t0TCP 
127.0.0.1:22532->127.0.0.1:8050 (CLOSE_WAIT)

This is the established connectioN:

110uIPv4 0xfe0255ab4b700t0TCP 
192.87.106.229:http->179.206.174.192:65496 (ESTABLISHED)

And this is likely the file being served on that connection:

126rVREG 183,3400335528   36497117 275235 
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip
156uIPv4 0xfe048d0ff3d00t0TCP 
127.0.0.1:26685->127.0.0.1:8050 (CLOSE_WAIT)
229uIPv4 0xfe0131d013d00t0TCP 
127.0.0.1:31538->127.0.0.1:8050 (CLOSE_WAIT)

netstat shows:

Proto Recv-Q Send-Q Local Address  Foreign Address(state)
tcp4   0  87650 192.87.106.229.80  179.206.174.192.65496 ESTABLISHED

so there's 87650 bytes in the send-q. Most lilely the client hans't acked what 
we send.


Isn't it weird that the connection remains in this state for an hour? I would 
guess the OS tries to resent whats in the
buffer and if doesn't get  ACK'ed it would somehow timeout the TCP connection 
and assume the peer is gone.


I was misguided by the server-status table. I have another child process 
now with one open connection, all zeroes in the other server status 
columns and for that I checked network and process activity. And indeed 
ktrace and tcpdump both show, that the process still does send some data 
every few seconds. It just takes very long for the big file served and 
the low rate of transfer. Thanks for putting me on the right track. I 
will check for a few more "hanging" children during the next days 
whether they actually still serve files.


So it all boils down to why the connection isn't shown in any of the 
state columns in the server status table. Plus it could be interesting 
to limit the time a closing child still serves requests, because it 
keeps blocking a scoreboard entry and aborting one or two requests every 
now and them might be better than running out of children.


Regards,

Rainer

Re: Hanging child process during MaxConnectionsPerChild exit (event, 2.4.11)

[Rainer Jung]

Am 20.01.2015 um 10:15 schrieb Rainer Jung:

Am 20.01.2015 um 08:45 schrieb Ruediger Pluem:

On 01/19/2015 11:40 PM, Rainer Jung wrote:

I noticed a hanging child process on our ASF server aurora.
It currently uses 2.4.11 (plus the post tag commit) and event MPM.
Most processes exiting due to MaxConnectionsPerChild get cleaned up
after some time but this one doesn't. It now hangs
for more than an hour. I'll let it hang. In case anyone has a good
question I can answer with gdb let me know.

It shows a strange connection view in the server status table:

PID Connections Threads Async connections
total   accepting   busyidlewriting keep-alive  closing
93557   1   yes 0   0   0   0   0

So it has 1 connection, but 0s in all other columns.

The connection can be seen by lsof:

  FD TYPE DEVICE   SIZE/OFF   NODE NAME
txt VREG 183,3400335528   36497117 275235
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip
   9uPIPE 0xfe061ecfab60  16384->0xfe061ecfacb8
  10uPIPE 0xfe061ecfacb8  0->0xfe061ecfab60
  24u  KQUEUE 0xfe033071be00   count=0, state=0x2
  41uIPv4 0xfe01316243d00t0TCP
127.0.0.1:35849->127.0.0.1:8050 (CLOSE_WAIT)
  83uIPv4 0xfe0255d08b700t0TCP
127.0.0.1:52023->127.0.0.1:8050 (CLOSE_WAIT)
108uIPv4 0xfe09990eeb700t0TCP
127.0.0.1:22532->127.0.0.1:8050 (CLOSE_WAIT)

This is the established connectioN:

110uIPv4 0xfe0255ab4b700t0TCP
192.87.106.229:http->179.206.174.192:65496 (ESTABLISHED)

And this is likely the file being served on that connection:

126rVREG 183,3400335528   36497117 275235
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip
156uIPv4 0xfe048d0ff3d00t0TCP
127.0.0.1:26685->127.0.0.1:8050 (CLOSE_WAIT)
229uIPv4 0xfe0131d013d00t0TCP
127.0.0.1:31538->127.0.0.1:8050 (CLOSE_WAIT)

netstat shows:

Proto Recv-Q Send-Q Local Address  Foreign Address
(state)
tcp4   0  87650 192.87.106.229.80  179.206.174.192.65496
ESTABLISHED

so there's 87650 bytes in the send-q. Most lilely the client hans't
acked what we send.


Isn't it weird that the connection remains in this state for an hour?
I would guess the OS tries to resent whats in the
buffer and if doesn't get  ACK'ed it would somehow timeout the TCP
connection and assume the peer is gone.


I was misguided by the server-status table. I have another child process
now with one open connection, all zeroes in the other server status
columns and for that I checked network and process activity. And indeed
ktrace and tcpdump both show, that the process still does send some data
every few seconds. It just takes very long for the big file served and
the low rate of transfer. Thanks for putting me on the right track. I
will check for a few more "hanging" children during the next days
whether they actually still serve files.

So it all boils down to why the connection isn't shown in any of the
state columns in the server status table. Plus it could be interesting
to limit the time a closing child still serves requests, because it
keeps blocking a scoreboard entry and aborting one or two requests every
now and them might be better than running out of children.


And now another hour later, the same process actually shows the 
connection in the "Async connection - writing" column. Even more 
confusing. I wonder in which state the connection was in between.


Regards,

Rainer

Re: Hanging child process during MaxConnectionsPerChild exit (event, 2.4.11)

[Rainer Jung]

Hi Jim,

let this observation not stop you from tagging 2.4.12. I don't think it 
is new behavior and in contrast to my original expectation the child 
processes do not hang infinitely but instead just serve the remaining 
requests with a low data send rate.


The only strange thing - and that is likely not new - is that the 
remaining connection(s) often are not counted in the busy or async 
connections columns in server-status.


Regards,

Rainer

Am 20.01.2015 um 12:52 schrieb Jim Jagielski:

Isn't the TCP keepalive like 2hours or so?


On Jan 20, 2015, at 2:45 AM, Ruediger Pluem  wrote:



On 01/19/2015 11:40 PM, Rainer Jung wrote:

I noticed a hanging child process on our ASF server aurora.
It currently uses 2.4.11 (plus the post tag commit) and event MPM.
Most processes exiting due to MaxConnectionsPerChild get cleaned up after some 
time but this one doesn't. It now hangs
for more than an hour. I'll let it hang. In case anyone has a good question I 
can answer with gdb let me know.

It shows a strange connection view in the server status table:

PID Connections Threads Async connections
total   accepting   busyidlewriting keep-alive  closing
93557   1   yes 0   0   0   0   0

So it has 1 connection, but 0s in all other columns.

The connection can be seen by lsof:

FD TYPE DEVICE   SIZE/OFF   NODE NAME
txt VREG 183,3400335528   36497117 275235 
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip
  9uPIPE 0xfe061ecfab60  16384->0xfe061ecfacb8
10uPIPE 0xfe061ecfacb8  0->0xfe061ecfab60
24u  KQUEUE 0xfe033071be00   count=0, state=0x2
41uIPv4 0xfe01316243d00t0TCP 
127.0.0.1:35849->127.0.0.1:8050 (CLOSE_WAIT)
83uIPv4 0xfe0255d08b700t0TCP 
127.0.0.1:52023->127.0.0.1:8050 (CLOSE_WAIT)
108uIPv4 0xfe09990eeb700t0TCP 
127.0.0.1:22532->127.0.0.1:8050 (CLOSE_WAIT)

This is the established connectioN:

110uIPv4 0xfe0255ab4b700t0TCP 
192.87.106.229:http->179.206.174.192:65496 (ESTABLISHED)

And this is likely the file being served on that connection:

126rVREG 183,3400335528   36497117 275235 
/x1/www/archive.apache.org/dist/cordova/cordova-3.4.0-src.zip
156uIPv4 0xfe048d0ff3d00t0TCP 
127.0.0.1:26685->127.0.0.1:8050 (CLOSE_WAIT)
229uIPv4 0xfe0131d013d00t0TCP 
127.0.0.1:31538->127.0.0.1:8050 (CLOSE_WAIT)

netstat shows:

Proto Recv-Q Send-Q Local Address  Foreign Address(state)
tcp4   0  87650 192.87.106.229.80  179.206.174.192.65496 ESTABLISHED

so there's 87650 bytes in the send-q. Most lilely the client hans't acked what 
we send.


Isn't it weird that the connection remains in this state for an hour? I would 
guess the OS tries to resent whats in the
buffer and if doesn't get  ACK'ed it would somehow timeout the TCP connection 
and assume the peer is gone.

Regards

Rüdiger

Re: [VOTE] Release Apache httpd 2.4.12 as GA

[Rainer Jung]

Am 26.01.2015 um 14:14 schrieb Eric Covener:

On Mon, Jan 26, 2015 at 8:08 AM, Jim Jagielski  wrote:

 svn diff https://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.11 
https://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.12 | cdiff



first one should be 2.4.10 (not that it turns up anything better)

What about APR changes?


I checked the logs of my about 1000 runs of the test suite with various 
MPMs and log levels and on various platforms and did not find a single 
entry with wrong timezone.


I also checked the access logs of the two ASF httpd instance which I had 
updated to 2.4.12 yesterday. Those run on GMT timezone, so checking the 
offset made no sense, but I was looking for timestamps which were out of 
the expected range w.r.t. neighboring entries and their own duration. 
For the www instance using the event MPM I could not find such entries. 
For the mail-archives instance using the prefork MPM I found some 
entries. For example two entries apparently logged at 01:02 but 
containing a timestamp of 00:02. But the same process/connection had its 
previous requests being handled at 00:02, so it seems the two requests 
were somehow written delayed or finishing the request was delayed. The 
request duration (%D) was small though.


The same observation holds for older versions, e.g. 2.4.10. I do find 
such constellations there as well.


Would be interesting to know why it happens, but IMHO not a show-stopper 
or a regression. At least not the cases on these instances.


But those only partially fit the pattern observed by Noel.

Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.12 as GA

[Rainer Jung]

Am 22.01.2015 um 19:54 schrieb Jim Jagielski:

The pre-release test tarballs for Apache httpd 2.4.12 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.12 GA.

[X] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.


+1 to release, thanks for RMing.

In short: No regressions found.

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas
  (we could cleanup some m4 files in apr-util/xml/expat/conftools
   at the end of buildconf, no regression)

Built on

- Solaris 8+10 Sparc as 32 Bit Binaries
- SLES 10+11 (64 Bits)
- RHEL 6 (64 Bits)
- FreeBSD 9.1

On FreeBSD 2.4.12 runs on one machine for the ASF the www and 
mail-archives httpd instances. No problems showed up.


For all platforms except FreeBSD built

- with default (shared) and static modules
- with module sets none, few, most, all, reallyall and default
  (always mod_privileges disabled)
- using --enable-load-all-modules
- against "included" APR/APU from deps tarball,
  plus external APR/APU 1.5.1/1.5.4

- using external libraries
  - expat 2.1.0
  - pcre 8.36
  - openssl 1.0.1l
  - lua 5.2.3
  - distcache 1.5.1
  - libxml2 2.9.2

- Tool chain:
- platform gcc except for Solaris
  (gcc 4.1.2 for Solaris 8 and 4.9.1 for Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  (and -mpcu=v9 on Solaris)

All builds succeeded
  - two harmless compiler warnings in modules/aaa/mod_authnz_fcgi.c
Fixed in r1652829 and proposed for 2.4

Tested for

- Solaris 8+10 (32), SLES 11 (64), RHEL 6 (64)
- MPMs prefork, worker, event (except for Solaris 8 - no event)
- default (shared) and static modules
- log levels info, debug and trace8
- module set reallyall (121 modules plus MPMs), "all", "most",
  "few", "none" and default

I didn't wait for finishing all combinations, but out of the about 1050 
finished combinations, only the following test failures were seen:


a Test 4 and 5 in t/modules/dav.t:
  50 runs. Creation, modified and now times not in the correct order.
  This seems to be a system issue, all tests done on NFS,
  many tested on virtualized guests.
  Not a regression.

b Various tests in t/apache/expr_string.t: (3, 6, 11, 14, 20 ,23)
  33 runs failed this test, (all except for two on RHEL).
  The failure is always on line 68, where the error_log contents
  are checked.
  Not a regression.

c Tests 55-57 of t/modules/cgi.t testing contents of ScriptLog.
  The tests fail for "reallyall" modules and static builds
  because then mod_cgi plus mod_cgid are loaded both.
  After r1651085 STDERR logging for mod_cgi and mod_cgid behave
  differently and cgi.t doesn't know which of the two loaded
  modules actually handles the request.
  This was a test suite problem. It happens on most platforms
  but not on Solaris 10, lilkely due to a different hook sort
  order of mod_cgi and mod_cgid there.
  We should try to port the r1651085 enhancement
  from mod_cgi to mod_cgid as well (logging errors to ScriptLog
  instead of error log in more cases).

Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.12 as GA

[Rainer Jung]

Am 27.01.2015 um 21:41 schrieb William A. Rowe Jr.:

I'd agree.  My thoughts on OP's posts, that their specific PHP scripts
are modifying the global timezone locale, notably process-by-process,
and these are not reset at the end of processing.  In the case of the
event or worker MPM it's impossible to do this without a thread-local
implementation of time.h (as Windows and Netware have long had) while
even with prefork, depending on which process handles a given request,
this php script will apparently have left the server in one state or
another, leading to 'flipping' the timezone from log entry to entry.


But wasn't the time itself also wrong? I had the impression the 
observation was not only about timezone, but wrong timezone was easiest 
to detect. I could be wrong but it looked like the timezone shift would 
not have explained the change in time stamp in the same log entries.



It's [mostly] harmless.  If a given log entry is 'zinged' by a change
of the timezone offset in between formatting the zone and formatting
the time and the date, this could yield some wild jumps.  But as the
PHP crew long demoted thread saftey from experimental to deprecated
(IIUC), then I'm afraid we simply have to take them at their word.
The universally endorsed php processing mechanism is now fcgi.

There is a possibility that OP's had actually rebuilt APR (from the
-deps), even with the very same APR version, which resulting in some
different autoconf detection on their platform relative to time.h
function handling.  It would be worth close inspection of their own
config.cache files of old and new APR builds to say for sure.


Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.12 as GA

[Rainer Jung]

Am 28.01.2015 um 23:01 schrieb William A. Rowe Jr.:

On Wed, 28 Jan 2015 12:02:32 +0100
Rainer Jung  wrote:


Am 27.01.2015 um 21:41 schrieb William A. Rowe Jr.:

I'd agree.  My thoughts on OP's posts, that their specific PHP
scripts are modifying the global timezone locale, notably
process-by-process, and these are not reset at the end of
processing.  In the case of the event or worker MPM it's impossible
to do this without a thread-local implementation of time.h (as
Windows and Netware have long had) while even with prefork,
depending on which process handles a given request, this php script
will apparently have left the server in one state or another,
leading to 'flipping' the timezone from log entry to entry.


But wasn't the time itself also wrong? I had the impression the
observation was not only about timezone, but wrong timezone was
easiest to detect. I could be wrong but it looked like the timezone
shift would not have explained the change in time stamp in the same
log entries.


I reviewed Noel's comments;


170.130.179.246 - - [26/Jan/2015:01:02:06 +] "GET /archives/
197.156.95.99 - - [26/Jan/2015:11:02:18 +1000] "GET /ups/t568b.png
HTTP/1.1"
95.211.138.225 - - [26/Jan/2015:01:02:40 +]
"GET /Android-Apps.html HTTP/1.1" 144.76.247.107 - -
[26/Jan/2015:11:03:32 +1000] "GET /

(correct time is 11:xx:xx)


I presume he means 1100 hours, GMT +10.  If that is the case then
the 0100 hours entries are also correct relative to Zulu, GMT +/- 0.


Ah, sorry I had read +0100 and not +1000. Yes, you are right.

Regards,

Rainer

Re: Backporting features from 2.4 to 2.2

[Rainer Jung]

Hi,

Am 08.02.2015 um 01:48 schrieb Davis:

Is backporting of configuration parameters SSLSessionTicketKeyFile and
SSLSessionTickets to 2.2 branch welcome?


SSLSessionTickets for 2.2 has already been backported by Yann:

http://people.apache.org/~ylavic/httpd-2.2.x-SSLSessionTickets.patch

It is on vote in the STATUS file for 2.2 and only needs a third 
committer vote to get applied to 2.2.


For SSLSessionTicketKeyFile IMHO yes, welcome, but maybe you have to be 
careful because 2.2 is expected to support older OpenSSL than 2.4. I 
haven't checked whether backporting is easy or not.


Regards,

Rainer

Re: svn commit: r1657685 - /httpd/httpd/trunk/server/util_expr_eval.c

[Rainer Jung]

Hi Yann,

Am 24.02.2015 um 12:51 schrieb Yann Ylavic:

Hi,

On Thu, Feb 5, 2015 at 9:33 PM,   wrote:

Author: rjung
Date: Thu Feb  5 20:33:59 2015
New Revision: 1657685

URL: http://svn.apache.org/r1657685

[...]


Modified:
 httpd/httpd/trunk/server/util_expr_eval.c

Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1657685&r1=1657684&r2=1657685&view=diff
==
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Thu Feb  5 20:33:59 2015

[...]

@@ -113,6 +114,30 @@ static const char *ap_expr_eval_word(ap_
  else
  result = apr_pstrcat(ctx->p, s1, s2, NULL);
  }
+else if (((ap_expr_t *)node->node_arg1)->node_op == op_Concat) {
+const ap_expr_t *nodep = node;
+int n;
+int i = 1;
+struct iovec *vec;
+do {
+nodep = nodep->node_arg1;
+i++;
+} while (nodep->node_op == op_Concat);
+vec = apr_palloc(ctx->p, i * sizeof(struct iovec));
+n = i;
+nodep = node;
+i--;
+do {
+vec[i].iov_base = (void *)ap_expr_eval_word(ctx,
+nodep->node_arg2);
+vec[i].iov_len = strlen(vec[i].iov_base);
+i--;
+nodep = nodep->node_arg1;
+} while (nodep->node_op == op_Concat);
+vec[i].iov_base = (void *)ap_expr_eval_word(ctx, nodep);
+vec[i].iov_len = strlen(vec[i].iov_base);
+result = apr_pstrcatv(ctx->p, vec, n, NULL);
+}
  else {


Why concatenating in reverse order here?


Because first doing it in normal order produced a reverse result and my 
paper computer then showed reverse is correct :)


Assume the tree looks like (left is node1, right node2):

concat
concat  r1
concat  r2
l1  r3

Result should be l1r3r2r1, so the r's need reverse order.


Actually, I cannot manage to test this because I'm not able to find an
expression that produces node_arg1->node_op == op_Concat.
Due to the %right association of T_OP_CONCAT in the parser/yacc, "'x'
. 'y' . 'z'" gives "concat( 'x', concat ('y, 'z'))", which is
node_arg1->node_op == op_String and node_arg2->node_op == op_Concat...

Can you please share an expression for the new branch to be taken?


The problem (recursion limit reached because the previous optimization 
didn't apply) occurred for me with string expressions (not boolean) of 
the form


"constant1%{function1:arg1}constant2%{function2:arg2}constant3%{function3:arg3}..."

For example in 2.4 use mod_log_debug and the following config:

LogLevel info

  LogMessage 
"|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}|%{HTTPS}"



Without the patch the error log contains:

[Tue Feb 24 14:06:48.913709 2015] [log_debug:error] [pid 3664:tid 22] 
[client 127.0.0.1:48807] Evaluation of expression from 
/.../conf/httpd.conf:563 failed: Recursion limit reached
[Tue Feb 24 14:06:48.913805 2015] [log_debug:error] [pid 3664:tid 22] 
[client 127.0.0.1:48807] AH00641: Can't evaluate message expression: 
Recursion limit reached
[Tue Feb 24 14:06:48.913827 2015] [log_debug:info] [pid 3664:tid 22] 
[client 127.0.0.1:48807] (null)


With the patch you get:

[Tue Feb 24 14:10:50.497472 2015] [log_debug:info] [pid 8785:tid 27] 
[client 127.0.0.1:48817] 
|off|off|off|off|off|off|off|off|off|off|off|off|off|off|off


Thank you for your careful review!

Regards,

Rainer

Re: svn commit: r1634520 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/rewrite/advanced.xml modules/proxy/proxy_util.c

[Rainer Jung]

Am 23.01.2015 um 11:09 schrieb Yann Ylavic:

On Mon, Oct 27, 2014 at 1:40 PM,   wrote:

Author: jim
Date: Mon Oct 27 12:40:34 2014
New Revision: 1634520

URL: http://svn.apache.org/r1634520
Log:
Merge r1621367, r1621372, r1625952 from trunk:

PR53218
Allow for longer worker names and make truncation a non-fatal
error...


Correct loglevel.


oops... prepend 0

Reviewed/backported by: jim

Modified:
 httpd/httpd/branches/2.4.x/   (props changed)
 httpd/httpd/branches/2.4.x/CHANGES
 httpd/httpd/branches/2.4.x/STATUS
 httpd/httpd/branches/2.4.x/docs/manual/rewrite/advanced.xml   (props 
changed)
 httpd/httpd/branches/2.4.x/modules/proxy/proxy_util.c



The "modules/proxy/mod_proxy.h" part of r1621367 was not merge here, ie :

--- httpd/httpd/trunk/modules/proxy/mod_proxy.h (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy.h Fri Aug 29 19:17:45 2014
@@ -317,7 +317,7 @@ PROXY_WORKER_DISABLED | PROXY_WORKER_STO
  #define PROXY_WORKER_MAX_SCHEME_SIZE 16
  #define PROXY_WORKER_MAX_ROUTE_SIZE  96
  #define PROXY_BALANCER_MAX_ROUTE_SIZE64
-#define PROXY_WORKER_MAX_NAME_SIZE   96
+#define PROXY_WORKER_MAX_NAME_SIZE  192
  #define PROXY_BALANCER_MAX_NAME_SIZE 64
  #define PROXY_WORKER_MAX_HOSTNAME_SIZE   96
  #define PROXY_BALANCER_MAX_HOSTNAME_SIZE 64

So the worker name is still 96 bytes (max) in 2.4.x.


This hasn't changed yet.

Re: svn commit: r1670397 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c mod_ssl.h ssl_engine_config.c ssl_engine_io.c ssl_private.h

[Rainer Jung]

Hi Stefan,

Am 01.04.2015 um 18:22 schrieb Stefan Eissing:

Jim,

today I converted your commit to a path on 2.4.12 and tested it with mod_h2. 
All fine!

Then I got a trouble report that alpn negotiation always selected "http/1.1" unless SSLAlpnPreference 
configured something else. This is due to the deterministic ordering and "http/1.1." > 
"h2". So, I made a slight modification, attached below.


Maybe related but concerning NPN: There was a difference between the NPN 
parts of your original Bugzilla attachment and what was already in 
mod_ssl trunk and therefore was not applied. In your attachment, there 
was some code for sorting in ssl_callback_AdvertiseNextProtos() which 
IMHO does not exist in trunk. Is that part necessary?


A second difference: your original addition to ssl_engine_io.c had the 
NPN and the ALPN parts merged in the same code block. In trunk those are 
now two separate pieces coming after each other.



--- modules/ssl/ssl_engine_kernel.c 2015-04-01 15:23:48.0 +0200
+++ ../../mod-h2/sandbox/httpd/gen/httpd-2.4.12/modules/ssl/ssl_engine_kernel.c 
2015-04-01 17:53:03.0 +0200
@@ -2177,7 +2152,7 @@
  }

  /*
- * Compare to ALPN protocol proposal. Result is similar to strcmp():
+ * Compare two ALPN protocol proposal. Result is similar to strcmp():
   * 0 gives same precedence, >0 means proto1 is prefered.
   */
  static int ssl_cmp_alpn_protos(modssl_ctx_t *ctx,
@@ -2254,14 +2229,8 @@
  i += plen;
  }

-/* Regardless of installed hooks, the http/1.1 protocol is always
- * supported by us. Add it to the proposals if the client also
- * offers it. */
  proposed_protos = apr_array_make(c->pool, client_protos->nelts+1,
   sizeof(char *));
-if (ssl_array_index(client_protos, alpn_http1) >= 0) {
-APR_ARRAY_PUSH(proposed_protos, const char*) = alpn_http1;
-}

  if (sslconn->alpn_proposefns != NULL) {
  /* Invoke our alpn_propos_proto hooks, giving other modules a chance 
to
@@ -2280,9 +2249,16 @@
  }

  if (proposed_protos->nelts <= 0) {
-ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02839)
-  "none of the client alpn protocols are supported");
-return SSL_TLSEXT_ERR_ALERT_FATAL;
+/* Regardless of installed hooks, the http/1.1 protocol is always
+ * supported by us. Choose it if none other matches. */
+if (ssl_array_index(client_protos, alpn_http1) < 0) {
+ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02839)
+  "none of the client alpn protocols are supported");
+return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+*out = (const unsigned char*)alpn_http1;
+*outlen = (unsigned char)strlen(alpn_http1);
+return SSL_TLSEXT_ERR_OK;
  }

  /* Now select the most preferred protocol from the proposals. */

Re: svn commit: r1673470 - /httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml

[Rainer Jung]

Am 14.04.2015 um 19:06 schrieb rbo...@apache.org:

Author: rbowen
Date: Tue Apr 14 17:06:10 2015
New Revision: 1673470

URL: http://svn.apache.org/r1673470
Log:
Add "pre-compressed content" recipe, as per
https://bz.apache.org/bugzilla/show_bug.cgi?id=51336

Modified:
 httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml?rev=1673470&r1=1673469&r2=1673470&view=diff
==
--- httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml Tue Apr 14 17:06:10 2015
@@ -178,6 +178,51 @@ SetEnvIfNoCase Request_URI \.(?:gif|jpe?
  
  

+Serving pre-compressed
+content
+
+Since mod_deflate re-compresses content each
+time a request is made, some performance benefit can be derived by
+pre-compressing the content and telling mod_deflate to serve them
+without re-compressing them. This may be accomplished using a
+configuration like the following:
+
+
+  
+# Serve gzip compressed CSS files if they exist
+# and the client accepts gzip.
+RewriteCond %{HTTP:Accept-encoding} gzip
+RewriteCond %{REQUEST_FILENAME}\.gz -s
+RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
+
+# Serve gzip compressed JS files if they exist
+# and the client accepts gzip.
+RewriteCond %{HTTP:Accept-encoding} gzip
+RewriteCond %{REQUEST_FILENAME}\.gz -s
+RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
+
+
+# Serve correct content types, and prevent mod_deflate double gzip.
+RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
+RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
+
+
+
+  # Serve correct encoding type.
+  Header append Content-Encoding gzip
+
+  # Force proxies to cache gzipped &
+  # non-gzipped css/js files separately.
+  Header append Vary Accept-Encoding
+
+  
+
+
+
+
+
+
+
  
  DeflateFilterNote
  Places the compression ratio in a note for logging


AFAIK mod_rewrite automatically adds headers from RewriteCond to the 
Vary header as long as no "NV" flag is used. So the "Header append Vary 
Accept-Encoding" part should not be necessary.


Thanks for putting effort into documenting the recipe.

Regards,

Rainer

Re: svn commit: r1673470 - /httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml

[Rainer Jung]

Am 15.04.2015 um 00:14 schrieb Rainer Jung:

Am 14.04.2015 um 19:06 schrieb rbo...@apache.org:

Author: rbowen
Date: Tue Apr 14 17:06:10 2015
New Revision: 1673470

URL: http://svn.apache.org/r1673470
Log:
Add "pre-compressed content" recipe, as per
https://bz.apache.org/bugzilla/show_bug.cgi?id=51336

Modified:
 httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml?rev=1673470&r1=1673469&r2=1673470&view=diff

==

--- httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_deflate.xml Tue Apr 14
17:06:10 2015
@@ -178,6 +178,51 @@ SetEnvIfNoCase Request_URI \.(?:gif|jpe?
  
  

+Serving pre-compressed
+content
+
+Since mod_deflate re-compresses content each
+time a request is made, some performance benefit can be derived by
+pre-compressing the content and telling mod_deflate to serve them
+without re-compressing them. This may be accomplished using a
+configuration like the following:
+
+
+  <IfModule mod_headers.c>
+# Serve gzip compressed CSS files if they exist
+# and the client accepts gzip.
+RewriteCond %{HTTP:Accept-encoding} gzip
+RewriteCond %{REQUEST_FILENAME}\.gz -s
+RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
+
+# Serve gzip compressed JS files if they exist
+# and the client accepts gzip.
+RewriteCond %{HTTP:Accept-encoding} gzip
+RewriteCond %{REQUEST_FILENAME}\.gz -s
+RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
+
+
+# Serve correct content types, and prevent mod_deflate double gzip.
+RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
+RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
+
+
+<FilesMatch "(\.js\.gz|\.css\.gz)$">
+  # Serve correct encoding type.
+  Header append Content-Encoding gzip
+
+  # Force proxies to cache gzipped &
+  # non-gzipped css/js files separately.
+  Header append Vary Accept-Encoding
+</FilesMatch>
+  </IfModule>
+
+
+
+
+
+
+
  
  DeflateFilterNote
  Places the compression ratio in a note for
logging


AFAIK mod_rewrite automatically adds headers from RewriteCond to the
Vary header as long as no "NV" flag is used. So the "Header append Vary
Accept-Encoding" part should not be necessary.


I should probably also mention, that the recipe gets easier, once one 
accepts a non-standard convention for the names of the compressed 
content. If you add the ".gz" before the final suffix ".js", ".css" 
etc., then the web server will automatically get the content type 
correct. So you can drop the "T=" flags. My variant of the recipe was:


RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{REQUEST_FILENAME} ^(.+)\.(css|js)$
RewriteCond %1.gz%2 -s
RewriteRule ^(.+)\.(css|js)$ $1.gz.$2 [QSA,E=gz:1,E=no-gzip:1]

Header append Content-Encoding gzip env=gz

The additional replacement of FilesMatch with a custom env var (here 
named "gz") one can check in the "Header append" part is independent of 
the other change.


One could drop the second and third RewriteCond, if one assumes that all 
such files have been compressed. To create the compressed files with 
non-standard name convention, one can use on Unix/Linux a script like e.g.


CONTENT_DIR=/opt/myapp/static/
PERMS=644
for suffix in css js
do
for file in \
  `find $CONTENT_DIR -type f -name "*.$suffix" -a ! -name "*.gz.*"`
do
gzfile=`echo $file | sed -e 's#\.'$suffix'#.gz.'$suffix'#'`
gzip --best -c $file > $gzfile
chmod $PERMS $gzfile
echo === $file $gzfile ===
ls -ld $file $gzfile
done
done

I like the idea of adding this as a feature to mod_deflate. I actually 
started doing this a few weeks ago but got side-tracked.


Regards,

Rainer

Re: svn commit: r1673940 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/ssl/ssl_util_ssl.c

[Rainer Jung]

Am 15.04.2015 um 21:49 schrieb cove...@apache.org:

Author: covener
Date: Wed Apr 15 19:49:31 2015
New Revision: 1673940

URL: http://svn.apache.org/r1673940
Log:
Merge r1666297 from trunk:

ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when
checking the server certificate constraints (SSL_X509_getBC()).


Modified:
 httpd/httpd/branches/2.4.x/   (props changed)
 httpd/httpd/branches/2.4.x/CHANGES
 httpd/httpd/branches/2.4.x/STATUS
 httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_ssl.c




Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1673940&r1=1673939&r2=1673940&view=diff
==
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Wed Apr 15 19:49:31 2015
@@ -12,6 +12,13 @@ Changes with Apache 2.4.13
   calls r:wsupgrade() can cause a child process crash.
   [Edward Lu ]

+  *) mod_ssl: Fix possible crash when loading server certificate constraints.
+ PR 57694. [Paul Spangler , Yann Ylavic]
+
+  *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body).  [Yann Ylavic]
+
*) build: Don't load mod_cgi and mod_cgid in the default configuration
   if they're both built.  [olli hauer ]


Is the second (core) entry intentional or a merge error?

Regards,

Rainer

Re: ALPN patch comments

[Rainer Jung]

Am 22.04.2015 um 17:49 schrieb Kaspar Brand:

On 22.04.2015 10:52, Stefan Eissing wrote:

I made two small patches based on the feedback from Kaspar. One for
the code and one for the documentation.


Thanks. In the patch for ssl_private.h, the complete NPN block should
actually be dropped - the same block is are already part of
ssl_private.h, just 10 lines above.


I've kept the new one and dropped the old one in r1675459. The condition 
was slightly different. I dropped


#if !defined(OPENSSL_NO_NEXTPROTONEG) && defined(OPENSSL_NPN_NEGOTIATED)

and kept

#if !defined(OPENSSL_NO_NEXTPROTONEG) && !defined(OPENSSL_NO_TLSEXT) && 
defined(OPENSSL_NPN_NEGOTIATED)


Hope that's OK.

Regards,

Rainer

Re: ALPN patch comments

[Rainer Jung]

Am 23.04.2015 um 06:56 schrieb Kaspar Brand:

On 22.04.2015 21:30, Rainer Jung wrote:

Am 22.04.2015 um 17:49 schrieb Kaspar Brand:

Thanks. In the patch for ssl_private.h, the complete NPN block should
actually be dropped - the same block is are already part of
ssl_private.h, just 10 lines above.


I've kept the new one and dropped the old one in r1675459.


It's nitpicking, but... the old one was already correct, actually. All
this stuff is in a larger "#if !defined(OPENSSL_NO_TLSEXT) ..." block,
so there's no need to repeat NO_TLSEXT.


Oups, fixed in r1675549.


I'd rather get consensus on completely dropping HAVE_TLS_NPN from trunk
anyway, though, so it's really a very minor point right now ;-)


Agreed.

Rainer

Re: svn commit: r1680895 - in /httpd/httpd/trunk: docs/manual/mod/mod_log_config.xml modules/loggers/mod_log_config.c

[Rainer Jung]

Am 21.05.2015 um 20:57 schrieb Eric Covener:

On Thu, May 21, 2015 at 2:54 PM, Jeff Trawick  wrote:

This is a very nice improvement over introducing "M", and Yann's suggestion
to expand "T" instead of "D" is an increment above that.

Any concerns if I switch them out?


+1 here


No concern. I'm just to lazy to do it myself after goind down the %D 
route. Go ahead if you like. Most of us seem to favor it.


Regards,

Rainer

Two questions on mod_ssl source code details

[Rainer Jung]

1) In other code I see

EC_KEY_free(ecdh);

after

  EC_KEY *ecdh = EC_KEY_new_by_curve_name(...)
and using ecdh, e.g. in
  SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);

Should we add the free? Or is it not needed? Anyone knows why?

2) In modules/ssl/ssl_private.h I see

/**
  * The following features all depend on TLS extension support.
  * Within this block, check again for features (not version numbers).
  */
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)

#define HAVE_TLSEXT

and then further checks and defines for OCSP, Session Tickets, SRP, 
ALPN, all inside this "if" block.


Is it really true, that they are only supported if 
SSL_set_tlsext_host_name is defined? That function seems to belong only 
to SNI.


Should we switch the code to:

/**
  * The following features all depend on TLS extension support.
  * Within this block, check again for features (not version numbers).
  */
#if !defined(OPENSSL_NO_TLSEXT)

#define HAVE_TLSEXT

#if defined(SSL_set_tlsext_host_name)
#define HAVE_SNI
#endif

and then use HAVE_SNI where appropriate.

Regards,

Rainer

Re: Two questions on mod_ssl source code details

[Rainer Jung]

1) In other code I see

EC_KEY_free(ecdh);

after

  EC_KEY *ecdh = EC_KEY_new_by_curve_name(...)
and using ecdh, e.g. in
  SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);

Should we add the free? Or is it not needed? Anyone knows why?


This was added in r1666363:

* mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,
otherwise eckey will not be freed.


Damn, I was working my way though old patches to port them to Tomcat 
tcnative and forgot to check the current code.



2) In modules/ssl/ssl_private.h I see

/**
   * The following features all depend on TLS extension support.
   * Within this block, check again for features (not version numbers).
   */
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)

#define HAVE_TLSEXT


I guess this was (one of) the first TLS extention added to OpenSSL,
hence OPENSSL_NO_TLSEXT was probably defined at the same time as
SSL_set_tlsext_host_name.
This code checks if extensions are not disabled (OPENSSL_NO_TLSEXT),
but that's relevent only if they exist in OpenSSL
(SSL_set_tlsext_host_name).



Should we switch the code to:

/**
   * The following features all depend on TLS extension support.
   * Within this block, check again for features (not version numbers).
   */
#if !defined(OPENSSL_NO_TLSEXT)


That would be true before OPENSSL_NO_TLSEXT existed...


Yup, got it.

Thanks a bunch,

Rainer

Re: svn commit: r1681297 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS docs/manual/mod/mod_log_config.xml modules/loggers/mod_log_config.c

[Rainer Jung]

Am 23.05.2015 um 11:28 schrieb Yann Ylavic:

On Sat, May 23, 2015 at 11:23 AM,   wrote:

Author: ylavic
Date: Sat May 23 09:23:13 2015
New Revision: 1681297

URL: http://svn.apache.org/r1681297
Log:
Merged r979120 from trunk.

[]

Modified: httpd/httpd/branches/2.2.x/STATUS

[]


-   * mod_log_config: Allow to choose request start or end time
- as time stamp in log (httpd traditionally uses start, many
- other components, e.g. Tomcat use end time, so they are kind
- of hard to correlate). Also add more format choices for time stamps.
- Needed get_request_end_time() was already ported back.
- trunk patch: http://svn.apache.org/r979120 (remaining parts)
- 2.4.x patch: http://svn.apache.org/r979120 (remaining parts)
- 2.2.x patch: 
http://people.apache.org/~rjung/patches/httpd-2.2.x-mod_log_config-more_time_formats-v2.patch
- +1: rjung, wrowe, ylavic
- rjung: I had forgotten the docs part. Added in v2 patch. OK to keep 
Bill's vote?


Applied since docs is CTR, right?


Yes and thanks!

Rainer

Re: Upcoming 2.2.x any chance to include the following fixes/additions

[Rainer Jung]

Am 24.05.2015 um 23:08 schrieb olli hauer:

Hi,

is there a chance to get the following revisions merged to 2.2.x
- r1551685, r1652929 (fix IPv4 mapping on FreeBSD)


In ssl_engine_dh.c there are calls to generate dh512 and dh1012,
perhaps it is also an idea to drop dh512 and add dh2048 or higher.

-system("openssl gendh $rand -out dh512.pem 512");
-system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh1024.pem 1024");
+system("openssl gendh $rand -out dh2048.pem 2048");


I wonder whether we should instead remove that whole embedded perl 
script. An improvement was ported back from 2.4 to 2.2 that means you 
can simply include the "openssl dhparam" output in the certificate file. 
In addition by default the next 2.2 will also choose a prime length 
corresponding to the RSA key length in the certificate. So in most cases 
user should be just fine. If admins want to tune, they can by generating 
params and appending them to the cert file.


What do you think: is there still a need for this embedded perl script?


PS:
on my local 2.2.x test system 'ab.c' from 2.4.13 build fine, perhaps
this is also a candidate for a next 2.2.x release.
Probably a bit to late for now. We are heading for a release real soon. 
But thanks for the heads up.


Regards,

Rainer

Re: Two questions on mod_ssl source code details

[Rainer Jung]

Am 22.05.2015 um 18:35 schrieb Yann Ylavic:

On Fri, May 22, 2015 at 6:29 PM, Rainer Jung  wrote:

1) In other code I see

 EC_KEY_free(ecdh);

after

   EC_KEY *ecdh = EC_KEY_new_by_curve_name(...)
and using ecdh, e.g. in
   SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);

Should we add the free? Or is it not needed? Anyone knows why?


This was added in r1666363:

* mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,
otherwise eckey will not be freed.


Ha! It is in trunk and 2.2, but the backport/changes in 2.4 were 
incomplete. Exactly the free is missing. Proposed now for 2.4 in STATUS.


Regards,

Rainer

mod_ssl: Reading dhparams and ecparams not only from the first certificate file

[Rainer Jung]

Current mod_ssl code tries to read embedded DH and ECC parameters only 
from the first certificate file. Although this is documented


"DH and ECDH parameters, however, are only read from the first 
SSLCertificateFile directive, as they are applied independently of the 
authentication algorithm type."


I find it questionable. I would find it more natural to embed the params 
in the cert files they apply to, so e.g. the DH params in the RSA cert 
file and the EC params in the ECDH cert file and also to not require a 
special order for the files which at the end we do not check. Since 
missing the embedded params goes unnoticed (finding them is only a DEBUG 
log line) it is not very user friendly.


Can't we simply try to read DH and ECC params from every certificate 
file and stop in each of the two cases when we have found some? That 
would tighten the user unfriendlyness to the case of having multiple 
inconsistent parameters embedded in different cert files. And even that 
could be checked and logged as a warning.


I would suggest to move the param extraction a little above in the 
certificate loop and only try to extract and use the params if a 
previous extraction for that type did not already succeed. See below for 
a patch suggestion. It moved the read code into the cert loop, removes 
the NULL check for certfile (it is done in the loop condition), adds a 
boolean dhparams_found and ecparams_found to track whether we already 
found some and adds warnings if we find them more than once or if found 
ecparams are not valid. The final "auto" behavior setting stays after 
the loop and is executed if ecparams is still NULL.


Related is handling of keys embedded in cert files. AFAIK we only try to 
read the key from the certificate file instead of a configured key file, 
if there is no key file for the same index configured. That means if you 
start mixing embedded keys and separate key files, all certificates with 
separate key files must come first, then the certificates with the 
embedded keys (and the order must match).For this I don't have a better 
solution than just documenting it.


Regards,

Rainer

Index: modules/ssl/ssl_engine_init.c
===
--- modules/ssl/ssl_engine_init.c   (revision 1681275)
+++ modules/ssl/ssl_engine_init.c   (working copy)
@@ -1039,8 +1039,10 @@
 int i;
 X509 *cert;
 DH *dhparams;
+int dhparams_found = 0;
 #ifdef HAVE_ECC
 EC_GROUP *ecparams;
+int ecparams_found = 0;
 int nid;
 EC_KEY *eckey = NULL;
 #endif
@@ -1174,40 +1176,67 @@
 SSL_free(ssl);
 #endif

+/*
+ * Try to read DH parameters from the SSLCertificateFile
+ */
+dhparams = ssl_dh_GetParamFromFile(certfile);
+if (dhparams) {
+if (dhparams_found) {
+ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 
APLOGNO(02901)

+ "Custom DH parameters already loaded for %s,"
+ " ignored from %s",
+ vhost_id, certfile);
+}
+else {
+SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
+dhparams_found = 1;
+ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+ "Custom DH parameters (%d bits) for %s 
loaded from %s",

+ BN_num_bits(dhparams->p), vhost_id, certfile);
+}
+}
+
+#ifdef HAVE_ECC
+/*
+ * Try to read the ECDH curve name from SSLCertificateFile
+ */
+ecparams = ssl_ec_GetParamFromFile(certfile);
+if (ecparams) {
+if (ecparams_found) {
+ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, 
APLOGNO(02902)
+ "Custom ECDH parameters already loaded for 
%s,"

+ " ignored from %s",
+ vhost_id, certfile);
+}
+else {
+if ((nid = EC_GROUP_get_curve_name(ecparams)) &&
+(eckey = EC_KEY_new_by_curve_name(nid))) {
+SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
+ecparams_found = 1;
+ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, 
APLOGNO(02541)

+ "ECDH curve %s for %s specified in %s",
+ OBJ_nid2sn(nid), vhost_id, certfile);
+}
+else {
+ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, 
APLOGNO(02903)
+ "Invalid ECDH parameters for %s 
ignored from %s",

+ vhost_id, certfile);
+}
+}
+}
+#endif
+
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02568)
  "Certificate and private key %s configured from 
%s and %s",

  key_id, certfi

Re: 2.4 release backport list

[Rainer Jung]

Hi Stefan,

Am 26.05.2015 um 10:37 schrieb Stefan Eissing:

Sorry, if this question has an obvious answer which I was unable to find: where 
would I find a list of the changes that will be backported to the 2.4.13 
release in order to see if a change has received enough votes?


The backports that are currently on vote are always in the STATUS file 
which sits in the top level directory of the respective branch in svn. 
For example:


http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?view=co

If an item has enough votes it is moved in the file from "PATCHES 
PROPOSED TO BACKPORT FROM TRUNK:" to "PATCHES ACCEPTED TO BACKPORT FROM 
TRUNK:". Next it gets applied to the code and removed from the file.


After the backport you can find the backported items in the CHANGES file 
in svn (if the backport contains a user facing change). Most backports 
also are done using "svn merge", so you can also look at the 
svn:mergeinfo property of the top level directory of the branch. Finally 
you can diff ...


Some parts can be applied without going through status, mostly docs 
changes and some platform specific things.


All changes be it to STATUS, to CHANGES or some other files in svn are 
mailed to c...@httpd.apache.org to which you could subscribe, if you want 
to follow more closely.


Regards,

Rainer

Re: mod_ssl: Reading dhparams and ecparams not only from the first certificate file

[Rainer Jung]

Am 26.05.2015 um 11:00 schrieb Tim Bannister:

On 26 May 2015, at 09:37, Reindl Harald  wrote:



Am 26.05.2015 um 10:33 schrieb Rainer Jung:

Current mod_ssl code tries to read embedded DH and ECC parameters only from the 
first certificate file. Although this is documented

"DH and ECDH parameters, however, are only read from the first
SSLCertificateFile directive, as they are applied independently of the
authentication algorithm type."

I find it questionable. I would find it more natural to embed the params in the 
cert files they apply to, so e.g. the DH params in the RSA cert file and the EC 
params in the ECDH cert file and also to not require a special order for the 
files which at the end we do not check. Since missing the embedded params goes 
unnoticed (finding them is only a DEBUG log line) it is not very user friendly


honestly it would be much more user friendly to have a own parameter for that 
which would make it easy to regenerate the params via cronjobs without touching 
the PEM file containing the real certificate and private key


With that kind of directive it would also leave flexibility for this kind of 
thing:

DHParamsEC /tmp/example
DHParamsEC none
DHParamsEC auto

(that last case – I'm imagining that httpd generates the D-H parameters at each 
startup, blocking use of ECDH until generation is complete).


I think the way forward is SSLOpenSSLConfCmd which tries to get rid of 
one new mod_ssl directive per new OpenSSL feature. But that is 1.0.2 
only. So for a transitory phase we need something else and at least me 
I'm happy, that you can already configure the params (by embedding in 
the cert file).


Regards,

Rainer

Re: 2.4 release backport list

[Rainer Jung]

Am 26.05.2015 um 11:07 schrieb Yann Ylavic:

Oups, several simultaneous responses...


That shows how much we like him (his work) :)

Re: mod_ssl: Reading dhparams and ecparams not only from the first certificate file

[Rainer Jung]

Am 27.05.2015 um 08:40 schrieb Kaspar Brand:

On 26.05.2015 10:33, Rainer Jung wrote:

I find it questionable. I would find it more natural to embed the params
in the cert files they apply to, so e.g. the DH params in the RSA cert
file and the EC params in the ECDH cert file and also to not require a
special order for the files which at the end we do not check. Since
missing the embedded params goes unnoticed (finding them is only a DEBUG
log line) it is not very user friendly.


When I added this with r1527295, I didn't expect custom [EC]DH
parameters in a certificate file to be the typical case for a mod_ssl
configuration - and even in the light of Logjam, I don't think that we
would want to recommend creating custom DH parameters for the average
admin. As long as 2048-bit RSA keys are configured (the standard for
certs issued by publicly-trusted CAs these days), there's nothing wrong
with relying on the built-in DH parameters, i.e. those from RFC 3526. [1]


Can't we simply try to read DH and ECC params from every certificate
file and stop in each of the two cases when we have found some? That
would tighten the user unfriendlyness to the case of having multiple
inconsistent parameters embedded in different cert files. And even that
could be checked and logged as a warning.


I don't have strong feelings on this, but am not sure if it's worth
adding more code to address this specific case. My guess is that
multi-cert virtual host configurations with OpenSSL < 1.0.2 are
extremely rare, since they are prone to the
one-intermediate-CA-cert-only issue, and with OpenSSL 1.0.2 or later,
SSLOpenSSLConfCmd is definitely preferrable.


OK


As far as your observation "to embed the params in the cert files they
apply to" is concerned, I think there might be a misunderstanding here:
the [EC]DH parameters are orthogonal to the authentication algorithm -
for an RSA key, both are applicable (cf. openssl ciphers -v aRSA+DHE and
openssl ciphers -v aRSA+ECDHE).


Thanks for the correction.


That means if you start mixing embedded keys and separate key files,


I would definitely discourage from doing so, and wouldn't bother with
adding configuration code to address such cases (would introduce
unneeded complexity). Putting the the private key into the
SSLCertificateFile has been discouraged since the 2.0 release, actually
- see the SSLCertificateKeyFile docs added with r93825. What is probably
missing is a more prominent notice in the section on SSLCertificateFile.


OK I'll have a look at the docs an see whether I can improve them.


[1] The weakdh.org site needs an update on this, as acknowledged by a
team member meanwhile, see
https://www.ietf.org/mail-archive/web/tls/current/msg16515.html


Thanks for your helpful comments!

Rainer

Re: httpd and OpenSSL 1.0.2

[Rainer Jung]

Am 29.05.2015 um 15:16 schrieb Wang, Andy:

You might want to reconsider that unless you really really are sure you know 
what you're doing.
On a linux distro, the system installed openssl is considered a fundamental 
platform infrastructure library.  I.e. many many things rely on it.  openssl 
versions are not backward compatible.

So if you don't rebuild all of your distro installed dependencies on openssl, 
you've likedly just screwed up runtime linking of alot of things.

Also, the system installed library and the openssl config makefiles may be 
using incompatible soname mechanisms, which could explain why you're able to 
link but not run (i.e. at linktime it may be finding the right library, but at 
runtime it's not).


I didn't follow the whole thread, but about linking versus running:

at link time the linker will use the files libssl.so and libcrypto.so 
(or libssl.a and libcrypto.a). Because all it is given is -lssl and 
-lcrypto as flags.


It will look in those files for an entry named SONAME. On linux you can 
see that name by issuing


objdump -p /path/to/my/libssl.so

and

objdump -p /path/to/my/libcrypto.so

Example output:

/path/to/my/libssl.so: file format elf64-x86-64

Program Header:
...

Dynamic Section:
  NEEDED   libcrypto.so.1.0.0
  NEEDED   libdl.so.2
  NEEDED   libz.so.1
  NEEDED   libc.so.6
  SONAME   libssl.so.1.0.0
...

Version References:
  required from libc.so.6:
0x09691a75 0x00 02 GLIBC_2.2.5

Here you can see the SONAME is libssl.so.1.0.0. This name is added as a 
dependency into the linked binary. At runtime the runtime linker will 
look for this file, not for libssl.so.


During installation of lobssl.so (resp. libcrypto.so) typically the 
files get linked using a symlink, so it would make no difference. If you 
start to overwrite parts of the system installation, the two names might 
point to different content.


About compatibility: OpenSSL 1.0.0 up to OpenSSL 1.0.2 have compatible 
APIs, that's why the SONAME ends with .1.0.0 in all three cases. It is 
definitely possible to upgrade, i.e. use a newer version in the 1.0.0 to 
1.0.2 range during runtime than was used during compile/link time. The 
other way round only holds for patch versions with the same first three 
digits.


The SSL_CONF_CTX_* symbols you were originally referring to are only 
part of 1.0.2. So it seems you compiled against header files from 1.0.2 
and likely also loinked against a 1.0.2 libssl.so, but at runtime the 
libssl.so.1.0.0 that the runtime linker finds is version 1.0.0 or 1.0.1. 
The runtime linker has a search path that is defined on the system and 
can be influenced using LD_LIBRARY_PATH. The compile time linker is also 
influenced by compile "-L" flags.


Whether some specific libssl.so (or libssl.so.1.0.0) file contains the 
symbol or not can be checked using the "nm" command:


nm /path/to/my/libssl.so1.0.0 | grep SSL_CONF_CTX

Example output here:

000581a0 T SSL_CONF_CTX_clear_flags
00058180 T SSL_CONF_CTX_finish
00058250 T SSL_CONF_CTX_free
000582f0 T SSL_CONF_CTX_new
00058280 T SSL_CONF_CTX_set1_prefix
00058190 T SSL_CONF_CTX_set_flags
000581b0 T SSL_CONF_CTX_set_ssl
00058200 T SSL_CONF_CTX_set_ssl_ctx

If the symbols are not contained you will get no hits, if they are only 
referred in the lib but contained in another depenency lib, you get a 
"U" marker instead of the "T" (also see the nm man page for more 
possible cases).


HTH

Rainer

Re: httpd and OpenSSL 1.0.2

[Rainer Jung]

Am 29.05.2015 um 18:30 schrieb William A Rowe Jr:

Don't be fooled.

OpenSSL 1.0.1 did not break binary compatibility, the lib designation
remains .so.1.0.0.  Can someone confirm whether this was changed in 1.0.2?


As I already wrote it didn't.

Rainer

Re: httpd and OpenSSL 1.0.2

[Rainer Jung]

Am 29.05.2015 um 18:36 schrieb Wang, Andy:

It didn't break api compatibly but it sure did break backwards compatibility. 
I'm pretty sure if you link against 1.0.2 you can't run with an older 1.0.x 
library. Which is what appears to happen in Mario's case.


That's correct. If the app or lib you compile uses symbols only 
available in newer versions, then this is true. An example is mod_ssl. 
The runtime version needs to have the same SONAME and must have at least 
the same numeric OpenSSL version as the compile version.



I'm speculating as to why - being related to improperly replacing a system 
package management maintained library.


I don't get the "why": Why what? Why his runtime version is older than 
the version used during compile time? For that he would have to track 
down the files used. I tried to gave hints how to do that.


Regards,

Rainer

Re: ALPN patch comments

[Rainer Jung]

Am 29.04.2015 um 13:05 schrieb Kaspar Brand:

I did some formatting cleanup in r1676709 and put a patch for 2.4.x
online under
https://people.apache.org/~kbrand/mod_ssl-2.4.x-alpn_2015-04-29.diff.
This should hopefully make it easier for people to test and review (it's
an amalgamation of ten revisions from trunk, see the top of the patch file).


Question on that ALPN backport patch and the one in the STATUS file: is 
it clear that the registration setting up the propose and nego callback 
function arrays should be per connection? Wouldn't that be more a global 
or per vhost thing? Just asking because of performance reasons.


Regards,

Rainer

Re: About PR56925's fix (was: svn commit: r1682872 - /httpd/httpd/branches/2.4.x/STATUS)

[Rainer Jung]

Am 01.06.2015 um 13:36 schrieb Yann Ylavic:

Hi Rainer,

On Mon, Jun 1, 2015 at 1:06 PM,   wrote:

@@ -232,14 +238,14 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   trunk patch: http://svn.apache.org/r1681694
   2.4.x patch: trunk works (modulo CHANGES)
   +1: ylavic
+ rjung: Would it makes sense to handle 500/503 for the other proxy
+protocols similar? I see error_override at least also in the
+AJP and FCGI case.


I'll have a look at these, looks consitent to do it there too.


+ rjung: What about setting the note proxy-error-override in general
+if an error override happens so it might get more uses in
+the future. Would that make sense?


I'm not sure to understand here, what would be a "general" way to set the note?
It seems to me that each (proxy) module only can tell whether the
error comes from itself or the backend.


I meant "set it always if a ProxyErrorOverride happens", not "set it if 
we need it for the 500/503 check later". Maybe this is (for http) 
already the case, not sure about possible code paths for ProxyErrorOverride.


Rainer

Re: mod_ssl: Reading dhparams and ecparams not only from the first certificate file

[Rainer Jung]

Am 27.05.2015 um 09:33 schrieb Rainer Jung:

Am 27.05.2015 um 08:40 schrieb Kaspar Brand:

On 26.05.2015 10:33, Rainer Jung wrote:

I find it questionable. I would find it more natural to embed the params
in the cert files they apply to, so e.g. the DH params in the RSA cert
file and the EC params in the ECDH cert file and also to not require a
special order for the files which at the end we do not check. Since
missing the embedded params goes unnoticed (finding them is only a DEBUG
log line) it is not very user friendly.


When I added this with r1527295, I didn't expect custom [EC]DH
parameters in a certificate file to be the typical case for a mod_ssl
configuration - and even in the light of Logjam, I don't think that we
would want to recommend creating custom DH parameters for the average
admin. As long as 2048-bit RSA keys are configured (the standard for
certs issued by publicly-trusted CAs these days), there's nothing wrong
with relying on the built-in DH parameters, i.e. those from RFC 3526. [1]


Can't we simply try to read DH and ECC params from every certificate
file and stop in each of the two cases when we have found some? That
would tighten the user unfriendlyness to the case of having multiple
inconsistent parameters embedded in different cert files. And even that
could be checked and logged as a warning.


I don't have strong feelings on this, but am not sure if it's worth
adding more code to address this specific case. My guess is that
multi-cert virtual host configurations with OpenSSL < 1.0.2 are
extremely rare, since they are prone to the
one-intermediate-CA-cert-only issue, and with OpenSSL 1.0.2 or later,
SSLOpenSSLConfCmd is definitely preferrable.


OK


As far as your observation "to embed the params in the cert files they
apply to" is concerned, I think there might be a misunderstanding here:
the [EC]DH parameters are orthogonal to the authentication algorithm -
for an RSA key, both are applicable (cf. openssl ciphers -v aRSA+DHE and
openssl ciphers -v aRSA+ECDHE).


Thanks for the correction.


That means if you start mixing embedded keys and separate key files,


I would definitely discourage from doing so, and wouldn't bother with
adding configuration code to address such cases (would introduce
unneeded complexity). Putting the the private key into the
SSLCertificateFile has been discouraged since the 2.0 release, actually
- see the SSLCertificateKeyFile docs added with r93825. What is probably
missing is a more prominent notice in the section on SSLCertificateFile.


OK I'll have a look at the docs an see whether I can improve them.


[1] The weakdh.org site needs an update on this, as acknowledged by a
team member meanwhile, see
https://www.ietf.org/mail-archive/web/tls/current/msg16515.html


I edited the mod_ssl docs and faq in r1682923  and r1682937 (trunk), 
r1682929  and r1682939 (2.4) and r1682942 (2.2). I hope things are at 
least as clear as before my editing.


Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.13 as GA

[Rainer Jung]

 Am 04.06.2015 um 18:33 schrieb Jim Jagielski:

The pre-release test tarballs for Apache httpd 2.4.13 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.13 GA.

[X] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.


+1 to release, thanks for RMing.

In short: No regressions found.

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas
  (we could cleanup some m4 files in apr-util/xml/expat/conftools
   at the end of buildconf, no regression)

Built on

- Solaris 10 Sparc as 32 Bit Binaries
- SLES 10+11 (64 Bits)
- RHEL 6 (64 Bits)
- FreeBSD 9.1

On FreeBSD 2.4.12 runs on one machine for the ASF. No obvious problems 
showed up.


For all platforms except FreeBSD built

- with default (shared) and static modules
- with module sets none, few, most, all, reallyall and default
  (always mod_privileges disabled)
- using --enable-load-all-modules
- against "included" APR/APU from deps tarball,
  plus external APR/APU 1.5.2/1.5.4

- using external libraries
  - expat 2.1.0
  - pcre 8.37
  - openssl 1.0.1m
  - lua 5.2.4
  - distcache 1.5.1
  - libxml2 2.9.2

- Tool chain:
- platform gcc except for Solaris
  (gcc 4.1.2 for Solaris 8 and 4.9.2 for Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  (and -mpcu=v9 on Solaris)

All builds succeeded
  - one compiler warning
server/mpm/event/event.c:1438: warning: 'last' may be used uninitialized 
in this function


Tested for

- Solaris 10 (32), SLES 10+11 (64), RHEL 6 (64)
- MPMs prefork, worker, event
- default (shared) and static modules
- log levels info, debug and trace8
- module set reallyall (121 modules plus MPMs)

The following test failures were seen:

a Test 4 or 5 in t/modules/dav.t:
  Happens for 33 out of 324 runs.
  Creation, modified and now times not in the correct order.
  This seems to be a system issue, all tests done on NFS,
  many tested on virtualized guests.
  Not a regression.

b Various tests in t/apache/expr_string.t: (6, 11, 14, 17, 20 ,23)
  Happens for 65 out of 324 runs (almost all on SLES 10, 6 on RHEL6
  and 2 on Solaris).
  The failure is always on line 68, where the error_log contents
  are checked.
  Not a regression.

c Tests 55-57 of t/modules/cgi.t testing contents of ScriptLog.
  The tests fail for "reallyall" modules.
  Likely similar than what I observed for 2.4.12.
  Fix probably by porting r1651085 from mod_cgi to mod_cgid.
  Not a regression.

On FreeBSD I see the following failures:

t/apache/limits.t (Wstat: 0 Tests: 12 Failed: 1)
  Failed test:  8
t/modules/aaa.t   (Wstat: 0 Tests: 40 Failed: 3)
  Failed tests:  23-24, 27
t/ssl/pr12355.t   (Wstat: 0 Tests: 10 Failed: 4)
  Failed tests:  3-4, 7-8
t/ssl/pr43738.t   (Wstat: 0 Tests: 4 Failed: 2)
  Failed tests:  1-2

Since I don't have result from previous releases this is just for 
information.


Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.13 as GA

[Rainer Jung]

Am 08.06.2015 um 03:34 schrieb Jeff Trawick:

On Sun, Jun 7, 2015 at 1:20 PM, Rainer Jung mailto:rainer.j...@kippdata.de>> wrote:

...

On FreeBSD I see the following failures:

t/apache/limits.t (Wstat: 0 Tests: 12 Failed: 1)
   Failed test:  8


10.1: limits.t hangs for me after testing 7/12 if I have the kernel
accept filter loaded; passes fine otherwise

(presumably "hang" is just temporary, until the testcase is timed out)


Correct, it hangs for me as well, but just waiting long enough the test 
times our and proceeds.



t/modules/aaa.t   (Wstat: 0 Tests: 40 Failed: 3)
   Failed tests:  23-24, 27


I don't see that with or without accept filter loaded


OK, I analyzed that: my test install failed to install HTTP::Cookies. 
That resulted in a failure to reset the UA in t/modules/aaa.t when 
switching to form based auth checks. The old UA still had redirect 
support active and thus the test failed, because it tested conditions on 
the wrong response. The failure to create a new UA was hidden, because 
Apache-Test/lib/Apache/TestRequest.pm uses


172 eval { $UA ||= __PACKAGE__->new(%$args); };

and the eval hides the error (likely on purpose for other situations).


t/ssl/pr12355.t   (Wstat: 0 Tests: 10 Failed: 4)
   Failed tests:  3-4, 7-8


ditto (tested only with accept filter unloaded)

t/ssl/pr43738.t   (Wstat: 0 Tests: 4 Failed: 2)
   Failed tests:  1-2


ditto (tested only with accept filter unloaded)


The failures have to do with renegotiations on POST. I see

[Mon Jun 08 05:00:10.525918 2015] [ssl:trace4] [pid 41020:tid 
34396698624] ssl_engine_io.c(2059): [client 127.0.0.1:57206] OpenSSL: 
I/O error, 5 bytes expected to read on BIO#80

2369be0 [mem: 813817003]
[Mon Jun 08 05:00:10.525934 2015] [ssl:debug] [pid 41020:tid 
34396698624] ssl_engine_kernel.c(802): [client 127.0.0.1:57206] AH02260: 
Performing full renegotiation: complete handshake protocol (client does 
support secure renegotiation)


then a reneg handshake but finally:

[Mon Jun 08 05:00:10.527224 2015] [ssl:error] [pid 41020:tid 
34396698624] [client 127.0.0.1:57206] AH02261: Re-negotiation handshake 
failed
[Mon Jun 08 05:00:10.527250 2015] [ssl:error] [pid 41020:tid 
34396698624] SSL Library Error: error:1408A0C1:SSL 
routines:SSL3_GET_CLIENT_HELLO:no shared cipher -- Too restrictive 
SSLCipherSuite or using DSA server certificate?


The config for the test case wants

SSLCipherSuite RC4-MD5

That it fails is a bit strange, because the https communication in 
principle works and the OpenSSL used does support that cipher.


Rainer

Re: svn commit: r1685052 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_config.c

[Rainer Jung]

Am 12.06.2015 um 13:49 schrieb Yann Ylavic:

Hi Christophe,

On Fri, Jun 12, 2015 at 1:26 PM, Christophe JAILLET
 wrote:


should this warning at startup be an issue, why not just remove it in 2.4.x
and keep it in trunk?
Having the depreciation written in doc (and in migration note for 2.4 ->
2.6/3.0 one day) could be enough, no?


Probably, but the (only one) warning per startup can possibly
encourage users to look at the doc :)
Let's see what others say.


I don't have a strong opinion, but if we want to remove the directive in 
the next version, then it would help to keep the deprecation logging to 
make people aware and reduce the migration complains a bit.


Logging only once instead of for each certificate is IMHO enough and 
much better.


As to if the current situation in 2.4.14 is a problem or should be 
tolerated (lots of log output for people with huge numbers of 
certificates) I'm quite undecided.


Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.14 as GA

[Rainer Jung]

Am 12.06.2015 um 18:48 schrieb Jeff Trawick:

On Fri, Jun 12, 2015 at 12:35 PM, Jacob Perkins
mailto:jacob.perk...@cpanel.net>> wrote:

+1 to Noels comments.  We have a ton of servers running Apache 2.4
with our control panel.  Doing this in a point release will cause us
to have to change our product instead of doing a regular Apache
release.

When you have a server with 10k+ SSL vhosts, this can cause massive,
unexpected problems. I have a feeling that this will cause massive
headaches with all those running Apache 2.4.


Thanks to Noel's comments, we have dropped this to one message at a
quieter log level for the next 2.4.x release, and we can assist with a
tiny patch to any recent 2.4.x.

It doesn't make sense for us to hold up a release when that change has
been in the last several releases however.  (That's a high barrier for
making progress.)

Make sense?


Agreed, I forgot about that, the warning exists since 2.4.9 in March 
2014. So from my project member point of view you are totally right.


Rainer

Re: [VOTE] Release Apache httpd 2.4.14 as GA

[Rainer Jung]

Am 12.06.2015 um 19:12 schrieb William A Rowe Jr:

Revision 1678233 - (view) (download) (annotate) - [select for diffs]
Modified Thu May 7 16:26:43 2015 UTC (5 weeks, 1 day ago) by jim
File length: 57106 byte(s)
Diff to previous 1674655 (colored)
Merge r1676085 from trunk:

consistently output SSLCertificateChainFile deprecation warnings
Submitted by: kbrand
Reviewed/backported by: jim

sent the warnings to the console/main server error log, rather than a
specific server error log file.  Because this is during config parsing,
it that may have previously been a bit bucket.  So this could be
perceived as a regression although the logic and log file activity was
there for some time.


Indeed there was a discussion thread for r1562500 in 2014 during which 
Falco Schwarz reported, that he did *not* get the log message a anywhere 
(neither console, not log files) when he had the directive only in 
VirtualHosts. After the 2.4.13 change it seems to be new, that you get 
the message massively on console, if you have the directive in frequent 
use inside VHosts. That might well be perceived as a regression.


The 2.4.13 change replaced cmd->server in ap_log_error by NULL. The log 
level "APLOG_WARNING|APLOG_STARTUP" was not changed.


Rainer

Re: Apache-Test pre-requisites

[Rainer Jung]

Hi Michael,

Am 13.06.2015 um 12:10 schrieb Michael Felt:

Just a link to the "Howto setup Apache::Test" would be sufficient. The
README in the project sends me to mod_perl info, not a list of perl mods
needed to be added -- and unfortunately the Apache::Test does not
"include" a dependency list either - or CPAN could do this all
automatically.


Try cpan command

install Bundle::ApacheTest

to install prerequisites.

See also

http://search.cpan.org/~shay/Apache-Test-1.39/lib/Bundle/ApacheTest.pm

Regards,

Rainer


On Tue, Jun 9, 2015 at 9:55 PM, Michael Felt mailto:mamf...@gmail.com>> wrote:

My apologies for asking - but I am sure there are extra perl mods
that need to be installed before Apache-Test will operate as expected.

Unfortunately, it does not seem to demand them, and I have forgotten
the extra mods I loaded to get 100's of tests compared to the 13 I
am getting now.

I had hoped CPAN would tell me, but unfortunately, no.

cpan> install Apache::Test
CPAN: Storable loaded ok
Fetching with LWP:
ftp://download.xs4all.nl/pub/mirror/CPAN/authors/01mailrc.txt.gz
Going to read /var/perl/.cpan/sources/authors/01mailrc.txt.gz
Fetching with LWP:
ftp://download.xs4all.nl/pub/mirror/CPAN/modules/02packages.details.txt.gz
Going to read /var/perl/.cpan/sources/modules/02packages.details.txt.gz
   Database was generated on Tue, 09 Jun 2015 17:17:02 GMT

   There's a new CPAN.pm version (v2.10) available!
   [Current version is v1.7601]
   You might want to try
 install Bundle::CPAN
 reload cpan
   without quitting the current session. It should be a seamless upgrade
   while we are running...

Fetching with LWP:
ftp://download.xs4all.nl/pub/mirror/CPAN/modules/03modlist.data.gz
Going to read /var/perl/.cpan/sources/modules/03modlist.data.gz
Going to write /var/perl/.cpan/Metadata
Apache::Test is up to date.

Reminders are welcome!

Michael

Tests are ending with:
Failed 2/13 test scripts, 84.62% okay. 7/43 subtests failed, 83.72%
okay.

whereas before I was gettign numbers such as:

Failed 18/109 test programs. 247/4555 subtests failed.

And I have also had all test successful... But do not have those saved.

Mainly I am looking at 2/13 and 7/43 compared to 18/109 and 247/4555

Re: Apache-Test pre-requisites

[Rainer Jung]

Am 13.06.2015 um 12:23 schrieb Rainer Jung:

Hi Michael,

Am 13.06.2015 um 12:10 schrieb Michael Felt:

Just a link to the "Howto setup Apache::Test" would be sufficient. The
README in the project sends me to mod_perl info, not a list of perl mods
needed to be added -- and unfortunately the Apache::Test does not
"include" a dependency list either - or CPAN could do this all
automatically.


Try cpan command

install Bundle::ApacheTest

to install prerequisites.

See also

http://search.cpan.org/~shay/Apache-Test-1.39/lib/Bundle/ApacheTest.pm


There's some more info in the README file you can find after checking out

http://svn.apache.org/repos/asf/httpd/test/framework/trunk/

or browsing via

http://svn.apache.org/viewvc/httpd/test/framework/trunk/

Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.14 as GA

[Rainer Jung]

2.4.14 as GA


Regression: All works fine except a Proxy Pass  to Sambar server, was
working ok with 2.4.12.

ProxyPasses to other servers the Sambar works fine.

ProxyPass /sysadmin http://127.0.0.1:81/sysadmin
ProxyPassReverse /sysadmin http://127.0.0.1:81/sysadmin

Calling with http://127.0.0.1:8080/sysadmin/ gives AH01110: error
reading
response :

[Sat Jun 13 13:23:08.010826 2015] [authz_core:debug] [pid 5684:tid 1128]
mod_authz_core.c(834): [client ::1:51072] AH01628: authorization result:
granted (no directives)
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
mod_proxy.c(1157): [client ::1:51072] AH01143: Running scheme http
handler
(attempt 0)
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
proxy_util.c(2145): AH00942: HTTP: has acquired connection for
(127.0.0.1)
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
proxy_util.c(2199): [client ::1:51072] AH00944: connecting
http://127.0.0.1:81/sysadmin/ to 127.0.0.1:81 <http://127.0.0.1:81>
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
proxy_util.c(2408): [client ::1:51072] AH00947: connected /sysadmin/ to
127.0.0.1:81 <http://127.0.0.1:81>
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
proxy_util.c(2782): AH02824: HTTP: connection established with
127.0.0.1:81 <http://127.0.0.1:81>
(127.0.0.1)
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
proxy_util.c(2936): AH00962: HTTP: connection complete to
127.0.0.1:81 <http://127.0.0.1:81>
(127.0.0.1)
[Sat Jun 13 13:23:08.010826 2015] [proxy_http:error] [pid 5684:tid 1128]
(20014)Internal error (specific information not available): [client
::1:51072] AH01110: error reading response
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
proxy_util.c(2160): AH00943: HTTP: has released connection for
(127.0.0.1)
[Sat Jun 13 13:23:08.010826 2015] [proxy:debug] [pid 5684:tid 1128]
proxy_util.c(2878): [remote 127.0.0.1:81 <http://127.0.0.1:81>]
AH02642: proxy: connection
shutdown



-Original Message- From: Jim Jagielski
Sent: Thursday, June 11, 2015 4:08 PM Newsgroups:
gmane.comp.apache.devel
To: httpd
Subject: [VOTE] Release Apache httpd 2.4.14 as GA

The pre-release test tarballs for Apache httpd 2.4.14 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.14 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience.

Thx!



--
Born in Roswell... married an alien...
http://emptyhammock.com/


--
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33aFax: 0228 98549 -50
53111 Bonn www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann

Re: [VOTE] Release Apache httpd 2.4.14 as GA

[Rainer Jung]

Am 11.06.2015 um 16:08 schrieb Jim Jagielski:

The pre-release test tarballs for Apache httpd 2.4.14 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.14 GA.

[ ] +1: Good to go
[ ] +0: meh
[X] -1: Danger Will Robinson. And why.


Not an easy call.

-1 but even more thanks for RMing.

Negative vote due to:

- chance of breaking chunked encoding due to spec intolerance.
  Proxy example reported by Steffen plus
  at least anecdotal evidence by Jeff (Apache 1.3 backends).

- mass occurrence of SSLCertificateChainFile deprecation warning

IMHO it would be better to tolerate white space in chunk header, as 
suggested by Yann now in STATUS.


Concerning the deprecation warnings I'm not sure what the current 
consensus for best behavior is. I think we want only one log message, 
not one per VHosts. Probably undecided currently:


- log level of this one message (IMHO: WARNING)
- send it to log file only or also to console (IMHO: log file only)
- should we indicate in the message, that here might be other places 
using SSLCertificateChainFile as well? (IMHO yes)
- should we log all the other places, but only to log file and with info 
or debug log level? (IMHO no, because it could be quite a lot and 
switching to debug would make it invisible for most people; find/grep is 
not that hard)


Test using test suite:

In short: No regressions found.

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas
  (we could cleanup some m4 files in apr-util/xml/expat/conftools
   at the end of buildconf, no regression)

Built on

- Solaris 8+10 Sparc as 32 Bit Binaries
- SLES 10+11 (64 Bits)
- RHEL 6 (64 Bits)

For all platforms built

- with default (shared), shared and static modules
- with module sets none, few, most, all, reallyall and default
  (always mod_privileges disabled)
- using --enable-load-all-modules
- against "included" APR/APU from deps tarball,
  plus external APR/APU 1.5.2/1.5.4

- using external libraries
  - expat 2.1.0
  - pcre 8.37
  - openssl 1.0.1n
  - lua 5.2.4
  - distcache 1.5.1
  - libxml2 2.9.2

- Tool chain:
- platform gcc except for Solaris
  (gcc 4.1.2 for Solaris 8 and 4.9.2 for Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  (and -mpcu=v9 on Solaris)

All builds succeeded
  - two compiler warnings
server/mpm/event/event.c:1438: warning: 'last' may be used uninitialized 
in this function
ssl/ssl_util_stapling.c:657: warning: 'ok' may be used uninitialized in 
this function

Tested for

- Solaris 8+10 (32), SLES 10+11 (64), RHEL 6 (64)
- MPMs prefork, worker, event
  (except event on Solaris8, unsupported)
- default, shared and static modules
- log levels info, debug and trace8
- module set reallyall (121 modules plus MPMs)

The following test failures were seen:

a Test 4 or 5 in t/modules/dav.t:
  Happens for 27 out of 364 runs.
  Creation, modified and now times not in the correct order.
  This seems to be a system issue, all tests done on NFS,
  many tested on virtualized guests.
  Not a regression.

b Various tests in t/apache/expr_string.t: (6, 11, 14, 17, 20 ,23)
  Happens for 63 out of 364 runs (almost all on SLES 10, 6 on RHEL6
  and 1 on Solaris 8).
  The failure is always on line 68, where the error_log contents
  are checked.
  Not a regression.

c Tests 55-57 of t/modules/cgi.t testing contents of ScriptLog.
  Likely similar than what I observed for 2.4.12.
  Fix probably by porting r1651085 from mod_cgi to mod_cgid.
  Not a regression.

Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.14 as GA

[Rainer Jung]

Am 14.06.2015 um 19:17 schrieb Rainer Jung:

[X] -1: Danger Will Robinson. And why.


Not an easy call.

-1 but even more thanks for RMing.

Negative vote due to:

- chance of breaking chunked encoding due to spec intolerance.


s/spec/space/ - Sorry.


   Proxy example reported by Steffen plus
   at least anecdotal evidence by Jeff (Apache 1.3 backends).

- mass occurrence of SSLCertificateChainFile deprecation warning