Unable to run t/ssl tests.
On Win32... Using openssl 0.9.8, httpd 2.1-dev (current) and perl-framework (current)... and I end up in a loop between running t/TEST -clean and t/TEST -apxs g:/path/to/apxs with this error, every time;

The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'California'
localityName :PRINTABLE:'San Francisco'
organizationName :PRINTABLE:'ASF'
organizationalUnitName:PRINTABLE:'httpd-test/dsa-des3-test'
commonName :PRINTABLE:'localhost'
emailAddress :IA5STRING:'test-dev@httpd.apache.org'
Certificate is to be certified until Jul 22 21:36:28 2006 GMT (365 days)
Write out database with 1 new entries
unable to rename serial to serial.old
reason: File exists
[ error] configure() has failed:
system ca -policy policy_anything -in csr/server_des3_dsa.csr -out certs/server_des3_dsa.crt -passin pass:httpd -config conf/server_des3_dsa.cnf -batch extensions comment failed (exit status=1) at G:\built\perl-framework\blib\lib/Apache/TestSSLCA.pm line 172.
[warning] forcing Apache::TestConfig object save
[warning] run 't/TEST -clean' to clean up before continuing

Does this look familiar to anyone?

Bill
Re: Unable to run t/ssl tests.
At 05:20 PM 7/22/2005, William A. Rowe, Jr. wrote:
On Win32... Using openssl 0.9.8, httpd 2.1-dev (current) and perl-framework (current)... and I end up in a loop between running t/TEST -clean and t/TEST -apxs g:/path/to/apxs with this error, every time;

Ok - I lie - now -clean ... -apxs ... results in no ssl certificate generation whatsoever, although mod_test_ssl.so is generated. Clues?

Bill
Re: Unable to run t/ssl tests.
Well now; rm -rf t, and svn up, gives me the original error attempting to create 'serial', a 'serial.old' lingers during the config phase. Again, any help appreciated. Joe Orton would like me to try to reproduce his segv, and perl-framework is not cooperating :)

Bill

At 05:33 PM 7/22/2005, William A. Rowe, Jr. wrote:
At 05:20 PM 7/22/2005, William A. Rowe, Jr. wrote:
On Win32... Using openssl 0.9.8, httpd 2.1-dev (current) and perl-framework (current)... and I end up in a loop between running t/TEST -clean and t/TEST -apxs g:/path/to/apxs with this error, every time;
Ok - I lie - now -clean ... -apxs ... results in no ssl certificate generation whatsoever, although mod_test_ssl.so is generated. Clues?
Bill
Re: Unable to run t/ssl tests.
William A. Rowe, Jr. wrote:
Well now; rm -rf t, and svn up, gives me the original error attempting to create 'serial', a 'serial.old' lingers during the config phase.

After nuking t/ make sure to nuke ~/.apache-test (or whatever it is on win32) and run with APACHE_TEST_NO_STICKY_PREFERENCES=1 from now on to make sure that things aren't lingering around when they shouldn't. Other than that, I'll have a look on monday, but I'm not a win32 guy :)

--Geoff
Re: Website
Philip M. Gollucci [EMAIL PROTECTED] writes:
Hi, Would it be worthwhile for me to invest some time in designing a website in the style of the httpd/apr websites.

Sorry, I think I misunderstood your question earlier. (I think our section of the httpd site blows, and am always eager to fob off that responsibility to someone else :-).

From which we could link to the doxygen docs like apr/apr-util do ?

Sounds cool to me. Got more details?

-- Joe Schaefer
Re: mod-cache-requestor plan
Thanks Ian, Graham and Sergio for your help.

For the past couple of days I have been trying to figure out how our mod-cache-requester should spawn a thread (or set of threads). Currently, I am considering the following option. Please let me know what you think about this approach.

- mod-cache-requester would be a sub-module in mod-cache, as Graham had suggested once.
- it would look similar to mod-mem-cache. It would have a provider (mod-cache-requester-provider, for lack of any better word for now) registered.
- mod-cache (cache_url_handler to be precise) will do a lookup for this provider and will use this provider's methods to push any page which is soon-to-be-expired into the priority queue.
- in the post config of the mod-cache-requester our pqueue would be initialized along with mutexes and other stuff.
- now, we would create a new thread (or set of threads) in the post config which would basically contain an infinite loop. It (or they) will keep checking the pqueue and would make sub requests accordingly.

Does this make sense? If this approach is correct then I have some questions regarding thread vs process implementation. I would start discussing it once we have the main architecture in place.

Thanks,
Parin.

On 7/20/05, Graham Leggett [EMAIL PROTECTED] wrote:
Parin Shah wrote:
2. how mod-cache-requester can generate the sub request just to reload the content in the cache.
Look inside mod_include - it uses subrequests to be able to embed pages within other pages.
Regards,
Graham
--
[PATCH] SetenvIf OID(2.16.840.1.113730.1.13) (.*) NetscapeComment=$1
Hi everybody,

Based on a discussion with David Reid and Dirk-Willem van Gulik, since yesterday it is possible to allow or deny access based on the (string) values of arbitrary X509 extension fields in an SSL certificate, identified by their object id (OID):

# Require the user to have a certain NsComment in the cert, or be ASF committer
SSLRequire "TinyCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
        || "committers" in Oid("1.3.6.1.4.1.18060.1")

This allows flexible control over extension fields for which there is no standard name (as there is for the SSL_CLIENT_I_DN_x509 values).

In another discussion with Mads Toftum we talked about how to pass such OID information to a backend program (e.g., a ProxyPass server) or just to any Apache module that might want to check access (or do anything else) based on the OID values. I then came up with the idea of extracting the values of SSL certificate extensions into environment variables, so that their value could be used by any module aware of environment variables, as in:

SetenvIf Oid(1.3.6.1.4.1.18060.1) committers svnaccess=rw
<Directory /my/repos>
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
        Allow from env=svnaccess
    </LimitExcept>
</Directory>

or similar, which would for instance allow checking the environment variable $svnaccess to allow or deny read/write access. Similarly,

SetEnvIf OID(2.16.840.1.113730.1.13) "(TinyCA) Generated (Certificate)" Yes_this_certificate_is_from_TinyCA=$1_$2

sets Yes_this_certificate_is_from_TinyCA=TinyCA_Certificate, or if you want the var to be set to the oid's value directly, use

SetenvIf OID(2.16.840.1.113730.1.13) (.*) NetscapeComment=$1

Note that it is technically allowed to have multiple instances of an extension field, all with the same oid. In this case, the environment variable will be set to the list of all fields, separated by commas. Nice things can be done with environment variables, see manual/env.html#using in the docs.

Do you think this is useful?
The [PATCH] uses a cross-module call from mod_setenvif to mod_ssl (the latter may also be missing: in this case the variable will never be set). It calls a common function in the ssl module that returns the list of OID extension values as an apr array. That same function is also used for the SSLRequire directive's test. Martin Index: modules/metadata/mod_setenvif.c === --- modules/metadata/mod_setenvif.c (Revision 220078) +++ modules/metadata/mod_setenvif.c (Arbeitskopie) @@ -102,7 +102,8 @@ SPECIAL_REQUEST_URI, SPECIAL_REQUEST_METHOD, SPECIAL_REQUEST_PROTOCOL, -SPECIAL_SERVER_ADDR +SPECIAL_SERVER_ADDR, +SPECIAL_OID_VALUE }; typedef struct { char *name; /* header name */ @@ -120,6 +121,12 @@ } sei_cfg_rec; module AP_MODULE_DECLARE_DATA setenvif_module; +#if (MODULE_MAGIC_NUMBER_MAJOR 20020903) +#include mod_ssl.h +#else +APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr)); +#endif +static APR_OPTIONAL_FN_TYPE(ssl_extlist_by_oid) *ssl_extlist_by_oid_func = NULL; /* * These routines, the create- and merge-config functions, are called 
@@ -345,6 +352,31 @@ else if (!strcasecmp(fname, server_addr)) { new-special_type = SPECIAL_SERVER_ADDR; } +else if (!strncasecmp(fname, oid(,4)) { +ap_regmatch_t match[AP_MAX_REG_MATCH]; + +new-special_type = SPECIAL_OID_VALUE; + +/* Syntax check and extraction of the OID as a regex: */ +new-pnamereg = ap_pregcomp(cmd-pool, +^oid\\(\?([0-9.]+)\?\\)$, +(AP_REG_EXTENDED // | AP_REG_NOSUB + | AP_REG_ICASE)); +/* this can never happen, as long as pcre works: + if (new-pnamereg == NULL) +return apr_pstrcat(cmd-pool, cmd-cmd-name, + OID regex could not be compiled., NULL); + */ +if (ap_regexec(new-pnamereg, fname, AP_MAX_REG_MATCH, match, 0) == AP_REG_NOMATCH) { +return apr_pstrcat(cmd-pool, cmd-cmd-name, + OID syntax is: oid(\1.2.3.4.5\); error in: , + fname, NULL); +} +new-pnamereg = NULL; +/* The name field is used for the stripped oid string */ +new-name = fname = apr_pstrdup(cmd-pool, fname+match[1].rm_so); +fname[match[1].rm_eo - match[1].rm_so] = '\0'; +} else { new-special_type = SPECIAL_NOT; /* Handle fname as a regular expression. @@ -475,6 +507,8 @@ * same header. Remember we don't need to strcmp the two header * names because we made sure the
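Review bot: the optional-function pointer `ssl_extlist_by_oid_func` is declared in the second hunk, but no hunk shown retrieves it (there is no `APR_RETRIEVE_OPTIONAL_FN` in an optional_fn_retrieve or post_config hook) and the call site in the last hunk is cut off; since the covering mail says mod_ssl may be absent, the retrieval and a NULL check before every call belong in this patch. The `MODULE_MAGIC_NUMBER_MAJOR` conditional around `#include mod_ssl.h` can go on trunk, where the header is always available.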
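Review bot: the NULL check after `ap_pregcomp` in the third hunk is commented out with the remark that it can never happen; keep it active, because a compile failure would otherwise hand a NULL regex to `ap_regexec`. `new->pnamereg` is also used only as scratch storage for the syntax-check regex and then reset to NULL; a local `ap_regex_t *` would make it clear that this regex never matches request data. Minor: the quote before and after the OID is optional independently, so an unbalanced `oid("1.2.3)` passes the check.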
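An added example, not part of Martin's patch or of httpd, that shows in stand-alone C with POSIX regex.h (instead of ap_pregcomp) the two steps the patch describes: the syntax check that strips a dotted OID out of an OID(...) name, keeping the compile-failure check, and the SetEnvIf value match with $1/$2 expansion over a comma-joined extension value. Function names and the sample values are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L       /* for regex.h on strict compilers */
#include <regex.h>
#include <string.h>

/* Syntax check of a SetEnvIf OID(...) name: the same pattern the patch
 * compiles, but as a stand-alone POSIX regex and with the compile-failure
 * check kept. On success the bare dotted OID is copied to out, returning 0. */
int parse_oid_name(const char *fname, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];
    size_t len;
    int rc;

    if (regcomp(&re, "^oid\\(\"?([0-9.]+)\"?\\)$", REG_EXTENDED | REG_ICASE) != 0)
        return -1;                     /* never assume the regex compiled */
    rc = regexec(&re, fname, 2, m, 0);
    regfree(&re);
    if (rc != 0)
        return -1;                     /* Remote_Addr, oid(abc), missing ')' ... */
    len = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (len >= outlen)
        return -1;
    memcpy(out, fname + m[1].rm_so, len);
    out[len] = '\0';
    return 0;
}

/* Run the directive's value regex over the extension value (all instances
 * of the OID arrive joined by commas) and expand $1..$9 in the template,
 * which is how SetEnvIf builds the variable's value. Returns 0 and fills
 * out on a match, 1 if the regex did not match, -1 on error. */
int setenvif_expand(const char *pattern, const char *subject,
                    const char *tmpl, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[10];
    size_t used = 0;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    rc = regexec(&re, subject, 10, m, 0);
    regfree(&re);
    if (rc != 0)
        return 1;
    for (const char *p = tmpl; *p; p++) {
        int g = (*p == '$' && p[1] >= '1' && p[1] <= '9') ? p[1] - '0' : 0;
        if (g) {                       /* $n: group n, empty if it did not take part */
            if (m[g].rm_so >= 0) {
                size_t len = (size_t)(m[g].rm_eo - m[g].rm_so);
                if (used + len >= outlen)
                    return -1;
                memcpy(out + used, subject + m[g].rm_so, len);
                used += len;
            }
            p++;                       /* skip the digit */
        } else {
            if (used + 1 >= outlen)
                return -1;
            out[used++] = *p;
        }
    }
    out[used] = '\0';
    return 0;
}

/* Wrappers that compare against an expected string, so callers need no buffers. */
int oid_name_is(const char *fname, const char *expected)
{
    char buf[64];
    return parse_oid_name(fname, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int env_value_is(const char *pattern, const char *subject, const char *tmpl, const char *expected)
{
    char buf[256];
    return setenvif_expand(pattern, subject, tmpl, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
```

The last wrapper also shows the caveat of the comma-joined list: an anchored regex such as `^committers$` no longer matches once a second instance of the extension is present.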
RE: mod-cache-requestor plan
The basic approach is ok for me, I just make a note. I think that mod_cache should put each cached page in the queue at the time its entry in the cache is created (or when its expire time has been changed), setting the proper regeneration time in the queue (e.g. regeneration time = page expire time - time spent for last page generation). In such a way there's no need to look up what's expiring, just sleep until something needs to be regenerated.

Bye
Sergio

-Original Message-
From: Parin Shah [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 July 2005 8.02
To: dev@httpd.apache.org
Subject: Re: mod-cache-requestor plan

Thanks Ian, Graham and Sergio for your help.

For the past couple of days I have been trying to figure out how our mod-cache-requester should spawn a thread (or set of threads). Currently, I am considering the following option. Please let me know what you think about this approach.

- mod-cache-requester would be a sub-module in mod-cache, as Graham had suggested once.
- it would look similar to mod-mem-cache. It would have a provider (mod-cache-requester-provider, for lack of any better word for now) registered.
- mod-cache (cache_url_handler to be precise) will do a lookup for this provider and will use this provider's methods to push any page which is soon-to-be-expired into the priority queue.
- in the post config of the mod-cache-requester our pqueue would be initialized along with mutexes and other stuff.
- now, we would create a new thread (or set of threads) in the post config which would basically contain an infinite loop. It (or they) will keep checking the pqueue and would make sub requests accordingly.

Does this make sense? If this approach is correct then I have some questions regarding thread vs process implementation. I would start discussing it once we have the main architecture in place.

Thanks,
Parin.

On 7/20/05, Graham Leggett [EMAIL PROTECTED] wrote:
Parin Shah wrote:
2. how mod-cache-requester can generate the sub request just to reload the content in the cache.
Look inside mod_include - it uses subrequests to be able to embed pages within other pages.
Regards,
Graham
--
Re: Dispatching MPM
Feedback greatly appreciated...

Hello Michal,

This sounds like a great idea! Obviously, perchild is dead, so needs a replacement. MetuxMPM doesn't handle SSL at all, which is a serious limitation for anyone who wants to use it seriously (after all, who uses a perchild model for security and doesn't use SSL?).

Something to throw into the mix - mod_php. As we all know mod_php doesn't like threaded environments (dependencies on non threadsafe libraries), and as such admins are limited to using process-based MPMs. Can I suggest you consider making the MPM thread/process agnostic? This way two MPMs, one process-based and one thread-based, could be created from the same codebase, allowing admins to select the one that's best for their setup.

Forgive me if I've hit on a technical impossibility - my coding skills have sadly deteriorated since university.

Thanks,
-- Nick Maynard [EMAIL PROTECTED] http://www.fluffybrain.com
Re: svn commit: r219940 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/ssl_expr.h modules/ssl/ssl_expr_eval.c modules/ssl/ssl_expr_parse.y modules/ssl/ssl_expr_scan.l
On Wed, Jul 20, 2005 at 04:42:59PM -, Martin Kraemer wrote:
Author: martin
Date: Wed Jul 20 09:42:58 2005
New Revision: 219940
URL: http://svn.apache.org/viewcvs?rev=219940view=rev
Log:
Collaborative work: (Thanks, dreid!) Implement OID checking for mod_ssl. This code allows for checking of arbitrary client certificate extensions by OID, in a syntax like:

SSLRequire "BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
        || "committers" in Oid("1.3.6.1.4.1.18060.1")

Note the following:
* A given OID can occur multiple times in one cert, with different values. Therefore the OID function compares the left-hand string against each of the OID values, until a complete match is found. If none matches, the result is FALSE
* The left hand side can be another expression, so can be a reference to a variable or a file() invocation etc.
* The OID is also just a reference to a string, or function, or whatever.
* My manual description is very short. Someone else please help improve the description

1) this is a pretty specific way to code it. Is there no way to make it more general so that OID() is just a function like file() and can be used e.g. in regex matches too?

2) you must always check in the regenerated scanner source along with changes to the lex file.

Regards, joe
Re: svn commit: r219940 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/ssl_expr.h modules/ssl/ssl_expr_eval.c modules/ssl/ssl_expr_parse.y modules/ssl/ssl_expr_scan.l
On Fri, Jul 22, 2005 at 11:12:07AM +0100, Joe Orton wrote:
On Wed, Jul 20, 2005 at 04:42:59PM -, Martin Kraemer wrote:
Author: martin
Date: Wed Jul 20 09:42:58 2005
New Revision: 219940
URL: http://svn.apache.org/viewcvs?rev=219940view=rev
Log:
Collaborative work: (Thanks, dreid!) Implement OID checking for mod_ssl. This code allows for checking of arbitrary client certificate extensions by OID, in a syntax like:

SSLRequire "BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
        || "committers" in Oid("1.3.6.1.4.1.18060.1")

Note the following:
* A given OID can occur multiple times in one cert, with different values. Therefore the OID function compares the left-hand string against each of the OID values, until a complete match is found. If none matches, the result is FALSE
* The left hand side can be another expression, so can be a reference to a variable or a file() invocation etc.
* The OID is also just a reference to a string, or function, or whatever.
* My manual description is very short. Someone else please help improve the description

and since I can't update to fix (2) myself, here's another...

3) oid() is a terrible name for this; it's simply the type of the parameter. It would be like calling malloc() size(). The function expands (conceptually) to the values of an extension in the peer's certificate, identified by OID; so call it peerext() or something meaningful like that.
Re: svn commit: r219940 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/ssl_expr.h modules/ssl/ssl_expr_eval.c modules/ssl/ssl_expr_parse.y modules/ssl/ssl_expr_scan.l
On Fri, Jul 22, 2005 at 12:02:29PM +0100, Joe Orton wrote:
and since I can't update to fix (2) myself, here's another...

Try again. All should be operational again.

-- justin
Re: svn commit: r219936 - in /httpd/httpd/trunk/modules/aaa: mod_authz_dbm.c mod_authz_groupfile.c mod_authz_user.c
--On July 21, 2005 6:30:36 PM +0200 Rich Bowen [EMAIL PROTECTED] wrote:
Sorry. This is actually my very first code patch in all the years I've been working with Apache. Picking a nit. Will fix.

No worries - by all means, feel free to commit! Just expect that we'll treat your commits with the same scrutiny as everyone else. ;-)

-- justin
Re: svn commit: r220307 - in /httpd/httpd/trunk/modules: metadata/mod_setenvif.c ssl/mod_ssl.c ssl/mod_ssl.h ssl/ssl_expr_eval.c
On Fri, Jul 22, 2005 at 12:11:56PM -, Martin Kraemer wrote:
Author: martin
Date: Fri Jul 22 05:11:55 2005
New Revision: 220307
URL: http://svn.apache.org/viewcvs?rev=220307view=rev
Log:
Allow extraction of the values of SSL certificate extensions into environment variables, so that their value can be used by any module that is aware of environment variables, as in:

So what is the point in posting patches for review if you don't actually wait for anyone to review them before committing?

SetEnvIf OID(2.16.840.1.113730.1.13) (.*) Generated (Certificate) ca=$1

-1 on the naming since OID is completely entirely meaningless in this context.

mod_setenvif.c:
module AP_MODULE_DECLARE_DATA setenvif_module;
+#if (MODULE_MAGIC_NUMBER_MAJOR 20020903)
+#include mod_ssl.h

unnecessary for trunk code to care about the MMN, it can always rely on mod_ssl.h being available.

mod_ssl.h:
+extern apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr);

and don't export the function as well as the optional function.
Re: svn commit: r220307 - in /httpd/httpd/trunk/modules: metadata/mod_setenvif.c ssl/mod_ssl.c ssl/mod_ssl.h ssl/ssl_expr_eval.c
Joe Orton wrote:
On Fri, Jul 22, 2005 at 12:11:56PM -, Martin Kraemer wrote:
Author: martin
Date: Fri Jul 22 05:11:55 2005
New Revision: 220307
URL: http://svn.apache.org/viewcvs?rev=220307view=rev
Log:
Allow extraction of the values of SSL certificate extensions into environment variables, so that their value can be used by any module that is aware of environment variables, as in:

So what is the point in posting patches for review if you don't actually wait for anyone to review them before committing?

That would be my fault. We're here at ApacheCon and when Martin said he posted to the list first I asked him why he didn't commit to trunk directly, since that is C-T-R. It's a reasonable smallish patch, with little impact on existing functionality; hence the nudge.

Sander
bw_mod : How to do some stuff.
Hi,

I've been working on this mod for some time now. I've done most of the work before, but I'm working on improving it and fixing some bugs. This started as an ugly hack to bandwidth_mod for apache 1.x (really ugly). Then looking at some other code, I learned how to do it the right way (using buckets, and splitting them).

As simple as it may sound, there is a complication. Using a non-threaded MPM, I must use some sort of shared memory resource to share the stats of the bandwidth used by each client within the vhost context. This is exactly the way I implemented it, but I have some issues :( I can't do bw configuration in .htaccess files, as I need to allocate a different space of memory to hold that configuration and stats. (or maybe I can, but I don't know how).

There is another catch. I'm not able to know the exact speed a client is downloading something, as I just split the buckets, and send each with a certain delay. I think I may need to write another output filter (final in the chain) which will write to the client, and get the real speed he is using, so it can give a more accurate speed to each one. (currently it just splits the total speed by the number of clients).

Some pointers, recommendations, and even better, if someone knows some code that does something similar, would be useful. My idea is to have a complete bandwidth control mod for use. (bw throttle, bw limiting, bw per period, bw accounting). My main trouble is the shm part (as I need to reallocate pools of memory).

The code to bw_mod is on http://ivn.cl/apache , version 0.6. It works pretty stable, some minor glitches, on lots of platforms (linux, BSD, Win, Solaris, MacOSX, etc) on many archs (x86,ppc,mips,sparc).

Feedback greatly appreciated.

Bruce.-
SSI for gzipped files
I have an idea for someone to implement and give me credit for. I recently needed to have my SSI work from a gz file. The server-intensive way to make that work is to decompress the file to read the SSI, make the changes, then optionally compress it again before sending it to the client. There are better ways, which browsers would have to be developed to support, in some cases with no change to the servers. Since the www-html list has been giving me trouble, I'm posting the idea to this list.

The best solution requires server support anyway. Have the server store SSI directives and the names of the files that contain them separately from the files when the files are compressed on the server. If the files were uploaded already compressed, then any SSI and file names should be uploaded separately, uncompressed. When a compressed shtml file (with SSI) is requested by a browser, the server would process the SSI without having to decompress the file that contains it, and would send a supporting browser the processed SSI in addition to the main file for the browser to combine after decompression. This could also be a security feature because the file name could be omitted from a virtual-include directive, and the text virtual-include alone could be the marker for where the markup gets inserted, so even if the browser can't include the markup from the SSI directive, the URL from the include won't be visible.

If the server doesn't support that and the browser receives a gzipped file with SSI in it, the browser should check for alternative support for gzipped SSI, which would be for the server to send an ID code with the gzipped file, which the browser would send back to the server along with the uncompressed SSI directive, so if the ID is correct, the server would process the SSI and send it to the browser to be combined with the webpage.

The final backup method would require no special server support at all. The browser would just decompress the file, request the page at the URL that's in the SSI directive, and if HTML is served, the browser would insert it into the webpage.

Barry

--
No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.9.2/52 - Release Date: 7/19/2005
Re: SSI for gzipped files
I have an idea for someone to implement and give me credit for. I recently needed to have my SSI work from a gz file. The server-intensive way to make

Interesting, I've wanted to accomplish the same thing but couldn't figure out a good way to do it. Maybe there are a lot of people who need this?
Re: SSI for gzipped files
At 04:17 PM 7/22/2005, Jem Berkes wrote:
I have an idea for someone to implement and give me credit for. I recently needed to have my SSI work from a gz file. The server-intensive way to make
Interesting, I've wanted to accomplish the same thing but couldn't figure out a good way to do it. Maybe there are a lot of people who need this?

I think we need a slightly more intelligent hook insertion schema; something where a hook can identify what C-L/C-T/T-E it can grok (SSI would play stupid, of course) and httpd would inject appropriately registered filters in front, and afterwards. The exact schema and syntax escapes me at the moment, but this is something that interested Nick Kew, refactoring our filter ordering and registration schema. You raise a good point for the crowd to consider.

Bill
bad liblucene4c.la while building lucene4c
I am trying to build lucene4c to use with mod_mbox for a SoC project. I have checked out the gcj-backend branch of lucene4c, checked out the trunk version of apr and built it with the experimental library enabled, and built lucene4c with gcj4. The resultant liblucene4c.la file looks like this:

/usr/local/lib

I have never used libtool before but that .la doesn't look like any others I have seen and mod_mbox doesn't like it either:

libtool: link: `/usr/local/lib/liblucene4c.la' is not a valid libtool archive

Anyone have a suggestion?
Re: mod-cache-requestor plan
This would definitely relieve mod-cache from checking the status of a page every time. But then, we would not be able to keep track of the popularity of the pages. But yes, this is a good observation. If we could come up with a mechanism where we could keep track of the popularity of pages (# no of requests, and last access time) without mod-cache's interference, then that would be a better approach.

-Parin.

On 7/22/05, Sergio Leonardi [EMAIL PROTECTED] wrote:
The basic approach is ok for me, I just make a note. I think that mod_cache should put each cached page in the queue at the time its entry in the cache is created (or when its expire time has been changed), setting the proper regeneration time in the queue (e.g. regeneration time = page expire time - time spent for last page generation). In such a way there's no need to look up what's expiring, just sleep until something needs to be regenerated.

Bye
Sergio

-Original Message-
From: Parin Shah [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 July 2005 8.02
To: dev@httpd.apache.org
Subject: Re: mod-cache-requestor plan

Thanks Ian, Graham and Sergio for your help.

For the past couple of days I have been trying to figure out how our mod-cache-requester should spawn a thread (or set of threads). Currently, I am considering the following option. Please let me know what you think about this approach.

- mod-cache-requester would be a sub-module in mod-cache, as Graham had suggested once.
- it would look similar to mod-mem-cache. It would have a provider (mod-cache-requester-provider, for lack of any better word for now) registered.
- mod-cache (cache_url_handler to be precise) will do a lookup for this provider and will use this provider's methods to push any page which is soon-to-be-expired into the priority queue.
- in the post config of the mod-cache-requester our pqueue would be initialized along with mutexes and other stuff.
- now, we would create a new thread (or set of threads) in the post config which would basically contain an infinite loop. It (or they) will keep checking the pqueue and would make sub requests accordingly.

Does this make sense? If this approach is correct then I have some questions regarding thread vs process implementation. I would start discussing it once we have the main architecture in place.

Thanks,
Parin.

On 7/20/05, Graham Leggett [EMAIL PROTECTED] wrote:
Parin Shah wrote:
2. how mod-cache-requester can generate the sub request just to reload the content in the cache.
Look inside mod_include - it uses subrequests to be able to embed pages within other pages.
Regards,
Graham
--