SSL-enabled interaction with MySQL

2007-04-25 Thread Naveen Rawat
Hi there,

[I did not get any response :-( on this issue on user's forum so putting it
here. Please help me on this.]

1. Primarily I wanted to know, if it is possible for an apache
(--enable-mods-shared=all --enable-ssl=shared --enable-so) module to
interact with a SSL-enabled MySQL (--with-openssl=DIR)?

2. If yes, then considering that I have got required keys/certificates for
both the client, server and the CA, what are the apache-end APIs that would
be needed to make this SSL session possible?

Thanks in advance.

Warm Regards,

Naveen Rawat


Re: SSL-enabled interaction with MySQL

2007-04-25 Thread Jorge Schrauwen

If by interaction you mean access a ssl mysql server from php, asp,
coldfusion...
then no, that would require the php module to be compiled with ssl.

If you're talking about modules like mod_auth_mysql then no again since
that specific module would need to support ssl. To my knowledge there
isn't one yet.

IIRC the --with-openssl= option is when you want to compile apache
with mod_ssl and openssl is installed in a non-standard location.

Don't take my word on it though. I'm sure if I'm wrong people will
correct me within minutes.

Jorge

On 4/25/07, Naveen Rawat [EMAIL PROTECTED] wrote:

Hi there,

[I did not get any response :-( on this issue on user's forum so putting it
here. Please help me on this.]

1. Primarily I wanted to know, if it is possible for an apache
(--enable-mods-shared=all --enable-ssl=shared --enable-so) module to
interact with a SSL-enabled MySQL (--with-openssl=DIR)?

2. If yes, then considering that I have got required keys/certificates for
both the client, server and the CA, what are the apache-end APIs that would
be needed to make this SSL session possible?

Thanks in advance.

Warm Regards,

Naveen Rawat

--
~Jorge


Re: RFC: replace r->subprocess_env was Re: Patch for implementing ap_document_root as a hook

2007-04-25 Thread Jakob Goldbach

Thoughts?


I like it.

I prefer this general env. API rather than making
ap_add_{common,cgi}_vars hook'able.

/Jakob


RE: SSL-enabled interaction with MySQL

2007-04-25 Thread Naveen Rawat


Hi Jorge,


Thanks for the reply,


 1. Primarily I wanted to know, if it is possible for an apache
 (--enable-mods-shared=all --enable-ssl=shared --enable-so) module to
 interact with a SSL-enabled MySQL (--with-openssl=DIR)?

 2. If yes, then considering that I have got required keys/certificates for
 both the client, server and the CA, what are the apache-end APIs that would
 be needed to make this SSL session possible?


Sorry for not being more descriptive.

I am trying to find an implementation for supporting the universal basic
client authentication functionality for anyone who intends to access my
Apache httpd server. 

I am using a third party authentication module 'mod_myauth' which will do
this task for me. Unfortunate to my specification this particular module
does not provide for SSL encryption when it validates the data (username /
password) against my database on MySQL. This module is having MySQL C APIs
usage for talking to the database.

My communication from my module, is database specific (my MySQL is already
SSL-enabled). So is it only up to the MySQL SSL-specific C API to provide
SSL (I tried using mysql_ssl_set() with no success) or there has more to be
done at my module's code end?


Thanks in advance,


Best Regards,
Naveen Rawat
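
Added example (not part of the original thread, and not code from mod_myauth or MySQL): before changing module code, the key, certificate and CA files the module would hand to mysql_ssl_set() can be tested from the web host with the stock mysql client, and the session checked for a negotiated cipher. Host, account and file paths are placeholders supplied by the caller; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check that a MySQL session from the web host is really
# encrypted. All host names, accounts and paths are caller-supplied
# placeholders, not values from the thread.

# Extract the cipher from the tab-separated output of
#   SHOW STATUS LIKE 'Ssl_cipher'
# as printed by `mysql --batch --skip-column-names`.
# Prints the cipher and returns 0 when the session is encrypted; returns 1
# when the value is empty, which is what a plaintext session reports.
ssl_cipher_of() {
    cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
    [ -n "$cipher" ] || return 1
    printf '%s\n' "$cipher"
}

# Connect with the same key, certificate and CA file the module would pass
# to mysql_ssl_set(), then report the negotiated cipher.
# Returns 0 = encrypted, 1 = connected in plaintext, 2 = connect failed.
check_mysql_tls() {
    host=$1 user=$2 key=$3 cert=$4 ca=$5
    out=$(mysql --host="$host" --user="$user" --password \
                --ssl-key="$key" --ssl-cert="$cert" --ssl-ca="$ca" \
                --batch --skip-column-names \
                -e "SHOW STATUS LIKE 'Ssl_cipher'") || {
        echo "connect failed: check certificates and server SSL support" >&2
        return 2
    }
    if cipher=$(ssl_cipher_of "$out"); then
        echo "encrypted session, cipher: $cipher"
    else
        echo "connected, but the session is NOT encrypted" >&2
        return 1
    fi
}
```

In C the same check after mysql_real_connect() is mysql_get_ssl_cipher(), which returns NULL for an unencrypted connection. mysql_ssl_set() itself has to be called after mysql_init() and before mysql_real_connect().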




Re: RFE -- external overload procedure

2007-04-25 Thread Juerg Umhang
it's now in bugzilla. patches submitted
http://issues.apache.org/bugzilla/show_bug.cgi?id=42216

-- juerg

 On 4/20/07, Juerg Umhang [EMAIL PROTECTED] wrote:
 hello

 please consider this posting as a request for enhancement

 httpd knows about his overload situation.
  [error] server reached MaxClients setting, consider raising the
 MaxClients setting
 this overload is easily created by an external attacker. in case of an
 attack you have to react.
 best done on a lower osi-layer (iptables, pf, ...).
 realtime log analysis has his own odds and twists. we would prefer a call
 to an 'external helper procedure'.

 in this context we have some questions:
 -- do you think it makes sense to implement this feature ?
 -- could it be done in a module (without the overhead of going through the
 scoreboard for each pre_connection call) ?

 It is reasonable to me for httpd to provide a module interface (hook)
 so that a third-party module can take action when httpd reaches the
 MaxClients (Unix) or ThreadsPerChild (Windows) condition.  (Maybe the
 hook just provides some basic statistics, and the module can determine
 whether the absolute limit has been reached or its own configurable
 threshold has been reached.)

 A way that a module can do something reasonable without modifying the
 server is to create a separate child process that monitors the
 scoreboard at its own interval, and takes whatever action is
 appropriate.  That check can be infrequent enough that the performance
 overhead is negligible.

 -- can we expect this enhancement in a future release ?

 Some other committer can speak for themselves, but I wouldn't expect
 it without a patch submitted.

 btw: we hope to see separately configurable timeouts (
 http://httpd.apache.org/docs/2.2/mod/core.html#timeout ) very soon.

 I don't recall anyone here interested in fulfilling the goal expressed
 in that comment.





Re: Apache 2.0.58 on i5/OS question

2007-04-25 Thread Greg Ames

--- Henri Gomez [EMAIL PROTECTED] wrote:

 Hi to all,
 
 I'm trying to adapt mod_jk to i5/OS v5r4 and see the following in
 mod_jk.log (debug mode)
 
 [Tue Apr 17 16:23:44 2007] [6589:0038] [debug] jk_uri_worker_map.c
 (423): rule map size is 0
 [Tue Apr 17 16:23:44 2007] [6589:0038] [error] mod_jk.c (2701):
 Initializing shm:/www/dapserver/logs/jk.shm.6589 errno=3025. Load
 balancing workers will not function properly.
[...]
 [Tue Apr 17 16:23:44 2007] [6589:0038] [info]  mod_jk.c (2743):
 mod_jk/1.2.22 initialized
 [Tue Apr 17 16:23:45 2007] [6589:0038] [debug] jk_uri_worker_map.c
 (423): rule map size is 0
 [Tue Apr 17 16:23:45 2007] [6589:0038] [error] mod_jk.c (2701):
 Initializing shm:/www/dapserver/logs/jk.shm.6589 errno=3025. Load
 balancing workers will not function properly.
[...]
 [Tue Apr 17 16:23:45 2007] [6589:0038] [debug] mod_jk.c (2661):
 Initialized mod_jk/1.2.22
 
 It's strange but it seems the initialisation is done twice. 

 Is it a specific i5/OS (IBM HTTP Server power by Apache) case or general ?

not so strange.  Apache httpd has been running thru the config twice at
initialization for a long time.  most modules know how to deal with it.  yes it
would be more straight forward if we could just run it once, but that would
require revamping the config system.

Greg



[STATUS] (httpd-2.0) Wed Apr 25 23:49:52 2007

2007-04-25 Thread Rodent of Unusual Size
APACHE 2.0 STATUS:  -*-text-*-
Last modified at [$Date: 2007-04-05 02:06:26 -0400 (Thu, 05 Apr 2007) $]

The current version of this file can be found at:

  * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS

Documentation status is maintained separately and can be found at:

  * docs/STATUS in this source tree, or
  * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/docs/STATUS

Consult the following STATUS files for information on related projects:

  * http://svn.apache.org/repos/asf/apr/apr/branches/0.9.x/STATUS
  * http://svn.apache.org/repos/asf/apr/apr-util/branches/0.9.x/STATUS

Consult the trunk/ for all new development and documentation efforts:

  * http://svn.apache.org/repos/asf/httpd/httpd/trunk/STATUS
  * http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/STATUS


Release history:

2.0.60  : in maintenance
2.0.59  : released July 28, 2006 as GA.
2.0.58  : released May 1, 2006 as GA. 
2.0.57  : tagged April 19, 2006, not released.
2.0.56  : tagged April 16, 2006, not released.
2.0.55  : released October 16, 2005 as GA.
2.0.54  : released April 17, 2005 as GA.
2.0.53  : released February 7, 2005 as GA.
2.0.52  : released September 28, 2004 as GA.
2.0.51  : released September 15, 2004 as GA.
2.0.50  : released June 30, 2004 as GA.
2.0.49  : released March 19, 2004 as GA.
2.0.48  : released October 29, 2003 as GA.
2.0.47  : released July 09, 2003 as GA.
2.0.46  : released May 28, 2003 as GA.
2.0.45  : released April 1, 2003 as GA.
2.0.44  : released January 20, 2003 as GA.
2.0.43  : released October 3, 2002 as GA.
2.0.42  : released September 24, 2002 as GA.
2.0.41  : rolled September 16, 2002.  not released.
2.0.40  : released August 9, 2002 as GA.
2.0.39  : released June 17, 2002 as GA.
2.0.38  : rolled June 16, 2002.  not released.
2.0.37  : rolled June 11, 2002.  not released.
2.0.36  : released May 6, 2002 as GA.
2.0.35  : released April 5, 2002 as GA.
2.0.34  : tagged March 26, 2002.
2.0.33  : tagged March 6, 2002.  not released.
2.0.32  : released February 16, 2002 as beta.
2.0.31  : rolled February 1, 2002.  not released.
2.0.30  : tagged January 8, 2002.  not rolled.
2.0.29  : tagged November 27, 2001.  not rolled.
2.0.28  : released November 13, 2001 as beta.
2.0.27  : rolled November 6, 2001
2.0.26  : tagged October 16, 2001.  not rolled.
2.0.25  : rolled August 29, 2001
2.0.24  : rolled August 18, 2001
2.0.23  : rolled August 9, 2001
2.0.22  : rolled July 29, 2001
2.0.21  : rolled July 20, 2001
2.0.20  : rolled July 8, 2001
2.0.19  : rolled June 27, 2001
2.0.18  : rolled May 18, 2001
2.0.17  : rolled April 17, 2001
2.0.16  : rolled April 4, 2001
2.0.15  : rolled March 21, 2001
2.0.14  : rolled March 7, 2001
2.0a9   : released December 12, 2000
2.0a8   : released November 20, 2000
2.0a7   : released October 8, 2000
2.0a6   : released August 18, 2000
2.0a5   : released August 4, 2000
2.0a4   : released June 7, 2000
2.0a3   : released April 28, 2000
2.0a2   : released March 31, 2000
2.0a1   : released March 10, 2000


Contributors looking for a mission:

* Just do an egrep on TODO or XXX in the source.

* Review the bug database at: http://issues.apache.org/bugzilla/

* Review the PatchAvailable bugs in the bug database:

  
http://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2.0&keywords=PatchAvailable

  After testing, you can append a comment saying Reviewed and tested.

* Open bugs in the bug database.


CURRENT RELEASE NOTES:

* Forward binary compatibility is expected of Apache 2.0.x releases, such
  that no MMN major number changes will occur.  Such changes can only be
  made in the trunk.

* All commits to branches/2.0.x must be reflected in SVN trunk,
  as well, if they apply.  Logical progression is commit to trunk,
  get feedback and votes on list or in STATUS, then merge into 
  branches/2.2.x, and finally merge into branches/2.0.x, as applicable.


RELEASE SHOWSTOPPERS:

* mod_proxy: ProxyTimeout (and others) ignored due to not merging
  the *_set params.
  PR# 11540
  Trunk version of patch:
 http://svn.apache.org/viewvc?view=rev&revision=507516
  2.0 version:
 http://people.apache.org/~jim/patches/httpd-2.0-proxy.patch
  +1: jim, minfrin, wrowe

PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

PATCHES PROPOSED TO BACKPORT FROM TRUNK:
  [ please place SVN revisions from trunk here, so it is easy to
identify exactly what the proposed changes are!  Add all new
proposals to the end of this list. ]

* mod_ssl: Move thread locking upcall initialization before
 

[STATUS] (httpd-2.2) Wed Apr 25 23:51:04 2007

2007-04-25 Thread Rodent of Unusual Size
APACHE 2.2 STATUS:  -*-text-*-
Last modified at [$Date: 2007-04-12 16:00:54 -0400 (Thu, 12 Apr 2007) $]

The current version of this file can be found at:

  * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS

Documentation status is maintained separately and can be found at:

  * docs/STATUS in this source tree, or
  * http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/STATUS

Consult the following STATUS files for information on related projects:

  * http://svn.apache.org/repos/asf/apr/apr/trunk/STATUS
  * http://svn.apache.org/repos/asf/apr/apr-util/trunk/STATUS

Patches considered for backport are noted in their branches' STATUS:

  * http://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x/STATUS
  * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS
  * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS


Release history:
[NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
  while x.{even}.z versions are Stable/GA releases.]

2.2.5   : In Development
2.2.4   : Released on January 9, 2007 as GA.
2.2.3   : Released on July 28, 2006 as GA.
2.2.2   : Released on May 1, 2006 as GA.
2.2.1   : Tagged on April 1, 2006, not released.
2.2.0   : Released on December 1, 2005 as GA.
2.1.10  : Tagged on November 19, 2005, not released.
2.1.9   : Released on November 5, 2005 as beta.
2.1.8   : Released on October 1, 2005 as beta.
2.1.7   : Released on September 12, 2005 as beta.
2.1.6   : Released on June 27, 2005 as alpha.
2.1.5   : Tagged on June 17, 2005.
2.1.4   : not released.
2.1.3   : Released on  February 22, 2005 as alpha.
2.1.2   : Released on December 8, 2004 as alpha.
2.1.1   : Released on November 19, 2004 as alpha.
2.1.0   : not released.


Contributors looking for a mission:

* Just do an egrep on TODO or XXX in the source.

* Review the bug database at: http://issues.apache.org/bugzilla/

* Review the PatchAvailable bugs in the bug database:

  
https://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2&keywords=PatchAvailable

  After testing, you can append a comment saying Reviewed and tested.

* Open bugs in the bug database.


CURRENT RELEASE NOTES:

* Forward binary compatibility is expected of Apache 2.2.x releases, such
  that no MMN major number changes will occur.  Such changes can only be
  made in the trunk.

* All commits to branches/2.2.x must be reflected in SVN trunk,
  as well, if they apply.  Logical progression is commit to trunk,
  get feedback and votes on list or in STATUS, then merge into
  branches/2.2.x, as applicable.


RELEASE SHOWSTOPPERS:

PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]


PATCHES PROPOSED TO BACKPORT FROM TRUNK:

* ab: Two minor fixes for PRs
  * 42070: sign mismatch in format string causes high server listening port
numbers to be reported incorrectly. Subversion r526584
  * 31268 and 26554: Allow -H command-line switch to override default 
values for Accept:, Host: and User-Agent: request headers. 
Subversion r526872
  
  svn diff -r516175:HEAD 
http://svn.apache.org/repos/asf/httpd/httpd/trunk/support/ab.c
  applies to 2.2.x branch with offsets. 
  
  +1: sctemme

* mod_ssl: Move thread locking upcall initialization before
  hardware library initialization, so hardware library can use
  these upcalls when run in a threaded MPM. Fixes PR 20951. 
  Trunk version of patch applies: 

  
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?r1=520701&r2=525709&view=patch
  
  +1: sctemme

* mod_proxy_ajp: Fix wrong retry when sending the response failed.
  PR 40310 (The old fix wasn't ok).
  Trunk version of patch:
  http://svn.apache.org/viewvc?view=rev&revision=518938
  (It also works for httpd-2.2.x).
  +1: jfclere

* mpm_winnt: Fix return values from wait_for_many_objects.
  Note - this is required to avoid hangups of socket #64, #128
  as Microsoft set aside 64 reserved values.
  Trunk version of patch:
http://svn.apache.org/viewvc?view=rev&revision=428029
  2.2.x version of patch:
Trunk version works
http://people.apache.org/~wrowe/mpm_winnt_waits.patch
is easier to read (-U8)
  +1: mturk
  wrowe notes: a patch should have the necessary effect with the
minimum lines of code - there's a lot of redecorating that's
going on in this patch to no net effect.  The WAIT_TIMEOUT
result value seems to be ignored in the revised code?
  mturk notes: WAIT_TIMEOUT is replaced by WAIT_FAILED with
the accompanied patch in mpm\winnt\child.c.

* PKCS#7: backport PKCS#7 patches from trunk.
  

[STATUS] (httpd-trunk) Wed Apr 25 23:56:00 2007

2007-04-25 Thread Rodent of Unusual Size
APACHE 2.3 STATUS:  -*-text-*-
Last modified at [$Date: 2006-08-22 16:41:03 -0400 (Tue, 22 Aug 2006) $]

The current version of this file can be found at:

  * http://svn.apache.org/repos/asf/httpd/httpd/trunk/STATUS

Documentation status is maintained separately and can be found at:

  * docs/STATUS in this source tree, or
  * http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/STATUS

Consult the following STATUS files for information on related projects:

  * http://svn.apache.org/repos/asf/apr/apr/trunk/STATUS
  * http://svn.apache.org/repos/asf/apr/apr-util/trunk/STATUS

Patches considered for backport are noted in their branches' STATUS:

  * http://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x/STATUS
  * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS
  * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS


Release history:
[NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
  while x.{even}.z versions are Stable/GA releases.]

2.3.0   : in development


Contributors looking for a mission:

* Just do an egrep on TODO or XXX in the source.

* Review the bug database at: http://issues.apache.org/bugzilla/

* Review the PatchAvailable bugs in the bug database:

  
https://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2&keywords=PatchAvailable

  After testing, you can append a comment saying Reviewed and tested.

* Open bugs in the bug database.


CURRENT RELEASE NOTES:


RELEASE SHOWSTOPPERS:

* Handling of non-trailing / config by non-default handler is broken
  http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=105451701628081&w=2
  jerenkrantz asks: Why should this block a release?
  wsanchez agrees: this may be a change in behavior, but isn't
clearly wrong, and even if so, it doesn't seem like a
showstopper.

* the edge connection filter cannot be removed 
  http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=105366252619530&w=2

  jerenkrantz asks: Why should this block a release?

  stas replies: because it requires a rewrite of the filters stack
implementation (you have suggested that) and once 2.2 is
released you can't do that anymore. 


CURRENT VOTES:

* If the parent process dies, should the remaining child processes
  gracefully self-terminate. Or maybe we should make it a runtime
  option, or have a concept of 2 parent processes (one being a 
  hot spare).
  See: Message-ID: [EMAIL PROTECTED]

  Self-destruct: Ken, Martin, Lars
  Not self-destruct: BrianP, Ian, Cliff, BillS
  Make it runtime configurable: Aaron, jim, Justin, wrowe, rederpj, nd

  /* The below was a concept on *how* to handle the problem */
  Have 2 parents: +1: jim
  -1: Justin, wrowe, rederpj, nd
  +0: Lars, Martin (while standing by, could it do
something useful?)

* Make the worker MPM the default MPM for threaded Unix boxes.
  +1:   Justin, Ian, Cliff, BillS, striker, wrowe, nd
  +0:   BrianP, Aaron (mutex contention is looking better with the
latest code, let's continue tuning and testing), rederpj, jim
  -0:   Lars

  pquerna: Do we want to change this for 2.2?


RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:

* Patches submitted to the bug database:
  
http://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2&keywords=PatchAvailable

* Filter stacks and subrequests, redirects and fast redirects.
  There's at least one PR that suffers from the current unclean behaviour
  (which lets the server send garbage): PR 17629
  nd says: Every subrequest should get its own filter stack with the
   subreq_core filter as bottom-most. That filter does two things:
 - swallow EOS buckets
 - redirect the data stream to the upper request's (rr-main)
   filter chain directly after the subrequest's starting
   point.
   Once we have a clean solution, we can try to optimize
   it, so that the server won't be slowed down too much.

* RFC 2616 violations.
  Closed PRs: 15857.
  Open PRs: 15852, 15859, 15861, 15864, 15865, 15866, 15868, 15869,
15870, 16120, 16125, 16126, 16133, 16135, 16136, 16137,
16138, 16139, 16140, 16142, 16518, 16520, 16521, 
  jerenkrantz says: need to decide how many we need to backport and/or
if these rise to showstopper status.
  wrowe suggests: it would be nice to see MUST v.s. SHOULD v.s. MAY
  out of this list, without reviewing them individually.

* There is a bug in how we sort some hooks, at