Re: disk cache file rename errors on Windows

2012-10-07 Thread Eric Covener 
On Thu, Dec 2, 2010 at 12:23 PM, Graham Leggett minf...@sharp.fm wrote:
 On 23 Nov 2010, at 8:21 PM, Dan Poirier wrote:

 We're seeing errors like this from mod_disk_cache on Windows only:

 (OS 5)Access is denied.  : disk_cache: rename tempfile to datafile
 failed: c:/temp/HTTPServer7/aptmpV0JKJ8 -
 c:/temp/HTTPServer7/wHY/FhW/b5uD@muvt...@v4w.data

 under moderate to heavy load, resulting in requests failing.


 Looking at the code, the error message is thrown when apr_file_rename()
 fails, specifically when a temporary file is swung into place in the cache.

 Looking at the APR code, there is a forest of ifdefs that seem to choose one
 of MoveFileEx(), MoveFileW(), MoveFileExW() or MoveFile(). Ideally, the
 Microsoft API documentation should explain under what conditions the error
 Access is denied is thrown.

 Does Windows allow you to move a file into place while the replaced file is
 still open for read?

This may have been a red herring.

When a revalidation fails, mod_disk_cache still has an open handle to
the data file, but will be called on to create a new tmpfile and copy
it on top of that very same datafile.

Index: modules/cache/mod_cache_disk.c
===
--- modules/cache/mod_cache_disk.c  (revision 1395428)
+++ modules/cache/mod_cache_disk.c  (working copy)
@@ -596,6 +596,11 @@

 static int remove_entity(cache_handle_t *h)
 {
+disk_cache_object_t *dobj = (disk_cache_object_t *) h-cache_obj-vobj;
+if (dobj-fd != NULL) {
+apr_file_close(dobj-fd);
+}
+
 /* Null out the cache object pointer so next time we start from scratch  */
 h-cache_obj = NULL;
 return OK;

This fixes the error in the OP for me, but if it were right you'd
think it would be a problem outside of windows during failed
revalidations.  It seems like in the normal path where the datafile is
opened, it is closed somewhere under the covers by virtue of being
used in a file bucket written out to the client.  But there seems to
be no hope for this fd if it's not written to the client.

Fwd: [Bug 53219] mod_ssl should allow to disable ssl compression

2012-10-07 Thread Eric Covener 
Any opinions on the default change?  AIUI current maintenance of
browsers have disabled TLS compression already, because they can be
driven to generate arbitrary traffic that eventually reveals httpOnly
session cookies.


-- Forwarded message --
From:  bugzi...@apache.org
Date: Sun, Oct 7, 2012 at 8:55 PM
Subject: [Bug 53219] mod_ssl should allow to disable ssl compression
To: b...@httpd.apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

--- Comment #10 from Christoph Anton Mitterer cales...@scientia.net ---
Hi.

It's good to see this backported...

However,... I'm a bit concerned...

As far as I understood,... _ALL_ versions of SSL/TLS are vulnerable to the
CRIME attack, right?

So why is compression not forcefully disabled? Not with respect to speed (as
originally intended by Björn) but to security.

If newer versions of TLS should fix the attack one could allow them to
select whether compression should be used or not.

Ideas?

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org



-- 
Eric Covener
cove...@gmail.com

Re: [Bug 53219] mod_ssl should allow to disable ssl compression

2012-10-07 Thread Roy T. Fielding 
On Oct 7, 2012, at 6:05 PM, Eric Covener wrote:

 Any opinions on the default change?  AIUI current maintenance of
 browsers have disabled TLS compression already, because they can be
 driven to generate arbitrary traffic that eventually reveals httpOnly
 session cookies.

Just disable it completely -- adaptive compression of headers is
inherently incompatible with the goals of TLS.

Roy