Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Yann Ylavic]

On Fri, Oct 9, 2015 at 7:40 PM, Jim Jagielski  wrote:
> The pre-release test tarballs for Apache httpd 2.4.17 can be found
> at the usual place:
>
> http://httpd.apache.org/dev/dist/
>
> I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA.
>
> [X] +1: Good to go

* md5/sha1/asc
=> OK

* Debian 8.2 (Jessie)
- Linux 3.14.15-2
- autoconf 2.69-8
- automake 1.14.1-4
- libtool 2.4.2-1.11
- gcc 4.9.2-10
- libc6 2.19-18+deb8u1
- openssl 1.0.1k-3+deb8u1
- pcre 8.35-3.3
=> All tests passed.

* Debian 7.9 (Wheezy)
- Linux 3.2.68-1+deb7u4
- autoconf 2.69-1
- automake 1.11.6-1
- libtool 2.4.2-1.1
- gcc 4.7.2-5
- libc6 2.13-38+deb7u8
- openssl 1.0.1e-2+deb7u17
- pcre 8.30-5
=> All passed passed.

* Debian 6.0.10 (Squeeze)
- Linux 2.6.32-48squeeze13
- autoconf 2.67-2
- automake 1.11.1-1+squeeze11
- libtool 2.2.6b-2
- gcc 4.4.5-8
- libc6 2.11.3-4+deb6u6
- openssl 0.9.8o-4squeeze21
- pcre 8.02-1.1
=> No regression.

Thanks Jim!

Bug report for Apache httpd-2 [2015/10/11]

[bugzilla]

+---+
| Bugzilla Bug ID   |
| +-+
| | Status: UNC=Unconfirmed NEW=New ASS=Assigned|
| | OPN=ReopenedVER=Verified(Skipped Closed/Resolved)   |
| |   +-+
| |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
| |   |   MIN=Minor   NOR=NormalENH=Enhancement TRV=Trivial |
| |   |   +-+
| |   |   | Date Posted |
| |   |   |  +--+
| |   |   |  | Description  |
| |   |   |  |  |
| 7483|Ass|Enh|2002-03-26|Add FileAction directive to assign a cgi interpret|
| 8713|Inf|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity|
| 8867|Opn|Cri|2002-05-07|exports.c generation fails when using a symlink to|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|11294|New|Enh|2002-07-30|desired vhost_alias option|
|11580|Opn|Enh|2002-08-09|generate Content-Location headers |
|12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long|
|12680|New|Enh|2002-09-16|Digest authentication with integrity protection   |
|13599|Inf|Nor|2002-10-14|autoindex formating broken for multibyte sequences|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|14496|New|Enh|2002-11-13|Cannot upgrade any version on Windows. Must uninst|
|14922|Inf|Enh|2002-11-28| is currently hardcoded to 'apache2'  |
|15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne|
|16761|Inf|Nor|2003-02-04|CustomLog with pipe spawns process during config  |
|16802|New|Enh|2003-02-05|Additional AllowOverride directive "Restrict" |
|16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.|
|17107|New|Min|2003-02-16|Windows should not install printenv   |
|17114|New|Enh|2003-02-17|Please add strip and install-strip targets to Make|
|17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi|
|17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header|
|18325|New|Enh|2003-03-25|PAM support for suEXEC|
|18334|Inf|Cri|2003-03-25|Server crashes when authenticating users against L|
|18497|New|Min|2003-03-30|configure --help gives wrong default for sysconfdi|
|19043|New|Min|2003-04-15|Interesting interaction between cern_meta module a|
|19670|New|Enh|2003-05-05|content type header supplied upon PUT is thrown aw|
|20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment |
|21253|New|Nor|2003-07-01|Mime magic doesn't continue if type is specifed fo|
|21260|New|Nor|2003-07-02|CacheMaxExpire directive not enforced !   |
|21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut|
|22138|Inf|Cri|2003-08-05|Webdav is not preccessing special chars right.|
|22237|New|Enh|2003-08-08|option to disable ServerSignature on index pages  |
|22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down|
|22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7|
|22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header  |
|23167|Inf|Cri|2003-09-14|--enable-layout never goes to apr apr-util|
|23181|New|Nor|2003-09-15|Status 304 (Not modified) and chunking leads to an|
|23238|New|Cri|2003-09-18|non-async-signal-safe operations from signal handl|
|23330|New|Enh|2003-09-22|Enhance ApacheMonitor to view and control Tomcat s|
|23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54|
|24031|New|Enh|2003-10-23|Passphrase protected private key in SSLProxyMachin|
|24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32|
|24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact|
|24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g|
|25014|New|Enh|2003-11-26|A flexible interface for mod_log_config   |
|25201|New|Enh|2003-12-04|Provide Cache Purge operation |
|25240|Inf|Enh|2003-12-05|SSL Library Error: 336105671 logged as information|
|25435|New|Enh|2003-12-11|sethandler and directoryindex not playing nice|
|25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files  |
|25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP |
|25543|Inf|Nor|2003-12-15|mod_proxy_ajp overwrites existing response headers|

Re: this expected?

[Stefan Eissing]

Thanks, Kaspar, that did it. -clean does not seem to reset it, removed dir and 
restored from svn.

All PASS now.

//Stefan

> Am 11.10.2015 um 07:45 schrieb Kaspar Brand :
> 
> On 10.10.2015 20:14, Stefan Eissing wrote:
>> Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl 
>> 1.0.2d):
>> 
>> t/ssl/varlookup.t ... 1/81 # Failed test 55 in 
>> t/ssl/varlookup.t at line 105 fail #55
>> # Failed test 56 in t/ssl/varlookup.t at line 105 fail #56
>> # Failed test 57 in t/ssl/varlookup.t at line 105 fail #57
>> # Failed test 58 in t/ssl/varlookup.t at line 105 fail #58
>> # Failed test 75 in t/ssl/varlookup.t at line 105 fail #75
>> # Failed test 76 in t/ssl/varlookup.t at line 105 fail #76
>> t/ssl/varlookup.t ... Failed 6/81 subtests 
> 
> Can you quickly confirm that t/conf/ssl/ca/asf/certs/client_ok.crt (or
> any other cert in this directory) is older than
> Apache-Test/lib/Apache/TestSSLCA.pm in that test framework installation?
> If so, the above failures are a consequence of r1705534 and r1705535,
> and TEST -clean should help in getting a fresh collection of certs (if
> it doesn't remove the t/conf/ssl/ca directory, it can just be rm'ed
> manually).
> 
> Kaspar

2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Rainer Jung]

I get a test failure for 2.4.17 in the mod_nntp_like_ssl part. Te 
failure happens on Solaris. Note that the nntp tests are disabled by 
default on Linux because of problems with the kernel accept filter, so 
that many of you wont run this test and thus not observe the problem.


The problems is that the test hangs after test 1 when waiting for the 
result of 2. On Solaris 8 the behavior changes a bit, there test 2 
succeeds, but 3-5 receive an empty result. The difference might be due 
to slight perl test differences. I suspect a common root cause.


Maybe the problem is due to some unclean brigade handling in 
mod_nntp_like_ssl (in light of recent dev list discussions)? Or 
mod_http2 is simply incompatible with mod_nntp_like_ssl and we should 
disable that test if mod_http2 is loaded?


Trace 8 log comparison between good runs (without having mod_http2 
loaded) and bad runs (having mod_http2 loaded):


Good run (no mod_http2)

- end of handshake and immediately write 52 bytes

[Sun Oct 11 14:53:47.911105 2015] [ssl:trace3] [pid 23096:tid 27] 
ssl_engine_kernel.c(1810): [client 127.0.0.1:50990] OpenSSL: Handshake: done
[Sun Oct 11 14:53:47.911142 2015] [ssl:debug] [pid 23096:tid 27] 
ssl_engine_kernel.c(1855): [client 127.0.0.1:50990] AH02041: Protocol: 
TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Sun Oct 11 14:53:47.911212 2015] [ssl:trace4] [pid 23096:tid 27] 
ssl_engine_io.c(2088): [client 127.0.0.1:50990] OpenSSL: write 52/52 
bytes to BIO#2861b8 [mem: 2bd45b] (BIO dump follows)



Bad run (including mod_http2)

- end of handshake

[Sun Oct 11 14:54:38.550476 2015] [ssl:trace3] [pid 23133:tid 50] 
ssl_engine_kernel.c(1810): [client 127.0.0.1:50994] OpenSSL: Handshake: done
[Sun Oct 11 14:54:38.550520 2015] [ssl:debug] [pid 23133:tid 50] 
ssl_engine_kernel.c(1855): [client 127.0.0.1:50994] AH02041: Protocol: 
TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Sun Oct 11 14:54:38.550555 2015] [core:trace6] [pid 23133:tid 50] 
core_filters.c(523): [client 127.0.0.1:50994] core_output_filter: 
flushing because of FLUSH bucket


- one minute established connection, but nothing else

[Sun Oct 11 14:54:39.274796 2015] [mpm_event:trace6] [pid 23133:tid 53] 
event.c(1577): connections: 1 (clogged: 0 write-completion: 0 
keep-alive: 0 lingering: 0 suspended: 0)

...

- timeout after one minute and write 52 bytes

[Sun Oct 11 14:55:38.551174 2015] [ssl:trace4] [pid 23133:tid 50] 
ssl_engine_io.c(2099): [client 127.0.0.1:50994] OpenSSL: I/O error, 5 
bytes expected to read on BIO#273480 [mem: 3624e3]
[Sun Oct 11 14:55:38.551253 2015] [ssl:info] [pid 23133:tid 50] 
(70007)The timeout specified has expired: [client 127.0.0.1:50994] 
AH01991: SSL input filter read failed.
[Sun Oct 11 14:55:38.551316 2015] [http2:debug] [pid 23133:tid 50] 
h2_h2.c(189): (70007)The timeout specified has expired: [client 
127.0.0.1:50994] h2_h2, error reading 24 bytes speculative
[Sun Oct 11 14:55:38.551344 2015] [http2:trace1] [pid 23133:tid 50] 
h2_h2.c(205): [client 127.0.0.1:50994] h2_h2, declined
[Sun Oct 11 14:55:38.551433 2015] [ssl:trace4] [pid 23133:tid 50] 
ssl_engine_io.c(2088): [client 127.0.0.1:50994] OpenSSL: write 52/52 
bytes to BIO#282488 [mem: 36a633] (BIO dump follows)


Regards,

Rainer

2.4.17 test failure for mod_http2 (test 30-31, misdirected)

[Rainer Jung]

# testing : GET https://localhost:8532/misdirected
# expected: 421
# received: '404'
not ok 30
# Failed test 30 in t/modules/http2.t at line 129 fail #6
# testing : GET https://localhost:8532/misdirected
# expected: 421
# received: '404'
not ok 31

Is this expected for 2.4? I didn't find anything about this in the 
trace8 error log.


Any hints how to debug? I was using OpenSSL 1.0.2c in the client (Perl 
Test Framework) and 1.0.2d in the server.


Regards,

Rainer

Re: 2.4.17 test failure for mod_http2 (test 30-31, misdirected)

[Rainer Jung]

Am 11.10.2015 um 16:04 schrieb Rainer Jung:

# testing : GET https://localhost:8532/misdirected
# expected: 421
# received: '404'
not ok 30
# Failed test 30 in t/modules/http2.t at line 129 fail #6
# testing : GET https://localhost:8532/misdirected
# expected: 421
# received: '404'
not ok 31

Is this expected for 2.4? I didn't find anything about this in the
trace8 error log.

Any hints how to debug? I was using OpenSSL 1.0.2c in the client (Perl
Test Framework) and 1.0.2d in the server.


Don't know whether it is related, but there is a small delta between 
trunk modules/ssl/ssl_engine_kernel.c and 2.4.x:


--- 2.4.x/modules/ssl/ssl_engine_kernel.c
+++ trunk/modules/ssl/ssl_engine_kernel.c
@@ -554,6 +529,8 @@
  */
 if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
 (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
+SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
+
 /* remember old state */
 verify_old = SSL_get_verify_mode(ssl);
 /* configure new state */
@@ -617,8 +623,6 @@
 && renegotiate
 && ((verify & SSL_VERIFY_PEER) ||
 (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
-SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
-
 #define MODSSL_CFG_CA_NE(f, sc1, sc2) \
 (sc1->server->auth.f && \
  (!sc2->server->auth.f || \

Regards,

Rainer

Re: 2.4.17 test failure for mod_http2 (test 30-31, misdirected)

[Yann Ylavic]

On Sun, Oct 11, 2015 at 4:24 PM, Rainer Jung  wrote:
> Am 11.10.2015 um 16:04 schrieb Rainer Jung:
>>
>> # testing : GET https://localhost:8532/misdirected
>> # expected: 421
>> # received: '404'
>> not ok 30
>> # Failed test 30 in t/modules/http2.t at line 129 fail #6
>> # testing : GET https://localhost:8532/misdirected
>> # expected: 421
>> # received: '404'
>> not ok 31
>>
>> Is this expected for 2.4? I didn't find anything about this in the
>> trace8 error log.
>>
>> Any hints how to debug? I was using OpenSSL 1.0.2c in the client (Perl
>> Test Framework) and 1.0.2d in the server.
>
>
> Don't know whether it is related, but there is a small delta between trunk
> modules/ssl/ssl_engine_kernel.c and 2.4.x:
>
> --- 2.4.x/modules/ssl/ssl_engine_kernel.c
> +++ trunk/modules/ssl/ssl_engine_kernel.c
> @@ -554,6 +529,8 @@
>   */
>  if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
>  (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
> +SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
> +
>  /* remember old state */
>  verify_old = SSL_get_verify_mode(ssl);
>  /* configure new state */
> @@ -617,8 +623,6 @@
>  && renegotiate
>  && ((verify & SSL_VERIFY_PEER) ||
>  (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
> -SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
> -
>  #define MODSSL_CFG_CA_NE(f, sc1, sc2) \
>  (sc1->server->auth.f && \
>   (!sc2->server->auth.f || \

This change (hunk) may be the one which changed the 421 behaviour:

--- 2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ 2.4.x/modules/ssl/ssl_engine_kernel.c Mon Sep 28 13:06:31 2015
@@ -196,11 +195,12 @@ int ssl_hook_ReadReq(request_rec *r)
 " provided in HTTP request", servername);
 return HTTP_BAD_REQUEST;
 }
-rv = apr_parse_addr_port(, _id, ,
r->hostname, r->pool);
-if (rv != APR_SUCCESS || scope_id) {
-return HTTP_BAD_REQUEST;
-}
-if (strcasecmp(host, servername)) {
+if (r->server != handshakeserver) {
+/*
+ * We are really not in Kansas anymore...
+ * The request does not select the virtual host that was
+ * selected by the SNI.
+ */
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
APLOGNO(02032)
 "Hostname %s provided via SNI and
hostname %s provided"
 " via HTTP are different", servername, host);

Previously we issued 421 based on the handshaken Host header vs the
current one, we now only control that request is still on the same
server.
So with no or the default vhost which can handle different requested
Host, there previously could be "refused" with 421 whereas now they
pass the ssl_Auth hook (which is OK since the SSL configuration
between the handshaken and this request has not changed).

Didn't look whether the test is still relevent (not much time for now,
sorry), but it might not be.
Hope this helps...

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Eric Covener]

On Sun, Oct 11, 2015 at 9:32 AM, Rainer Jung  wrote:
> The problems is that the test hangs after test 1 when waiting for the result
> of 2. On Solaris 8 the behavior changes a bit, there test 2 succeeds, but
> 3-5 receive an empty result. The difference might be due to slight perl test
> differences. I suspect a common root cause.


Seen on AIX too, but I am struggling with some non system openssl
1.0.2 issues though (between httpd, framework, and 32-bit perl modules
that use the native code) and can't even re-run at the moment.

Re: SSLProxyMachineCertificateFile: file '.../t/conf/ssl/ca/asf/proxy/client_ok.pem' does not exist or is empty

[Rainer Jung]

Am 11.10.2015 um 16:08 schrieb Eric Covener:

I am trying to run the test framework with ssl and http2 on AIX.

There is no system openssl 1.0.2, and the system perl is 32-bit and
also rather old.

I have a 32-bit and 64-bit openssl squirreld away in ~. I initially
had some problems with httpd under the test framework and openssl
command line tools in my path, as well as some CPAN modules to be
forced to use the new openssl.  AFAICT they are all resolved.

But where I'm at now is this complaint at startup:

SSLProxyMachineCertificateFile: file
'/home/covener/SRC/httpd-framework/t/conf/ssl/ca/asf/proxy/client_ok.pem'
does not exist or is empty


That directory is empty, but no errors are issued after t/TEST -clean
and t/TEST and even removing everything under t/conf and svn up'ing.

Any ideas on debugging this?


I've got three pem files there:

6275 Oct 11 12:04 t/conf/ssl/ca/asf/proxy/client_ok.pem
5808 Oct 11 12:04 t/conf/ssl/ca/asf/proxy/client_revoked.pem
5813 Oct 11 12:04 t/conf/ssl/ca/asf/proxy/client_snakeoil.pem

The generation e.g. of the ok file happens at the test startup. I get 
the following output (maybe because of t/TEST -v):


[   info] openssl genrsa -out keys/client_ok.pem  2048
Generating RSA private key, 2048 bit long modulus
..+++
.+++
e is 65537 (0x10001)
[   info] openssl req -new -key keys/client_ok.pem -out 
csr/client_ok.csr -passin pass:httpd -passout pass:httpd -config 
conf/client_ok.cnf
[   info] openssl ca -policy policy_anything -in csr/client_ok.csr -out 
certs/client_ok.crt -passin pass:httpd -config conf/client_ok.cnf -batch 
 -extensions client_ok_ext

Using configuration from conf/client_ok.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'California'
localityName  :ASN.1 12:'San Francisco'
organizationName  :ASN.1 12:'ASF'
organizationalUnitName:ASN.1 12:'httpd-test'
commonName:ASN.1 12:'client_ok'
emailAddress  :IA5STRING:'test-...@httpd.apache.org'
Certificate is to be certified until Oct 10 10:04:20 2016 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[   info] openssl pkcs12 -export -in certs/client_ok.crt -inkey 
keys/client_ok.pem -out export/client_ok.p12 -passin pass:httpd -passout 
pass:httpd

[   info] generating proxy cert: proxy/client_ok.pem


I think they are generated using

Apache-Test/lib/Apache/TestSSLCA.pm

which contains the following line:

my $openssl = $ENV{APACHE_TEST_OPENSSL_CMD} || 'openssl';

So maybe setting APACHE_TEST_OPENSSL_CMD to the full path of your 1.0.2 
openssl commandline binary will help.


Regards,

Rainer

SSLProxyMachineCertificateFile: file '.../t/conf/ssl/ca/asf/proxy/client_ok.pem' does not exist or is empty

[Eric Covener]

I am trying to run the test framework with ssl and http2 on AIX.

There is no system openssl 1.0.2, and the system perl is 32-bit and
also rather old.

I have a 32-bit and 64-bit openssl squirreld away in ~. I initially
had some problems with httpd under the test framework and openssl
command line tools in my path, as well as some CPAN modules to be
forced to use the new openssl.  AFAICT they are all resolved.

But where I'm at now is this complaint at startup:

SSLProxyMachineCertificateFile: file
'/home/covener/SRC/httpd-framework/t/conf/ssl/ca/asf/proxy/client_ok.pem'
does not exist or is empty


That directory is empty, but no errors are issued after t/TEST -clean
and t/TEST and even removing everything under t/conf and svn up'ing.

Any ideas on debugging this?

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Rainer Jung]

Am 11.10.2015 um 19:08 schrieb Yann Ylavic:

On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing
 wrote:

Ok, analyzed the code. Here is what seems to be happening:

- mod_http2, in the connection hook, does a blocking, speculative read to
   a) make sure the ALPN has been triggered
   b) check for the magic 24 bytes h2 preface in case H2Direct is on
   This works fine for HTTP/1.1 or protocols where the client starts sending 
bytes right away.
   If the client waits for something from the server first, it gives a timeout. 
This seems to be the NNTP case.


Does it make any sense to enable h2 on NNTP?


For now I disabled the nntp over ssl test when mod_http2 is loaded 
(disabled in the test file) so that the test suite does not hang.


I guess we don't want to test h2 and NNTP on the same requests, but it 
would be ideal, if the modules would not disturb each other, if they 
serve different vhosts in the same Apache. If that's not possible and 
doesn't actually indicate a bigger problem, I'm personally fine with 
that incompatibility with protocols that show "server sends first" behavior.


Regards,

Rainer

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Stefan Eissing]

> Am 11.10.2015 um 19:19 schrieb Rainer Jung :
> 
> Am 11.10.2015 um 19:08 schrieb Yann Ylavic:
>> On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing
>>  wrote:
>>> Ok, analyzed the code. Here is what seems to be happening:
>>> 
>>> - mod_http2, in the connection hook, does a blocking, speculative read to
>>>   a) make sure the ALPN has been triggered
>>>   b) check for the magic 24 bytes h2 preface in case H2Direct is on
>>>   This works fine for HTTP/1.1 or protocols where the client starts sending 
>>> bytes right away.
>>>   If the client waits for something from the server first, it gives a 
>>> timeout. This seems to be the NNTP case.
>> 
>> Does it make any sense to enable h2 on NNTP?
> 
> For now I disabled the nntp over ssl test when mod_http2 is loaded (disabled 
> in the test file) so that the test suite does not hang.
> 
> I guess we don't want to test h2 and NNTP on the same requests, but it would 
> be ideal, if the modules would not disturb each other, if they serve 
> different vhosts in the same Apache. If that's not possible and doesn't 
> actually indicate a bigger problem, I'm personally fine with that 
> incompatibility with protocols that show "server sends first" behavior.

Agreed. What we need is a way to make sure that any ALPN handling is done for 
later connection hooks. Then mod_http2 will only need to sniff when H2Direct is 
enabled.

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Yann Ylavic]

On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing
 wrote:
> Ok, analyzed the code. Here is what seems to be happening:
>
> - mod_http2, in the connection hook, does a blocking, speculative read to
>   a) make sure the ALPN has been triggered
>   b) check for the magic 24 bytes h2 preface in case H2Direct is on
>   This works fine for HTTP/1.1 or protocols where the client starts sending 
> bytes right away.
>   If the client waits for something from the server first, it gives a 
> timeout. This seems to be the NNTP case.

Does it make any sense to enable h2 on NNTP?

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Yann Ylavic]

On Sun, Oct 11, 2015 at 7:11 PM, Stefan Eissing
 wrote:
> Don't think so. But loading the module should do no harm, I think. And it 
> does now.

Isn't configuring H2Direct on which harms?

Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Reindl Harald]

Am 11.10.2015 um 21:07 schrieb Yann Ylavic:

On Sun, Oct 11, 2015 at 8:59 PM, Reindl Harald  wrote:


Google only showed discussions, Bugzilla and so on and finding the new
directive is hard - maybe the hint should made it into the changelog for GA
release


Yes you're right, I should have mentioned that directive in the CHANGES entry.
Unfortunately I'm afraid it's too late now, the 2.4.17 tag is frozen.
Hopefully the (new) documentation will quickly be indexed...


no problem since it's diabled by default


"ab -c 100 -n 5 http://small-image.gif; did not make me that happy 
after a short test on a quadcore machine, after some time httpd stopped 
to respond for a tinay statical image with a few bytes


# SO_REUSEPORT support
# = 2.4.17>
#  ListenCoresBucketsRatio 4
# 



signature.asc
Description: OpenPGP digital signature

Re: A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c

[Stefan Eissing]

Fixed in r1708002.

> Am 10.10.2015 um 22:31 schrieb NormW :
> 
> On 11/10/2015 4:45 AM, Stefan Eissing wrote:
>> Ok, will add that. This is only in trunk. 2.4.x should compile for you.
> Correct.
> Norm.
>> 
>>> Am 10.10.2015 um 13:31 schrieb NormW :
>>> 
>>> H,
 CC   h2_worker.c
 CC   h2_workers.c
 CC   mod_http2.c
 GEN  obj_release/mod_http2_link.opt
 LINK obj_release/mod_http2.nlm
 ### mwldnlm Linker Error:
 #   Undefined symbol: APR_BUCKET_IS_MMAP in
 #   h2_util.o
>>> 
>>> In apr-util\include\apr_buckets.h:
 #if APR_HAS_MMAP
 /**
 * Determine if a bucket is a MMAP bucket
 * @param e The bucket to inspect
 * @return true or false
 */
 #define APR_BUCKET_IS_MMAP(e)((e)->type == _bucket_type_mmap)
 #endif
>>> 
>>> :-( MMAP is (sadly) not a feature of NetWare. If the http2 experts assert 
>>> the entire http2 module is a dud without MMAP support, I am not in a 
>>> position or mind to oppose dropping NetWare 'support' for http2 entirely.
>>> 
>>> Alternatively, something like this in h2_util.c MAY be good enough :
}
 ++ #if APR_HAS_MMAP
else if (APR_BUCKET_IS_MMAP(b)) {
btype = "mmap";
}
 ++ #endif
>>> 
>>> Norm
>> 
> 

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Stefan Eissing]

Ok, in ssl_engine_io.c, lines 1426+ I see a hint:

/* XXX: we could actually move ssl_io_filter_handshake to an
 * ap_hook_process_connection but would still need to call it for
 * AP_MODE_INIT for protocols that may upgrade the connection
 * rather than have SSLEngine On configured.
 */
if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
return ssl_io_filter_error(f, bb, status);
}

The handshake handling gets triggered on a filter, so it all happens on READs 
(or WRITEs), which explains why connection hooks do not see it. This is quite 
some code which looks like we do not want to touch for a "quick fix". Also, 
there is no quick fix inside mod_http2 as before handshake, the SNI might also 
not be there yet, thus the vhost cannot be determined. etc.

For the current release, I think we should leave it as it is and advise that 
current mod_http2 is incompatible with things like nntp.

For the next release, I'd like the server to perform the handshake at a defined 
time, so other modules can rely on protocols being selected and correct vhost 
being known before the first read/write.

//Stefan

> Am 11.10.2015 um 19:30 schrieb Stefan Eissing :
> 
> What is the penalty of invoking SSL_do_handshake(ssl) on the server side for 
> a new connection? We do this on renegotiate and upgrade cases...
> 
>> Am 11.10.2015 um 19:23 schrieb Stefan Eissing :
>> 
>> 
>>> Am 11.10.2015 um 19:19 schrieb Rainer Jung :
>>> 
>>> Am 11.10.2015 um 19:08 schrieb Yann Ylavic:
 On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing
  wrote:
> Ok, analyzed the code. Here is what seems to be happening:
> 
> - mod_http2, in the connection hook, does a blocking, speculative read to
> a) make sure the ALPN has been triggered
> b) check for the magic 24 bytes h2 preface in case H2Direct is on
> This works fine for HTTP/1.1 or protocols where the client starts sending 
> bytes right away.
> If the client waits for something from the server first, it gives a 
> timeout. This seems to be the NNTP case.
 
 Does it make any sense to enable h2 on NNTP?
>>> 
>>> For now I disabled the nntp over ssl test when mod_http2 is loaded 
>>> (disabled in the test file) so that the test suite does not hang.
>>> 
>>> I guess we don't want to test h2 and NNTP on the same requests, but it 
>>> would be ideal, if the modules would not disturb each other, if they serve 
>>> different vhosts in the same Apache. If that's not possible and doesn't 
>>> actually indicate a bigger problem, I'm personally fine with that 
>>> incompatibility with protocols that show "server sends first" behavior.
>> 
>> Agreed. What we need is a way to make sure that any ALPN handling is done 
>> for later connection hooks. Then mod_http2 will only need to sniff when 
>> H2Direct is enabled.
> 

Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Yann Ylavic]

On Sun, Oct 11, 2015 at 9:14 PM, Reindl Harald  wrote:
>
> "ab -c 100 -n 5 http://small-image.gif; did not make me that happy after
> a short test on a quadcore machine, after some time httpd stopped to respond
> for a tinay statical image with a few bytes

Hm, with 4 cores and a ratio of 4, there is only one bucket per
listener, which is the same as the default.
Did you try the same test without the directive or with a ratio of 0?
(I rather suspect a connectivity issue with ab).

Re: 2.4.17 test failure for mod_http2 (test 30-31, misdirected)

[Yann Ylavic]

On Sun, Oct 11, 2015 at 5:43 PM, Yann Ylavic  wrote:
>
> Didn't look whether the test is still relevent (not much time for now,
> sorry), but it might not be.

Took a quick look, I think for this tests to be relevent, the
corresponding requests would have to reach different vhosts than the
previous requests, which seems not be the case...

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Stefan Eissing]

Hmm, will look into this. The module does a speculative non_blocking read on 
the connection. 

That happens only if H2Direct is "on", which I enabled to allow test when the 
client does not have ALPN.

Then it can detect on the first 24 bytes if the client starts talking h2 right 
away. Is doing a speculative read messing up the handshake? 

This is not a usual config. 

//stefan

> Am 11.10.2015 um 15:32 schrieb Rainer Jung :
> 
> I get a test failure for 2.4.17 in the mod_nntp_like_ssl part. Te failure 
> happens on Solaris. Note that the nntp tests are disabled by default on Linux 
> because of problems with the kernel accept filter, so that many of you wont 
> run this test and thus not observe the problem.
> 
> The problems is that the test hangs after test 1 when waiting for the result 
> of 2. On Solaris 8 the behavior changes a bit, there test 2 succeeds, but 3-5 
> receive an empty result. The difference might be due to slight perl test 
> differences. I suspect a common root cause.
> 
> Maybe the problem is due to some unclean brigade handling in 
> mod_nntp_like_ssl (in light of recent dev list discussions)? Or mod_http2 is 
> simply incompatible with mod_nntp_like_ssl and we should disable that test if 
> mod_http2 is loaded?
> 
> Trace 8 log comparison between good runs (without having mod_http2 loaded) 
> and bad runs (having mod_http2 loaded):
> 
> Good run (no mod_http2)
> 
> - end of handshake and immediately write 52 bytes
> 
> [Sun Oct 11 14:53:47.911105 2015] [ssl:trace3] [pid 23096:tid 27] 
> ssl_engine_kernel.c(1810): [client 127.0.0.1:50990] OpenSSL: Handshake: done
> [Sun Oct 11 14:53:47.911142 2015] [ssl:debug] [pid 23096:tid 27] 
> ssl_engine_kernel.c(1855): [client 127.0.0.1:50990] AH02041: Protocol: 
> TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> [Sun Oct 11 14:53:47.911212 2015] [ssl:trace4] [pid 23096:tid 27] 
> ssl_engine_io.c(2088): [client 127.0.0.1:50990] OpenSSL: write 52/52 bytes to 
> BIO#2861b8 [mem: 2bd45b] (BIO dump follows)
> 
> 
> Bad run (including mod_http2)
> 
> - end of handshake
> 
> [Sun Oct 11 14:54:38.550476 2015] [ssl:trace3] [pid 23133:tid 50] 
> ssl_engine_kernel.c(1810): [client 127.0.0.1:50994] OpenSSL: Handshake: done
> [Sun Oct 11 14:54:38.550520 2015] [ssl:debug] [pid 23133:tid 50] 
> ssl_engine_kernel.c(1855): [client 127.0.0.1:50994] AH02041: Protocol: 
> TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> [Sun Oct 11 14:54:38.550555 2015] [core:trace6] [pid 23133:tid 50] 
> core_filters.c(523): [client 127.0.0.1:50994] core_output_filter: flushing 
> because of FLUSH bucket
> 
> - one minute established connection, but nothing else
> 
> [Sun Oct 11 14:54:39.274796 2015] [mpm_event:trace6] [pid 23133:tid 53] 
> event.c(1577): connections: 1 (clogged: 0 write-completion: 0 keep-alive: 0 
> lingering: 0 suspended: 0)
> ...
> 
> - timeout after one minute and write 52 bytes
> 
> [Sun Oct 11 14:55:38.551174 2015] [ssl:trace4] [pid 23133:tid 50] 
> ssl_engine_io.c(2099): [client 127.0.0.1:50994] OpenSSL: I/O error, 5 bytes 
> expected to read on BIO#273480 [mem: 3624e3]
> [Sun Oct 11 14:55:38.551253 2015] [ssl:info] [pid 23133:tid 50] (70007)The 
> timeout specified has expired: [client 127.0.0.1:50994] AH01991: SSL input 
> filter read failed.
> [Sun Oct 11 14:55:38.551316 2015] [http2:debug] [pid 23133:tid 50] 
> h2_h2.c(189): (70007)The timeout specified has expired: [client 
> 127.0.0.1:50994] h2_h2, error reading 24 bytes speculative
> [Sun Oct 11 14:55:38.551344 2015] [http2:trace1] [pid 23133:tid 50] 
> h2_h2.c(205): [client 127.0.0.1:50994] h2_h2, declined
> [Sun Oct 11 14:55:38.551433 2015] [ssl:trace4] [pid 23133:tid 50] 
> ssl_engine_io.c(2088): [client 127.0.0.1:50994] OpenSSL: write 52/52 bytes to 
> BIO#282488 [mem: 36a633] (BIO dump follows)
> 
> Regards,
> 
> Rainer

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Stefan Eissing]

Ok, analyzed the code. Here is what seems to be happening:

- mod_http2, in the connection hook, does a blocking, speculative read to
  a) make sure the ALPN has been triggered
  b) check for the magic 24 bytes h2 preface in case H2Direct is on
  This works fine for HTTP/1.1 or protocols where the client starts sending 
bytes right away.
  If the client waits for something from the server first, it gives a timeout. 
This seems to be the NNTP case.

A. The important part is to get the ALPN triggered without a blocking read. Any 
advice from our TLS experts?
B. When that is solved, the check for the 24 bytes can be folder deeper to just 
happen on a H2Direct enabled server/vhost.

The fix for A ideally should be placed into mod_ssl, saving other 
protocol-selection code to mess with it, I think. But for the short term, I'd 
be happy with any advice on how to fix it in mod_http2 alone.

//Stefan


> Am 11.10.2015 um 18:26 schrieb Stefan Eissing :
> 
> Hmm, will look into this. The module does a speculative non_blocking read on 
> the connection. 
> 
> That happens only if H2Direct is "on", which I enabled to allow test when the 
> client does not have ALPN.
> 
> Then it can detect on the first 24 bytes if the client starts talking h2 
> right away. Is doing a speculative read messing up the handshake? 
> 
> This is not a usual config. 
> 
> //stefan
> 
>> Am 11.10.2015 um 15:32 schrieb Rainer Jung :
>> 
>> I get a test failure for 2.4.17 in the mod_nntp_like_ssl part. Te failure 
>> happens on Solaris. Note that the nntp tests are disabled by default on 
>> Linux because of problems with the kernel accept filter, so that many of you 
>> wont run this test and thus not observe the problem.
>> 
>> The problems is that the test hangs after test 1 when waiting for the result 
>> of 2. On Solaris 8 the behavior changes a bit, there test 2 succeeds, but 
>> 3-5 receive an empty result. The difference might be due to slight perl test 
>> differences. I suspect a common root cause.
>> 
>> Maybe the problem is due to some unclean brigade handling in 
>> mod_nntp_like_ssl (in light of recent dev list discussions)? Or mod_http2 is 
>> simply incompatible with mod_nntp_like_ssl and we should disable that test 
>> if mod_http2 is loaded?
>> 
>> Trace 8 log comparison between good runs (without having mod_http2 loaded) 
>> and bad runs (having mod_http2 loaded):
>> 
>> Good run (no mod_http2)
>> 
>> - end of handshake and immediately write 52 bytes
>> 
>> [Sun Oct 11 14:53:47.911105 2015] [ssl:trace3] [pid 23096:tid 27] 
>> ssl_engine_kernel.c(1810): [client 127.0.0.1:50990] OpenSSL: Handshake: done
>> [Sun Oct 11 14:53:47.911142 2015] [ssl:debug] [pid 23096:tid 27] 
>> ssl_engine_kernel.c(1855): [client 127.0.0.1:50990] AH02041: Protocol: 
>> TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> [Sun Oct 11 14:53:47.911212 2015] [ssl:trace4] [pid 23096:tid 27] 
>> ssl_engine_io.c(2088): [client 127.0.0.1:50990] OpenSSL: write 52/52 bytes 
>> to BIO#2861b8 [mem: 2bd45b] (BIO dump follows)
>> 
>> 
>> Bad run (including mod_http2)
>> 
>> - end of handshake
>> 
>> [Sun Oct 11 14:54:38.550476 2015] [ssl:trace3] [pid 23133:tid 50] 
>> ssl_engine_kernel.c(1810): [client 127.0.0.1:50994] OpenSSL: Handshake: done
>> [Sun Oct 11 14:54:38.550520 2015] [ssl:debug] [pid 23133:tid 50] 
>> ssl_engine_kernel.c(1855): [client 127.0.0.1:50994] AH02041: Protocol: 
>> TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> [Sun Oct 11 14:54:38.550555 2015] [core:trace6] [pid 23133:tid 50] 
>> core_filters.c(523): [client 127.0.0.1:50994] core_output_filter: flushing 
>> because of FLUSH bucket
>> 
>> - one minute established connection, but nothing else
>> 
>> [Sun Oct 11 14:54:39.274796 2015] [mpm_event:trace6] [pid 23133:tid 53] 
>> event.c(1577): connections: 1 (clogged: 0 write-completion: 0 keep-alive: 0 
>> lingering: 0 suspended: 0)
>> ...
>> 
>> - timeout after one minute and write 52 bytes
>> 
>> [Sun Oct 11 14:55:38.551174 2015] [ssl:trace4] [pid 23133:tid 50] 
>> ssl_engine_io.c(2099): [client 127.0.0.1:50994] OpenSSL: I/O error, 5 bytes 
>> expected to read on BIO#273480 [mem: 3624e3]
>> [Sun Oct 11 14:55:38.551253 2015] [ssl:info] [pid 23133:tid 50] (70007)The 
>> timeout specified has expired: [client 127.0.0.1:50994] AH01991: SSL input 
>> filter read failed.
>> [Sun Oct 11 14:55:38.551316 2015] [http2:debug] [pid 23133:tid 50] 
>> h2_h2.c(189): (70007)The timeout specified has expired: [client 
>> 127.0.0.1:50994] h2_h2, error reading 24 bytes speculative
>> [Sun Oct 11 14:55:38.551344 2015] [http2:trace1] [pid 23133:tid 50] 
>> h2_h2.c(205): [client 127.0.0.1:50994] h2_h2, declined
>> [Sun Oct 11 14:55:38.551433 2015] [ssl:trace4] [pid 23133:tid 50] 
>> ssl_engine_io.c(2088): [client 127.0.0.1:50994] OpenSSL: write 52/52 bytes 
>> to BIO#282488 [mem: 36a633] (BIO dump follows)
>> 
>> Regards,
>> 
>> Rainer

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Stefan Eissing]

Don't think so. But loading the module should do no harm, I think. And it does 
now.

I am not familiar with the NNTP use case. Is this always an NNTP-only server 
then?

> Am 11.10.2015 um 19:08 schrieb Yann Ylavic :
> 
> On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing
>  wrote:
>> Ok, analyzed the code. Here is what seems to be happening:
>> 
>> - mod_http2, in the connection hook, does a blocking, speculative read to
>>  a) make sure the ALPN has been triggered
>>  b) check for the magic 24 bytes h2 preface in case H2Direct is on
>>  This works fine for HTTP/1.1 or protocols where the client starts sending 
>> bytes right away.
>>  If the client waits for something from the server first, it gives a 
>> timeout. This seems to be the NNTP case.
> 
> Does it make any sense to enable h2 on NNTP?

Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded

[Stefan Eissing]

What is the penalty of invoking SSL_do_handshake(ssl) on the server side for a 
new connection? We do this on renegotiate and upgrade cases...

> Am 11.10.2015 um 19:23 schrieb Stefan Eissing :
> 
> 
>> Am 11.10.2015 um 19:19 schrieb Rainer Jung :
>> 
>> Am 11.10.2015 um 19:08 schrieb Yann Ylavic:
>>> On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing
>>>  wrote:
 Ok, analyzed the code. Here is what seems to be happening:
 
 - mod_http2, in the connection hook, does a blocking, speculative read to
  a) make sure the ALPN has been triggered
  b) check for the magic 24 bytes h2 preface in case H2Direct is on
  This works fine for HTTP/1.1 or protocols where the client starts sending 
 bytes right away.
  If the client waits for something from the server first, it gives a 
 timeout. This seems to be the NNTP case.
>>> 
>>> Does it make any sense to enable h2 on NNTP?
>> 
>> For now I disabled the nntp over ssl test when mod_http2 is loaded (disabled 
>> in the test file) so that the test suite does not hang.
>> 
>> I guess we don't want to test h2 and NNTP on the same requests, but it would 
>> be ideal, if the modules would not disturb each other, if they serve 
>> different vhosts in the same Apache. If that's not possible and doesn't 
>> actually indicate a bigger problem, I'm personally fine with that 
>> incompatibility with protocols that show "server sends first" behavior.
> 
> Agreed. What we need is a way to make sure that any ALPN handling is done for 
> later connection hooks. Then mod_http2 will only need to sniff when H2Direct 
> is enabled.

Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Yann Ylavic]

On Sun, Oct 11, 2015 at 8:45 PM, Reindl Harald  wrote:
>
> Am 09.10.2015 um 19:40 schrieb Jim Jagielski:
>>
>> The pre-release test tarballs for Apache httpd 2.4.17 can be found
>> at the usual place:
>>
>> http://httpd.apache.org/dev/dist/
>>
>> I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA.
>>
>> [ ] +1: Good to go
>> [ ] +0: meh
>> [ ] -1: Danger Will Robinson. And why
>
>
> +1 on Fedora 21 / 22 x86_64
>
> one question:
> MPMs: Support SO_REUSEPORT to create multiple duplicated listener
>
> does that get automatic enabled on recent Linux kernels or is there any
> configuration needed to enable it?

You need to configure this directive:
http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listencoresbucketsratio

Regards,
Yann.

Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Reindl Harald]

Am 11.10.2015 um 20:51 schrieb Yann Ylavic:

On Sun, Oct 11, 2015 at 8:45 PM, Reindl Harald  wrote:


Am 09.10.2015 um 19:40 schrieb Jim Jagielski:


The pre-release test tarballs for Apache httpd 2.4.17 can be found
at the usual place:

 http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why



+1 on Fedora 21 / 22 x86_64

one question:
MPMs: Support SO_REUSEPORT to create multiple duplicated listener

does that get automatic enabled on recent Linux kernels or is there any
configuration needed to enable it?


You need to configure this directive:
http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listencoresbucketsratio


thanks!

Google only showed discussions, Bugzilla and so on and finding the new 
directive is hard - maybe the hint should made it into the changelog for 
GA release



will give it a try

however, 2.4.17 without touch configs looks fine



signature.asc
Description: OpenPGP digital signature

Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Yann Ylavic]

On Sun, Oct 11, 2015 at 8:59 PM, Reindl Harald  wrote:
>
> Google only showed discussions, Bugzilla and so on and finding the new
> directive is hard - maybe the hint should made it into the changelog for GA
> release

Yes you're right, I should have mentioned that directive in the CHANGES entry.
Unfortunately I'm afraid it's too late now, the 2.4.17 tag is frozen.
Hopefully the (new) documentation will quickly be indexed...

Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Rainer Jung]

Am 11.10.2015 um 21:14 schrieb Reindl Harald:



Am 11.10.2015 um 21:07 schrieb Yann Ylavic:

On Sun, Oct 11, 2015 at 8:59 PM, Reindl Harald
 wrote:


Google only showed discussions, Bugzilla and so on and finding the new
directive is hard - maybe the hint should made it into the changelog
for GA
release


Yes you're right, I should have mentioned that directive in the
CHANGES entry.
Unfortunately I'm afraid it's too late now, the 2.4.17 tag is frozen.
Hopefully the (new) documentation will quickly be indexed...


no problem since it's diabled by default


"ab -c 100 -n 5 http://small-image.gif; did not make me that happy
after a short test on a quadcore machine, after some time httpd stopped
to respond for a tinay statical image with a few bytes

# SO_REUSEPORT support
# = 2.4.17>
#  ListenCoresBucketsRatio 4
# 


You might run into problems if your server accumulates to many TIME_WAIT 
connections. Check their number in the "netstat -an" output.


ab without "-k" does in connection per request and if those are only 
used very short and the server is fast you can end up with a couple of 
10.000s of TIME_WAIT connections (independent of SO_REUSEPORT).


Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.17 as GA

[Reindl Harald]

Am 11.10.2015 um 21:25 schrieb Yann Ylavic:

On Sun, Oct 11, 2015 at 9:14 PM, Reindl Harald  wrote:


"ab -c 100 -n 5 http://small-image.gif; did not make me that happy after
a short test on a quadcore machine, after some time httpd stopped to respond
for a tinay statical image with a few bytes


Hm, with 4 cores and a ratio of 4, there is only one bucket per
listener, which is the same as the default.
Did you try the same test without the directive or with a ratio of 0?
(I rather suspect a connectivity issue with ab)


i did not test it much and honestly i am not able to make a decision 
based on 
http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listencoresbucketsratio 



without the directive all is unchanged and stable

0 is not accepted which i would consider a bug given
the docs days default  "ListenCoresBucketsRatio 0 (disabled)"
AH00526: Syntax error on line 48 of /etc/httpd/conf/httpd-core.conf:
ListenCoresBucketsRatio must be > 0

= 2.4.17>
 ListenCoresBucketsRatio 0

__

i just wanted to test the new feature on a 4.2.3 kernel

"ab" don't scale well but likely not a connectivity issue runnig it on 
the same machine like httpd




signature.asc
Description: OpenPGP digital signature