Re: [VOTE] Release Apache httpd 2.4.17 as GA
On Fri, Oct 9, 2015 at 7:40 PM, Jim Jagielskiwrote: > The pre-release test tarballs for Apache httpd 2.4.17 can be found > at the usual place: > > http://httpd.apache.org/dev/dist/ > > I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. > > [X] +1: Good to go * md5/sha1/asc => OK * Debian 8.2 (Jessie) - Linux 3.14.15-2 - autoconf 2.69-8 - automake 1.14.1-4 - libtool 2.4.2-1.11 - gcc 4.9.2-10 - libc6 2.19-18+deb8u1 - openssl 1.0.1k-3+deb8u1 - pcre 8.35-3.3 => All tests passed. * Debian 7.9 (Wheezy) - Linux 3.2.68-1+deb7u4 - autoconf 2.69-1 - automake 1.11.6-1 - libtool 2.4.2-1.1 - gcc 4.7.2-5 - libc6 2.13-38+deb7u8 - openssl 1.0.1e-2+deb7u17 - pcre 8.30-5 => All passed passed. * Debian 6.0.10 (Squeeze) - Linux 2.6.32-48squeeze13 - autoconf 2.67-2 - automake 1.11.1-1+squeeze11 - libtool 2.2.6b-2 - gcc 4.4.5-8 - libc6 2.11.3-4+deb6u6 - openssl 0.9.8o-4squeeze21 - pcre 8.02-1.1 => No regression. Thanks Jim!
Bug report for Apache httpd-2 [2015/10/11]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | | 7483|Ass|Enh|2002-03-26|Add FileAction directive to assign a cgi interpret| | 8713|Inf|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity| | 8867|Opn|Cri|2002-05-07|exports.c generation fails when using a symlink to| |10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i| |11294|New|Enh|2002-07-30|desired vhost_alias option| |11580|Opn|Enh|2002-08-09|generate Content-Location headers | |12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long| |12680|New|Enh|2002-09-16|Digest authentication with integrity protection | |13599|Inf|Nor|2002-10-14|autoindex formating broken for multibyte sequences| |13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation | |14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR| |14496|New|Enh|2002-11-13|Cannot upgrade any version on Windows. Must uninst| |14922|Inf|Enh|2002-11-28| is currently hardcoded to 'apache2' | |15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne| |16761|Inf|Nor|2003-02-04|CustomLog with pipe spawns process during config | |16802|New|Enh|2003-02-05|Additional AllowOverride directive "Restrict" | |16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.| |17107|New|Min|2003-02-16|Windows should not install printenv | |17114|New|Enh|2003-02-17|Please add strip and install-strip targets to Make| |17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi| |17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header| |18325|New|Enh|2003-03-25|PAM support for suEXEC| |18334|Inf|Cri|2003-03-25|Server crashes when authenticating users against L| |18497|New|Min|2003-03-30|configure --help gives wrong default for sysconfdi| |19043|New|Min|2003-04-15|Interesting interaction between cern_meta module a| |19670|New|Enh|2003-05-05|content type header supplied upon PUT is thrown aw| |20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment | |21253|New|Nor|2003-07-01|Mime magic doesn't continue if type is specifed fo| |21260|New|Nor|2003-07-02|CacheMaxExpire directive not enforced ! | |21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut| |22138|Inf|Cri|2003-08-05|Webdav is not preccessing special chars right.| |22237|New|Enh|2003-08-08|option to disable ServerSignature on index pages | |22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down| |22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7| |22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header | |23167|Inf|Cri|2003-09-14|--enable-layout never goes to apr apr-util| |23181|New|Nor|2003-09-15|Status 304 (Not modified) and chunking leads to an| |23238|New|Cri|2003-09-18|non-async-signal-safe operations from signal handl| |23330|New|Enh|2003-09-22|Enhance ApacheMonitor to view and control Tomcat s| |23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54| |24031|New|Enh|2003-10-23|Passphrase protected private key in SSLProxyMachin| |24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32| |24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact| |24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g| |25014|New|Enh|2003-11-26|A flexible interface for mod_log_config | |25201|New|Enh|2003-12-04|Provide Cache Purge operation | |25240|Inf|Enh|2003-12-05|SSL Library Error: 336105671 logged as information| |25435|New|Enh|2003-12-11|sethandler and directoryindex not playing nice| |25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files | |25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP | |25543|Inf|Nor|2003-12-15|mod_proxy_ajp overwrites existing response headers|
Re: this expected?
Thanks, Kaspar, that did it. -clean does not seem to reset it, removed dir and restored from svn. All PASS now. //Stefan > Am 11.10.2015 um 07:45 schrieb Kaspar Brand: > > On 10.10.2015 20:14, Stefan Eissing wrote: >> Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl >> 1.0.2d): >> >> t/ssl/varlookup.t ... 1/81 # Failed test 55 in >> t/ssl/varlookup.t at line 105 fail #55 >> # Failed test 56 in t/ssl/varlookup.t at line 105 fail #56 >> # Failed test 57 in t/ssl/varlookup.t at line 105 fail #57 >> # Failed test 58 in t/ssl/varlookup.t at line 105 fail #58 >> # Failed test 75 in t/ssl/varlookup.t at line 105 fail #75 >> # Failed test 76 in t/ssl/varlookup.t at line 105 fail #76 >> t/ssl/varlookup.t ... Failed 6/81 subtests > > Can you quickly confirm that t/conf/ssl/ca/asf/certs/client_ok.crt (or > any other cert in this directory) is older than > Apache-Test/lib/Apache/TestSSLCA.pm in that test framework installation? > If so, the above failures are a consequence of r1705534 and r1705535, > and TEST -clean should help in getting a fresh collection of certs (if > it doesn't remove the t/conf/ssl/ca directory, it can just be rm'ed > manually). > > Kaspar
2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
I get a test failure for 2.4.17 in the mod_nntp_like_ssl part. Te failure happens on Solaris. Note that the nntp tests are disabled by default on Linux because of problems with the kernel accept filter, so that many of you wont run this test and thus not observe the problem. The problems is that the test hangs after test 1 when waiting for the result of 2. On Solaris 8 the behavior changes a bit, there test 2 succeeds, but 3-5 receive an empty result. The difference might be due to slight perl test differences. I suspect a common root cause. Maybe the problem is due to some unclean brigade handling in mod_nntp_like_ssl (in light of recent dev list discussions)? Or mod_http2 is simply incompatible with mod_nntp_like_ssl and we should disable that test if mod_http2 is loaded? Trace 8 log comparison between good runs (without having mod_http2 loaded) and bad runs (having mod_http2 loaded): Good run (no mod_http2) - end of handshake and immediately write 52 bytes [Sun Oct 11 14:53:47.911105 2015] [ssl:trace3] [pid 23096:tid 27] ssl_engine_kernel.c(1810): [client 127.0.0.1:50990] OpenSSL: Handshake: done [Sun Oct 11 14:53:47.911142 2015] [ssl:debug] [pid 23096:tid 27] ssl_engine_kernel.c(1855): [client 127.0.0.1:50990] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) [Sun Oct 11 14:53:47.911212 2015] [ssl:trace4] [pid 23096:tid 27] ssl_engine_io.c(2088): [client 127.0.0.1:50990] OpenSSL: write 52/52 bytes to BIO#2861b8 [mem: 2bd45b] (BIO dump follows) Bad run (including mod_http2) - end of handshake [Sun Oct 11 14:54:38.550476 2015] [ssl:trace3] [pid 23133:tid 50] ssl_engine_kernel.c(1810): [client 127.0.0.1:50994] OpenSSL: Handshake: done [Sun Oct 11 14:54:38.550520 2015] [ssl:debug] [pid 23133:tid 50] ssl_engine_kernel.c(1855): [client 127.0.0.1:50994] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) [Sun Oct 11 14:54:38.550555 2015] [core:trace6] [pid 23133:tid 50] core_filters.c(523): [client 127.0.0.1:50994] core_output_filter: flushing because of FLUSH bucket - one minute established connection, but nothing else [Sun Oct 11 14:54:39.274796 2015] [mpm_event:trace6] [pid 23133:tid 53] event.c(1577): connections: 1 (clogged: 0 write-completion: 0 keep-alive: 0 lingering: 0 suspended: 0) ... - timeout after one minute and write 52 bytes [Sun Oct 11 14:55:38.551174 2015] [ssl:trace4] [pid 23133:tid 50] ssl_engine_io.c(2099): [client 127.0.0.1:50994] OpenSSL: I/O error, 5 bytes expected to read on BIO#273480 [mem: 3624e3] [Sun Oct 11 14:55:38.551253 2015] [ssl:info] [pid 23133:tid 50] (70007)The timeout specified has expired: [client 127.0.0.1:50994] AH01991: SSL input filter read failed. [Sun Oct 11 14:55:38.551316 2015] [http2:debug] [pid 23133:tid 50] h2_h2.c(189): (70007)The timeout specified has expired: [client 127.0.0.1:50994] h2_h2, error reading 24 bytes speculative [Sun Oct 11 14:55:38.551344 2015] [http2:trace1] [pid 23133:tid 50] h2_h2.c(205): [client 127.0.0.1:50994] h2_h2, declined [Sun Oct 11 14:55:38.551433 2015] [ssl:trace4] [pid 23133:tid 50] ssl_engine_io.c(2088): [client 127.0.0.1:50994] OpenSSL: write 52/52 bytes to BIO#282488 [mem: 36a633] (BIO dump follows) Regards, Rainer
2.4.17 test failure for mod_http2 (test 30-31, misdirected)
# testing : GET https://localhost:8532/misdirected # expected: 421 # received: '404' not ok 30 # Failed test 30 in t/modules/http2.t at line 129 fail #6 # testing : GET https://localhost:8532/misdirected # expected: 421 # received: '404' not ok 31 Is this expected for 2.4? I didn't find anything about this in the trace8 error log. Any hints how to debug? I was using OpenSSL 1.0.2c in the client (Perl Test Framework) and 1.0.2d in the server. Regards, Rainer
Re: 2.4.17 test failure for mod_http2 (test 30-31, misdirected)
Am 11.10.2015 um 16:04 schrieb Rainer Jung: # testing : GET https://localhost:8532/misdirected # expected: 421 # received: '404' not ok 30 # Failed test 30 in t/modules/http2.t at line 129 fail #6 # testing : GET https://localhost:8532/misdirected # expected: 421 # received: '404' not ok 31 Is this expected for 2.4? I didn't find anything about this in the trace8 error log. Any hints how to debug? I was using OpenSSL 1.0.2c in the client (Perl Test Framework) and 1.0.2d in the server. Don't know whether it is related, but there is a small delta between trunk modules/ssl/ssl_engine_kernel.c and 2.4.x: --- 2.4.x/modules/ssl/ssl_engine_kernel.c +++ trunk/modules/ssl/ssl_engine_kernel.c @@ -554,6 +529,8 @@ */ if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { +SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver); + /* remember old state */ verify_old = SSL_get_verify_mode(ssl); /* configure new state */ @@ -617,8 +623,6 @@ && renegotiate && ((verify & SSL_VERIFY_PEER) || (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { -SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver); - #define MODSSL_CFG_CA_NE(f, sc1, sc2) \ (sc1->server->auth.f && \ (!sc2->server->auth.f || \ Regards, Rainer
Re: 2.4.17 test failure for mod_http2 (test 30-31, misdirected)
On Sun, Oct 11, 2015 at 4:24 PM, Rainer Jungwrote: > Am 11.10.2015 um 16:04 schrieb Rainer Jung: >> >> # testing : GET https://localhost:8532/misdirected >> # expected: 421 >> # received: '404' >> not ok 30 >> # Failed test 30 in t/modules/http2.t at line 129 fail #6 >> # testing : GET https://localhost:8532/misdirected >> # expected: 421 >> # received: '404' >> not ok 31 >> >> Is this expected for 2.4? I didn't find anything about this in the >> trace8 error log. >> >> Any hints how to debug? I was using OpenSSL 1.0.2c in the client (Perl >> Test Framework) and 1.0.2d in the server. > > > Don't know whether it is related, but there is a small delta between trunk > modules/ssl/ssl_engine_kernel.c and 2.4.x: > > --- 2.4.x/modules/ssl/ssl_engine_kernel.c > +++ trunk/modules/ssl/ssl_engine_kernel.c > @@ -554,6 +529,8 @@ > */ > if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || > (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { > +SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver); > + > /* remember old state */ > verify_old = SSL_get_verify_mode(ssl); > /* configure new state */ > @@ -617,8 +623,6 @@ > && renegotiate > && ((verify & SSL_VERIFY_PEER) || > (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { > -SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver); > - > #define MODSSL_CFG_CA_NE(f, sc1, sc2) \ > (sc1->server->auth.f && \ > (!sc2->server->auth.f || \ This change (hunk) may be the one which changed the 421 behaviour: --- 2.4.x/modules/ssl/ssl_engine_kernel.c (original) +++ 2.4.x/modules/ssl/ssl_engine_kernel.c Mon Sep 28 13:06:31 2015 @@ -196,11 +195,12 @@ int ssl_hook_ReadReq(request_rec *r) " provided in HTTP request", servername); return HTTP_BAD_REQUEST; } -rv = apr_parse_addr_port(, _id, , r->hostname, r->pool); -if (rv != APR_SUCCESS || scope_id) { -return HTTP_BAD_REQUEST; -} -if (strcasecmp(host, servername)) { +if (r->server != handshakeserver) { +/* + * We are really not in Kansas anymore... + * The request does not select the virtual host that was + * selected by the SNI. + */ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032) "Hostname %s provided via SNI and hostname %s provided" " via HTTP are different", servername, host); Previously we issued 421 based on the handshaken Host header vs the current one, we now only control that request is still on the same server. So with no or the default vhost which can handle different requested Host, there previously could be "refused" with 421 whereas now they pass the ssl_Auth hook (which is OK since the SSL configuration between the handshaken and this request has not changed). Didn't look whether the test is still relevent (not much time for now, sorry), but it might not be. Hope this helps...
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
On Sun, Oct 11, 2015 at 9:32 AM, Rainer Jungwrote: > The problems is that the test hangs after test 1 when waiting for the result > of 2. On Solaris 8 the behavior changes a bit, there test 2 succeeds, but > 3-5 receive an empty result. The difference might be due to slight perl test > differences. I suspect a common root cause. Seen on AIX too, but I am struggling with some non system openssl 1.0.2 issues though (between httpd, framework, and 32-bit perl modules that use the native code) and can't even re-run at the moment.
Re: SSLProxyMachineCertificateFile: file '.../t/conf/ssl/ca/asf/proxy/client_ok.pem' does not exist or is empty
Am 11.10.2015 um 16:08 schrieb Eric Covener: I am trying to run the test framework with ssl and http2 on AIX. There is no system openssl 1.0.2, and the system perl is 32-bit and also rather old. I have a 32-bit and 64-bit openssl squirreld away in ~. I initially had some problems with httpd under the test framework and openssl command line tools in my path, as well as some CPAN modules to be forced to use the new openssl. AFAICT they are all resolved. But where I'm at now is this complaint at startup: SSLProxyMachineCertificateFile: file '/home/covener/SRC/httpd-framework/t/conf/ssl/ca/asf/proxy/client_ok.pem' does not exist or is empty That directory is empty, but no errors are issued after t/TEST -clean and t/TEST and even removing everything under t/conf and svn up'ing. Any ideas on debugging this? I've got three pem files there: 6275 Oct 11 12:04 t/conf/ssl/ca/asf/proxy/client_ok.pem 5808 Oct 11 12:04 t/conf/ssl/ca/asf/proxy/client_revoked.pem 5813 Oct 11 12:04 t/conf/ssl/ca/asf/proxy/client_snakeoil.pem The generation e.g. of the ok file happens at the test startup. I get the following output (maybe because of t/TEST -v): [ info] openssl genrsa -out keys/client_ok.pem 2048 Generating RSA private key, 2048 bit long modulus ..+++ .+++ e is 65537 (0x10001) [ info] openssl req -new -key keys/client_ok.pem -out csr/client_ok.csr -passin pass:httpd -passout pass:httpd -config conf/client_ok.cnf [ info] openssl ca -policy policy_anything -in csr/client_ok.csr -out certs/client_ok.crt -passin pass:httpd -config conf/client_ok.cnf -batch -extensions client_ok_ext Using configuration from conf/client_ok.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :ASN.1 12:'California' localityName :ASN.1 12:'San Francisco' organizationName :ASN.1 12:'ASF' organizationalUnitName:ASN.1 12:'httpd-test' commonName:ASN.1 12:'client_ok' emailAddress :IA5STRING:'test-...@httpd.apache.org' Certificate is to be certified until Oct 10 10:04:20 2016 GMT (365 days) Write out database with 1 new entries Data Base Updated [ info] openssl pkcs12 -export -in certs/client_ok.crt -inkey keys/client_ok.pem -out export/client_ok.p12 -passin pass:httpd -passout pass:httpd [ info] generating proxy cert: proxy/client_ok.pem I think they are generated using Apache-Test/lib/Apache/TestSSLCA.pm which contains the following line: my $openssl = $ENV{APACHE_TEST_OPENSSL_CMD} || 'openssl'; So maybe setting APACHE_TEST_OPENSSL_CMD to the full path of your 1.0.2 openssl commandline binary will help. Regards, Rainer
SSLProxyMachineCertificateFile: file '.../t/conf/ssl/ca/asf/proxy/client_ok.pem' does not exist or is empty
I am trying to run the test framework with ssl and http2 on AIX. There is no system openssl 1.0.2, and the system perl is 32-bit and also rather old. I have a 32-bit and 64-bit openssl squirreld away in ~. I initially had some problems with httpd under the test framework and openssl command line tools in my path, as well as some CPAN modules to be forced to use the new openssl. AFAICT they are all resolved. But where I'm at now is this complaint at startup: SSLProxyMachineCertificateFile: file '/home/covener/SRC/httpd-framework/t/conf/ssl/ca/asf/proxy/client_ok.pem' does not exist or is empty That directory is empty, but no errors are issued after t/TEST -clean and t/TEST and even removing everything under t/conf and svn up'ing. Any ideas on debugging this?
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
Am 11.10.2015 um 19:08 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissingwrote: Ok, analyzed the code. Here is what seems to be happening: - mod_http2, in the connection hook, does a blocking, speculative read to a) make sure the ALPN has been triggered b) check for the magic 24 bytes h2 preface in case H2Direct is on This works fine for HTTP/1.1 or protocols where the client starts sending bytes right away. If the client waits for something from the server first, it gives a timeout. This seems to be the NNTP case. Does it make any sense to enable h2 on NNTP? For now I disabled the nntp over ssl test when mod_http2 is loaded (disabled in the test file) so that the test suite does not hang. I guess we don't want to test h2 and NNTP on the same requests, but it would be ideal, if the modules would not disturb each other, if they serve different vhosts in the same Apache. If that's not possible and doesn't actually indicate a bigger problem, I'm personally fine with that incompatibility with protocols that show "server sends first" behavior. Regards, Rainer
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
> Am 11.10.2015 um 19:19 schrieb Rainer Jung: > > Am 11.10.2015 um 19:08 schrieb Yann Ylavic: >> On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing >> wrote: >>> Ok, analyzed the code. Here is what seems to be happening: >>> >>> - mod_http2, in the connection hook, does a blocking, speculative read to >>> a) make sure the ALPN has been triggered >>> b) check for the magic 24 bytes h2 preface in case H2Direct is on >>> This works fine for HTTP/1.1 or protocols where the client starts sending >>> bytes right away. >>> If the client waits for something from the server first, it gives a >>> timeout. This seems to be the NNTP case. >> >> Does it make any sense to enable h2 on NNTP? > > For now I disabled the nntp over ssl test when mod_http2 is loaded (disabled > in the test file) so that the test suite does not hang. > > I guess we don't want to test h2 and NNTP on the same requests, but it would > be ideal, if the modules would not disturb each other, if they serve > different vhosts in the same Apache. If that's not possible and doesn't > actually indicate a bigger problem, I'm personally fine with that > incompatibility with protocols that show "server sends first" behavior. Agreed. What we need is a way to make sure that any ALPN handling is done for later connection hooks. Then mod_http2 will only need to sniff when H2Direct is enabled.
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissingwrote: > Ok, analyzed the code. Here is what seems to be happening: > > - mod_http2, in the connection hook, does a blocking, speculative read to > a) make sure the ALPN has been triggered > b) check for the magic 24 bytes h2 preface in case H2Direct is on > This works fine for HTTP/1.1 or protocols where the client starts sending > bytes right away. > If the client waits for something from the server first, it gives a > timeout. This seems to be the NNTP case. Does it make any sense to enable h2 on NNTP?
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
On Sun, Oct 11, 2015 at 7:11 PM, Stefan Eissingwrote: > Don't think so. But loading the module should do no harm, I think. And it > does now. Isn't configuring H2Direct on which harms?
Re: [VOTE] Release Apache httpd 2.4.17 as GA
Am 11.10.2015 um 21:07 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 8:59 PM, Reindl Haraldwrote: Google only showed discussions, Bugzilla and so on and finding the new directive is hard - maybe the hint should made it into the changelog for GA release Yes you're right, I should have mentioned that directive in the CHANGES entry. Unfortunately I'm afraid it's too late now, the 2.4.17 tag is frozen. Hopefully the (new) documentation will quickly be indexed... no problem since it's diabled by default "ab -c 100 -n 5 http://small-image.gif; did not make me that happy after a short test on a quadcore machine, after some time httpd stopped to respond for a tinay statical image with a few bytes # SO_REUSEPORT support # = 2.4.17> # ListenCoresBucketsRatio 4 # signature.asc Description: OpenPGP digital signature
Re: A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c
Fixed in r1708002. > Am 10.10.2015 um 22:31 schrieb NormW: > > On 11/10/2015 4:45 AM, Stefan Eissing wrote: >> Ok, will add that. This is only in trunk. 2.4.x should compile for you. > Correct. > Norm. >> >>> Am 10.10.2015 um 13:31 schrieb NormW : >>> >>> H, CC h2_worker.c CC h2_workers.c CC mod_http2.c GEN obj_release/mod_http2_link.opt LINK obj_release/mod_http2.nlm ### mwldnlm Linker Error: # Undefined symbol: APR_BUCKET_IS_MMAP in # h2_util.o >>> >>> In apr-util\include\apr_buckets.h: #if APR_HAS_MMAP /** * Determine if a bucket is a MMAP bucket * @param e The bucket to inspect * @return true or false */ #define APR_BUCKET_IS_MMAP(e)((e)->type == _bucket_type_mmap) #endif >>> >>> :-( MMAP is (sadly) not a feature of NetWare. If the http2 experts assert >>> the entire http2 module is a dud without MMAP support, I am not in a >>> position or mind to oppose dropping NetWare 'support' for http2 entirely. >>> >>> Alternatively, something like this in h2_util.c MAY be good enough : } ++ #if APR_HAS_MMAP else if (APR_BUCKET_IS_MMAP(b)) { btype = "mmap"; } ++ #endif >>> >>> Norm >> >
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
Ok, in ssl_engine_io.c, lines 1426+ I see a hint: /* XXX: we could actually move ssl_io_filter_handshake to an * ap_hook_process_connection but would still need to call it for * AP_MODE_INIT for protocols that may upgrade the connection * rather than have SSLEngine On configured. */ if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) { return ssl_io_filter_error(f, bb, status); } The handshake handling gets triggered on a filter, so it all happens on READs (or WRITEs), which explains why connection hooks do not see it. This is quite some code which looks like we do not want to touch for a "quick fix". Also, there is no quick fix inside mod_http2 as before handshake, the SNI might also not be there yet, thus the vhost cannot be determined. etc. For the current release, I think we should leave it as it is and advise that current mod_http2 is incompatible with things like nntp. For the next release, I'd like the server to perform the handshake at a defined time, so other modules can rely on protocols being selected and correct vhost being known before the first read/write. //Stefan > Am 11.10.2015 um 19:30 schrieb Stefan Eissing: > > What is the penalty of invoking SSL_do_handshake(ssl) on the server side for > a new connection? We do this on renegotiate and upgrade cases... > >> Am 11.10.2015 um 19:23 schrieb Stefan Eissing : >> >> >>> Am 11.10.2015 um 19:19 schrieb Rainer Jung : >>> >>> Am 11.10.2015 um 19:08 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing wrote: > Ok, analyzed the code. Here is what seems to be happening: > > - mod_http2, in the connection hook, does a blocking, speculative read to > a) make sure the ALPN has been triggered > b) check for the magic 24 bytes h2 preface in case H2Direct is on > This works fine for HTTP/1.1 or protocols where the client starts sending > bytes right away. > If the client waits for something from the server first, it gives a > timeout. This seems to be the NNTP case. Does it make any sense to enable h2 on NNTP? >>> >>> For now I disabled the nntp over ssl test when mod_http2 is loaded >>> (disabled in the test file) so that the test suite does not hang. >>> >>> I guess we don't want to test h2 and NNTP on the same requests, but it >>> would be ideal, if the modules would not disturb each other, if they serve >>> different vhosts in the same Apache. If that's not possible and doesn't >>> actually indicate a bigger problem, I'm personally fine with that >>> incompatibility with protocols that show "server sends first" behavior. >> >> Agreed. What we need is a way to make sure that any ALPN handling is done >> for later connection hooks. Then mod_http2 will only need to sniff when >> H2Direct is enabled. >
Re: [VOTE] Release Apache httpd 2.4.17 as GA
On Sun, Oct 11, 2015 at 9:14 PM, Reindl Haraldwrote: > > "ab -c 100 -n 5 http://small-image.gif; did not make me that happy after > a short test on a quadcore machine, after some time httpd stopped to respond > for a tinay statical image with a few bytes Hm, with 4 cores and a ratio of 4, there is only one bucket per listener, which is the same as the default. Did you try the same test without the directive or with a ratio of 0? (I rather suspect a connectivity issue with ab).
Re: 2.4.17 test failure for mod_http2 (test 30-31, misdirected)
On Sun, Oct 11, 2015 at 5:43 PM, Yann Ylavicwrote: > > Didn't look whether the test is still relevent (not much time for now, > sorry), but it might not be. Took a quick look, I think for this tests to be relevent, the corresponding requests would have to reach different vhosts than the previous requests, which seems not be the case...
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
Hmm, will look into this. The module does a speculative non_blocking read on the connection. That happens only if H2Direct is "on", which I enabled to allow test when the client does not have ALPN. Then it can detect on the first 24 bytes if the client starts talking h2 right away. Is doing a speculative read messing up the handshake? This is not a usual config. //stefan > Am 11.10.2015 um 15:32 schrieb Rainer Jung: > > I get a test failure for 2.4.17 in the mod_nntp_like_ssl part. Te failure > happens on Solaris. Note that the nntp tests are disabled by default on Linux > because of problems with the kernel accept filter, so that many of you wont > run this test and thus not observe the problem. > > The problems is that the test hangs after test 1 when waiting for the result > of 2. On Solaris 8 the behavior changes a bit, there test 2 succeeds, but 3-5 > receive an empty result. The difference might be due to slight perl test > differences. I suspect a common root cause. > > Maybe the problem is due to some unclean brigade handling in > mod_nntp_like_ssl (in light of recent dev list discussions)? Or mod_http2 is > simply incompatible with mod_nntp_like_ssl and we should disable that test if > mod_http2 is loaded? > > Trace 8 log comparison between good runs (without having mod_http2 loaded) > and bad runs (having mod_http2 loaded): > > Good run (no mod_http2) > > - end of handshake and immediately write 52 bytes > > [Sun Oct 11 14:53:47.911105 2015] [ssl:trace3] [pid 23096:tid 27] > ssl_engine_kernel.c(1810): [client 127.0.0.1:50990] OpenSSL: Handshake: done > [Sun Oct 11 14:53:47.911142 2015] [ssl:debug] [pid 23096:tid 27] > ssl_engine_kernel.c(1855): [client 127.0.0.1:50990] AH02041: Protocol: > TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) > [Sun Oct 11 14:53:47.911212 2015] [ssl:trace4] [pid 23096:tid 27] > ssl_engine_io.c(2088): [client 127.0.0.1:50990] OpenSSL: write 52/52 bytes to > BIO#2861b8 [mem: 2bd45b] (BIO dump follows) > > > Bad run (including mod_http2) > > - end of handshake > > [Sun Oct 11 14:54:38.550476 2015] [ssl:trace3] [pid 23133:tid 50] > ssl_engine_kernel.c(1810): [client 127.0.0.1:50994] OpenSSL: Handshake: done > [Sun Oct 11 14:54:38.550520 2015] [ssl:debug] [pid 23133:tid 50] > ssl_engine_kernel.c(1855): [client 127.0.0.1:50994] AH02041: Protocol: > TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) > [Sun Oct 11 14:54:38.550555 2015] [core:trace6] [pid 23133:tid 50] > core_filters.c(523): [client 127.0.0.1:50994] core_output_filter: flushing > because of FLUSH bucket > > - one minute established connection, but nothing else > > [Sun Oct 11 14:54:39.274796 2015] [mpm_event:trace6] [pid 23133:tid 53] > event.c(1577): connections: 1 (clogged: 0 write-completion: 0 keep-alive: 0 > lingering: 0 suspended: 0) > ... > > - timeout after one minute and write 52 bytes > > [Sun Oct 11 14:55:38.551174 2015] [ssl:trace4] [pid 23133:tid 50] > ssl_engine_io.c(2099): [client 127.0.0.1:50994] OpenSSL: I/O error, 5 bytes > expected to read on BIO#273480 [mem: 3624e3] > [Sun Oct 11 14:55:38.551253 2015] [ssl:info] [pid 23133:tid 50] (70007)The > timeout specified has expired: [client 127.0.0.1:50994] AH01991: SSL input > filter read failed. > [Sun Oct 11 14:55:38.551316 2015] [http2:debug] [pid 23133:tid 50] > h2_h2.c(189): (70007)The timeout specified has expired: [client > 127.0.0.1:50994] h2_h2, error reading 24 bytes speculative > [Sun Oct 11 14:55:38.551344 2015] [http2:trace1] [pid 23133:tid 50] > h2_h2.c(205): [client 127.0.0.1:50994] h2_h2, declined > [Sun Oct 11 14:55:38.551433 2015] [ssl:trace4] [pid 23133:tid 50] > ssl_engine_io.c(2088): [client 127.0.0.1:50994] OpenSSL: write 52/52 bytes to > BIO#282488 [mem: 36a633] (BIO dump follows) > > Regards, > > Rainer
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
Ok, analyzed the code. Here is what seems to be happening: - mod_http2, in the connection hook, does a blocking, speculative read to a) make sure the ALPN has been triggered b) check for the magic 24 bytes h2 preface in case H2Direct is on This works fine for HTTP/1.1 or protocols where the client starts sending bytes right away. If the client waits for something from the server first, it gives a timeout. This seems to be the NNTP case. A. The important part is to get the ALPN triggered without a blocking read. Any advice from our TLS experts? B. When that is solved, the check for the 24 bytes can be folder deeper to just happen on a H2Direct enabled server/vhost. The fix for A ideally should be placed into mod_ssl, saving other protocol-selection code to mess with it, I think. But for the short term, I'd be happy with any advice on how to fix it in mod_http2 alone. //Stefan > Am 11.10.2015 um 18:26 schrieb Stefan Eissing: > > Hmm, will look into this. The module does a speculative non_blocking read on > the connection. > > That happens only if H2Direct is "on", which I enabled to allow test when the > client does not have ALPN. > > Then it can detect on the first 24 bytes if the client starts talking h2 > right away. Is doing a speculative read messing up the handshake? > > This is not a usual config. > > //stefan > >> Am 11.10.2015 um 15:32 schrieb Rainer Jung : >> >> I get a test failure for 2.4.17 in the mod_nntp_like_ssl part. Te failure >> happens on Solaris. Note that the nntp tests are disabled by default on >> Linux because of problems with the kernel accept filter, so that many of you >> wont run this test and thus not observe the problem. >> >> The problems is that the test hangs after test 1 when waiting for the result >> of 2. On Solaris 8 the behavior changes a bit, there test 2 succeeds, but >> 3-5 receive an empty result. The difference might be due to slight perl test >> differences. I suspect a common root cause. >> >> Maybe the problem is due to some unclean brigade handling in >> mod_nntp_like_ssl (in light of recent dev list discussions)? Or mod_http2 is >> simply incompatible with mod_nntp_like_ssl and we should disable that test >> if mod_http2 is loaded? >> >> Trace 8 log comparison between good runs (without having mod_http2 loaded) >> and bad runs (having mod_http2 loaded): >> >> Good run (no mod_http2) >> >> - end of handshake and immediately write 52 bytes >> >> [Sun Oct 11 14:53:47.911105 2015] [ssl:trace3] [pid 23096:tid 27] >> ssl_engine_kernel.c(1810): [client 127.0.0.1:50990] OpenSSL: Handshake: done >> [Sun Oct 11 14:53:47.911142 2015] [ssl:debug] [pid 23096:tid 27] >> ssl_engine_kernel.c(1855): [client 127.0.0.1:50990] AH02041: Protocol: >> TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) >> [Sun Oct 11 14:53:47.911212 2015] [ssl:trace4] [pid 23096:tid 27] >> ssl_engine_io.c(2088): [client 127.0.0.1:50990] OpenSSL: write 52/52 bytes >> to BIO#2861b8 [mem: 2bd45b] (BIO dump follows) >> >> >> Bad run (including mod_http2) >> >> - end of handshake >> >> [Sun Oct 11 14:54:38.550476 2015] [ssl:trace3] [pid 23133:tid 50] >> ssl_engine_kernel.c(1810): [client 127.0.0.1:50994] OpenSSL: Handshake: done >> [Sun Oct 11 14:54:38.550520 2015] [ssl:debug] [pid 23133:tid 50] >> ssl_engine_kernel.c(1855): [client 127.0.0.1:50994] AH02041: Protocol: >> TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) >> [Sun Oct 11 14:54:38.550555 2015] [core:trace6] [pid 23133:tid 50] >> core_filters.c(523): [client 127.0.0.1:50994] core_output_filter: flushing >> because of FLUSH bucket >> >> - one minute established connection, but nothing else >> >> [Sun Oct 11 14:54:39.274796 2015] [mpm_event:trace6] [pid 23133:tid 53] >> event.c(1577): connections: 1 (clogged: 0 write-completion: 0 keep-alive: 0 >> lingering: 0 suspended: 0) >> ... >> >> - timeout after one minute and write 52 bytes >> >> [Sun Oct 11 14:55:38.551174 2015] [ssl:trace4] [pid 23133:tid 50] >> ssl_engine_io.c(2099): [client 127.0.0.1:50994] OpenSSL: I/O error, 5 bytes >> expected to read on BIO#273480 [mem: 3624e3] >> [Sun Oct 11 14:55:38.551253 2015] [ssl:info] [pid 23133:tid 50] (70007)The >> timeout specified has expired: [client 127.0.0.1:50994] AH01991: SSL input >> filter read failed. >> [Sun Oct 11 14:55:38.551316 2015] [http2:debug] [pid 23133:tid 50] >> h2_h2.c(189): (70007)The timeout specified has expired: [client >> 127.0.0.1:50994] h2_h2, error reading 24 bytes speculative >> [Sun Oct 11 14:55:38.551344 2015] [http2:trace1] [pid 23133:tid 50] >> h2_h2.c(205): [client 127.0.0.1:50994] h2_h2, declined >> [Sun Oct 11 14:55:38.551433 2015] [ssl:trace4] [pid 23133:tid 50] >> ssl_engine_io.c(2088): [client 127.0.0.1:50994] OpenSSL: write 52/52 bytes >> to BIO#282488 [mem: 36a633] (BIO dump follows) >> >> Regards, >> >> Rainer
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
Don't think so. But loading the module should do no harm, I think. And it does now. I am not familiar with the NNTP use case. Is this always an NNTP-only server then? > Am 11.10.2015 um 19:08 schrieb Yann Ylavic: > > On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing > wrote: >> Ok, analyzed the code. Here is what seems to be happening: >> >> - mod_http2, in the connection hook, does a blocking, speculative read to >> a) make sure the ALPN has been triggered >> b) check for the magic 24 bytes h2 preface in case H2Direct is on >> This works fine for HTTP/1.1 or protocols where the client starts sending >> bytes right away. >> If the client waits for something from the server first, it gives a >> timeout. This seems to be the NNTP case. > > Does it make any sense to enable h2 on NNTP?
Re: 2.4.17 test failure for mod_nntp_like_ssl when mod_http2 is loaded
What is the penalty of invoking SSL_do_handshake(ssl) on the server side for a new connection? We do this on renegotiate and upgrade cases... > Am 11.10.2015 um 19:23 schrieb Stefan Eissing: > > >> Am 11.10.2015 um 19:19 schrieb Rainer Jung : >> >> Am 11.10.2015 um 19:08 schrieb Yann Ylavic: >>> On Sun, Oct 11, 2015 at 7:00 PM, Stefan Eissing >>> wrote: Ok, analyzed the code. Here is what seems to be happening: - mod_http2, in the connection hook, does a blocking, speculative read to a) make sure the ALPN has been triggered b) check for the magic 24 bytes h2 preface in case H2Direct is on This works fine for HTTP/1.1 or protocols where the client starts sending bytes right away. If the client waits for something from the server first, it gives a timeout. This seems to be the NNTP case. >>> >>> Does it make any sense to enable h2 on NNTP? >> >> For now I disabled the nntp over ssl test when mod_http2 is loaded (disabled >> in the test file) so that the test suite does not hang. >> >> I guess we don't want to test h2 and NNTP on the same requests, but it would >> be ideal, if the modules would not disturb each other, if they serve >> different vhosts in the same Apache. If that's not possible and doesn't >> actually indicate a bigger problem, I'm personally fine with that >> incompatibility with protocols that show "server sends first" behavior. > > Agreed. What we need is a way to make sure that any ALPN handling is done for > later connection hooks. Then mod_http2 will only need to sniff when H2Direct > is enabled.
Re: [VOTE] Release Apache httpd 2.4.17 as GA
On Sun, Oct 11, 2015 at 8:45 PM, Reindl Haraldwrote: > > Am 09.10.2015 um 19:40 schrieb Jim Jagielski: >> >> The pre-release test tarballs for Apache httpd 2.4.17 can be found >> at the usual place: >> >> http://httpd.apache.org/dev/dist/ >> >> I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. >> >> [ ] +1: Good to go >> [ ] +0: meh >> [ ] -1: Danger Will Robinson. And why > > > +1 on Fedora 21 / 22 x86_64 > > one question: > MPMs: Support SO_REUSEPORT to create multiple duplicated listener > > does that get automatic enabled on recent Linux kernels or is there any > configuration needed to enable it? You need to configure this directive: http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listencoresbucketsratio Regards, Yann.
Re: [VOTE] Release Apache httpd 2.4.17 as GA
Am 11.10.2015 um 20:51 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 8:45 PM, Reindl Haraldwrote: Am 09.10.2015 um 19:40 schrieb Jim Jagielski: The pre-release test tarballs for Apache httpd 2.4.17 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. [ ] +1: Good to go [ ] +0: meh [ ] -1: Danger Will Robinson. And why +1 on Fedora 21 / 22 x86_64 one question: MPMs: Support SO_REUSEPORT to create multiple duplicated listener does that get automatic enabled on recent Linux kernels or is there any configuration needed to enable it? You need to configure this directive: http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listencoresbucketsratio thanks! Google only showed discussions, Bugzilla and so on and finding the new directive is hard - maybe the hint should made it into the changelog for GA release will give it a try however, 2.4.17 without touch configs looks fine signature.asc Description: OpenPGP digital signature
Re: [VOTE] Release Apache httpd 2.4.17 as GA
On Sun, Oct 11, 2015 at 8:59 PM, Reindl Haraldwrote: > > Google only showed discussions, Bugzilla and so on and finding the new > directive is hard - maybe the hint should made it into the changelog for GA > release Yes you're right, I should have mentioned that directive in the CHANGES entry. Unfortunately I'm afraid it's too late now, the 2.4.17 tag is frozen. Hopefully the (new) documentation will quickly be indexed...
Re: [VOTE] Release Apache httpd 2.4.17 as GA
Am 11.10.2015 um 21:14 schrieb Reindl Harald: Am 11.10.2015 um 21:07 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 8:59 PM, Reindl Haraldwrote: Google only showed discussions, Bugzilla and so on and finding the new directive is hard - maybe the hint should made it into the changelog for GA release Yes you're right, I should have mentioned that directive in the CHANGES entry. Unfortunately I'm afraid it's too late now, the 2.4.17 tag is frozen. Hopefully the (new) documentation will quickly be indexed... no problem since it's diabled by default "ab -c 100 -n 5 http://small-image.gif; did not make me that happy after a short test on a quadcore machine, after some time httpd stopped to respond for a tinay statical image with a few bytes # SO_REUSEPORT support # = 2.4.17> # ListenCoresBucketsRatio 4 # You might run into problems if your server accumulates to many TIME_WAIT connections. Check their number in the "netstat -an" output. ab without "-k" does in connection per request and if those are only used very short and the server is fast you can end up with a couple of 10.000s of TIME_WAIT connections (independent of SO_REUSEPORT). Regards, Rainer
Re: [VOTE] Release Apache httpd 2.4.17 as GA
Am 11.10.2015 um 21:25 schrieb Yann Ylavic: On Sun, Oct 11, 2015 at 9:14 PM, Reindl Haraldwrote: "ab -c 100 -n 5 http://small-image.gif; did not make me that happy after a short test on a quadcore machine, after some time httpd stopped to respond for a tinay statical image with a few bytes Hm, with 4 cores and a ratio of 4, there is only one bucket per listener, which is the same as the default. Did you try the same test without the directive or with a ratio of 0? (I rather suspect a connectivity issue with ab) i did not test it much and honestly i am not able to make a decision based on http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listencoresbucketsratio without the directive all is unchanged and stable 0 is not accepted which i would consider a bug given the docs days default "ListenCoresBucketsRatio 0 (disabled)" AH00526: Syntax error on line 48 of /etc/httpd/conf/httpd-core.conf: ListenCoresBucketsRatio must be > 0 = 2.4.17> ListenCoresBucketsRatio 0 __ i just wanted to test the new feature on a 4.2.3 kernel "ab" don't scale well but likely not a connectivity issue runnig it on the same machine like httpd signature.asc Description: OpenPGP digital signature