Re: New segfault with 2.4.20 with mod_perl

[Takashi Sato]

r->useragent_addr is assigned on ap_read_request (http_core.c),
called from ap_process_http_(async_)connection
called from process_connection hook (APR_HOOK_REALLY_LAST).

The SEGV occured on process_connection hook, maybe before
ap_process_http_(async_)connection,

#11 0x7fd44f91fd4f in modperl_callback_connection (idx=, c=,
run_mode=) at modperl_callback.c:359
#12 0x55feaf10cdf0 in ap_run_process_connection
(c=c@entry=0x7fd4461f22b8) at connection.c:42
#13 0x55feaf10d340 in ap_process_connection
(c=c@entry=0x7fd4461f22b8, csd=csd@entry=0x7fd4461f20a0)
at connection.c:226

so r->useragent_addr had not been assigned any value.

Re: Allow SSLProxy* config in context?

[Christian Folini]

Rainer,

There is a commercial apache-based reverse proxy in Switzerland 
(with substantial market share) which is able to use / create
a client certificate _per_ session.

So the client connects to the RP, performs authentication. When
creating the session serverside, the RP creates a client cert and
fills it with information received from the client and binds this
cert to the session. Then it connects to the backend and uses this
dynamic client cert in the handshake.

I realise this is way beyond what Apache is capable of doing. But
when looking into the limitations of SSLProxy..., one might consider
an architecture, that would allow this. Maybe not immediately, but
sometime down the road.

Best,

Christian


-- 
Seek simplicity, and distrust it.
-- Alfred North Whitehead

Re: Allow SSLProxy* config in context?

[Daniel Ruggeri]

On 4/13/2016 2:22 PM, Rainer Jung wrote:
>
> We could pass the worker name from mod_proxy to mod_ssl via a
> connection note, similar to currently already passing the SNI name via
> the connection note proxy-request-hostname.

+1 on the connection note idea, but see below about having to inform the
callback function about too much information

On 4/13/2016 10:04 AM, Graham Leggett wrote:
> What I had in mind was a syntax where the certs were named, for example:
>
> SSLProxyCertificate foo /path/to/foo.cert
>
> Followed somewhere else by:
>
> 
>   SSLProxyEnable foo
> 

On one hand, this is an attractive idea because we have already
conditioned users/administrators to think about naming things via config
as you can do with authn providers and aliases.

On another hand, there are two gotchas I see. Giving something a name in
the configuration does not necessarily mean anything to the file or
certificate store because they aren't married in the same way that authn
providers and their aliases are. That is, if a different team/individual
manages the certificate store than the server configuration, the two
would have to keep in sync with additions or removals. This can be a
PITA if you have a short certificate lifecycle and have to renew often.
PLUS, there are cases where there may be many certificates in the file.
Combine that with the previous point and you could have a nightmare.

Perhaps in addition to or instead of aliases via config, something more
"dynamic" could be used where a DN, CN or some other attribute about the
cert that was parsed during startup becomes the representation?


   ...
  #As today
   SSLProxyMachineCertificateFile /path/to/file
   
  #Plus new stuff
  SSLProxyMachineCertificateCN myIdentity
  #or
  SSLProxyMachineCertificateDN /C=US/ST=Missouri/L=St.
Louis/O=BitNebula/CN=DanielRuggeri.bitnebula.com
   


This could be a really clean solution because the proxy can just pass
this name or DN to the ssl module in a note and the ssl module could
make the selection of certs from that data.

Stashing this (completely untested and thrown together) code around line
1778 in modules/ssl/ssl_engine_kernel.c could be all that's needed in
mod_ssl
char *preferred_name;
..
if (preferred_name) {
for (i = 0; i < sk_X509_INFO_num(certs); i++) {
X509_NAME *name;
info = sk_X509_INFO_value(certs, i);
name = X509_get_subject_name(inf->x509);

for(j = 0; j < X509_NAME_entry_count(name); j++) {
const char *this_name = //something
if (strcmp(preferred_name, this_name) == 0) {
modssl_proxy_info_log(c, info, APLOGNO(02279)
  "found acceptable cert");

modssl_set_cert_info(info, x509, pkey);
return TRUE;
}
}
}
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(00)
SSLPROXY_CERT_CB_LOG_FMT
"server configuration requested certificate name %s"
"but it was not found in the certificate store",
preferred_name);
}



I haven't cracked open the proxy code to see what it would take to
collapse this down to a per proxy/worker/etc, but it doesn't seem like
terrible endeavor.

-- 
Daniel Ruggeri

Re: New segfault with 2.4.20 with mod_perl

[William A Rowe Jr]

I wrote the patch for ap_get_useragent_host, but am not familiar
with the details of the report.  Researching...




On Wed, Apr 13, 2016 at 5:33 PM, Stefan Fritsch  wrote:

> Hi,
>
> I got a report about a new crash in mod_perl tests with 2.4.20:
>
> (gdb) bt
> #0  apr_getnameinfo (hostname=hostname@entry=0x7fd4461ee368,
> sockaddr=0x0, flags=flags@entry=0)
> at /tmp/buildd/apr-1.5.2/network_io/unix/sockaddr.c:663
> #1  0x55feaf0f513a in ap_get_useragent_host
> (r=r@entry=0x7fd4461ee0a0, type=type@entry=3,
> str_is_ip=str_is_ip@entry=0x7fd44740c9c4) at core.c:990
> #2  0x7fd4519d7212 in find_allowdeny (r=r@entry=0x7fd4461ee0a0,
> method=method@entry=0, a=,
> a=) at mod_access_compat.c:279
> #3  0x7fd4519d74b2 in check_dir_access (r=0x7fd4461ee0a0) at
> mod_access_compat.c:332
> #4  0x55feaf0f8f30 in ap_run_access_checker
> (r=r@entry=0x7fd4461ee0a0) at request.c:87
> #5  0x7fd448a6f7dd in XS_Apache2__RequestRec_run_access_checker
> (my_perl=0x55feb2964a20, cv=)
> at HookRun.c:235
>
> Does this ring a bell with anyone?
>
> More info is at
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820824
>
> Cheers,
> Stefan
>
>

New segfault with 2.4.20 with mod_perl

[Stefan Fritsch]

Hi,

I got a report about a new crash in mod_perl tests with 2.4.20:

(gdb) bt
#0  apr_getnameinfo (hostname=hostname@entry=0x7fd4461ee368, 
sockaddr=0x0, flags=flags@entry=0)
at /tmp/buildd/apr-1.5.2/network_io/unix/sockaddr.c:663
#1  0x55feaf0f513a in ap_get_useragent_host 
(r=r@entry=0x7fd4461ee0a0, type=type@entry=3, 
str_is_ip=str_is_ip@entry=0x7fd44740c9c4) at core.c:990
#2  0x7fd4519d7212 in find_allowdeny (r=r@entry=0x7fd4461ee0a0, 
method=method@entry=0, a=, 
a=) at mod_access_compat.c:279
#3  0x7fd4519d74b2 in check_dir_access (r=0x7fd4461ee0a0) at 
mod_access_compat.c:332
#4  0x55feaf0f8f30 in ap_run_access_checker 
(r=r@entry=0x7fd4461ee0a0) at request.c:87
#5  0x7fd448a6f7dd in XS_Apache2__RequestRec_run_access_checker 
(my_perl=0x55feb2964a20, cv=)
at HookRun.c:235

Does this ring a bell with anyone?

More info is at

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820824

Cheers,
Stefan

Re: [Bug 53555] Scoreboard full error with event/ssl

[Stefan Fritsch]

On Monday 11 April 2016 18:12:43, Eric Covener wrote:
> On Mon, Apr 11, 2016 at 4:59 PM,   wrote:
> > ServerLimit >= 10 * MaxRequestWorkers / ThreadsPerChild
> 
> Hi Stefan -- I am curious -- prior to the recent patches, just
> having the extra capacity in ServerLimit didn't help / didn't help
> as much?

No, without the patches attached to the PR, ServerLimit does not play 
any role for this issue. Only the scoreboard entries up to 
(MaxRequestWorkers / ThreadsPerChild) will ever be used.

The state in 2.4 is that scoreboard entries of processes where some 
threads have already terminated would get re-used, but there is no 
code that terminate threads before the whole process terminates.

In trunk, I have added logic to terminate threads as soon as possible 
during graceful finishing of a process. But the reason for that is 
that I want old processes to use as few resources as possible. I am 
not sure that new processes re-using the scoreboard entries of those 
threads is a good idea. In the worst case, you could get 
ThreadsPerChild processes that each use one worker slot in the 
scoreboard area of a single process.

Maybe it would be better to remove the logic to re-use scoreboard 
slots of processes which have already terminated some threads. 
Instead, one could use the scoreboard area abore (MaxRequestWorkers / 
ThreadsPerChild) more aggressively, and maybe even allocate some 
additional slack space at startup. There could be these config knobs:

- the max number of fully active processes (ServerLimit)

- the max number of gracefully finishing processes ("OldServerLimit"?)

- what to do if OldServerLimit is reached during a graceful restart:
  * reduce the max number of fully active processes accordingly
  * kill off old processes

- what to do if OldServerLimit during normal operation:
  * stop doing idle-cleanup of fully active processes [X]
  * kill off old processes

Hmm. Now that I think of it, I think we should really do [X] if there 
are too many old processes. The only question is how to define too 
many.

Any thoughts?

Re: allow newlines in T_ESCAPE_LOGITEM?

[Daniel Lescohier]

It's especially important when doing log processing on Apache Hadoop, if
you give uncompressed text files as input files to a Hadoop job, it'd split
large log files on newlines to be processed on multiple nodes.  That split
should be done on a record boundary.

On Wed, Apr 13, 2016 at 5:16 PM, Yann Ylavic  wrote:

> On Wed, Apr 13, 2016 at 11:08 PM, Eric Covener  wrote:
> > On Wed, Apr 13, 2016 at 5:05 PM, Daniel Lescohier
> >  wrote:
> >> Isn't T_ESCAPE_LOGITEM also used by mod_log_config's use of
> >> ap_escape_logitem?  We rely on the API that data from HTTP requests
> that are
> >> logged in our mod_log_config logfiles are newline-escaped, so that one
> line
> >> in the logfile is parsed as one log entry.  Our parsers first split on
> >> newline to get records, then splits the fields of the record on the
> field
> >> delimiter to get fields, then it unescapes the backslash-escapes to get
> the
> >> original data for that field.
> >
> > You make a good point, it couldn't change and affect current callers
> > of ap_escape_logitem().
>
> IMHO, even ErrorLog shouldn't contain splitted lines (w/o "[date]
> [level] [pid]" prefix).
>

Re: allow newlines in T_ESCAPE_LOGITEM?

[Yann Ylavic]

On Wed, Apr 13, 2016 at 11:08 PM, Eric Covener  wrote:
> On Wed, Apr 13, 2016 at 5:05 PM, Daniel Lescohier
>  wrote:
>> Isn't T_ESCAPE_LOGITEM also used by mod_log_config's use of
>> ap_escape_logitem?  We rely on the API that data from HTTP requests that are
>> logged in our mod_log_config logfiles are newline-escaped, so that one line
>> in the logfile is parsed as one log entry.  Our parsers first split on
>> newline to get records, then splits the fields of the record on the field
>> delimiter to get fields, then it unescapes the backslash-escapes to get the
>> original data for that field.
>
> You make a good point, it couldn't change and affect current callers
> of ap_escape_logitem().

IMHO, even ErrorLog shouldn't contain splitted lines (w/o "[date]
[level] [pid]" prefix).

Re: allow newlines in T_ESCAPE_LOGITEM?

[Eric Covener]

On Wed, Apr 13, 2016 at 5:05 PM, Daniel Lescohier
 wrote:
> Isn't T_ESCAPE_LOGITEM also used by mod_log_config's use of
> ap_escape_logitem?  We rely on the API that data from HTTP requests that are
> logged in our mod_log_config logfiles are newline-escaped, so that one line
> in the logfile is parsed as one log entry.  Our parsers first split on
> newline to get records, then splits the fields of the record on the field
> delimiter to get fields, then it unescapes the backslash-escapes to get the
> original data for that field.

You make a good point, it couldn't change and affect current callers
of ap_escape_logitem().

Re: allow newlines in T_ESCAPE_LOGITEM?

[Daniel Lescohier]

Isn't T_ESCAPE_LOGITEM also used by mod_log_config's use of
ap_escape_logitem?  We rely on the API that data from HTTP requests that
are logged in our mod_log_config logfiles are newline-escaped, so that one
line in the logfile is parsed as one log entry.  Our parsers first split on
newline to get records, then splits the fields of the record on the field
delimiter to get fields, then it unescapes the backslash-escapes to get the
original data for that field.

On Wed, Apr 13, 2016 at 3:43 PM, Eric Covener  wrote:

> Currently newlines get backslash-escaped if written to the errorlog.
> This is via server/gen_test_char.c and stems from an ancient vuln
> about escape sequences in log files potentially affecting peoples
> terminals when cat'ed.
>
> On a few occasions I have worked with some libraries that return a
> newline-formatted buffer that I'd love to dump to the error log
> without scanning and splitting up into multiple log entries.
>
> I also occasionally see \n's from third-party mods once in a while.
>
> Any opinions on punching a hole for \n in T_ESCAPE_LOGITEM?
>

Re: svn commit: r1732275 - in /httpd/httpd/branches/2.4.x: ./ include/ap_mmn.h include/http_connection.h include/scoreboard.h modules/generators/mod_status.c modules/ssl/ssl_engine_kernel.c server/con

[Jim Jagielski]

The old behavior was expected, and very, very useful. It
was made that way for a reason.

+1 on reverting to old behavior...

> On Apr 13, 2016, at 4:04 PM, Yann Ylavic  wrote:
> 
> On Thu, Feb 25, 2016 at 11:27 AM,   wrote:
>> Author: icing
>> Date: Thu Feb 25 10:27:27 2016
>> New Revision: 1732275
>> 
>> URL: http://svn.apache.org/viewvc?rev=1732275&view=rev
>> Log:
>> merging pre_close_connection hook, prep_lingering_close and 
>> ap_update_child() additions from trunk
>> 
>> Modified:
> []
>>httpd/httpd/branches/2.4.x/server/scoreboard.c
> []
>> 
>> Modified: httpd/httpd/branches/2.4.x/server/scoreboard.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/scoreboard.c?rev=1732275&r1=1732274&r2=1732275&view=diff
>> ==
>> --- httpd/httpd/branches/2.4.x/server/scoreboard.c (original)
>> +++ httpd/httpd/branches/2.4.x/server/scoreboard.c Thu Feb 25 10:27:27 2016
>> @@ -32,6 +32,7 @@
>> #include "http_main.h"
>> #include "http_core.h"
>> #include "http_config.h"
>> +#include "http_protocol.h"
>> #include "ap_mpm.h"
>> 
>> #include "scoreboard.h"
>> @@ -457,7 +458,9 @@ static int update_child_status_internal(
>> int thread_num,
>> int status,
>> conn_rec *c,
>> -request_rec *r)
>> +server_rec *s,
>> +request_rec *r,
>> +const char *descr)
>> {
>> int old_status;
>> worker_score *ws;
> []
>> @@ -489,28 +495,44 @@ static int update_child_status_internal(
>> }
>> ws->conn_count = 0;
>> ws->conn_bytes = 0;
>> +ws->last_used = apr_time_now();
>> }
>> -if (r) {
>> -const char *client = ap_get_remote_host(c, r->per_dir_config,
>> - REMOTE_NOLOOKUP, NULL);
>> -if (!client || !strcmp(client, c->client_ip)) {
>> -apr_cpystrn(ws->client, r->useragent_ip, 
>> sizeof(ws->client));
>> +if (status == SERVER_READY) {
>> +ws->client[0]='\0';
>> +ws->vhost[0]='\0';
>> +ws->request[0]='\0';
>> +ws->protocol[0]='\0';
>> +}
> 
> This seems to have changed mod_status' output.
> Prior to this change the previous values were displayed until the
> worker was reused for another connection/request, now it is reset as
> soon as the worker is idle (i.e. each connection/request end).
> 
> I prefer the new behaviour, but there are some concerns on users@...

Re: svn commit: r1732275 - in /httpd/httpd/branches/2.4.x: ./ include/ap_mmn.h include/http_connection.h include/scoreboard.h modules/generators/mod_status.c modules/ssl/ssl_engine_kernel.c server/con

[Yann Ylavic]

On Thu, Feb 25, 2016 at 11:27 AM,   wrote:
> Author: icing
> Date: Thu Feb 25 10:27:27 2016
> New Revision: 1732275
>
> URL: http://svn.apache.org/viewvc?rev=1732275&view=rev
> Log:
> merging pre_close_connection hook, prep_lingering_close and ap_update_child() 
> additions from trunk
>
> Modified:
[]
> httpd/httpd/branches/2.4.x/server/scoreboard.c
[]
>
> Modified: httpd/httpd/branches/2.4.x/server/scoreboard.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/scoreboard.c?rev=1732275&r1=1732274&r2=1732275&view=diff
> ==
> --- httpd/httpd/branches/2.4.x/server/scoreboard.c (original)
> +++ httpd/httpd/branches/2.4.x/server/scoreboard.c Thu Feb 25 10:27:27 2016
> @@ -32,6 +32,7 @@
>  #include "http_main.h"
>  #include "http_core.h"
>  #include "http_config.h"
> +#include "http_protocol.h"
>  #include "ap_mpm.h"
>
>  #include "scoreboard.h"
> @@ -457,7 +458,9 @@ static int update_child_status_internal(
>  int thread_num,
>  int status,
>  conn_rec *c,
> -request_rec *r)
> +server_rec *s,
> +request_rec *r,
> +const char *descr)
>  {
>  int old_status;
>  worker_score *ws;
[]
> @@ -489,28 +495,44 @@ static int update_child_status_internal(
>  }
>  ws->conn_count = 0;
>  ws->conn_bytes = 0;
> +ws->last_used = apr_time_now();
>  }
> -if (r) {
> -const char *client = ap_get_remote_host(c, r->per_dir_config,
> - REMOTE_NOLOOKUP, NULL);
> -if (!client || !strcmp(client, c->client_ip)) {
> -apr_cpystrn(ws->client, r->useragent_ip, sizeof(ws->client));
> +if (status == SERVER_READY) {
> +ws->client[0]='\0';
> +ws->vhost[0]='\0';
> +ws->request[0]='\0';
> +ws->protocol[0]='\0';
> +}

This seems to have changed mod_status' output.
Prior to this change the previous values were displayed until the
worker was reused for another connection/request, now it is reset as
soon as the worker is idle (i.e. each connection/request end).

I prefer the new behaviour, but there are some concerns on users@...

allow newlines in T_ESCAPE_LOGITEM?

[Eric Covener]

Currently newlines get backslash-escaped if written to the errorlog.
This is via server/gen_test_char.c and stems from an ancient vuln
about escape sequences in log files potentially affecting peoples
terminals when cat'ed.

On a few occasions I have worked with some libraries that return a
newline-formatted buffer that I'd love to dump to the error log
without scanning and splitting up into multiple log entries.

I also occasionally see \n's from third-party mods once in a while.

Any opinions on punching a hole for \n in T_ESCAPE_LOGITEM?

Re: Allow SSLProxy* config in context?

[Rainer Jung]

Am 13.04.2016 um 19:49 schrieb Rainer Jung:

Am 13.04.2016 um 17:04 schrieb Graham Leggett:

On 13 Apr 2016, at 12:40 PM, Rainer Jung  wrote:


I stumbled into a situation where a reverse proxy had two different
backends behind the same VHost of the proxy. Both backends demand
client certs as becomes more and more common for services today.
Unfortunately the CA which issues the client certs in both cases is
the same CA, but the demanded client cert is individual to the
backend services.

As far as I can see, this is currently not configurable. The
SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath
only work on the VHost level and the client cert detection algo in
ssl_callback_proxy_cert() chooses the first client cert it can find
which was issued b the right CA. No way to distinguish further.

To me it looks like the "right" way of handling SSLProxy* config
would be per . Did anyone else already encounter a similar
problem? Any thoughts or experiments on how to solve this for the
future?


I looked at this a while back.

The catch is that mod_ssl forces us to declare SSL certs and keys
server wide, not per directory, loaded and parsed at startup. We
however want to specify certs per directory.


Per directory or better in some new way per proxy backend (or proxy
worker, proxy balancer).


What I had in mind was a syntax where the certs were named, for example:

SSLProxyCertificate foo /path/to/foo.cert

Followed somewhere else by:


   SSLProxyEnable foo



I would also like to prevent using per dir config, directory walk etc.

Like (I think) proxy has it's backend config in per server structures
which are lists of backends with names, the proxy ssl config could be a
list of traditional ssl configs indexed by name. Name could be like you
suggest a name given via additional directive attributes, or simply the
balancer name (URL) given in the opening  tag of the proxy
container.

What I haven't yet investigated is, how easy one could pass the worker
or balancer name from mod_proxy to mod_ssl, so that mod_ssl can choose
the correct ssl proxy config (without coupling the proxy and ssl details
too close to each other). Another thing is getting a hand at the URL
when the SSLProxy* directive is handled inside  during directive
parsing. Maybe similar to how mod_proxy does it.

Yes, that looks like a deeper coupling of mod_ssl and mod_proxy, but the
whole use case of mod_ssl as an client currently is coupled to the proxy
setup, so it doesn't look wrong to "fully" support SSLProxy* per .


We could pass the worker name from mod_proxy to mod_ssl via a connection 
note, similar to currently already passing the SNI name via the 
connection note proxy-request-hostname.



I guess we need to prototype something.


Regards,

Rainer

Re: Allow SSLProxy* config in context?

[Rainer Jung]

Am 13.04.2016 um 17:04 schrieb Graham Leggett:

On 13 Apr 2016, at 12:40 PM, Rainer Jung  wrote:


I stumbled into a situation where a reverse proxy had two different backends 
behind the same VHost of the proxy. Both backends demand client certs as 
becomes more and more common for services today. Unfortunately the CA which 
issues the client certs in both cases is the same CA, but the demanded client 
cert is individual to the backend services.

As far as I can see, this is currently not configurable. The 
SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath only work on 
the VHost level and the client cert detection algo in ssl_callback_proxy_cert() 
chooses the first client cert it can find which was issued b the right CA. No 
way to distinguish further.

To me it looks like the "right" way of handling SSLProxy* config would be per 
. Did anyone else already encounter a similar problem? Any thoughts or experiments 
on how to solve this for the future?


I looked at this a while back.

The catch is that mod_ssl forces us to declare SSL certs and keys server wide, 
not per directory, loaded and parsed at startup. We however want to specify 
certs per directory.


Per directory or better in some new way per proxy backend (or proxy 
worker, proxy balancer).



What I had in mind was a syntax where the certs were named, for example:

SSLProxyCertificate foo /path/to/foo.cert

Followed somewhere else by:


   SSLProxyEnable foo



I would also like to prevent using per dir config, directory walk etc.

Like (I think) proxy has it's backend config in per server structures 
which are lists of backends with names, the proxy ssl config could be a 
list of traditional ssl configs indexed by name. Name could be like you 
suggest a name given via additional directive attributes, or simply the 
balancer name (URL) given in the opening  tag of the proxy 
container.


What I haven't yet investigated is, how easy one could pass the worker 
or balancer name from mod_proxy to mod_ssl, so that mod_ssl can choose 
the correct ssl proxy config (without coupling the proxy and ssl details 
too close to each other). Another thing is getting a hand at the URL 
when the SSLProxy* directive is handled inside  during directive 
parsing. Maybe similar to how mod_proxy does it.


Yes, that looks like a deeper coupling of mod_ssl and mod_proxy, but the 
whole use case of mod_ssl as an client currently is coupled to the proxy 
setup, so it doesn't look wrong to "fully" support SSLProxy* per .


I guess we need to prototype something.

Regards,

Rainer

Re: Allow SSLProxy* config in context?

[Graham Leggett]

On 13 Apr 2016, at 12:40 PM, Rainer Jung  wrote:

> I stumbled into a situation where a reverse proxy had two different backends 
> behind the same VHost of the proxy. Both backends demand client certs as 
> becomes more and more common for services today. Unfortunately the CA which 
> issues the client certs in both cases is the same CA, but the demanded client 
> cert is individual to the backend services.
> 
> As far as I can see, this is currently not configurable. The 
> SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath only work 
> on the VHost level and the client cert detection algo in 
> ssl_callback_proxy_cert() chooses the first client cert it can find which was 
> issued b the right CA. No way to distinguish further.
> 
> To me it looks like the "right" way of handling SSLProxy* config would be per 
> . Did anyone else already encounter a similar problem? Any thoughts or 
> experiments on how to solve this for the future?

I looked at this a while back.

The catch is that mod_ssl forces us to declare SSL certs and keys server wide, 
not per directory, loaded and parsed at startup. We however want to specify 
certs per directory.

What I had in mind was a syntax where the certs were named, for example:

SSLProxyCertificate foo /path/to/foo.cert

Followed somewhere else by:


  SSLProxyEnable foo


Regards,
Graham
—

Revision to Release Question (esp rev 1692258)

[J Harri]

I need a change for httpd/mod_ssl that was committed to the project's source 
code repository back on 2015-07-22 ( 
https://svn.apache.org/viewvc?view=revision&revision=1692258). I checked the 
source tarball for the most current release, httpd 2.4.20, downloaded from 
https://httpd.apache.org/download.cgi and it does not contain the revision even 
though that release was just issued 2016-04-11. Nor can I find any httpd 2.2.x 
release that contains the revision.

How can I determine if and when a revision will be released?

Re: Allow SSLProxy* config in context?

[Stefan Eissing]

> Am 13.04.2016 um 12:55 schrieb Yann Ylavic :
> 
> On Wed, Apr 13, 2016 at 12:40 PM, Rainer Jung  wrote:
>> 
>> To me it looks like the "right" way of handling SSLProxy* config would be
>> per .
> 
> ++1

+1

> 
>> Did anyone else already encounter a similar problem? Any
>> thoughts or experiments on how to solve this for the future?
> 
> Not sure how to handle this since  is in mod_proxy whereas
> SSLProxy* are in mod_ssl.
>  is a dir_config still, not sure how we could make it
> available/shared in/with mod_ssl...

For the user it makes more sense to have Proxy settings inside . I 
always found the SSLProxy* confusing, although I can of course understand how 
implementation drove this...

-Stefan

Re: Allow SSLProxy* config in context?

[Yann Ylavic]

On Wed, Apr 13, 2016 at 12:40 PM, Rainer Jung  wrote:
>
> To me it looks like the "right" way of handling SSLProxy* config would be
> per .

++1

> Did anyone else already encounter a similar problem? Any
> thoughts or experiments on how to solve this for the future?

Not sure how to handle this since  is in mod_proxy whereas
SSLProxy* are in mod_ssl.
 is a dir_config still, not sure how we could make it
available/shared in/with mod_ssl...

Regards,
Yann.

Allow SSLProxy* config in context?

[Rainer Jung]

I stumbled into a situation where a reverse proxy had two different 
backends behind the same VHost of the proxy. Both backends demand client 
certs as becomes more and more common for services today. Unfortunately 
the CA which issues the client certs in both cases is the same CA, but 
the demanded client cert is individual to the backend services.


As far as I can see, this is currently not configurable. The 
SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath only 
work on the VHost level and the client cert detection algo in 
ssl_callback_proxy_cert() chooses the first client cert it can find 
which was issued b the right CA. No way to distinguish further.


To me it looks like the "right" way of handling SSLProxy* config would 
be per . Did anyone else already encounter a similar problem? Any 
thoughts or experiments on how to solve this for the future?


Regards,

Rainer