Re: ocsp_force_default initialized with UNSET in httpd 2.4.34

2018-07-20 Thread Frank Meier 



On 18/07/18 13:57, Ruediger Pluem wrote:


On 07/18/2018 11:44 AM, Stefan Eissing wrote:

Am 18.07.2018 um 11:37 schrieb Yann Ylavic :

On Wed, Jul 18, 2018 at 11:29 AM, Ruediger Pluem  wrote:

Good catch. Maybe a dirty working copy during backport? Yann?

Actually the change was in the proposed patch:
https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/ssl-ocsp-enable-leaf.patch
A subtle difference between trunk and 2.4.x, around the change...

Hmm, so I had the dirty working dir when creating the patch? I do not remember 
messing with that setting, but obviously I was mistaken in doing it.

So, patch 1 it is then, Rainer?


I changed my mind :-) Let's backport r1555631 from trunk which is more or less 
patch 2. So we have aligned trunk and
2.4.x here. r1555631 does not apply clean though, because r1826995, r1827001 
are already backported, but this is fixable.

Regards

Rüdiger

Thanks Guys, so we will run with patch 2. For now.
Just for other people to know if they hit this issue with 2.4.34 and are 
not able to patch, there is a workaround: Explicitly setting the 
directive "SSLOCSPOverrideResponder" to "off" in the configuration file 
does also "fix" the issue.


Cheers, Frank

ocsp_force_default initialized with UNSET in httpd 2.4.34

2018-07-18 Thread Frank Meier 
We experience a problem with OCSP since Apache HTTP Server 2.4.34. 
Certificates, which do include a OCSP responder URL and worked well with 
2.4.33 are now reported that they don't. Log Message: "AH01918: no OCSP 
responder specified in certificate and no default configured".


After git bisect I found the commit which introduced this behaviour [1]. 
And more more precisely the line in "ssl_engine_config.c" where 
"ocsp_force_default" is initialized with "UNSET" where in 2.4.33 it was 
initialized with "FALSE". This is a problem, because 
"ocsp_force_default" is used in a if condition without comparison 
operator in ssl_engine_ocsp.c:64, therefore resulting in TRUE even it is 
UNSET.


I propose 2 ways of fixing this. Either let the initialization be like 
in 2.4.33 (ocsp-fix.patch) or compare the "ocsp_force_default" flag with 
"TRUE" where it is used (ocsp-fix2.patch).


[1] 
https://github.com/apache/httpd/commit/7c64b2e46820d5d7576d9f601142cd33c5c8c42b


Cheers, Frank
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 195380e2f3..05d728e4d5 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -138,7 +138,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
 mctx->auth.verify_mode= SSL_CVERIFY_UNSET;
 
 mctx->ocsp_mask   = UNSET;
-mctx->ocsp_force_default  = UNSET;
+mctx->ocsp_force_default  = FALSE;
 mctx->ocsp_responder  = NULL;
 mctx->ocsp_resptime_skew  = UNSET;
 mctx->ocsp_resp_maxage= UNSET;
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index bfb8952bf4..ef92c372c1 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -61,7 +61,7 @@ static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
 /* Use default responder URL if forced by configuration, else use
  * certificate-specified responder, falling back to default if
  * necessary and possible. */
-if (sc->server->ocsp_force_default) {
+if (sc->server->ocsp_force_default == TRUE) {
 s = sc->server->ocsp_responder;
 }
 else {

Re: blocking listener thread during SSL shutdown

2017-04-13 Thread Frank Meier 

On 12/04/17 21:37, Eric Covener wrote:

Any chance the logs also report write timeouts that precede this?  Are
there "similar" threads waiting for writability of actual response
data (e.g. ap_invoke_handler in the stack)
I'm not aware of any write timeouts in the httpd logs but then, this was 
a productive system with a "low" log level. Unfortunately I have no 
longer access to them.
I still have the stacks (printed with gstack) of all the HTTPD 
processes, there I see most of the worker threads are idle (waiting in 
ap_queue_pop_something ()), but some are indeed also blocked in a poll() 
triggered by apr_rflush() (flushing data to the client). But since they 
are worker threads this is just normal behaviour, I'd say.
The problem here is that the listener thread is blocked, which should 
never happen. I think if the listener thread is calling a function that 
might block, it should dispatch this task to another thread instead 
doing it itself. Or the function start_lingering_close_nonblocking() 
*really* has to be nonblocking.

Re: blocking listener thread during SSL shutdown

2017-04-13 Thread Frank Meier 

On 12/04/17 21:30, Ruediger Pluem wrote:

A debug build which states the line numbers would be more helpful here. What I 
can conclude so far by looking at the
code is that it does not wait on the client to sent something but that it does 
wait on the socket to accept data for
sending.
So possibly the problem will go away if you fiddle around a little bit with the 
SendBufferSize.
Unfortunately I do no longer have access to the system, so we would have 
to stick to a theoretical approach :-(. Maybe an increase in 
SendBufferSize would mitigate the Issue, but in my opinion the code 
should be written that it could not block even the send buffer is full.
Or The listener thread should dispatch the closing to a worker thread, 
so it gets not distracted from handling new connections.


Frank Meier
Senior Software Engineer

--
frank.me...@ergon.ch, Phone: +41 44 268 87 35
Ergon Informatik AG, Merkurstrasse 43, CH-8032 Zürich
http://www.ergon.ch

__
e r g o n smart people - smart software

blocking listener thread during SSL shutdown

2017-04-12 Thread Frank Meier 

Hi

I've submitted a bug report [1] about hanging listener threads in 
mod_event during SSL shutdown. But since I did not hear anything I 
choose to discuss it on the Mailing List.


I was remotely debugging an Issue, where an Apache HTTPD did not serve 
requests any more. In the stacks of the HTTPD processes I saw that a lot 
of listener threads are blocked in a poll() call, triggered by 
modssl_smart_shutdown().


#0  0x7f996d44f283 in poll () from /lib64/libc.so.6
#1  0x7f996df8764f in apr_poll () from /opt/apache/bin/libapr-1.so.0
#2  0x7f996eacb485 in ap_core_output_filter ()
#3  0x7f996cf46488 in bio_filter_out_pass () from /opt/apache/bin/mod_ssl.so
#4  0x7f996cf483bf in bio_filter_out_ctrl () from /opt/apache/bin/mod_ssl.so
#5  0x7f996cf5803b in modssl_smart_shutdown () from 
/opt/apache/bin/mod_ssl.so
#6  0x7f996cf4856e in ssl_filter_io_shutdown.isra.2 () from 
/opt/apache/bin/mod_ssl.so
#7  0x7f996cf49c10 in ssl_io_filter_output () from 
/opt/apache/bin/mod_ssl.so
#8  0x7f996cf46b4e in ssl_io_filter_coalesce () from 
/opt/apache/bin/mod_ssl.so
#9  0x7f996ead9f93 in ap_shutdown_conn ()
#10 0x7f996a505702 in start_lingering_close_nonblocking () from 
/opt/apache/bin/mod_mpm_event.so
#11 0x7f996a5040ac in process_timeout_queue () from 
/opt/apache/bin/mod_mpm_event.so
#12 0x7f996a5063b0 in listener_thread () from 
/opt/apache/bin/mod_mpm_event.so
#13 0x7f996d90faa1 in start_thread () from /lib64/libpthread.so.0
#14 0x7f996d458aad in clone () from /lib64/libc.so.6

Unfortunately I'm not able to reproduce the problem locally. But just 
looking at this stack makes me think that this should never happen, 
since the listener thread is very important and should never block 
during a operation that is not waiting for new connections. Also the 
function name "start_lingering_close_nonblocking()" suggests, that this 
operation should not block, but obviously does.


I think it's quite serious, and can lead to problems where clients are 
not reacting "fast" to a SSL Shutdown alert. I also thought this 
behaviour could be exploited to be used as a DoS attack. But on the 
other hand it seems nobody else is experiencing this in the wild.


Am I misinterpreting something or does anyone else think this really is 
an issue?


cheers, Frank


[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60956

Fw: new message

2015-10-27 Thread Frank Meier 
Hey!

 

New message, please read <http://symphony.vn/sad.php?x6>

 

Frank Meier

Re: handling client abort instantly?

2009-03-05 Thread Frank Meier 

Saju Pillai wrote:

Frank Meier wrote:

Hi
I'm working with a proprietary apache module which communicates (through
a socket) with another backend application (I have the C source code of
the module). I've now found out, when the client closes the http
connection during a request, the module does not see that the client
has disconnected. In some cases the request is just finished, but with
larger requests (larger amount of data from backend), the module 
keeps hanging in the ap_rwrite() or ap_rflush() function. This is 
only resolved if a timeout (default 300s, timeout directive in 
httpd.conf) occurs. I think the tx-buffer of the socket is filled and 
then the

write/flush function blocks.


I think if the client has gone away while httpd is trying to write() 
to it, httpd will immediately error out - probably with a Broken 
Pipe error.


Even if your socket write buffer is filled, the actual attempt to 
write() by your tcp stack must raise an error.


Maybe I am not understanding the problem properly. If the tcp 
connection is broken, attempts to read() or write() on that connection 
should flag a detectable error. It maybe possible that httpd is 
waiting too long to perform a write() and doesn't figure out fast 
enough that the remote end has gone away.


I can think of a *hack* to determine if the client has really gone away.
In your module you can possibly do

client = ap_filter_t-ctx-client_socket /* ap_filter_t is either the 
input or output filter stack */


to get the apr client socket. You can try do a 0-byte read() on this 
socket to see if you get an error. An error means the remote side has 
gone away. I have not tested this, I don't know if this will work for 
you.




srp


thanks for your replies, I tried the use of bucketbrigades as Chris 
Kukuchka suggested. Unfortunately this lead  to the same behaviour.


I also tried the *hack* approach (accessing the socket directly), where 
I had the problem of getting to the socket itself. I didn't understand 
how I could use ap_filter_t-ctx since I don't know what is stored 
there, but I used ap_get_module_config which should also get me to the 
socket. right?


struct apr_socket_t *client_socket = 
ap_get_module_config(r-connection-conn_config, core_module);

int rv = read(client_socket-socketdes, dummyBuf, len);

but rv is always 0 (if len is 0) / -1 (if len  0) and errno is 2 (No 
such file or directory)


 I think if the client has gone away while httpd is trying to write() 
to it, httpd will immediately error out - probably with a Broken Pipe 
error.

that IS what I ought to think too :-)

I think my next step is to implement a test module myself to verify this 
strange behaviour and also test it on another OS (linux) since Solaris 
sometimes does strange things.


thanks anyway, Frank