Re: Apache Benchmark SNI SSL

2016-07-02 Thread Yann Ylavic
On Sat, Jul 2, 2016 at 2:02 PM, Kean Johnston  wrote:
> On 2016-07-01 5:22 PM, Yann Ylavic wrote:
>>
>> http://home.apache.org/~ylavic/patches/httpd-2.4.x-ab_sni.patch.
>
> This line worries me:
>
> +#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
>
> That assumes that SSL_set_tlsext_host_name will always be implemented as a
> macro by OpenSSL, which is not a safe assumption.

This is the same check as in httpd, so it's not very critical, I guess.

>
> Is SSL_CTRL_SET_TLSEXT_HOSTNAME not a more appropriate macro to check?

Actually SSL_set_tlsext_host_name is defined in terms of SSL_ctrl(..,
SSL_CTRL_SET_TLSEXT_HOSTNAME, ...), so if/when they decide to make it a
real function, they'll likely remove SSL_CTRL_SET_TLSEXT_HOSTNAME
altogether, and we'll break too...

Regards,
Yann.




Re: Apache Benchmark SNI SSL

2016-07-02 Thread Kean Johnston

On 2016-07-01 5:22 PM, Yann Ylavic wrote:

http://home.apache.org/~ylavic/patches/httpd-2.4.x-ab_sni.patch.

This line worries me:

+#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
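Review bot: the `defined(SSL_set_tlsext_host_name)` test only holds while the library exposes that name as a preprocessor macro; wherever it is a real function instead, the `#if` is false and the SNI code is compiled out silently, with no build error to point at the missing feature. Checking `SSL_CTRL_SET_TLSEXT_HOSTNAME` instead does not remove the dependency, since the macro is built on `SSL_ctrl(..., SSL_CTRL_SET_TLSEXT_HOSTNAME, ...)` and would likely disappear together with it. A configure-time probe for the symbol, or at least a diagnostic in the `#else` branch so that a build without SNI is visible, would be the sturdier guard.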

That assumes that SSL_set_tlsext_host_name will always be implemented as a 
macro by OpenSSL, which is not a safe assumption.


Is SSL_CTRL_SET_TLSEXT_HOSTNAME not a more appropriate macro to check?




Re: Apache Benchmark SNI SSL

2016-07-01 Thread Yann Ylavic
On Fri, Jul 1, 2016 at 4:05 PM, William A Rowe Jr  wrote:
> Yup, no extra steps for correct behavior.
>
> I'd support a 'suppress SNI' flag, and/or an explicit SNI arg, much like
> openssl s_client -- just for testing. But that should be the exceptional
> case.

Done, so that one can also test renegotiations when no SNI is given
but multiple vhosts listening on the same port don't use the same SSL
parameters.

Full patch (vs latest 2.4.x) at
http://home.apache.org/~ylavic/patches/httpd-2.4.x-ab_sni.patch.

Thanks everyone for the feedback.


Re: Apache Benchmark SNI SSL

2016-07-01 Thread William A Rowe Jr
Yup, no extra steps for correct behavior.

I'd support a 'suppress SNI' flag, and/or an explicit SNI arg, much like
openssl s_client -- just for testing. But that should be the exceptional
case.
On Jul 1, 2016 8:33 AM, "Reindl Harald"  wrote:



On 01.07.2016 at 15:23, Yann Ylavic wrote:

> On Fri, Jul 1, 2016 at 3:17 PM, Yann Ylavic  wrote:
>
>> On Fri, Jul 1, 2016 at 3:02 PM, Reindl Harald 
>> wrote:
>>
>>>
>>> On 01.07.2016 at 14:41, Yann Ylavic wrote:
>>>

 The -I does not take any argument, it tells ab to use either the -H
 "Host: ..." if any, or the host from the given URL otherwise

>>>
>>> but why is a param needed, instead of just sending the SNI header from the
>>> given URL like any browser does?
>>>
>>
>> You may want to use an IP (or another DNS name) in the URL and still
>> reach the right (Virtual)Host on the server by specifying a -H "Host:
>> ...".
>>
>> The -H "Host:" existed already, and if it's used it has to be taken
>> for the SNI, that's how the server will elect the appropriate
>> VirtualHost if multiple ones listen on the same port.
>>
>
> Oh, I probably misunderstood your remark, you probably meant this
> should be the default when TLS is available and used (per -f).
>
> Good point, will look at it
>

exactly - everything needed to send the Host header is already present, and in
the case of TLS that is exactly what is needed for the SNI header as well, without
having to tell "ab" it should use SNI by introducing a new param


Re: Apache Benchmark SNI SSL

2016-07-01 Thread Reindl Harald



On 01.07.2016 at 15:23, Yann Ylavic wrote:

On Fri, Jul 1, 2016 at 3:17 PM, Yann Ylavic  wrote:

On Fri, Jul 1, 2016 at 3:02 PM, Reindl Harald  wrote:


On 01.07.2016 at 14:41, Yann Ylavic wrote:


The -I does not take any argument, it tells ab to use either the -H
"Host: ..." if any, or the host from the given URL otherwise


but why is a param needed, instead of just sending the SNI header from the
given URL like any browser does?


You may want to use an IP (or another DNS name) in the URL and still
reach the right (Virtual)Host on the server by specifying a -H "Host:
...".

The -H "Host:" existed already, and if it's used it has to be taken
for the SNI, that's how the server will elect the appropriate
VirtualHost if multiple ones listen on the same port.


Oh, I probably misunderstood your remark, you probably meant this
should be the default when TLS is available and used (per -f).

Good point, will look at it


exactly - everything needed to send the Host header is already present, and in
the case of TLS that is exactly what is needed for the SNI header as well,
without having to tell "ab" it should use SNI by introducing a new param




signature.asc
Description: OpenPGP digital signature


Re: Apache Benchmark SNI SSL

2016-07-01 Thread Yann Ylavic
On Fri, Jul 1, 2016 at 3:17 PM, Yann Ylavic  wrote:
> On Fri, Jul 1, 2016 at 3:02 PM, Reindl Harald  wrote:
>>
>> On 01.07.2016 at 14:41, Yann Ylavic wrote:
>>>
>>> The -I does not take any argument, it tells ab to use either the -H
>>> "Host: ..." if any, or the host from the given URL otherwise
>>
>> but why is a param needed, instead of just sending the SNI header from the
>> given URL like any browser does?
>
> You may want to use an IP (or another DNS name) in the URL and still
> reach the right (Virtual)Host on the server by specifying a -H "Host:
> ...".
>
> The -H "Host:" existed already, and if it's used it has to be taken
> for the SNI, that's how the server will elect the appropriate
> VirtualHost if multiple ones listen on the same port.

Oh, I probably misunderstood your remark, you probably meant this
should be the default when TLS is available and used (per -f).

Good point, will look at it.

>
> Regards,
> Yann.


Re: Apache Benchmark SNI SSL

2016-07-01 Thread Yann Ylavic
On Fri, Jul 1, 2016 at 3:02 PM, Reindl Harald  wrote:
>
> On 01.07.2016 at 14:41, Yann Ylavic wrote:
>>
>> The -I does not take any argument, it tells ab to use either the -H
>> "Host: ..." if any, or the host from the given URL otherwise
>
> but why is a param needed, instead of just sending the SNI header from the
> given URL like any browser does?

You may want to use an IP (or another DNS name) in the URL and still
reach the right (Virtual)Host on the server by specifying a -H "Host:
...".

The -H "Host:" existed already, and if it's used it has to be taken
for the SNI, that's how the server will elect the appropriate
VirtualHost if multiple ones listen on the same port.

Regards,
Yann.
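The rule Yann spells out above, as an added example in C that is not code from ab, the patch or httpd: a `-H "Host: ..."` value, when given, is the name to send; otherwise it is the host part of the URL. Two details a practitioner wants on top of that rule are handled here: a trailing `:port` is removed, since the server_name extension carries a name only, and an IP literal yields no SNI name at all, because RFC 6066 does not allow literal IPv4/IPv6 addresses in server_name. The `sni_compiled_in()` helper reproduces the patch's preprocessor guard discussed earlier in this thread and shows how it quietly answers "no" when `SSL_set_tlsext_host_name` is not visible as a macro. The function names, the `HAVE_OPENSSL` flag and the sample URLs and header values are assumptions of this example.

```c
/* Added example (not code from ab, the patch or httpd): pick the TLS SNI
 * name the way the thread describes: prefer -H "Host: ...", else the URL's
 * host, strip any port, and never send an IP literal (RFC 6066). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_OPENSSL            /* hypothetical build flag, an assumption of this example */
#include <openssl/ssl.h>
#endif

/* Case-insensitive prefix test (HTTP header names are case-insensitive). */
static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Copy the "host[:port]" part of "scheme://[user@]host[:port]/..." into buf. */
static int url_authority(const char *url, char *buf, size_t len) {
    const char *p = strstr(url, "://"), *end, *at;
    size_t n;
    p = p ? p + 3 : url;
    end = p + strcspn(p, "/?#");
    at = memchr(p, '@', (size_t)(end - p));
    if (at) p = at + 1;
    n = (size_t)(end - p);
    if (n == 0 || n >= len) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Drop a trailing ":port". One colon separates host and port; several colons
 * mean a bare IPv6 literal, left alone; "[v6]:port" is cut after the ']'. */
static void strip_port(char *host) {
    char *first = strchr(host, ':');
    if (host[0] == '[') {
        char *rb = strchr(host, ']');
        if (rb) rb[1] = '\0';
    } else if (first && first == strrchr(host, ':')) {
        *first = '\0';
    }
}

/* "[...]", bare IPv6 (contains ':') or dotted digits (IPv4). */
static int is_ip_literal(const char *host) {
    const char *p;
    if (host[0] == '[' || strchr(host, ':')) return 1;
    for (p = host; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.') return 0;
    return host[0] != '\0';
}

/* Value of a "Host: ..." header line, or NULL when none / not a Host header. */
static const char *host_header_value(const char *hdr) {
    if (hdr == NULL || !starts_with_ci(hdr, "Host:")) return NULL;
    hdr += 5;
    while (*hdr == ' ' || *hdr == '\t') hdr++;
    return *hdr ? hdr : NULL;
}

/* Returns 1 and writes the server_name into out (what would be handed to
 * SSL_set_tlsext_host_name()), or 0 when no SNI extension should be sent. */
int sni_name(const char *url, const char *host_header, char *out, size_t len) {
    const char *hv = host_header_value(host_header);
    if (hv) {
        if (strlen(hv) >= len) return 0;
        strcpy(out, hv);
    } else if (url_authority(url, out, len) != 0) {
        return 0;
    }
    strip_port(out);
    return out[0] != '\0' && !is_ip_literal(out);
}

/* Mirrors the guard from the patch: true only while the library exposes
 * SSL_set_tlsext_host_name as a macro, so a build where it is a real function
 * (or where the header was never included) silently gets 0 here. */
int sni_compiled_in(void) {
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
    return 1;
#else
    return 0;
#endif
}

/* Check helper: does sni_name() yield `expect` (NULL meaning "no SNI")? */
int sni_name_is(const char *url, const char *host_header, const char *expect) {
    char buf[256];
    int r = sni_name(url, host_header, buf, sizeof buf);
    return expect ? (r == 1 && strcmp(buf, expect) == 0) : (r == 0);
}

int main(void) {
    /* Constructed inputs: documentation address ranges and example names. */
    const char *cases[][2] = {
        {"https://192.0.2.10/path",         "Host: www.example.com"},
        {"https://www.example.com:8443/x",  NULL},
        {"https://192.0.2.10/x",            NULL},
        {"https://[2001:db8::1]:443/",      NULL},
        {"https://user@host.example:443/",  "host: api.example:8443"},
    };
    char buf[256];
    size_t i;
    printf("SNI guard compiled in: %d\n", sni_compiled_in());
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = sni_name(cases[i][0], cases[i][1], buf, sizeof buf);
        printf("%-34s %-26s -> %s\n", cases[i][0],
               cases[i][1] ? cases[i][1] : "(no -H Host)", r ? buf : "(no SNI)");
    }
    return 0;
}
```

Run without `-DHAVE_OPENSSL` and `sni_compiled_in()` reports 0 although nothing failed to compile, which is exactly the silent fall-through Kean worries about; the name selection itself needs no TLS library at all.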


Re: Apache Benchmark SNI SSL

2016-07-01 Thread Reindl Harald


On 01.07.2016 at 14:41, Yann Ylavic wrote:

On Fri, Jul 1, 2016 at 1:44 PM, Pietro Paolini  wrote:


On 1 July 2016 at 11:18, Pietro Paolini  wrote:


Is it correct? It does not look good to me.

 -while ((status = apr_getopt(opt,
"n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"
+while ((status = apr_getopt(opt,
"n:c:t:s:b:T:p:u:v:lrkVhwixI:y:z:C:H:P:A:g:X:de:SqB:m:"

The x option has lost its argument, and the new option you have introduced
takes an argument, but the help line:

+fprintf(stderr, "-I Use TLS Server Name Indication (SNI)
extension\n");

Does not tell that.


Right, it was fixed in a follow up (http://svn.apache.org/r1750855).


That will do the job; as it stands right now it works if given a
-I option with a random argument, for example:

./support/ab -I randomstring  -c 1 -n 1 https://whatever/url

The I argument is actually not used.


The -I does not take any argument, it tells ab to use either the -H
"Host: ..." if any, or the host from the given URL otherwise


but why is a param needed, instead of just sending the SNI header from
the given URL like any browser does?








Re: Apache Benchmark SNI SSL

2016-07-01 Thread Yann Ylavic
On Fri, Jul 1, 2016 at 1:44 PM, Pietro Paolini  wrote:
>
> On 1 July 2016 at 11:18, Pietro Paolini  wrote:
>>
>> Is it correct? It does not look good to me.
>>
>>  -while ((status = apr_getopt(opt,
>> "n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"
>> +while ((status = apr_getopt(opt,
>> "n:c:t:s:b:T:p:u:v:lrkVhwixI:y:z:C:H:P:A:g:X:de:SqB:m:"
>>
>> The x option has lost its argument, and the new option you have introduced
>> takes an argument, but the help line:
>>
>> +fprintf(stderr, "-I Use TLS Server Name Indication (SNI)
>> extension\n");
>>
>> Does not tell that.

Right, it was fixed in a follow up (http://svn.apache.org/r1750855).

>
> That will do the job; as it stands right now it works if given a
> -I option with a random argument, for example:
>
> ./support/ab -I randomstring  -c 1 -n 1 https://whatever/url
>
> The I argument is actually not used.

The -I does not take any argument, it tells ab to use either the -H
"Host: ..." if any, or the host from the given URL otherwise.

Regards,
Yann.


Re: Apache Benchmark SNI SSL

2016-07-01 Thread Pietro Paolini
On 1 July 2016 at 11:18, Pietro Paolini  wrote:

>
>
> On 30 June 2016 at 19:55, Yann Ylavic  wrote:
>
>> On Thu, Jun 30, 2016 at 7:21 PM, Pietro Paolini
>>  wrote:
>> >
>> > I have built the httpd-2.4.20 tarball but the problem is still there; has
>> > it been fixed in a newer version? Is there a workaround for that?
>>
>> SNI handling just added to ab in http://svn.apache.org/r1750854.
>> It will be part of some future release when accepted by the community,
>> meanwhile maybe you can patch your current release with the commit
>> above.
>>
>> Regards,
>> Yann.
>>
>
> Is it correct? It does not look good to me.
>
>  -while ((status = apr_getopt(opt,
> "n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"
> +while ((status = apr_getopt(opt,
> "n:c:t:s:b:T:p:u:v:lrkVhwixI:y:z:C:H:P:A:g:X:de:SqB:m:"
>
> The x option has lost its argument, and the new option you have introduced
> takes an argument, but the help line:
>
> +fprintf(stderr, "-I Use TLS Server Name Indication (SNI)
> extension\n");
>
> Does not tell that.
>
> The ab tool prints the help and quits without doing anything. I have
> applied the patch on top of httpd-2.4.20 though, and I am working a bit
> on that, even though given my poor knowledge of the project itself I do not
> think I can go anywhere but hardcoding:
>
> +SSL_set_tlsext_host_name(c->ssl, "myserverhost");
>
> If I can be of any help - such as testing - feel free to drag me in.
>
> Thanks,
> Pietro
>
>
> To fix the patch you just need to
>

 -while ((status = apr_getopt(opt,
"n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"
 +while ((status = apr_getopt(opt,
"n:c:t:s:b:T:p:u:v:lrkVhwiIx:y:z:C:H:P:A:g:X:de:SqB:m:"
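Review bot: this corrected string restores `x:` and inserts a bare `I`, which now agrees with the help text that presents `-I` as a flag without a value; with it, `ab -I randomstring ...` stops option parsing at `randomstring` instead of swallowing it as the value of `-I`, so the accidental acceptance described below goes away.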


That will do the job; as it stands right now it works if given a
-I option with a random argument, for example:

./support/ab -I randomstring  -c 1 -n 1 https://whatever/url

The I argument is actually not used.

Cheers,
P.

-- 


Notice:  This email is confidential and may contain copyright material of 
members of the Ocado Group. Opinions and views expressed in this message 
may not necessarily reflect the opinions and views of the members of the 
Ocado Group. 

 

If you are not the intended recipient, please notify us immediately and 
delete all copies of this message. Please note that it is your 
responsibility to scan this message for viruses. 

 

Fetch and Sizzle are trading names of Speciality Stores Limited, a member 
of the Ocado Group.

 

References to the “Ocado Group” are to Ocado Group plc (registered in 
England and Wales with number 7098618) and its subsidiary undertakings (as 
that expression is defined in the Companies Act 2006) from time to time.  
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square, 
Hatfield Business Park, Hatfield, Herts. AL10 9NE.
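To make the option-string mistake concrete, here is an added example in C (not code from ab or from the patch): a small getopt-style scanner driven by the two strings quoted above, run over the `ab -I randomstring -c 1 -n 1 https://whatever/url` command line from this message and over an invocation of `-x`, ab's table-attributes option. With the broken string `-I` swallows `randomstring` and `-x` loses its argument; with the corrected string the behaviour flips, and `randomstring` becomes the first non-option, so the flags after it are never parsed. The scanner stops at the first non-option, as POSIX getopt does; `border=1` is a made-up value and the function names are this example's own.

```c
/* Added example, not code from ab or the patch: a minimal getopt-style
 * scanner driven by an option string, used to show what the broken and the
 * corrected strings from the thread do with a given command line. */
#include <stdio.h>
#include <string.h>

/* The string from r1750854 as quoted in the thread ("x:" lost its colon,
 * "I:" gained one) and the corrected string proposed in the thread. */
#define BROKEN_OPTS "n:c:t:s:b:T:p:u:v:lrkVhwixI:y:z:C:H:P:A:g:X:de:SqB:m:"
#define FIXED_OPTS  "n:c:t:s:b:T:p:u:v:lrkVhwiIx:y:z:C:H:P:A:g:X:de:SqB:m:"

#define MAX_OPTS 32

struct opt { char letter; const char *arg; };   /* arg is NULL for a plain flag */
struct scan_result { struct opt opts[MAX_OPTS]; int n; int first_nonopt; };

/* 1 if `c` is followed by ':' in spec (takes a value), 0 if plain flag, -1 if unknown. */
static int takes_arg(const char *spec, char c) {
    const char *p = (c == ':') ? NULL : strchr(spec, c);
    return p ? (p[1] == ':') : -1;
}

/* Walk argv like POSIX getopt(): option clusters up to the first non-option
 * or "--". Returns 0, or -1 on an unknown letter or a missing value. */
static int scan_opts(const char *spec, int argc, char **argv, struct scan_result *out) {
    int i;
    out->n = 0;
    for (i = 1; i < argc; i++) {
        const char *a = argv[i], *c;
        if (a[0] != '-' || a[1] == '\0') break;          /* first non-option ends the scan */
        if (strcmp(a, "--") == 0) { i++; break; }
        for (c = a + 1; *c; c++) {
            struct opt *o;
            int t = takes_arg(spec, *c);
            if (t < 0 || out->n == MAX_OPTS) return -1;
            o = &out->opts[out->n++];
            o->letter = *c;
            o->arg = NULL;
            if (t) {
                if (c[1] != '\0') o->arg = c + 1;           /* -cVALUE */
                else if (i + 1 < argc) o->arg = argv[++i];  /* -c VALUE */
                else return -1;                             /* value missing */
                break;                                      /* rest of the cluster was the value */
            }
        }
    }
    out->first_nonopt = i;
    return 0;
}

/* Value recorded for `letter`: "" when it was parsed as a flag, NULL when the
 * scan never reached it (or failed). */
const char *parsed_arg(const char *spec, int argc, char **argv, char letter) {
    struct scan_result s;
    int k;
    if (scan_opts(spec, argc, argv, &s) != 0) return NULL;
    for (k = 0; k < s.n; k++)
        if (s.opts[k].letter == letter) return s.opts[k].arg ? s.opts[k].arg : "";
    return NULL;
}

/* Index of the first non-option, i.e. where ab starts looking for the URL; -1 on error. */
int url_index(const char *spec, int argc, char **argv) {
    struct scan_result s;
    return scan_opts(spec, argc, argv, &s) == 0 ? s.first_nonopt : -1;
}

/* Constructed command lines: the first is the one quoted in this message, the
 * second exercises -x (ab's table-attributes option; "border=1" is made up). */
static char *CMD_I[] = {"ab", "-I", "randomstring", "-c", "1", "-n", "1", "https://whatever/url"};
static char *CMD_X[] = {"ab", "-x", "border=1", "-n", "1", "https://whatever/url"};
#define NARGS(v) ((int)(sizeof(v) / sizeof((v)[0])))

static void show(const char *label, const char *spec, int argc, char **argv) {
    struct scan_result s;
    int k;
    printf("%-10s:", label);
    if (scan_opts(spec, argc, argv, &s) != 0) { printf(" usage error\n"); return; }
    for (k = 0; k < s.n; k++)
        printf(" -%c%s%s", s.opts[k].letter, s.opts[k].arg ? "=" : "", s.opts[k].arg ? s.opts[k].arg : "");
    printf(" | first non-option: %s\n", s.first_nonopt < argc ? argv[s.first_nonopt] : "(none)");
}

int main(void) {
    show("broken -I", BROKEN_OPTS, NARGS(CMD_I), CMD_I);
    show("fixed -I",  FIXED_OPTS,  NARGS(CMD_I), CMD_I);
    show("broken -x", BROKEN_OPTS, NARGS(CMD_X), CMD_X);
    show("fixed -x",  FIXED_OPTS,  NARGS(CMD_X), CMD_X);
    return 0;
}
```

The same scanner makes a useful regression check whenever an option string is edited by hand: feed it the old and the new string with a fixed set of command lines and diff the outputs, which catches a dropped colon before the tool ships.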


Re: Apache Benchmark SNI SSL

2016-07-01 Thread Pietro Paolini
On 30 June 2016 at 19:55, Yann Ylavic  wrote:

> On Thu, Jun 30, 2016 at 7:21 PM, Pietro Paolini
>  wrote:
> >
> > I have built the httpd-2.4.20 tarball but the problem is still there; has
> > it been fixed in a newer version? Is there a workaround for that?
>
> SNI handling just added to ab in http://svn.apache.org/r1750854.
> It will be part of some future release when accepted by the community,
> meanwhile maybe you can patch your current release with the commit
> above.
>
> Regards,
> Yann.
>

Is it correct? It does not look good to me.

 -while ((status = apr_getopt(opt,
"n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"
+while ((status = apr_getopt(opt,
"n:c:t:s:b:T:p:u:v:lrkVhwixI:y:z:C:H:P:A:g:X:de:SqB:m:"
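Review bot: the `+` line drops the colon after `x` and adds one after `I`, so `-x` no longer consumes its argument while `-I` now demands one, which contradicts the `-I Use TLS Server Name Indication (SNI) extension` help line added in the same change, where `-I` is described as a plain flag. Keep `x:` and insert `I` without a colon (`...lrkVhwiIx:y:z:...`); the follow-up commit r1750855 mentioned in this thread is noted as fixing this.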

The x option has lost its argument, and the new option you have introduced
takes an argument, but the help line:

+fprintf(stderr, "-I Use TLS Server Name Indication (SNI)
extension\n");

Does not tell that.

The ab tool prints the help and quits without doing anything. I have
applied the patch on top of httpd-2.4.20 though, and I am working a bit
on that, even though given my poor knowledge of the project itself I do not
think I can go anywhere but hardcoding:

+SSL_set_tlsext_host_name(c->ssl, "myserverhost");
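Review bot: hard-coding the name here makes every run present the same server_name, whatever the URL or `-H "Host: ..."` says, so it only benchmarks that one vhost and needs a rebuild for any other target; deriving the name from the Host header or the URL host, as the `-I` option in r1750854 does, gives the same effect without the rebuild.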

If I can be of any help - such as testing - feel free to drag me in.

Thanks,
Pietro



Re: Apache Benchmark SNI SSL

2016-06-30 Thread Reindl Harald



On 30.06.2016 at 20:55, Yann Ylavic wrote:

On Thu, Jun 30, 2016 at 7:21 PM, Pietro Paolini
 wrote:


I have built the httpd-2.4.20 tarball but the problem is still there; has
it been fixed in a newer version? Is there a workaround for that?


SNI handling just added to ab in http://svn.apache.org/r1750854.
It will be part of some future release when accepted by the community,
meanwhile maybe you can patch your current release with the commit
above


oh *that* explains why it's impossible to "ab" an apache trafficserver
target (running as reverse proxy), while it just *looked like* it works
on httpd SNI vhosts but likely always ran the benchmark against the default host






Re: Apache Benchmark SNI SSL

2016-06-30 Thread Yann Ylavic
On Thu, Jun 30, 2016 at 7:21 PM, Pietro Paolini
 wrote:
>
> I have built the httpd-2.4.20 tarball but the problem is still there; has
> it been fixed in a newer version? Is there a workaround for that?

SNI handling just added to ab in http://svn.apache.org/r1750854.
It will be part of some future release when accepted by the community,
meanwhile maybe you can patch your current release with the commit
above.

Regards,
Yann.


Re: Apache Benchmark SNI SSL

2016-06-30 Thread Stefan Eissing
You might want to try adding the ppa by ondrej to your apt-get sources and
installing a newer apache and openssl from there. That should give you an ab with
openssl 1.0.2 linked.

 https://launchpad.net/%7Eondrej/+archive/ubuntu/apache2

> On 30.06.2016 at 19:21, Pietro Paolini wrote:
> 
> Hi all,
> 
> I apologise in advance if this is not the right place to post such a
> question.
> I have tried to use the ab tool which comes with the apache package of my
> Ubuntu 14.04 distro to stress test a web server; that server lies behind a
> CDN and the use of TLS Server Name Indication is required.
> 
> Unfortunately my ab binary does not cope well with that and this is what I 
> get:
> 
> dpkg -l *apache2-utils*
> 
>  apache2-utils   2.4.7-1ubuntu4.1 amd64
> 
> 
> Benchmarking api.sit.cymesfood.osp.tech (be patient)...SSL handshake failed (1).
> 139742942701280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
>  
> ..done
> 
> Googling the problem I found people with similar issues who have re-built the 
> apache source tarball after having applied some patches or manually having 
> modified the code.
> 
> https://blogs.oracle.com/meena/entry/apachebench_ab_and_sni
> 
> That guide is based on httpd-2.3.11-beta.
> 
> The issue with that is that I do not have much diff context to see where the
> changes should be applied, and the starting tarball is different (httpd-2.3.11
> vs httpd-2.4.20); furthermore I thought that asking the community involved in
> the project directly could give me a better idea of what's needed.
> 
> I have built the httpd-2.4.20 tarball but the problem is still there; has it
> been fixed in a newer version? Is there a workaround for that?
> 
> Thanks,
> Pietro
> 



Apache Benchmark SNI SSL

2016-06-30 Thread Pietro Paolini
Hi all,

I apologise in advance if this is not the right place to post such a
question.
I have tried to use the ab tool which comes with the apache package of my
Ubuntu 14.04 distro to stress test a web server; that server lies behind a
CDN and the use of TLS Server Name Indication is required.

Unfortunately my ab binary does not cope well with that and this is what I
get:

dpkg -l *apache2-utils*

 apache2-utils   2.4.7-1ubuntu4.1 amd64


Benchmarking api.sit.cymesfood.osp.tech (be patient)...SSL handshake failed (1).
139742942701280:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
..done

Googling the problem I found people with similar issues who have re-built
the apache source tarball after having applied some patches or manually
having modified the code.

https://blogs.oracle.com/meena/entry/apachebench_ab_and_sni

That guide is based on httpd-2.3.11-beta.

The issue with that is that I do not have much diff context to see where
the changes should be applied, and the starting tarball is different
(httpd-2.3.11 vs httpd-2.4.20); furthermore I thought that asking the
community involved in the project directly could give me a better idea of
what's needed.

I have built the httpd-2.4.20 tarball but the problem is still there; has
it been fixed in a newer version? Is there a workaround for that?

Thanks,
Pietro
