Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-21 Thread Dennis Clarke

On 09/21/2018 09:52 AM, Daniel Ruggeri wrote:

> I've updated the proposed, generated announcements here:
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.html
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.txt
>
> A quick proofread would be appreciated - this should be the exact
> messages that will be sent/published.



Here is my nickel worth.

The first and second links are "404" types and should be :

https://dist.apache.org/repos/dist/release/httpd/CHANGES_2.4

then

https://dist.apache.org/repos/dist/release/httpd/CHANGES_2.4.35


There may be changes to 
https://httpd.apache.org/security/vulnerabilities_24.html also.


Then this paragraph bugs me :

This release requires the Apache Portable Runtime (APR), minimum
version 1.5.x, and APR-Util, minimum version 1.5.x. Some features
may require the 1.6.x version of both APR and APR-Util. The APR
libraries must be upgraded for all features of httpd to operate
correctly.

To me Apache httpd is the big dog of web services platforms in the open
world and so I have to wonder what features go missing and what features
get enabled with the latest and greatest apr and apr-util bits. Feels
like yet another text link notes.txt or similar. Worse, that means an
actual test build and check of httpd with older apr bits. How horrific
would it be to merely change the language of that paragraph and draw a
line in the sand thus :


This release requires the Apache Portable Runtime (APR) and also
the Apache Portable Runtime Utility. The APR libraries must be
upgraded for all features of httpd to operate correctly.


Otherwise I have no idea what works and what won't work with a tree of
possible intermix versions of apr-util and apr.

Otherwise it looks all fine to me.

Dennis


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-21 Thread Joe Orton
On Fri, Sep 21, 2018 at 08:52:32AM -0500, Daniel Ruggeri wrote:
> I've updated the proposed, generated announcements here:
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.html
> https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.txt
> 
> A quick proofread would be appreciated - this should be the exact
> messages that will be sent/published.

Looks good to me, thanks Daniel.

Regards, Joe


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-21 Thread Daniel Ruggeri
I've updated the proposed, generated announcements here:
https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.html
https://dist.apache.org/repos/dist/dev/httpd/Announcement2.4.txt

A quick proofread would be appreciated - this should be the exact
messages that will be sent/published.

-- 
Daniel Ruggeri

On 9/19/2018 5:54 AM, Joe Orton wrote:
> On Tue, Sep 18, 2018 at 11:19:10AM -0500, William A Rowe Jr wrote:
>> On Tue, Sep 18, 2018 at 2:43 AM Joe Orton  wrote:
>>> You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
>>> merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
>> But I think this is worth highlighting in our Announcement, that we would
>> strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
>> could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)
> Good idea.  How about this, to insert after the "This release requires 
> the Apache Portable Runtime (APR)," paragraph?
>
> """ 
> This release is compatible with OpenSSL versions from 0.9.8a to 
> 1.1.0 only, and does not support TLSv1.3.  Future releases of httpd 2.4 
> are expected to add compatibility with OpenSSL 1.1.1 and enable support 
> for TLSv1.3. 
> """
>
> Regards, Joe



Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-19 Thread William A Rowe Jr
On Wed, Sep 19, 2018 at 6:56 AM Joe Orton  wrote:

> On Wed, Sep 19, 2018 at 01:19:29PM +0200, Apache Lounge wrote:
> > Are there  examples what (maybe) does not work with OpenSSL 1.1.1 ?
>
> Have you run the test suite? The flipped setting of SSL_MODE_AUTO_RETRY
> is expected to break TLSv1.2 as well, that problem is consistent with
> the hangs Daniel reported here.
>

Note this applies specifically to the timing and scope of httpd auth under
TLS.


> > openssl.org says that the new 1.1.1 is binary and API/ABI compatible with
> > OpenSSL 1.1.0.
>
> For some apps that might be true, I think it's a bit of a stretch, but
> it's not really worth arguing about.
>

And note that 1.1.1a may address some deficiencies in 1.1.1 release
w.r.t. compatibility. Although this specific one was asked-and-answered,
with enough pushback from various projects, such defaults (at least for the
behavior of TLS 1.2) may be reconsidered.

+1 on the proposed statement.


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-19 Thread Joe Orton
On Wed, Sep 19, 2018 at 01:19:29PM +0200, Apache Lounge wrote:
> Are there  examples what (maybe) does not work with OpenSSL 1.1.1 ?

Have you run the test suite? The flipped setting of SSL_MODE_AUTO_RETRY 
is expected to break TLSv1.2 as well, that problem is consistent with 
the hangs Daniel reported here.

> openssl.org says that the new 1.1.1 is binary and API/ABI compatible with
> OpenSSL 1.1.0.

For some apps that might be true, I think it's a bit of a stretch, but 
it's not really worth arguing about.

Regards, Joe


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-19 Thread Apache Lounge




Are there examples what (maybe) does not work with OpenSSL 1.1.1?

Build 2.4.35 with OpenSSL 1.1.1, no issues seen/reported.

More than a week ago I already asked the community to test 2.4.34 with
OpenSSL 1.1.1, also no issue reported.

Plan to ship 2.4.35 with OpenSSL 1.1.1.

With our announcement I put the note:

Apache 2.4.35 does not support yet TLSv1.3, expected in 2.4.36 release.

Note:
openssl.org says that the new 1.1.1 is binary and API/ABI compatible
with OpenSSL 1.1.0.

I can confirm that so far and also windows PHP-guys.






On Wednesday 19/09/2018 at 12:54, Joe Orton wrote:
> On Tue, Sep 18, 2018 at 11:19:10AM -0500, William A Rowe Jr wrote:
>> On Tue, Sep 18, 2018 at 2:43 AM Joe Orton wrote:
>>> You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
>>> merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
>>
>> But I think this is worth highlighting in our Announcement, that we would
>> strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
>> could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)
>
> Good idea.  How about this, to insert after the "This release requires
> the Apache Portable Runtime (APR)," paragraph?
>
> """
> This release is compatible with OpenSSL versions from 0.9.8a to
> 1.1.0 only, and does not support TLSv1.3.  Future releases of httpd 2.4
> are expected to add compatibility with OpenSSL 1.1.1 and enable support
> for TLSv1.3.
> """
>
> Regards, Joe




Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-19 Thread Stefan Eissing
+1

> On 19.09.2018 at 12:54, Joe Orton wrote:
> 
> On Tue, Sep 18, 2018 at 11:19:10AM -0500, William A Rowe Jr wrote:
>> On Tue, Sep 18, 2018 at 2:43 AM Joe Orton  wrote:
>>> You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
>>> merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
>> 
>> But I think this is worth highlighting in our Announcement, that we would
>> strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
>> could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)
> 
> Good idea.  How about this, to insert after the "This release requires 
> the Apache Portable Runtime (APR)," paragraph?
> 
> """ 
> This release is compatible with OpenSSL versions from 0.9.8a to 
> 1.1.0 only, and does not support TLSv1.3.  Future releases of httpd 2.4 
> are expected to add compatibility with OpenSSL 1.1.1 and enable support 
> for TLSv1.3. 
> """
> 
> Regards, Joe



Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-19 Thread Ruediger Pluem



On 09/19/2018 12:54 PM, Joe Orton wrote:
> On Tue, Sep 18, 2018 at 11:19:10AM -0500, William A Rowe Jr wrote:
>> On Tue, Sep 18, 2018 at 2:43 AM Joe Orton  wrote:
>>> You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
>>> merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
>>
>> But I think this is worth highlighting in our Announcement, that we would
>> strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
>> could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)
> 
> Good idea.  How about this, to insert after the "This release requires 
> the Apache Portable Runtime (APR)," paragraph?
> 
> """ 
> This release is compatible with OpenSSL versions from 0.9.8a to 
> 1.1.0 only, and does not support TLSv1.3.  Future releases of httpd 2.4 
> are expected to add compatibility with OpenSSL 1.1.1 and enable support 
> for TLSv1.3. 
> """

+1

Regards

Rüdiger


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-19 Thread Joe Orton
On Tue, Sep 18, 2018 at 11:19:10AM -0500, William A Rowe Jr wrote:
> On Tue, Sep 18, 2018 at 2:43 AM Joe Orton  wrote:
> > You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
> > merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
> 
> But I think this is worth highlighting in our Announcement, that we would
> strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
> could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)

Good idea.  How about this, to insert after the "This release requires 
the Apache Portable Runtime (APR)," paragraph?

""" 
This release is compatible with OpenSSL versions from 0.9.8a to 
1.1.0 only, and does not support TLSv1.3.  Future releases of httpd 2.4 
are expected to add compatibility with OpenSSL 1.1.1 and enable support 
for TLSv1.3. 
"""

Regards, Joe
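
The compatibility statement proposed above, applied as a pre-build check to a dependency manifest (an added example, not code from this thread or from the httpd project). It assumes "to 1.1.0" covers lettered 1.1.0 patch releases and takes the APR minimum of 1.5 from the announcement paragraph quoted in this thread; all function names are hypothetical.

```python
import re

_OPENSSL = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
_ENTRY = re.compile(r'^\s*([\w-]+):\s*"([^"]+)"\s*$')

# Constructed manifest in the layout of the build report posted in this thread.
MANIFEST = '''
  libraries:
    openssl: "1.1.1"
    apr: "1.6.5"
    apr-util: "1.6.1"
'''


def openssl_key(version):
    """Sortable key for OpenSSL's pre-3.0 scheme: major.minor.fix + patch letters."""
    m = _OPENSSL.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    # Letters run a..z, then za, zb, ...; length first keeps "za" above "z".
    return (int(major), int(minor), int(fix), len(letters), letters)


def openssl_supported(version):
    """True if the version lies in the proposed range 0.9.8a .. 1.1.0 (assumed: any 1.1.0 letter)."""
    key = openssl_key(version)
    return key >= openssl_key("0.9.8a") and key[:3] <= (1, 1, 0)


def apr_supported(version):
    """True if APR or APR-Util meets the stated minimum of 1.5.x."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) >= (1, 5)


def check_manifest(text):
    """Return a list of findings for libraries outside the stated ranges."""
    libs = dict(m.groups() for m in map(_ENTRY.match, text.splitlines()) if m)
    findings = []
    if "openssl" in libs and not openssl_supported(libs["openssl"]):
        findings.append(f"openssl {libs['openssl']} is outside 0.9.8a..1.1.0")
    for name in ("apr", "apr-util"):
        if name in libs and not apr_supported(libs[name]):
            findings.append(f"{name} {libs[name]} is below 1.5")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(MANIFEST):
        print("WARN:", finding)
```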


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-18 Thread William A Rowe Jr
On Tue, Sep 18, 2018 at 1:56 PM Ruediger Pluem  wrote:

> > You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
> > merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
> >
> > But I think this is worth highlighting in our Announcement, that we would
> > strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
>
> Don't we see these issues with OpenSSL 1.1.0 as well?
>

Not that I'm aware of, these weren't changed in 1.1.0. Have been using
it for over a year without such issues. This is all the side effect of the
1.1.0 -> 1.1.1 default auth callback behavior change, IIUC.


> > could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)
> >
> > Thoughts?
>
> Makes sense.
>


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-18 Thread Ruediger Pluem



On 09/18/2018 06:19 PM, William A Rowe Jr wrote:
> On Tue, Sep 18, 2018 at 2:43 AM Joe Orton wrote:
> 
> On Mon, Sep 17, 2018 at 06:16:34PM -0500, Daniel Ruggeri wrote:
> >Sorry - I know it wasn't a very good report. I was just seeing if
> > anyone has experienced a similar holdup. In fact, I let it run while
> > tending to other things and came back to see it had completed (but
> > failed), so perhaps it's not hung, but rather very slow.
> >
> > I'm using Debian 9 (stretch) in a container running on a 3.16.51-3
> > kernel. OpenSSL 1.1.1 is inside as well as several other dependencies...
> > these are the "latests" that my build scripts grabbed:
> 
> You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
> merge is integrated for 2.4.x, yeah, I wouldn't worry about that.
> 
> 
> But I think this is worth highlighting in our Announcement, that we would
> strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we

Don't we see these issues with OpenSSL 1.1.0 as well?

> could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)
> 
> Thoughts?

Makes sense.

Regards

Rüdiger


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-18 Thread William A Rowe Jr
On Tue, Sep 18, 2018 at 2:43 AM Joe Orton  wrote:

> On Mon, Sep 17, 2018 at 06:16:34PM -0500, Daniel Ruggeri wrote:
> >Sorry - I know it wasn't a very good report. I was just seeing if
> > anyone has experienced a similar holdup. In fact, I let it run while
> > tending to other things and came back to see it had completed (but
> > failed), so perhaps it's not hung, but rather very slow.
> >
> > I'm using Debian 9 (stretch) in a container running on a 3.16.51-3
> > kernel. OpenSSL 1.1.1 is inside as well as several other dependencies...
> > these are the "latests" that my build scripts grabbed:
>
> You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3
> merge is integrated for 2.4.x, yeah, I wouldn't worry about that.


But I think this is worth highlighting in our Announcement, that we would
strongly caution users to build 2.4.35 against OpenSSL 1.1.0. (And we
could tease the forthcoming 2.4 release as building against 1.1.1/TLS 1.3.)

Thoughts?

>
>


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-18 Thread Joe Orton
On Mon, Sep 17, 2018 at 06:16:34PM -0500, Daniel Ruggeri wrote:
>    Sorry - I know it wasn't a very good report. I was just seeing if
> anyone has experienced a similar holdup. In fact, I let it run while
> tending to other things and came back to see it had completed (but
> failed), so perhaps it's not hung, but rather very slow.
> 
> I'm using Debian 9 (stretch) in a container running on a 3.16.51-3
> kernel. OpenSSL 1.1.1 is inside as well as several other dependencies...
> these are the "latests" that my build scripts grabbed:

You'll likely see issues testing against OpenSSL 1.1.1 until the TLSv1.3 
merge is integrated for 2.4.x, yeah, I wouldn't worry about that.

Regards, Joe


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-17 Thread Daniel Ruggeri


On 9/17/2018 2:20 PM, Rainer Jung wrote:
> On 17.09.2018 at 20:59, Daniel Ruggeri wrote:
>> Hi, all;
>>     I have been delayed executing the automation because the test
>> suite seems to be hanging for me. This appears to be consistently
>> during t/ssl/varlookup.t as that is the only process other than httpd
>> running in this container during the hang. When killing httpd, the
>> failures reported start at test 35 with err "Failed test 35 in
>> t/ssl/varlookup.t at line 109 fail #35" and continue to 83.
>
> Which platform, which version of OpenSSL?
>

Hi, Rainer;
   Sorry - I know it wasn't a very good report. I was just seeing if
anyone has experienced a similar holdup. In fact, I let it run while
tending to other things and came back to see it had completed (but
failed), so perhaps it's not hung, but rather very slow.

I'm using Debian 9 (stretch) in a container running on a 3.16.51-3
kernel. OpenSSL 1.1.1 is inside as well as several other dependencies...
these are the "latests" that my build scripts grabbed:
system:
  kernel:
    name: Linux
    release: 3.16.0-4-amd64
    version: #1 SMP Debian 3.16.51-3 (2017-12-13)
    machine: x86_64

  libraries:
    openssl: "1.1.1"
    openldap: "2.4.46"
    apr: "1.6.5"
    apr-util: "1.6.1"
    iconv: "1.2.2"
    brotli: "1.0.5"
    nghttp2: "1.33.0"
    zlib: "1.2.11"
    pcre: "8.42"
    libxml2: "2.9.8"
    php: "5.6.38"
    lua: "5.3.5"
    curl: "7.61.1"

...which reminds me... time to update my kernel :-)

>>     If anyone has experience with this area of the test suite,
>> pointers definitely welcome. Otherwise, I'll start poking at it.
>
> You can run the tests with
>
> t/TEST -v -order=repeat
>
> which might give more insight.
>
> My passing tests for 2.4.34 e.g. logged
>
> ...
> # testing : SSL_CIPHER_EXPORT
> # expected: 'false'
> # received: 'false'
> ok 35
> # testing : SSL_CIPHER_ALGKEYSIZE
> # expected: qr/^\d+$/
> # received: '128'
> ok 36
> # testing : SSL_CIPHER_USEKEYSIZE
> # expected: qr/^\d+$/
> # received: '128'
> ok 37
> # testing : SSL_SECURE_RENEG
> # expected: qr/^(false|true)$/
> # received: 'true'
> ok 38
> ...
>
> and the comments always belong to the "ok" or "not ok" line that
> follows the comments. So test 35 was the "SSL_CIPHER_EXPORT" test at
> that time. I doubt it actually has to do with that.
>
> You might look at the thread stacks (with the gdb "bt" command or
> similar) of the hanging httpd processes to gather more info.
>
> Any errors in the httpd error log, like "deadlock detected" etc.?

Nothing stood out, but I did not debug too deeply. I'll let this next
test run completely and do some poking around. Perhaps I was just
impatient... but I don't recall the suite taking that long to run.

Depending on how this goes, I may pause T until I can confirm an issue
on my test rig, the server or the test code. If anyone else is able to
build and verify that TLS w/ 2.4.x branch works A-OK for them, I'd be
fine with proceeding - just being abundantly cautious.

>
> Regards,
>
> Rainer

-- 
Daniel Ruggeri



Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-17 Thread Rainer Jung

On 17.09.2018 at 20:59, Daniel Ruggeri wrote:
> Hi, all;
>     I have been delayed executing the automation because the test suite
> seems to be hanging for me. This appears to be consistently during
> t/ssl/varlookup.t as that is the only process other than httpd running
> in this container during the hang. When killing httpd, the failures
> reported start at test 35 with err "Failed test 35 in t/ssl/varlookup.t
> at line 109 fail #35" and continue to 83.

Which platform, which version of OpenSSL?

>     If anyone has experience with this area of the test suite, pointers
> definitely welcome. Otherwise, I'll start poking at it.


You can run the tests with

t/TEST -v -order=repeat

which might give more insight.

My passing tests for 2.4.34 e.g. logged

...
# testing : SSL_CIPHER_EXPORT
# expected: 'false'
# received: 'false'
ok 35
# testing : SSL_CIPHER_ALGKEYSIZE
# expected: qr/^\d+$/
# received: '128'
ok 36
# testing : SSL_CIPHER_USEKEYSIZE
# expected: qr/^\d+$/
# received: '128'
ok 37
# testing : SSL_SECURE_RENEG
# expected: qr/^(false|true)$/
# received: 'true'
ok 38
...

and the comments always belong to the "ok" or "not ok" line that follows 
the comments. So test 35 was the "SSL_CIPHER_EXPORT" test at that time. 
I doubt it actually has to do with that.


You might look at the thread stacks (with the gdb "bt" command or 
similar) of the hanging httpd processes to gather more info.


Any errors in the httpd error log, like "deadlock detected" etc.?

Regards,

Rainer
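
The rule described above, that the "#" comment lines belong to the "ok" or "not ok" line that follows them, written as a small parser for the verbose output (an added example, not part of the original message or of the httpd test framework). Function names are hypothetical and the sample is constructed in the format quoted in the message.

```python
import re

# Constructed sample in the verbose format quoted in the message above.
SAMPLE = r"""
# testing : SSL_CIPHER_EXPORT
# expected: 'false'
# received: 'false'
ok 35
# testing : SSL_CIPHER_ALGKEYSIZE
# expected: qr/^\d+$/
# received: '128'
ok 36
# testing : SSL_SECURE_RENEG
# expected: qr/^(false|true)$/
# received: ''
not ok 38
"""

RESULT = re.compile(r"^(not ok|ok)\s+(\d+)")
COMMENT = re.compile(r"^#\s*(testing|expected|received)\s*:\s?(.*)$")


def parse_verbose_tap(text):
    """Attach each run of '# key: value' comments to the result line after it."""
    results, pending = [], {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # also accept mail-quoted output
        m = COMMENT.match(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = RESULT.match(line)
        if m:
            results.append({"number": int(m.group(2)),
                            "passed": m.group(1) == "ok", **pending})
            pending = {}  # comments never carry over to a later test
    return results


def failures(results):
    """(test number, variable under test) for every 'not ok' line."""
    return [(r["number"], r.get("testing")) for r in results if not r["passed"]]


def gaps(results):
    """Test numbers with no result line between the first and last seen,
    which separates 'never ran' (hang, killed server) from 'ran and failed'."""
    nums = sorted(r["number"] for r in results)
    if not nums:
        return []
    seen = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in seen]


if __name__ == "__main__":
    parsed = parse_verbose_tap(SAMPLE)
    print("failed:", failures(parsed))
    print("no result:", gaps(parsed))
```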


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-17 Thread Daniel Ruggeri

Hi, all;
   I have been delayed executing the automation because the test suite 
seems to be hanging for me. This appears to be consistently during 
t/ssl/varlookup.t as that is the only process other than httpd running 
in this container during the hang. When killing httpd, the failures 
reported start at test 35 with err "Failed test 35 in t/ssl/varlookup.t 
at line 109 fail #35" and continue to 83.


   If anyone has experience with this area of the test suite, pointers 
definitely welcome. Otherwise, I'll start poking at it.

--
Daniel Ruggeri

On 2018-09-17 10:01, Daniel Ruggeri wrote:

> Hi, all;
>
> STATUS is looking clean and my test suite is building/testing.
> Assuming those tests work out and life is happy, I will T 2.4.35
> from 2.4.x branch in a few hours.
>
> I will also follow up in another couple weeks to T 2.4.36 if we can
> work in some of the newer features by then.




Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-17 Thread William A Rowe Jr
On Mon, Sep 17, 2018 at 12:08 PM William A Rowe Jr wrote:

> I'm similarly examining the win32 cmake build in anticipation.
>
> Thus far, the only issue is the mis-inclusion of applink.c; this is broken
> with openssl 1.1.1. Looking now for a resolution.
>

There is an issue, but it seems squarely with openssl 1.1.1. Copying
applink.c from the source tree ms/ path to the target path openssl/include/
did resolve the issue. With the backport Jim committed to fix proxy lbmethod
logic, everything seems fine on Win32 CMake builds.

Interestingly, this is from a unix line-ending checkout of sources, using
cmake, on a case-sensitive ntfs tree. After a couple fixes to openssl 1.1.1
branch, it is all working.


Re: NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-17 Thread William A Rowe Jr
I'm similarly examining the win32 cmake build in anticipation.

Thus far, the only issue is the mis-inclusion of applink.c; this is broken
with openssl 1.1.1. Looking now for a resolution.

On Mon, Sep 17, 2018 at 10:02 AM Daniel Ruggeri wrote:

> Hi, all;
>
> STATUS is looking clean and my test suite is building/testing. Assuming
> those tests work out and life is happy, I will T 2.4.35 from 2.4.x
> branch in a few hours.
>
> I will also follow up in another couple weeks to T 2.4.36 if we can
> work in some of the newer features by then.
>
> --
> Daniel Ruggeri
>


NOTICE: Intent to T 2.4.35 in the next few hours

2018-09-17 Thread Daniel Ruggeri

Hi, all;

STATUS is looking clean and my test suite is building/testing. Assuming 
those tests work out and life is happy, I will T 2.4.35 from 2.4.x 
branch in a few hours.


I will also follow up in another couple weeks to T 2.4.36 if we can 
work in some of the newer features by then.


--
Daniel Ruggeri