Re: Client Authentication POST Problem
On Sat, Dec 25, 2004 at 10:52:27PM -0500, Cliff Woolley wrote:
> On Sat, 25 Dec 2004, Adolfo Bello wrote:
>
> > I heartily agree.
> > Unfortunately, I've been waiting for more than a year for this problem
> > to be fixed in Apache 2.0.x :-(
> > This bug was opened on 2002-09-06
> > http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355
>
> Usually the trick to getting something really done around here is to keep
> reminding somebody until it really gets their attention. :) Anyway I'll
> forward this on to [EMAIL PROTECTED], and maybe we'll get a taker.

It's a particularly annoying problem. The solution in mod_ssl-for-1.3 is not really ideal (it allows a DoS attack of sorts); I spent some time working on a better solution for 2.0 but it didn't seem feasible in the end. It remains on my list of "hard problems to fix" as time permits...

joe
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]

Re: Client Authentication POST Problem
On Sat, 2004-12-25 at 22:52 -0500, Cliff Woolley wrote:
> On Sat, 25 Dec 2004, Adolfo Bello wrote:
>
> > I heartily agree.
> > Unfortunately, I've been waiting for more than a year for this problem
> > to be fixed in Apache 2.0.x :-(
> > This bug was opened on 2002-09-06
> > http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355
>
> Usually the trick to getting something really done around here is to keep
> reminding somebody until it really gets their attention. :) Anyway I'll
> forward this on to [EMAIL PROTECTED], and maybe we'll get a taker.
>
> --Cliff

Wow, that would be really great!!!
New hopes to get Back to the Future ;-)

Thanks.

Adolfo Bello

Re: Client Authentication POST Problem
On Sat, 25 Dec 2004, Adolfo Bello wrote:

> I heartily agree.
> Unfortunately, I've been waiting for more than a year for this problem
> to be fixed in Apache 2.0.x :-(
> This bug was opened on 2002-09-06
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355

Usually the trick to getting something really done around here is to keep reminding somebody until it really gets their attention. :) Anyway I'll forward this on to [EMAIL PROTECTED], and maybe we'll get a taker.

--Cliff

Re: Client Authentication POST Problem
On Sat, 2004-12-25 at 21:53 -0500, Cliff Woolley wrote:
> On Sat, 25 Dec 2004, Adolfo Bello wrote:
>
> > It just doesn't work in Apache 2.0.x.
> > Use Apache 1.3.x.
>
> That doesn't sound like very good advice... if something is broken in
> Apache 2.0.x, we should just fix it. :-/
>
> --Cliff

I heartily agree.
Unfortunately, I've been waiting for more than a year for this problem to be fixed in Apache 2.0.x :-(
This bug was opened on 2002-09-06
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355

Happy Holidays,

Adolfo Bello

Re: Client Authentication POST Problem
On Sat, 25 Dec 2004, Adolfo Bello wrote:

> It just doesn't work in Apache 2.0.x.
> Use Apache 1.3.x.

That doesn't sound like very good advice... if something is broken in Apache 2.0.x, we should just fix it. :-/

--Cliff

Re: Client Authentication POST Problem
On Sat, 2004-12-25 at 15:37 -0500, David T. Ashley wrote:
> Hi,
>
> I installed Bugzilla, and the directory it is in has the
>
> VerifyClient require
>
> and all the Apache directives set in the httpd.conf file. It works fine
> (the browser makes me choose a client certificate) but when I submit a form
> into Bugzilla I get an error to the effect that POST is not allowed, and
> this appears in the Apache logs:
>
> [Fri Dec 24 19:59:24 2004] [error] SSL Re-negotiation in conjunction with POST method not supported!\nhint: try SSLOptions +OptRenegotiate
>
> I tried the fix recommended in the log message, but it doesn't work. I
> seemed to make it through one form OK, but then the next one got me the same
> error message, both displayed by the browser and in the Apache logs.
>
> Any other suggestions?
>
> Thanks, Dave.

It just doesn't work in Apache 2.0.x.
Use Apache 1.3.x.

Adolfo Bello

Client Authentication POST Problem
Hi,

I installed Bugzilla, and the directory it is in has the

VerifyClient require

and all the Apache directives set in the httpd.conf file. It works fine (the browser makes me choose a client certificate) but when I submit a form into Bugzilla I get an error to the effect that POST is not allowed, and this appears in the Apache logs:

[Fri Dec 24 19:59:24 2004] [error] SSL Re-negotiation in conjunction with POST method not supported!\nhint: try SSLOptions +OptRenegotiate

I tried the fix recommended in the log message, but it doesn't work. I seemed to make it through one form OK, but then the next one got me the same error message, both displayed by the browser and in the Apache logs.

Any other suggestions?

Thanks, Dave.

RE: MSIE POST problem
I changed to shm from dbm, but it doesn't seem to solve my problem.

The thing I don't understand is why unselecting "show friendly http error pages" somehow lets the form post be downgraded. Does apache use some sort of redirect header to downgrade the request, and MSIE interprets that header as an error?

--peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: MSIE POST problem

try the shm version, eg:

SSLSessionCache shm:/var/run/ssl_scache(512000)

Seems to work better for everyone.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

>-----Original Message-----
>From: Peter Morelli [mailto:[EMAIL PROTECTED]]
>Sent: 25 October 2001 16:37
>To: '[EMAIL PROTECTED]'
>Subject: RE: MSIE POST problem
>
>
>Yes, using the dbm version...
>
>--pete
>
>-----Original Message-----
>From: David Rees [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, October 24, 2001 6:55 PM
>To: '[EMAIL PROTECTED]'
>Subject: Re: MSIE POST problem
>
>
>On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote:
>> Sorry, I have the same situation after using those config lines. I had seen
>> them on the mailing list before, but just to be sure I've just retested
>> them. No change. Same symptoms and solutions...
>
>And you do have a ssl session cache defined?
>
>-Dave

RE: MSIE POST problem
try the shm version, eg:

SSLSessionCache shm:/var/run/ssl_scache(512000)

Seems to work better for everyone.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

>-----Original Message-----
>From: Peter Morelli [mailto:[EMAIL PROTECTED]]
>Sent: 25 October 2001 16:37
>To: '[EMAIL PROTECTED]'
>Subject: RE: MSIE POST problem
>
>
>Yes, using the dbm version...
>
>--pete
>
>-----Original Message-----
>From: David Rees [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, October 24, 2001 6:55 PM
>To: '[EMAIL PROTECTED]'
>Subject: Re: MSIE POST problem
>
>
>On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote:
>> Sorry, I have the same situation after using those config lines. I had seen
>> them on the mailing list before, but just to be sure I've just retested
>> them. No change. Same symptoms and solutions...
>
>And you do have a ssl session cache defined?
>
>-Dave

RE: MSIE POST problem
Yes, using the dbm version...

--pete

-----Original Message-----
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 6:55 PM
To: '[EMAIL PROTECTED]'
Subject: Re: MSIE POST problem

On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote:
> Sorry, I have the same situation after using those config lines. I had seen
> them on the mailing list before, but just to be sure I've just retested
> them. No change. Same symptoms and solutions...

And you do have a ssl session cache defined?

-Dave

Re: MSIE POST problem
On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote:
> Sorry, I have the same situation after using those config lines. I had seen
> them on the mailing list before, but just to be sure I've just retested
> them. No change. Same symptoms and solutions...

And you do have a ssl session cache defined?

-Dave

RE: MSIE POST problem
Sorry, I have the same situation after using those config lines. I had seen them on the mailing list before, but just to be sure I've just retested them. No change. Same symptoms and solutions...

--pete

-----Original Message-----
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 5:03 PM
To: '[EMAIL PROTECTED]'
Subject: Re: MSIE POST problem

On Wed, Oct 24, 2001 at 03:47:11PM -0700, Peter Morelli wrote:
> I've done a little more testing, and it seems like turning OFF the "Show
> friendly http error pages" option in MSIE allows apache/mod_ssl to downgrade
> the connection to HTTP/1.0 correctly. Turning it back on again leads to a
> situation where it is NOT downgraded, and you get the "server not found"
> page. Again, this is only for file uploads.

It seems that recent versions (5.x+) of MSIE don't like being downgraded to HTTP/1.0. Try this config in place of your current SetEnvIf or BrowserMatch directive:

    BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

You may be able to get away without having the second line entirely, but I haven't tested it myself.

Let us know how it works out.

-Dave

Re: MSIE POST problem
On Wed, Oct 24, 2001 at 03:47:11PM -0700, Peter Morelli wrote:
> I've done a little more testing, and it seems like turning OFF the "Show
> friendly http error pages" option in MSIE allows apache/mod_ssl to downgrade
> the connection to HTTP/1.0 correctly. Turning it back on again leads to a
> situation where it is NOT downgraded, and you get the "server not found"
> page. Again, this is only for file uploads.

It seems that recent versions (5.x+) of MSIE don't like being downgraded to HTTP/1.0. Try this config in place of your current SetEnvIf or BrowserMatch directive:

    BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

You may be able to get away without having the second line entirely, but I haven't tested it myself.

Let us know how it works out.

-Dave

RE: MSIE POST problem
I've done a little more testing, and it seems like turning OFF the "Show friendly http error pages" option in MSIE allows apache/mod_ssl to downgrade the connection to HTTP/1.0 correctly. Turning it back on again leads to a situation where it is NOT downgraded, and you get the "server not found" page. Again, this is only for file uploads.

--pete

-----Original Message-----
From: Peter Morelli
Sent: Wednesday, October 24, 2001 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: MSIE POST problem

I'm having quite a perplexing problem, and I was hoping someone could give me a hint here on this list.

First, my environment:
- Solaris 2.6
- Apache 1.3.20
- modssl 2.8.4
- openssl 0.9.6b
- Weblogic 5.1
- MSIE 5.5 sp1

I'm using apache to frontend WebLogic through a BEA provided module.

My problem: It seems similar to some of the archived posts on this list as well as a section of the FAQ, as it is the "Server not found" error from MSIE. I start out with a form retrieved over regular HTTP, and post a file upload to a HTTPS URL. However, even after enabling the various fixes (SetEnvIf to downgrade, etc) detailed in the FAQ and past posts, it still doesn't work. I invariably get a server not found page. However, if I go to IE's Tools->Internet Options->Advanced and uncheck "Show friendly HTTP error messages", everything seems to work fine. Very weird. The error posts never even show up in my apache or weblogic logs, though after I turned the modssl log up to debug I can see some activity, and snoop picks up the packets between machines.

Some other variables:
- I use self generated certificates, which generate an accept certificate box in IE when it does work
- Non-standard ports: 8110 for http, 8115 for https, in a Virtual hosts. The SetEnvIf downgrade is out in the main server config.
- When I do standard form posts (just fields) this problem rarely crops up, if ever.
- From the modssl debug logs, it looks like the multi-part form request (file upload) establishes a regular ssl connection, which closes with a standard shutdown, while a regular post does downgrade and uses an unclean shutdown...

I have tried MANY different configurations, and I can't seem to get it to work. Any help would be greatly appreciated, as I'd rather not go back to serving http with weblogic (which doesn't seem to have a problem with IE).

--peter

MSIE POST problem
I'm having quite a perplexing problem, and I was hoping someone could give me a hint here on this list.

First, my environment:
- Solaris 2.6
- Apache 1.3.20
- modssl 2.8.4
- openssl 0.9.6b
- Weblogic 5.1
- MSIE 5.5 sp1

I'm using apache to frontend WebLogic through a BEA provided module.

My problem: It seems similar to some of the archived posts on this list as well as a section of the FAQ, as it is the "Server not found" error from MSIE. I start out with a form retrieved over regular HTTP, and post a file upload to a HTTPS URL. However, even after enabling the various fixes (SetEnvIf to downgrade, etc) detailed in the FAQ and past posts, it still doesn't work. I invariably get a server not found page. However, if I go to IE's Tools->Internet Options->Advanced and uncheck "Show friendly HTTP error messages", everything seems to work fine. Very weird. The error posts never even show up in my apache or weblogic logs, though after I turned the modssl log up to debug I can see some activity, and snoop picks up the packets between machines.

Some other variables:
- I use self generated certificates, which generate an accept certificate box in IE when it does work
- Non-standard ports: 8110 for http, 8115 for https, in a Virtual hosts. The SetEnvIf downgrade is out in the main server config.
- When I do standard form posts (just fields) this problem rarely crops up, if ever.
- From the modssl debug logs, it looks like the multi-part form request (file upload) establishes a regular ssl connection, which closes with a standard shutdown, while a regular post does downgrade and uses an unclean shutdown...

I have tried MANY different configurations, and I can't seem to get it to work. Any help would be greatly appreciated, as I'd rather not go back to serving http with weblogic (which doesn't seem to have a problem with IE).

--peter

Re: SSL Re-negotiation/POST Problem Question
Hello,

Thank you for your response!

I recompiled mod-ssl & Apache with the SSL_EXPERIMENTAL switch enabled and this fixed the problem.

BTW, congratulations on your recent wedding!

Just out of curiosity, do you know how to develop a root CA certificate that can be recognized by HotJava? I have one in cacert format for Netscape and one in DER format for MSIE.

Thanks again,
Murrah Boswell
[EMAIL PROTECTED]

Ralf S. Engelschall wrote:
>
> On Mon, Mar 27, 2000, OTR Comm wrote:
>
> > I get the following in my error log:
> >
> > [Mon Mar 27 19:53:00 2000] [error] mod_ssl: SSL Re-negotiation in
> > conjunction with POST method not supported!
> >
> > I assume that this is the problem that Ralf Engelschall was addressing
> > with the patch that he posted last year?
> >
> > If his patch will correct this problem, could someone please tell me how
> > to apply it?
>
> How to apply? The patch for a long time was part of the experimental
> code in mod_ssl and since 2.6.0 you have it already enabled by default
> (it is no longer declared experimental). So all you have to do is to
> upgrade to a recent mod_ssl 2.6 version. If you have an ancient version
> running, there is no chance to put this in, because the patch was not a
> trivial one which could be back-ported to older versions.
>
> > I have the message that he posted with the patch code in it, but I have
> > never applied enough patches to remember how to do it.
>
> As I said, to apply this old patch to an old mod_ssl version
> will certainly require patching. Consider upgrading mod_ssl
> and you get the stuff without fiddling.
>
> > I also assume that after I install the patch, I have to recompile
> > mod-ssl and Apache, correct?
>
> Yes.
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com

Re: SSL Re-negotiation/POST Problem Question
On Mon, Mar 27, 2000, OTR Comm wrote:

> I get the following in my error log:
>
> [Mon Mar 27 19:53:00 2000] [error] mod_ssl: SSL Re-negotiation in
> conjunction with POST method not supported!
>
> I assume that this is the problem that Ralf Engelschall was addressing
> with the patch that he posted last year?
>
> If his patch will correct this problem, could someone please tell me how
> to apply it?

How to apply? The patch for a long time was part of the experimental code in mod_ssl and since 2.6.0 you have it already enabled by default (it is no longer declared experimental). So all you have to do is to upgrade to a recent mod_ssl 2.6 version. If you have an ancient version running, there is no chance to put this in, because the patch was not a trivial one which could be back-ported to older versions.

> I have the message that he posted with the patch code in it, but I have
> never applied enough patches to remember how to do it.

As I said, to apply this old patch to an old mod_ssl version will certainly require patching. Consider upgrading mod_ssl and you get the stuff without fiddling.

> I also assume that after I install the patch, I have to recompile
> mod-ssl and Apache, correct?

Yes.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

SSL Re-negotiation/POST Problem Question
Hello,

I get the following in my error log:

[Mon Mar 27 19:53:00 2000] [error] mod_ssl: SSL Re-negotiation in conjunction with POST method not supported!

I assume that this is the problem that Ralf Engelschall was addressing with the patch that he posted last year?

If his patch will correct this problem, could someone please tell me how to apply it?

I have the message that he posted with the patch code in it, but I have never applied enough patches to remember how to do it.

I also assume that after I install the patch, I have to recompile mod-ssl and Apache, correct?

Could someone please help me here?

Thanks,
Murrah Boswell
[EMAIL PROTECTED]

SV: SV: File POST problem using MSIE
> -----Original Message-----
> From: Frankewitsch [mailto:[EMAIL PROTECTED]]
>
>
> > Anyone tried uploading large files (>1Mb) using POST, SSL
> > and IE? Any suggestions for a workaround?
>
> Only a comment:
> We experienced a problem of uploading large files from IE5 to a server (type
> not known, URL http://www.amia.org/) afaik *without* SSL a few months ago.
> May be I've not followed up the whole thread: Have you tested, that IE does
> this work even without SSL-enabled?
> thomas

Yepp, it works without SSL enabled.
I guess you'll get timeout problems uploading very large files using a low bandwidth.

Fredrik Johansson
Deneb AB

AW: SV: File POST problem using MSIE
>
> Anyone tried uploading large files (>1Mb) using POST, SSL
> and IE? Any suggestions for a workaround?

Only a comment:
We experienced a problem of uploading large files from IE5 to a server (type not known, URL http://www.amia.org/) afaik *without* SSL a few months ago.
May be I've not followed up the whole thread: Have you tested, that IE does this work even without SSL-enabled?

thomas

Re: SV: SV: File POST problem using MSIE
On Mon, Oct 25, 1999, Johansson, Fredrik wrote:

> [...]
> > > The SSL_EXPERIMENTAL directive makes no difference in this case.
> >
> > Are you sure? That is, have you really tested it?
>
> We compiled the mod_ssl dll on Win32 with SSL_EXPERIMENTAL defined. We have
> also made sure to test the new dll.
> [...]

DLL? Win32? Ok, then it's clear that you might have problems. I assumed you're testing under Unix. I never tried this on Win32.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

SV: SV: File POST problem using MSIE
> -----Original Message-----
> From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
> Sent: 19 October 1999 11:31
> To: [EMAIL PROTECTED]
> Subject: Re: SV: File POST problem using MSIE
>
>
> On Tue, Oct 19, 1999, Johansson, Fredrik wrote:
>
> > The SSL_EXPERIMENTAL directive makes no difference in this case.
>
> Are you sure? That is, have you really tested it?

We compiled the mod_ssl dll on Win32 with SSL_EXPERIMENTAL defined. We have also made sure to test the new dll.

> > Isn't it spooky that it works if we use SSLLogLevel debug?
>
> This usually indicates that you've a timing problem somewhere. Because
> "SSLLogLevel debug" produces MB's of log entries and this way slows down the
> server dramatically. That's the main difference for you.
>
> > Our test application is a simple servlet which only reads the request data
> > from the input stream.
>
> Perhaps this servlet has a timing problem. Or mod_jserv or
> whatever you're using...

We have the exact same problem using PHP3 for file upload using SSL. As before, Netscape works fine with all files but IE can only POST small files smaller than ~20k.

Anyone tried uploading large files (>1Mb) using POST, SSL and IE? Any suggestions for a workaround?

Regards,

Fredrik Johansson
Deneb AB

> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com

Re: SV: File POST problem using MSIE
On Tue, Oct 19, 1999, Johansson, Fredrik wrote:

> The SSL_EXPERIMENTAL directive makes no difference in this case.

Are you sure? That is, have you really tested it?

> Isn't it spooky that it works if we use SSLLogLevel debug?

This usually indicates that you've a timing problem somewhere. Because "SSLLogLevel debug" produces MB's of log entries and this way slows down the server dramatically. That's the main difference for you.

> Our test application is a simple servlet which only reads the request data
> from the input stream.

Perhaps this servlet has a timing problem. Or mod_jserv or whatever you're using...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

SV: File POST problem using MSIE
The SSL_EXPERIMENTAL directive makes no difference in this case.

Isn't it spooky that it works if we use SSLLogLevel debug?

Our test application is a simple servlet which only reads the request data from the input stream.

> -----Original Message-----
> From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
> Sent: 18 October 1999 20:52
> To: [EMAIL PROTECTED]
> Subject: Re: File POST problem using MSIE
>
>
> On Mon, Oct 18, 1999, Johansson, Fredrik wrote:
>
> > We have encountered a problem concerning the file upload browser feature in
> > MSIE (4 and 5) together with SSL. The transfer hangs, and never completes,
> > if the file (i.e. POST request) is larger than ~30kB. Everything works fine
> > when SSL is disabled. Needless to say but it works just fine with Netscape.
> >
> > An interesting thing is that if we turn on debug level logging for the ssl
> > engine, the upload completes, but takes a lot of time and disk space.
> >
> > We have found some information on an issue with MSIE and IIS sending SSLV3
> > packets which are too large. There is supposed to exist a config directive
> > for SSLeay called SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER. Anybody succeeded in
> > enabling it?
> >
> > We use:
> > Apache 1.3.9
> > mod_ssl 2.4.2-1.3.9
> > win32 platform
> >
> > Anybody else seen anything like this?
>
> First, did you have SSL_EXPERIMENTAL enabled when compiling mod_ssl or are
> you're not using the experimental code. If you're not using the experimental
> code, POST requests will certainly fail under lots of situations. You've to at
> least enable SSL_EXPERIMENTAL to get POST working correctly. If you already
> have the experimental code enabled, I've currently no clue why it doesn't
> work.
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com

Re: File POST problem using MSIE
Johansson,

Do you run into this problem when using SSL + CGI file upload script? Or is it restrictive to just POSTing files for upload.

"Johansson, Fredrik" wrote:
>
> Greetings.
>
> We have encountered a problem concerning the file upload browser feature in
> MSIE (4 and 5) together with SSL. The transfer hangs, and never completes,
> if the file (i.e. POST request) is larger than ~30kB. Everything works fine
> when SSL is disabled. Needless to say but it works just fine with Netscape.
>
> An interesting thing is that if we turn on debug level logging for the ssl
> engine, the upload completes, but takes a lot of time and disk space.
>
> We have found some information on an issue with MSIE and IIS sending SSLV3
> packets which are too large. There is supposed to exist a config directive
> for SSLeay called SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER. Anybody succeeded in
> enabling it?
>
> We use:
> Apache 1.3.9
> mod_ssl 2.4.2-1.3.9
> win32 platform
>
> Anybody else seen anything like this?
>
> ==
> Fredrik Johansson
> Deneb AB

--
Colin Faber
Perl programer, Systems administration
fpsn.net, Inc.
[EMAIL PROTECTED]
www.fpsn.net

Re: File POST problem using MSIE
On Mon, Oct 18, 1999, Johansson, Fredrik wrote:

> We have encountered a problem concerning the file upload browser feature in
> MSIE (4 and 5) together with SSL. The transfer hangs, and never completes,
> if the file (i.e. POST request) is larger than ~30kB. Everything works fine
> when SSL is disabled. Needless to say but it works just fine with Netscape.
>
> An interesting thing is that if we turn on debug level logging for the ssl
> engine, the upload completes, but takes a lot of time and disk space.
>
> We have found some information on an issue with MSIE and IIS sending SSLV3
> packets which are too large. There is supposed to exist a config directive
> for SSLeay called SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER. Anybody succeeded in
> enabling it?
>
> We use:
> Apache 1.3.9
> mod_ssl 2.4.2-1.3.9
> win32 platform
>
> Anybody else seen anything like this?

First, did you have SSL_EXPERIMENTAL enabled when compiling mod_ssl or are you're not using the experimental code. If you're not using the experimental code, POST requests will certainly fail under lots of situations. You've to at least enable SSL_EXPERIMENTAL to get POST working correctly. If you already have the experimental code enabled, I've currently no clue why it doesn't work.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

File POST problem using MSIE
Greetings.

We have encountered a problem concerning the file upload browser feature in MSIE (4 and 5) together with SSL. The transfer hangs, and never completes, if the file (i.e. POST request) is larger than ~30kB. Everything works fine when SSL is disabled. Needless to say but it works just fine with Netscape.

An interesting thing is that if we turn on debug level logging for the ssl engine, the upload completes, but takes a lot of time and disk space.

We have found some information on an issue with MSIE and IIS sending SSLV3 packets which are too large. There is supposed to exist a config directive for SSLeay called SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER. Anybody succeeded in enabling it?

We use:
Apache 1.3.9
mod_ssl 2.4.2-1.3.9
win32 platform

Anybody else seen anything like this?

==
Fredrik Johansson
Deneb AB
Re: Experimental: input sucking for POST problem
On Mon, Jul 26, 1999, Ralf S. Engelschall wrote:

> As Matthias L. found out, the problem with POST requests in conjunction with
> per-directory/location SSL renegotiations is that the pending POST request
> body in the SSL BIO caused problems for the handshake. I've today spent four
> hours in the morning and hacked together an experimental patch which does the
> following: before the SSL handshake for renegotiations is performed it sucks
> in all received data from the SSL BIO. Then the handshake is performed and
> when Apache's BUFF code wants to read more from the BIO SSL we are aware of
> the pre-sucked data. With this patch I was able to get a form working which
> POSTs its data to a CGI (I was also able to reproduce the I/O error problem before,
> of course).
>
> Matthias, can you try this out, too? I'm still not convinced whether this is
> the correct way (perhaps we can also manipulate the SSL BIO or whatever), but
> it at least is a solution. I've less time these days and weeks, so I would
> appreciate when you investigate more for us - starting from this first cut of
> a solution. Thanks.

Ok, I couldn't resist and have tried a second attempt, because the first attempt was not aware of HTTP chunking and other side-effects. Now I do a really tricky thing: I read the client body through Apache's standard API which is chunking-aware, but instead of processing the data it's just pushed into a suck-buffer attached to the request_rec. Later when mod_cgi again wants to read the client body it is served by the data in the suck buffer. This now works again fine for my test scripts and should be now a 98% correct solution (while the first patch was just a 50% solution). Nevertheless it needs review and wider testing.

So, forget my first patch from this morning and instead test the appended patch. Thanks.

Ralf S.
Engelschall [EMAIL PROTECTED] www.engelschall.com Index: include/buff.h === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/include/buff.h,v retrieving revision 1.6 diff -u -r1.6 buff.h --- include/buff.h 1999/01/10 11:07:22 1.6 +++ include/buff.h 1999/07/26 13:17:25 @@ -182,6 +182,8 @@ #ifndef CHARSET_EBCDIC +#define ap_bpeekc(fb) ( ((fb)->incnt == 0) ? EOF : *((fb)->inptr) ) + #define ap_bgetc(fb) ( ((fb)->incnt == 0) ? ap_bfilbuf(fb) : \ ((fb)->incnt--, *((fb)->inptr++)) ) Index: modules/ssl/mod_ssl.h === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v retrieving revision 1.108 diff -u -r1.108 mod_ssl.h --- modules/ssl/mod_ssl.h 1999/07/25 11:24:13 1.108 +++ modules/ssl/mod_ssl.h 1999/07/26 11:30:25 @@ -715,6 +715,7 @@ void ssl_io_register(void); void ssl_io_unregister(void); long ssl_io_data_cb(BIO *, int, const char *, int, long, long); +void ssl_io_suck(request_rec *, SSL *); /* PRNG */ int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t); Index: modules/ssl/ssl_engine_io.c === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v retrieving revision 1.23 diff -u -r1.23 ssl_engine_io.c --- modules/ssl/ssl_engine_io.c 1999/05/04 07:58:53 1.23 +++ modules/ssl/ssl_engine_io.c 1999/07/26 13:24:36 
@@ -64,6 +64,154 @@ -- Unknown*/ #include "mod_ssl.h" +/* _ +** +** I/O Request Body Sucking and Re-Injection +** _ +*/ + +#ifdef SSL_EXPERIMENTAL + +struct ssl_io_suck_st { +BOOL active; +char *bufptr; +int buflen; +char *pendptr; +int pendlen; +}; + +/* prepare request_rec structure for input sucking */ +static void ssl_io_suck_start(request_rec *r) +{ +struct ssl_io_suck_st *ss; + +ss = ap_ctx_get(r->ctx, "ssl::io::suck"); +if (ss == NULL) { +ss = ap_palloc(r->pool, sizeof(struct ssl_io_suck_st)); +ap_ctx_set(r->ctx, "ssl::io::suck", ss); +ss->buflen = 8192; +ss->bufptr = ap_palloc(r->pool, ss->buflen); +} +ss->pendptr = ss->bufptr; +ss->pendlen = 0; +ss->active = FALSE; +return; +} + +/* record a sucked input chunk */ +static void ssl_io_suck_record(request_rec *r, char *buf, int len) +{ +struct ssl_io_suck_st *ss; + +if ((ss = ap_ctx_get(r->ctx, "ssl::io::suck")) == NULL) +return; +if (((ss->bufptr+ss->buflen)-(ss->pendptr+ss->pendlen)) < len) { +/* "expand" buffer */ +int newlen; +char *newptr; +if (ss->buflen < len) +newlen = ss->buflen * 2; +else +newlen = ss->buflen + len; +
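Review bot: In the include/buff.h hunk, ap_bpeekc() yields EOF whenever (fb)->incnt is 0, which only means the input buffer is currently empty, not that the stream has ended; ap_bgetc() directly below it calls ap_bfilbuf(fb) in exactly that case. A caller that treats the EOF from ap_bpeekc() as end of input will stop reading a body that is still arriving, so the macro needs a comment saying it never refills, and callers need a way to tell "nothing buffered" from a real end of stream. The define is also added only under #ifndef CHARSET_EBCDIC, so the other branch needs a matching definition if the macro is used outside this block.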
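Review bot: In the modules/ssl/mod_ssl.h hunk, the prototype void ssl_io_suck(request_rec *, SSL *); is added unconditionally, while the request body code shown in ssl_engine_io.c begins under #ifdef SSL_EXPERIMENTAL. Put the prototype under the same #ifdef so that a build without SSL_EXPERIMENTAL fails at compile time at any call site instead of at link time, and add a one-line comment stating when the function has to be called relative to the renegotiation.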
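Review bot: In ssl_io_suck_record() in the modules/ssl/ssl_engine_io.c hunk, the growth step sets newlen = ss->buflen * 2 when ss->buflen < len, which can still be too small for the data already pending plus the new chunk (a 20000-byte chunk against the initial 8192-byte buffer gives 16384), and the two branches look swapped. Compute the required size from ss->pendlen + len and grow to at least that. In the part of the hunk shown nothing limits how large the buffer may become, so each request can be made to hold its whole body in pool memory; a maximum size with a clean failure path would bound that, and the int arithmetic on buflen and len should be checked for overflow at the same place.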
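The record-then-replay buffering this message describes, as an added stand-alone C example (not Ralf's patch and not mod_ssl code). It uses malloc/realloc instead of Apache pools; the names body_buf_* and the 128 KB cap BODY_BUF_MAX are assumptions. The buffer grows until a chunk fits and refuses input past the cap, so an oversized body cannot consume unbounded memory.

```c
/* Added example, not mod_ssl code: bounded record-and-replay buffer for a
 * request body. All names and the size cap are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_BUF_INIT 8192           /* starting size used in the patch */
#define BODY_BUF_MAX  (128 * 1024)   /* assumed cap on buffered body bytes */

struct body_buf {
    char  *base;   /* start of the allocation */
    size_t cap;    /* bytes allocated */
    size_t len;    /* bytes recorded so far */
    size_t rpos;   /* next byte to hand back on replay */
};

static int body_buf_init(struct body_buf *b)
{
    b->base = malloc(BODY_BUF_INIT);
    b->cap = b->base ? BODY_BUF_INIT : 0;
    b->len = b->rpos = 0;
    return b->base ? 0 : -1;
}

/* Record one chunk read before the renegotiation.
 * Returns 0 on success, -1 if the cap would be exceeded or memory runs out. */
static int body_buf_record(struct body_buf *b, const char *data, size_t n)
{
    size_t need, newcap;
    char *p;

    if (b->base == NULL || n > BODY_BUF_MAX - b->len)
        return -1;                   /* refuse instead of growing unbounded */
    need = b->len + n;
    if (need > b->cap) {
        newcap = b->cap;
        while (newcap < need)        /* grow until the chunk really fits */
            newcap *= 2;
        if (newcap > BODY_BUF_MAX)
            newcap = BODY_BUF_MAX;   /* still >= need, since need <= BODY_BUF_MAX */
        if ((p = realloc(b->base, newcap)) == NULL)
            return -1;
        b->base = p;
        b->cap = newcap;
    }
    memcpy(b->base + b->len, data, n);
    b->len = need;
    return 0;
}

/* Serve recorded bytes to the later reader; returns 0 once drained. */
static size_t body_buf_replay(struct body_buf *b, char *out, size_t outlen)
{
    size_t avail = b->len - b->rpos;
    size_t n = avail < outlen ? avail : outlen;
    memcpy(out, b->base + b->rpos, n);
    b->rpos += n;
    return n;
}

int main(void)
{
    struct body_buf b;
    char out[16];
    size_t n;

    if (body_buf_init(&b) != 0)
        return 1;
    body_buf_record(&b, "name=x&", 7);      /* constructed form data */
    body_buf_record(&b, "msg=hello", 9);
    while ((n = body_buf_replay(&b, out, sizeof out)) > 0)
        printf("replayed %zu bytes: %.*s\n", n, (int)n, out);
    free(b.base);
    return 0;
}
```

State kept in a structure like this belongs to one request and is released with it, which is what attaching the buffer to request_rec achieves in the message above.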
Re: Experimental: input sucking for POST problem
I'll give this a try as well given that I'm giving a demo tomorrow morning :)

Thanks
Jeff

On Mon, 26 Jul 1999, Ralf S. Engelschall wrote:
>
> As Matthias L. found out, the problem with POST requests in conjunction with
> per-directory/location SSL renegotiations is that the pending POST request
> body in the SSL BIO caused problems for the handshake. I've today spent four
> hours in the morning and hacked together an experimental patch which does the
> following: before the SSL handshake for renegotiations is performed it sucks
> in all received data from the SSL BIO. Then the handshake is performed and
> when Apache's BUFF code wants to read more from the BIO SSL we are aware of
> the pre-sucked data. With this patch I was able to get a form working which
> POSTs its data to a CGI (I was also able to reproduce the I/O error problem before,
> of course).
>
> Matthias, can you try this out, too? I'm still not convinced whether this is
> the correct way (perhaps we can also manipulate the SSL BIO or whatever), but
> it at least is a solution. I've less time these days and weeks, so I would
> appreciate when you investigate more for us - starting from this first cut of
> a solution. Thanks.
>
> Greetings,
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
>
> Index: include/buff.h > === > RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/include/buff.h,v > retrieving revision 1.6 > diff -u -r1.6 buff.h > --- include/buff.h1999/01/10 11:07:22 1.6 > +++ include/buff.h1999/07/26 09:26:06
> @@ -227,6 +227,10 @@ > > /* enable non-blocking operations */ > API_EXPORT(int) ap_bnonblock(BUFF *fb, int direction); > +/* enable blocking operations */ > +API_EXPORT(int) ap_bblock(BUFF *fb, int direction); > +/* check for blocking mode */ > +API_EXPORT(int) ap_bisblock(BUFF *fb, int direction); > /* and get an fd to select() on */ > API_EXPORT(int) ap_bfileno(BUFF *fb, int direction); > > Index: main/buff.c > === > RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/main/buff.c,v > retrieving revision 1.14 > diff -u -r1.14 buff.c > --- main/buff.c 1999/03/21 12:00:11 1.14 > +++ main/buff.c 1999/07/26 09:25:30 
> @@ -580,6 +580,44 @@ > #endif > } > > +API_EXPORT(int) ap_bblock(BUFF *fb, int direction) > +{ > +int fd; > +int mode; > + > +fd = (direction == B_RD) ? fb->fd_in : fb->fd; > +mode = fcntl(fd, F_GETFL, NULL); > +#if defined(O_NONBLOCK) > +return fcntl(fd, F_SETFL, mode&~(O_NONBLOCK)); > +#elif defined(O_NDELAY) > +return fcntl(fd, F_SETFL, mode&~(O_NDELAY)); > +#elif defined(FNDELAY) > +return fcntl(fd, F_SETFL, mode&~(FNDELAY)); > +#else > +/* : this breaks things, but an alternative isn't obvious...*/ > +return 0; > +#endif > +} > + > +API_EXPORT(int) ap_bisblock(BUFF *fb, int direction) > +{ > +int fd; > +int mode; > + > +fd = (direction == B_RD) ? fb->fd_in : fb->fd; > +mode = fcntl(fd, F_GETFL, NULL); > +#if defined(O_NONBLOCK) > +return (mode & O_NONBLOCK) ? FALSE : TRUE; > +#elif defined(O_NDELAY) > +return (mode & O_NDELAY) ? FALSE : TRUE; > +#elif defined(FNDELAY) > +return (mode & FNDELAY) ? FALSE : TRUE; > +#else > +/* : this breaks things, but an alternative isn't obvious...*/ > +return FALSE; > +#endif > +} > + > API_EXPORT(int) ap_bfileno(BUFF *fb, int direction) > { > return (direction == B_RD) ? fb->fd_in : fb->fd; > Index: modules/ssl/mod_ssl.h > === > RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v > retrieving revision 1.108 > diff -u -r1.108 mod_ssl.h > --- modules/ssl/mod_ssl.h 1999/07/25 11:24:13 1.108 > +++ modules/ssl/mod_ssl.h 1999/07/26 08:02:23 > @@ -715,6 +715,7 @@ > void ssl_io_register(void); > void ssl_io_unregister(void); > long ssl_io_data_cb(BIO *, int, const char *, int, long, long); > +void ssl_io_suck(SSL *); > > /* PRNG */ > int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t); > Index: modules/ssl/ssl_engine_io.c > === > RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v > retrieving revision 1.23 > diff -u -r1.23 ssl_engine_io.c > --- modules/ssl/ssl_engine_io.c 1999/05/04 07:58:53 1.23 > +++ modules/ssl/ssl_engine_io.c 1999/07/26 09:53:23 
> @@ -64,6 +64,138 @@ > -- Unknown*/ > #include "mod_ssl.h" > > +/* _ > +** > +** I/O Sucking > +** _ > +*/ > + > +static char *suc
Experimental: input sucking for POST problem
As Matthias L. found out, the problem with POST requests in conjunction with per-directory/location SSL renegotiations is that the pending POST request body in the SSL BIO caused problems for the handshake. I've today spent four hours in the morning and hacked together an experimental patch which does the following: before the SSL handshake for renegotiations is performed it sucks in all received data from the SSL BIO. Then the handshake is performed and when Apache's BUFF code wants to read more from the BIO SSL we are aware of the pre-sucked data. With this patch I was able to get a form working which POSTs its data to a CGI (I was also able to reproduce the I/O error problem before, of course).

Matthias, can you try this out, too? I'm still not convinced whether this is the correct way (perhaps we can also manipulate the SSL BIO or whatever), but it at least is a solution. I've less time these days and weeks, so I would appreciate when you investigate more for us - starting from this first cut of a solution. Thanks.

Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Index: include/buff.h === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/include/buff.h,v retrieving revision 1.6 diff -u -r1.6 buff.h --- include/buff.h 1999/01/10 11:07:22 1.6 +++ include/buff.h 1999/07/26 09:26:06 @@ -227,6 +227,10 @@ /* enable non-blocking operations */ API_EXPORT(int) ap_bnonblock(BUFF *fb, int direction); +/* enable blocking operations */ +API_EXPORT(int) ap_bblock(BUFF *fb, int direction); +/* check for blocking mode */ +API_EXPORT(int) ap_bisblock(BUFF *fb, int direction); /* and get an fd to select() on */ API_EXPORT(int) ap_bfileno(BUFF *fb, int direction); Index: main/buff.c === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/main/buff.c,v retrieving revision 1.14 diff -u -r1.14 buff.c --- main/buff.c 1999/03/21 12:00:11 1.14 +++ main/buff.c 1999/07/26 09:25:30
@@ -580,6 +580,44 @@ #endif } +API_EXPORT(int) ap_bblock(BUFF *fb, int direction) +{ +int fd; +int mode; + +fd = (direction == B_RD) ? fb->fd_in : fb->fd; +mode = fcntl(fd, F_GETFL, NULL); +#if defined(O_NONBLOCK) +return fcntl(fd, F_SETFL, mode&~(O_NONBLOCK)); +#elif defined(O_NDELAY) +return fcntl(fd, F_SETFL, mode&~(O_NDELAY)); +#elif defined(FNDELAY) +return fcntl(fd, F_SETFL, mode&~(FNDELAY)); +#else +/* : this breaks things, but an alternative isn't obvious...*/ +return 0; +#endif +} + +API_EXPORT(int) ap_bisblock(BUFF *fb, int direction) +{ +int fd; +int mode; + +fd = (direction == B_RD) ? fb->fd_in : fb->fd; +mode = fcntl(fd, F_GETFL, NULL); +#if defined(O_NONBLOCK) +return (mode & O_NONBLOCK) ? FALSE : TRUE; +#elif defined(O_NDELAY) +return (mode & O_NDELAY) ? FALSE : TRUE; +#elif defined(FNDELAY) +return (mode & FNDELAY) ? FALSE : TRUE; +#else +/* : this breaks things, but an alternative isn't obvious...*/ +return FALSE; +#endif +} + API_EXPORT(int) ap_bfileno(BUFF *fb, int direction) { return (direction == B_RD) ? fb->fd_in : fb->fd; Index: modules/ssl/mod_ssl.h === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v retrieving revision 1.108 diff -u -r1.108 mod_ssl.h --- modules/ssl/mod_ssl.h 1999/07/25 11:24:13 1.108 +++ modules/ssl/mod_ssl.h 1999/07/26 08:02:23 @@ -715,6 +715,7 @@ void ssl_io_register(void); void ssl_io_unregister(void); long ssl_io_data_cb(BIO *, int, const char *, int, long, long); +void ssl_io_suck(SSL *); /* PRNG */ int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t); Index: modules/ssl/ssl_engine_io.c === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v retrieving revision 1.23 diff -u -r1.23 ssl_engine_io.c --- modules/ssl/ssl_engine_io.c 1999/05/04 07:58:53 1.23 +++ modules/ssl/ssl_engine_io.c 1999/07/26 09:53:23 
@@ -64,6 +64,138 @@ -- Unknown*/ #include "mod_ssl.h" +/* _ +** +** I/O Sucking +** _ +*/ + +static char *suck_buf = NULL; +static int suck_len = 0; + +static char *suck_ptr = NULL; +static int suck_pend = 0; + +int ssl_io_suck_in(SSL *ssl, int n); +int ssl_io_suck_read(SSL *ssl, char *buf, int len); + +void ssl_io_suck(SSL *ssl) +{ +conn_rec *c; +BUFF *b; +int wasblocking; + +c = (conn_rec *)SSL_get_app_data(ssl); +b = c->client; + +/* set socket to non-blocking mode */ +wasbl
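Review bot: In ap_bblock() and ap_bisblock() in the main/buff.c hunk, the result of fcntl(fd, F_GETFL, NULL) is used without a check for -1. On failure mode is -1, so ap_bblock() hands mode&~(O_NONBLOCK), with nearly every flag bit set, to F_SETFL, and ap_bisblock() reports FALSE. Return an error when F_GETFL fails. The #else fallbacks also disagree with each other: ap_bblock() returns 0 as if the switch had succeeded while ap_bisblock() returns FALSE, so on a platform with none of the three flags a caller is told the descriptor was set to blocking and then that it is not blocking.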
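Review bot: In the modules/ssl/ssl_engine_io.c hunk, suck_buf, suck_len, suck_ptr and suck_pend are file-scope statics, so the buffered request body is shared by every connection the process serves. Bytes left over from one request can be handed to the reader of the next one, and on a threaded build two connections would race on the same pointers. Keep this state on the connection or request the data belongs to and reset it when that object goes away; the follow-up patch in this thread moves it to a context entry on request_rec.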
Re: POST problem
>I've also come across the POST problem.
>And I think that I found the hint of the problem.

Sorry, I forgot to write the environment.

Server: Apache1.3.6+mod_ssl2.2.6+openssl0.9.2b
Server OS: Solaris2.6 (Sparc)
Client: MSIE5.0
Client OS: WindowsNT4.0SP4
__
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: POST problem
>> Ok, then I've to check now POST+keepalive+redirection, too. What a nice thing
>> that the HTTP protocol makes such a lot of esoteric combinations
>> possible. I'll investigate when I find time.

>Just FYI, i've also come across the POST+keepalive+redirection problem. I think
>i'm right in saying it's still a problem because i can't see it in the changes
>for 2.2.6.

I've also come across the POST problem.
And I think that I found the hint of the problem.

/contact/index.html is the html file with form.
And I wrote in the form, then I click the submit button.

14:08:07 log is strange.
[debug] OpenSSL: write 23/23 bytes to BIO#00140880 [mem: 00155638] (BIO dump follows)
Why is the first line of 14:08:07 "write"?

access_log:
XXX.XXX.XXX.XX - - [26/Mar/1999:14:07:51 +0900] "GET /contact/index.html HTTP/1.0" 304 -
XXX.XXX.XXX.XX - - [26/Mar/1999:14:07:51 +0900] "GET /icon/inquiryhead.gif HTTP/1.0" 304 -

ssl_engine_log (debug):
[26/Mar/1999 14:07:51] [debug] OpenSSL: read 419/18437 bytes from BIO#00140880 [mem: 00150E28] (BIO dump follows)
[26/Mar/1999 14:07:51] [info] Subsequent (No.4) HTTPS request received for child 1 (server xxx.xxx.xxx.xxx.xxx.xxx:443 )
[26/Mar/1999 14:07:51] [debug] OpenSSL: write 229/229 bytes to BIO#00140880 [mem: 00155638] (BIO dump follows)
[26/Mar/1999 14:07:51] [debug] OpenSSL: read 354/18437 bytes from
Re: POST problem
Ralf S. Engelschall wrote:

> Ok, then I've to check now POST+keepalive+redirection, too. What a nice thing
> that the HTTP protocol makes such a lot of esoteric combinations
> possible. I'll investigate when I find time.

Just FYI, i've also come across the POST+keepalive+redirection problem. I think i'm right in saying it's still a problem because i can't see it in the changes for 2.2.6.

thanks,
Tony.

--
Tony Locke [EMAIL PROTECTED]
Programmer, Open World Limited
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: POST problem
On Mon, Mar 22, 1999, [EMAIL PROTECTED] wrote:

>[...]
> I have four scripts that I call using HTTPS. Two are C programs, one is
> a PHP3.0.7 script, and one is a shell script. All of these scripts work
> over HTTP with POST. All work over HTTPS with GET. One of the C programs
> and the shell script work over HTTPS with POST. The other C program and
> the PHP script do not. The scripts that work both do some processing and
> send output to the browser. The scripts that don't work do some processing
> then send a "Location: " header to send to another page. The problem
> appears to be in the redirection, then. This is the error I get:
>
> "An I/O error occured during security authorization. Please try
> your connection again"

Ok, then I've to check now POST+keepalive+redirection, too. What a nice thing that the HTTP protocol makes such a lot of esoteric combinations possible. I'll investigate when I find time.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: POST problem
>
> On Sun, Mar 21, 1999, [EMAIL PROTECTED] wrote:
>
> > I just did the following:
> >
> > cd apache_1.3.4
> > make clean
> > cd ../mod_ssl-2.2.5-1.3.4
> > ./configure ...
> > cd ../apache_1.3.4
> > ./configure ...
> > make
> > make install
> >
> > which would seem to COMPLETELY rebuild the apache and mod_ssl source
> > trees, and I'm still having the POST problem, using mod_ssl with DSO.
>
> Hmmm... I've yesterday evening tried it again myself with a little POST
> cgi-script and all worked fine. So, you've to give me more details on your
> particular "POST problem" or I cannot help you. Perhaps it's something
> different this time. What exact URLs you request, what scripts/pages are on
> the filesystem and how are they configured?
>
> BTW, Apache doesn't allow POSTs to all things per default and Netscape doesn't
> like Apache's non-200/OK response in these cases. So, are you sure your "POST
> problem" works at least with plain HTTP?

I have four scripts that I call using HTTPS. Two are C programs, one is a PHP3.0.7 script, and one is a shell script. All of these scripts work over HTTP with POST. All work over HTTPS with GET. One of the C programs and the shell script work over HTTPS with POST. The other C program and the PHP script do not. The scripts that work both do some processing and send output to the browser. The scripts that don't work do some processing then send a "Location: " header to send to another page. The problem appears to be in the redirection, then. This is the error I get:

"An I/O error occured during security authorization. Please try your connection again"

I'm using:
Apache 1.3.4
mod_ssl 2.2.5-1.3.4
openssl 0.9.1c (upgrading shortly)
PHP 3.0.7
Netscape 4.07
Linux 2.0.36
glibc 2.0.7

-mike

>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com