Re: [Modules] mod_gnutls making Apache use 100% CPU
Simon Josefsson writes:
>
> I recall something like that, it happened if the cache was corrupt.
> Maybe you could stop apache, copy away /var/cache/apache2/gnutls_cache,
> and start apache again, to see if it solves the problem? Save the cache
> file so we can try to debug why this happened.
>
> /Simon
>

This is an old topic but it saved me. I just had the same problem, apache spawning 100% CPU children. Exactly the same output as you for strace and dbg. I am glad I found this topic, the situation was becoming really troublesome.

___
Modules mailing list
Modules@lists.outoforder.cc
http://lists.outoforder.cc/mailman/listinfo/modules
[Modules] mod_gnutls
It seems I no longer have the time to keep up working with mod_gnutls. Unless someone else steps up as maintainer, please consider this module as unmaintained.

regards,
Nikos
Re: [Modules] [mod_gnutls] Keep-Alive possible?
On 09/22/2010 09:11 AM, Hardy Griech wrote:
On 22.09.2010 08:56, Nikos Mavrogiannopoulos wrote:
:
GnuTLSCache is pointing to a file in a writable directory (/tmp-ram/gnutls), but: there are only gnutls.dir and gnutls.pag contained in that directory, no gnutls without extension.

This sounds normal. The db backend does use those files. Could you try deleting them and restarting? Do you get the same error? Which version of mod_gnutls do you use?

[...]
[Wed Sep 22 09:08:12 2010] [debug] gnutls_cache.c(355): [gnutls_cache] Cleaned up cache '/tmp-ram/gnutls'. Deleted 0 and left 0
[Wed Sep 22 09:08:12 2010] [debug] gnutls_cache.c(461): (22)Invalid argument: [gnutls_cache] error storing in cache '/tmp-ram/gnutls'

That's strange. What is the output with the patch (prints the DB internal error as well)?

regards,
Nikos

diff --git a/configure.ac b/configure.ac index 90f4ab6..6b81ded 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl -AC_INIT(mod_gnutls, 0.5.8) +AC_INIT(mod_gnutls, 0.5.9) OOO_CONFIG_NICE(config.nice) MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION AC_PREREQ(2.53) diff --git a/src/gnutls_cache.c b/src/gnutls_cache.c index 3ca8cb5..2653b4e 100644 --- a/src/gnutls_cache.c +++ b/src/gnutls_cache.c @@ -456,12 +456,15 @@ static int dbm_cache_store(void* baton, gnutls_datum_t key, } rv = apr_dbm_store(dbm, dbmkey, dbmval); - if (rv != APR_SUCCESS) { +char err[128], *p; + +p = apr_dbm_geterror(dbm, NULL, err, sizeof(err)); + ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, ctxt-c-base_server, - [gnutls_cache] error storing in cache '%s', - ctxt-sc-cache_config); + [gnutls_cache] error storing in cache '%s': %s, + ctxt-sc-cache_config, p!=NULL?p:unknown error); apr_dbm_close(dbm); apr_pool_destroy(spool); return -1;
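Review bot: the AC_INIT bump from 0.5.8 to 0.5.9 in configure.ac rides along with a change that only adds logging to dbm_cache_store, so a build made from this debugging patch will identify itself as 0.5.9 (the thread shows the module version being reported as SSL_VERSION_INTERFACE=mod_gnutls/0.5.8). Suggest dropping the version change from the diagnostic patch, or sending it as a separate release commit, so that later reports against 0.5.9 are unambiguous.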
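Review bot: in the dbm_cache_store hunk the fallback "p!=NULL?p:unknown error" only covers a NULL return from apr_dbm_geterror; if the call hands back err holding an empty message, the log line ends with nothing after the colon, so also test p[0] before using it. The second argument is passed as NULL, which discards the backend's numeric error code that this patch is meant to surface; pass the address of an int and log it alongside the text. "char err[128], *p;" is declared after statements and at column 0, so move the declaration to the top of the enclosing block and indent it like the surrounding code.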
Re: [Modules] [mod_gnutls] Keep-Alive possible?
I will (have to) do the test today in the evening (CEST).

Hardy

- Original Message -
From: Nikos Mavrogiannopoulos
Sent: 22.09.10 09:25
To: Hardy Griech
Subject: Re: [Modules] [mod_gnutls] Keep-Alive possible?

On 09/22/2010 09:11 AM, Hardy Griech wrote:
On 22.09.2010 08:56, Nikos Mavrogiannopoulos wrote:
:
GnuTLSCache is pointing to a file in a writable directory (/tmp-ram/gnutls), but: there are only gnutls.dir and gnutls.pag contained in that directory, no gnutls without extension.

This sounds normal. The db backend does use those files. Could you try deleting them and restarting? Do you get the same error? Which version of mod_gnutls do you use?

[...]
[Wed Sep 22 09:08:12 2010] [debug] gnutls_cache.c(355): [gnutls_cache] Cleaned up cache '/tmp-ram/gnutls'. Deleted 0 and left 0
[Wed Sep 22 09:08:12 2010] [debug] gnutls_cache.c(461): (22)Invalid argument: [gnutls_cache] error storing in cache '/tmp-ram/gnutls'

That's strange. What is the output with the patch (prints the DB internal error as well)?

regards,
Nikos

diff --git a/configure.ac b/configure.ac index 90f4ab6..6b81ded 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl -AC_INIT(mod_gnutls, 0.5.8) +AC_INIT(mod_gnutls, 0.5.9) OOO_CONFIG_NICE(config.nice) MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION AC_PREREQ(2.53) diff --git a/src/gnutls_cache.c b/src/gnutls_cache.c index 3ca8cb5..2653b4e 100644 --- a/src/gnutls_cache.c +++ b/src/gnutls_cache.c
@@ -456,12 +456,15 @@ static int dbm_cache_store(void* baton, gnutls_datum_t key, } rv = apr_dbm_store(dbm, dbmkey, dbmval); - if (rv != APR_SUCCESS) { +char err[128], *p; + +p = apr_dbm_geterror(dbm, NULL, err, sizeof(err)); + ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, ctxt-c-base_server, - [gnutls_cache] error storing in cache '%s', - ctxt-sc-cache_config); + [gnutls_cache] error storing in cache '%s': %s, + ctxt-sc-cache_config, p!=NULL?p:unknown error); apr_dbm_close(dbm); apr_pool_destroy(spool); return -1;
[Modules] [mod_gnutls] Keep-Alive possible?
Hi,

I'm trying to configure mod_gnutls/apache to allow keep-alive connections, i.e. allow multiple http requests through a single connection. Is this actually possible with mod_gnutls?

Thanks
Hardy

Background: we have a battery driven application which should securely connect to a web server via GPRS. So amount of data transmission and online time is critical.
Re: [Modules] [mod_gnutls] Keep-Alive possible?
On 21.09.2010 21:32, Nikos Mavrogiannopoulos wrote:
:
> Why wouldn't it be? Did you notice any issues? mod_gnutls only offers the secure layer. The HTTP is still handled by apache thus anything that worked without mod_gnutls should work with it.
:

Another hint that mod_gnutls is the culprit: the headers of the responses in both cases (mod_ssl, mod_gnutls) are the same. The difference is, that apache with mod_gnutls closes the connection after the response while apache with mod_ssl does not.

mod_gnutls:
H: HTTP/1.1 200 OK
H: Date: Wed, 22 Sep 2010 03:34:51 GMT
H: Server: Apache/2.2.16 (Debian)
H: Vary: Accept-Encoding
H: Keep-Alive: timeout=60, max=100
H: Connection: Keep-Alive
H: Transfer-Encoding: chunked
H: Content-Type: text/plain

mod_ssl:
H: HTTP/1.1 200 OK
H: Date: Tue, 21 Sep 2010 11:15:38 GMT
H: Server: Apache
H: Keep-Alive: timeout=15, max=99
H: Connection: Keep-Alive
H: Transfer-Encoding: chunked
H: Content-Type: text/plain

SSL_VERSION_LIBRARY=GnuTLS/2.10.1
SSL_VERSION_INTERFACE=mod_gnutls/0.5.8
(the same for official debian packages from testing, gnutls 2.8.6, mod_gnutls 0.5.6)

Hardy
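An added example, not part of the original post or of mod_gnutls: a Python check for the symptom described above, a server that advertises Keep-Alive yet closes the connection after the response. The names start_server and survives_second_request, the constructed local server and its canned response are assumptions made for illustration; pass an http.client.HTTPSConnection to check a real TLS host.

```python
import http.client
import socket
import threading

# Constructed response: always advertises keep-alive, like the headers in the post.
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Keep-Alive: timeout=60, max=100\r\n"
            b"Connection: Keep-Alive\r\n"
            b"Content-Length: 2\r\n\r\nok")


def start_server(close_after_response):
    """Start a constructed local HTTP server; return its port.

    With close_after_response=True it reproduces the reported symptom:
    keep-alive headers are sent, then the connection is closed anyway.
    """
    listener = socket.create_server(("127.0.0.1", 0))

    def serve():
        while True:
            conn, _ = listener.accept()
            with conn:
                # Each small test request arrives in a single recv().
                while conn.recv(65536):
                    conn.sendall(RESPONSE)
                    if close_after_response:
                        break

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def survives_second_request(conn, path="/"):
    """True if two requests complete over the same underlying socket."""
    conn.request("GET", path)
    conn.getresponse().read()
    first_sock = conn.sock
    if first_sock is None:  # server answered with "Connection: close"
        return False
    try:
        conn.request("GET", path)
        conn.getresponse().read()
    except (http.client.HTTPException, ConnectionError):
        return False  # peer closed despite advertising keep-alive
    return conn.sock is first_sock
```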
Re: [Modules] mod_gnutls missing a Certificate file!
Julian Blake Kongslie wrote:

> I'm trying to setup an apache 2 server that offers SSL using anonymous DH, and does not offer any certificate at all. Presently, my virtual host configuration is as follows:
>
> <VirtualHost *:443>
>     ServerName testbed
>     GnuTLSEnable on
>     GnuTLSPriorities NORMAL:+ANON-DH
>     DocumentRoot /web
> </VirtualHost>
>
> Unfortunately, apache 2 refuses to start, with the error:
>
> [GnuTLS] - Host 'testbed:0' is missing a Certificate File!
>
> But that, of course, is exactly what I want. If I provide a X.509 certificate to satisfy mod_gnutls, it is delivered to clients, even if I add -CTYPE-X.509 to the priorities. I can get approximately the right thing by providing an OpenPGP certificate instead - it, too, is sent to clients, but nothing in the world understands it, so it is simply ignored and the connection falls back to ANON-DH mode as I desire.
>
> Please tell me there's a better way?

Don't really think so. I've never considered anon to be the only option in mod_gnutls. If you provide a dummy certificate and set -CTYPE-X509 and -CTYPE-OPENPGP does it do what you expect?

regards,
Nikos
Re: [Modules] mod_gnutls making Apache use 100% CPU
Hi again Sander. I just remembered that you can disable session resumption caching if you run into this problem again. So FYI, in /etc/apache2/mods-available/gnutls.conf add

    GnuTLSCache none none

and comment out the other settings. Of course, this will disable session resumption, so it may also hurt performance. But it may help.

/Simon
Re: [Modules] mod_gnutls making Apache use 100% CPU
Sander Marechal s.marec...@jejik.com writes:

> How can I debug this? Here's a typical configuration for one of my domains:

What does 'strace -p PID' for the PIDs of the apache daemon indicate?

/Simon
Re: [Modules] mod_gnutls making Apache use 100% CPU
Simon Josefsson wrote:

> I recall something like that, it happened if the cache was corrupt. Maybe you could stop apache, copy away /var/cache/apache2/gnutls_cache, and start apache again, to see if it solves the problem? Save the cache file so we can try to debug why this happened.

That worked!

I have a copy of the cache. Before I publish this on the mailinglist here, what is in the cache? No private information like private keys or anything?

--
Sander Marechal
Re: [Modules] mod_gnutls making Apache use 100% CPU
Sander Marechal s.marec...@jejik.com writes:

> Simon Josefsson wrote:
> > I recall something like that, it happened if the cache was corrupt. Maybe you could stop apache, copy away /var/cache/apache2/gnutls_cache, and start apache again, to see if it solves the problem? Save the cache file so we can try to debug why this happened.
>
> That worked!

Good.

> I have a copy of the cache. Before I publish this on the mailinglist here, what is in the cache? No private information like private keys or anything?

I don't think it contains private keys, but it definitely contains secrets for the TLS sessions you have had live. Maybe you could get dbm people to help you debug the file for them, there are probably some dbm tools to inspect dbm files. Maybe Nikos can answer this better, I'm not a mod_gnutls developer (yet :)).

/Simon
Re: [Modules] mod_gnutls making Apache use 100% CPU
Sander Marechal s.marec...@jejik.com writes:

> Simon Josefsson wrote:
> > You could install memcached and modify /etc/apache2/mods-available/gnutls.conf to use it instead of a dbm file.
>
> I tried that but I get an error:
>
> # /etc/init.d/apache2 restart
> Restarting web server: apache2Syntax error on line 6 of /etc/apache2/mods-enabled/gnutls.conf:
> Invalid Type for GnuTLSCache!
> failed!
>
> The contents of my file:
>
> <IfModule mod_gnutls.c>
> GnuTLSCache memcache 127.0.0.1
> # GnuTLSCache dbm /var/cache/apache2/gnutls_cache
> </IfModule>
>
> Is mod_gnutls in Debian Lenny built without memcache support?

Alas, yes. It appears as if you updated #497097, thanks. It would be useful to prepare back-ported mod-gnutls packages with memcached support for lenny though.

/Simon
Re: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.
Jack Bates wrote:

> Sander Marechal reports that he cannot use the CA certificates distributed in the Debian ca-certificates package with mod_gnutls:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573
>
> I confirmed that this behaviour is the same in mod_gnutls trunk revision 403:

Thanks for the report. I'll try to fix it as soon. However note that if you want to set all the list of ca-certificates.crt as the trusted list then probably you are doing something wrong. mod_gnutls uses this list to authenticate clients that should have access to this website, thus a list of 1-2 ca certificates should be the typical use.

regards,
Nikos