Re: Fwd: [Bug 58498] Apache 2.4.17: Regression with mod_autoindex (in combination with Phusion Passenger)

2015-10-16 Thread Rainer Jung
On 16.10.2015 at 19:27, Eric Covener wrote: What's with the backwards start and end there? Does the successor/predecessor override FIRST/MIDDLE/LAST? backwards? successor/predecessor are: static const char * const autoindex_module[] = { "mod_autoindex.c", NULL };

Re: [Bug 58498] Apache 2.4.17: Regression with mod_autoindex (in combination with Phusion Passenger)

2015-10-16 Thread Eric Covener
On Fri, Oct 16, 2015 at 1:27 PM, Eric Covener wrote: > What's with the backwards start and end there? Does the > successor/predecessor override FIRST/MIDDLE/LAST? > > > -- Forwarded message -- > From: > Date: Fri, Oct 16, 2015 at 1:24 PM

Re: [PATCH 57300] mod_session save optimization

2015-10-16 Thread Jacob Champion
On 10/15/2015 01:53 PM, Paul Spangler wrote: Bump in case anyone is interested now that the list has died down a bit. I'm a little biased :) but I am still interested. From a practical angle, Paul's patch makes session-based applications usable with databases that have more expensive writes

Fwd: [Bug 58498] Apache 2.4.17: Regression with mod_autoindex (in combination with Phusion Passenger)

2015-10-16 Thread Eric Covener
What's with the backwards start and end there? Does the successor/predecessor override FIRST/MIDDLE/LAST? -- Forwarded message -- From: Date: Fri, Oct 16, 2015 at 1:24 PM Subject: [Bug 58498] Apache 2.4.17: Regression with mod_autoindex (in combination

Re: [PATCH 57300] mod_session save optimization

2015-10-16 Thread Yann Ylavic
Hello Paul, sorry for the delay... On Thu, Oct 15, 2015 at 10:53 PM, Paul Spangler wrote: > On 8/20/2015 4:58 PM, Paul Spangler wrote: >> >> The bug report contains a more detailed explanation of the patch, but >> there are some points I thought might lead to some

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Rainer Jung
On 16.10.2015 at 08:25, Jacob Champion wrote: On 10/15/2015 11:18 PM, Jacob Champion wrote: it looks like ap_init_scoreboard() doesn't try to maintain any particular alignment when it's assigning pointers from more_storage. Though one would think your compiler would be padding out the struct

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Jacob Champion
On 10/15/2015 08:53 PM, Eric Covener wrote: We recently merged 2.4.17 and saw some bus errors on hp/ia64 and solaris/sparc64. Selectively backing things out, it appears that the SO_REUSEPORT patch causes the worker_score to no longer (necessarily) be double-word aligned. I don't have any

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 5:53 AM, Eric Covener wrote: > We recently merged 2.4.17 and saw some bus errors on hp/ia64 and > solaris/sparc64. Selectively backing things out, it appears that the > SO_REUSEPORT patch causes the worker_score to no longer (necessarily) > be

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Jacob Champion
On 10/15/2015 11:18 PM, Jacob Champion wrote: it looks like ap_init_scoreboard() doesn't try to maintain any particular alignment when it's assigning pointers from more_storage. Though one would think your compiler would be padding out the struct to a double-word multiple anyway. Hrm.

Re: mod_http2 protocols directive broken

2015-10-16 Thread Chris
Hi Stefan, here is the output of both checks. Note I will confirm also curl is compiled with http2 support and will also show curl -V output. Curl -V "curl 7.45.0 (amd64-portbld-freebsd9.3) libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8 libidn/1.31 nghttp2/1.3.4 Protocols: dict file ftp ftps gopher

H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Yann Ylavic
On Wed, Oct 14, 2015 at 2:10 PM, wrote: > Author: icing > Date: Wed Oct 14 12:10:11 2015 > New Revision: 1708593 > > URL: http://svn.apache.org/viewvc?rev=1708593=rev > Log: > mod_http2: new directive H2Compliance on/off, checking TLS protocol and > cipher against RFC7540 > []

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Stefan Eissing
I am not blacklisting ciphers for the whole server. I try to define the security settings required for HTTP/2 as defined in the standard - as a configurable directive. There is no problem with denying HTTP/2 support for an IE8. //Stefan > On 16.10.2015 at 12:53, Chris wrote

Re: mod_http2 protocols directive broken

2015-10-16 Thread Stefan Eissing
Chris, I wrote some advice at https://icing.github.io/mod_h2/howto.html already. There are several checks described. Which one fails for you and how? I need the output of the step that differs from the advice. Just a verbal description is not enough. Thx. //Stefan > Am 16.10.2015 um 11:00

Re: mod_http2 protocols directive broken

2015-10-16 Thread Stefan Eissing
Let's move this to the users list where others can also see it. > On 16.10.2015 at 11:22, Chris wrote: > > Hi Stefan, here is the output of both checks. Note I will confirm also > curl is compiled with http2 support and will also show curl -V output. > > Curl -V > "curl

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Chris
The blacklist does look too radical to me as well. My server was configured with some in that list. Also it can place a server admin in a tough position e.g. what if they want to support IE8, or maybe android2 which doesn't have tls 1.2 stuff, but also support h2, they would be forced to choose

Fwd: mod_http2 protocols directive broken

2015-10-16 Thread Chris
Hi guys. Was excited to see the module got added to 2.4.17 but I cannot get it to work in my testing following information from this url. https://icing.github.io/mod_h2/howto.html#http So what is confirmed working? I compiled apache with the appropriate configure flag. I can confirm in the

Re: mod_http2 protocols directive broken

2015-10-16 Thread Chris
do you want me to repost this there then? On 16 October 2015 at 10:36, Stefan Eissing wrote: > Let's move this to the users list where others can also see it. > >> On 16.10.2015 at 11:22, Chris wrote: >> >> Hi Stefan, here is the output of both

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Stefan Eissing
Hi Yann, I am not a cipher expert enough to know why the list in RFC 7540 was compiled this way... :( But indeed, there is a good sized overlap. And that does not make sense. I have sent a mail to the httpwg mailing list, asking for enlightenment. If the blacklist in RFC 7540 proves to be

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Jim Jagielski
I seem to recall similar issues w/ the shm slotmem impl... > On Oct 16, 2015, at 8:35 AM, Rainer Jung wrote: > > On 16.10.2015 at 13:54, Yann Ylavic wrote: >> On Fri, Oct 16, 2015 at 10:02 AM, Yann Ylavic wrote: >>> >>> We should do something

Re: "httpd -X" segfaults with 2.4.17

2015-10-16 Thread Yann Ylavic
Hi Jan, On Fri, Oct 16, 2015 at 1:58 PM, Jan Kaluža wrote: > Hi, > > httpd 2.4.17 segfaults when used with prefork MPM (and probably also with > other MPMs) and -X option since r1705492. > > The crash happens in the following call in prefork.c (and probably also > worker.c

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote: > > Actually I tried some brute bash script (attached) to show what > remains compared to "openssl ciphers ALL", and the result is: > > * libressl/install/2.2.1/bin/openssl: > - ECDHE-ECDSA-CHACHA20-POLY1305 > -

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Graham Leggett
On 16 Oct 2015, at 12:56 PM, Stefan Eissing wrote: > I am not blacklisting ciphers for the whole server. I try to define > the security settings required for HTTP/2 as defined in the standard - > as a configurable directive. > > There is no problem with denying

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Stefan Eissing
Yes, I proposed something along those lines at the http workshop this summer. Needs some more pushing, it seems. There is one thing that I understood to be implied by all this: that h2 is not negotiated when the security is too weak. Which, the more I think and implemented about it, does not

"httpd -X" segfaults with 2.4.17

2015-10-16 Thread Jan Kaluža
Hi, httpd 2.4.17 segfaults when used with prefork MPM (and probably also with other MPMs) and -X option since r1705492. The crash happens in the following call in prefork.c (and probably also worker.c and so on): ap_mpm_pod_check(my_bucket->pod) pod is NULL and later dereferenced.

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 12:21 PM, Yann Ylavic wrote: > > And maybe more importantly, what remains currently? Actually I tried some brute bash script (attached) to show what remains compared to "openssl ciphers ALL", and the result is: * libressl/install/2.2.1/bin/openssl:

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 2:48 PM, Yann Ylavic wrote: > On Fri, Oct 16, 2015 at 2:35 PM, Rainer Jung wrote: >> >> I didn't yet have the time to reproduce and test your patch, but the >> APR_ALIGN((size),sizeof(void *)) align approach would not work.

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote: > > Actually I tried some brute bash script (attached) Really attached now... http2_vs_openssl.sh Description: Bourne shell script

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 10:02 AM, Yann Ylavic wrote: > > We should do something like the following patch: > > Index: server/scoreboard.c > === > --- server/scoreboard.c(revision 1708095) > +++

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Rainer Jung
On 16.10.2015 at 13:54, Yann Ylavic wrote: On Fri, Oct 16, 2015 at 10:02 AM, Yann Ylavic wrote: We should do something like the following patch: Index: server/scoreboard.c === --- server/scoreboard.c

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 2:35 PM, Rainer Jung wrote: > > I didn't yet have the time to reproduce and test your patch, but the > APR_ALIGN((size),sizeof(void *)) align approach would not work. The problem > here is that even or especially when building for 32 Bits and then

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 3:08 PM, Rainer Jung wrote: > On 16.10.2015 at 14:56, Yann Ylavic wrote: >> >> On Fri, Oct 16, 2015 at 2:48 PM, Yann Ylavic wrote: >>> >>> On Fri, Oct 16, 2015 at 2:35 PM, Rainer Jung >>> wrote:

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 2:33 PM, Yann Ylavic wrote: > On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote: >> >> Actually I tried some brute bash script (attached) to show what >> remains compared to "openssl ciphers ALL", and the result is: >> >> *

Re: "httpd -X" segfaults with 2.4.17

2015-10-16 Thread Christian Folini
On Fri, Oct 16, 2015 at 01:58:17PM +0200, Jan Kaluža wrote: > httpd 2.4.17 segfaults when used with prefork MPM (and probably also > with other MPMs) and -X option since r1705492. > > The crash happens in the following call in prefork.c (and probably > also worker.c and so on): Works fine here

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 3:16 PM, Yann Ylavic wrote: > On Fri, Oct 16, 2015 at 3:08 PM, Rainer Jung wrote: >> >> Wasn't the bus error occurring in >> >> ws->last_used = apr_time_now(); >> >> and the address is >> >> (dbx) print &(ws->last_used) >>

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Rainer Jung
On 16.10.2015 at 14:56, Yann Ylavic wrote: On Fri, Oct 16, 2015 at 2:48 PM, Yann Ylavic wrote: On Fri, Oct 16, 2015 at 2:35 PM, Rainer Jung wrote: I didn't yet have the time to reproduce and test your patch, but the

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Chris
interesting that chrome is happily using h2 on my domain that I activated for h2 earlier and I have a couple of banned ciphers in mod_ssl. On 16 October 2015 at 13:33, Yann Ylavic wrote: > On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote: >> >>

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Eric Covener
On Fri, Oct 16, 2015 at 9:28 AM, Chris wrote: > interesting that chrome is happily using h2 on my domain that I > activated for h2 earlier and I have a couple of banned ciphers in > mod_ssl. unbanned ones listed earlier, or no SSLHonorCipherOrder?

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Jim Jagielski
> > Yes but ws itself isn't aligned either: >(dbx) print ws >ws = 0x7bb00044 > which is IMHO the issue. > > Align ws and everything goes well (at least I think :p ). > It better! :)

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Eric Covener
On Fri, Oct 16, 2015 at 4:02 AM, Yann Ylavic wrote: > We should do something like the following patch: Promising so far with my two one-off testcases, putting it through a longer test now. Thanks!

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Chris
sslhonorcipherorder is definitely set. I will check again to see if is in the unbanned ones. On 16 October 2015 at 14:37, Eric Covener wrote: > On Fri, Oct 16, 2015 at 9:28 AM, Chris wrote: >> interesting that chrome is happily using h2 on my domain that

Re: 2.4.17 alignment issue sparc/ia64

2015-10-16 Thread Yann Ylavic
On Fri, Oct 16, 2015 at 4:16 PM, Eric Covener wrote: > On Fri, Oct 16, 2015 at 4:02 AM, Yann Ylavic wrote: >> We should do something like the following patch: > > Promising so far with my two one-off testcases, putting it through a > longer test now.

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Chris
here is ciphers as listed by ssllabs scanning a site on the server. (in the order set) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Chris
here is my cipher list used in mod_ssl SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDH+AES128:ECDHE-RSA-AES256-GCM-SHA384:ECDH+AES256:ECDH+3DES:CHACHA20+POLY1305:DHE-RSA-AES128-SHA:RSA+3DES:!aNULL:!MD5 note tho poly1305 doesn't work so ignore that one. On 16 October 2015 at 14:37, Eric Covener

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Yann Ylavic
Some of them are not banned, so I don't see why Chrome should complain. Is the selected cipher a banned one? On Fri, Oct 16, 2015 at 4:29 PM, Chris wrote: > here is my cipher list used in mod_ssl > > SSLCipherSuite >

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Yann Ylavic
Yes, the browser won't see the whole list, only the selected one. On Fri, Oct 16, 2015 at 4:33 PM, Chris wrote: > ahh so only one needs to be unbanned for it to work? > > the selected cipher isn't banned no. > > On 16 October 2015 at 15:32, Yann Ylavic

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Chris
ahh so only one needs to be unbanned for it to work? the selected cipher isn't banned no. On 16 October 2015 at 15:32, Yann Ylavic wrote: > Some of them are not banned, so I don't see why Chrome should complain. > Is the selected cipher a banned one? > > On Fri, Oct 16,

Re: H2 compatible ciphers (was: svn commit: r1708593)

2015-10-16 Thread Chris
good to know thanks :) That's why I was told off for suggesting supporting ie8 and http2 at the same time was not possible then :) On 16 October 2015 at 15:35, Yann Ylavic wrote: > Yes, the browser won't see the whole list, only the selected one. > > On Fri, Oct 16, 2015 at

Re: Fwd: [Bug 58498] Apache 2.4.17: Regression with mod_autoindex (in combination with Phusion Passenger)

2015-10-16 Thread Eric Covener
On Fri, Oct 16, 2015 at 1:34 PM, Rainer Jung wrote: > On 16.10.2015 at 19:27, Eric Covener wrote: >> >> What's with the backwards start and end there? Does the >> successor/predecessor override FIRST/MIDDLE/LAST? > > > backwards? > > successor/predecessor are: > >