SSLProxyCheckPeerCN / ProxyPreserveHost issue

2012-09-04 Thread Zisis Lianas
I noticed some different behaviour of SSLProxyCheckPeerCN in combination
with activated ProxyPreserveHost since httpd-2.4.3.
httpd-2.4.2 and httpd-2.2.22 seem to work 'correctly' (or vice versa).

When setting SSLProxyCheckPeerCN and ProxyPreserveHost to On in httpd-2.4.3,
I get an AH02005: SSL Proxy: Peer certificate CN mismatch error.

Platform: Linux SLES11 / x64



Configuration excerpt:
###
SSLEngine on
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyCheckPeerCN On

<Proxy balancer://appcluster>
    # SSL CN=backend01.server.foo
    BalancerMember https://backend01.server.foo:24090 route=0
    # SSL CN=backend02.server.foo
    BalancerMember https://backend02.server.foo:24090 route=1
    ProxySet lbmethod=bybusyness nofailover=off stickysession=JSESSIONID|jsessionid
</Proxy>

ProxyPass /clusterjsp balancer://appcluster/clusterjsp
ProxyPassReverse / balancer://appcluster/
###


https://mydispatcher-name.foo/ is the URL I call in my browser.
(SSL CN=mydispatcher-name.foo)



Test results:

Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
[Tue Sep 04 15:21:36.033808 2012] [ssl:info] [pid 17466:tid 140319655495440] 
[remote x.x.x.x:24090] AH02005: SSL Proxy: Peer certificate CN mismatch: 
Certificate CN: backend01.server.foo Requested hostname: mydispatcher-name.foo
== NOT WORKING

Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
== WORKING

Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost Off
SSLProxyCheckPeerCN On
== WORKING



Apache 2.4.2 (OpenSSL 1.0.1b):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
== WORKING

Apache 2.4.2 (OpenSSL 1.0.1b):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
== WORKING



Apache 2.2.22 (OpenSSL 1.0.1a):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
== WORKING

Apache 2.2.22 (OpenSSL 1.0.1a):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
== WORKING



Reading the documentation, it looks to me like 2.4.3 is working
correctly and all older versions are not. Opinions?


regards,
zisis



Re: SSLProxyCheckPeerCN / ProxyPreserveHost issue

2012-09-04 Thread Rainer Jung

On 04.09.2012 16:09, Zisis Lianas wrote:

Reading the documentation, it looks to me like 2.4.3 is working
correctly and all older versions are not. Opinions?


Yes, and I'd say it is a result of

http://svn.apache.org/viewcvs.cgi?rev=1356881&view=rev

https://issues.apache.org/bugzilla/show_bug.cgi?id=53134

*) mod_proxy: Use the same hostname for SNI as for the HTTP request
   when forwarding to SSL backends. PR 53134.
   [Michael Weiser michael weiser.dinsnail.net, Ruediger Pluem]

Regards,

Rainer

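As an added illustration (not code from the thread or from httpd itself), a small Python model of the behaviour Rainer points at: since r1356881 the name mod_proxy uses for SNI, and which SSLProxyCheckPeerCN compares the backend certificate CN against, is the Host header it forwards, so ProxyPreserveHost On makes the check look for the client-facing name instead of the backend's. It reproduces the WORKING / NOT WORKING matrix from Zisis' mail; the exact case-insensitive CN comparison is an assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxyConfig:
    preserve_host: bool        # ProxyPreserveHost On/Off
    check_peer_cn: bool        # SSLProxyCheckPeerCN On/Off
    sni_follows_request: bool  # True from httpd 2.4.3 (r1356881), False before


def forwarded_host(cfg, client_host, backend_url):
    """Host header mod_proxy puts into the request it sends to the backend."""
    return client_host if cfg.preserve_host else urlsplit(backend_url).hostname


def verified_hostname(cfg, client_host, backend_url):
    """Name mod_ssl compares the backend certificate CN against.
    Since r1356881 this is the same name used for SNI, i.e. the forwarded
    Host; before that it was always the host part of the backend URL."""
    if cfg.sni_follows_request:
        return forwarded_host(cfg, client_host, backend_url)
    return urlsplit(backend_url).hostname


def peer_cn_check(cfg, client_host, backend_url, cert_cn):
    """Return None when the backend connection is accepted, otherwise the
    AH02005 message text.  Assumption: an exact case-insensitive CN
    comparison, as the error in the thread shows (no SAN/wildcard logic)."""
    if not cfg.check_peer_cn:
        return None
    expected = verified_hostname(cfg, client_host, backend_url)
    if cert_cn.lower() == expected.lower():
        return None
    return ("AH02005: SSL Proxy: Peer certificate CN mismatch: "
            f"Certificate CN: {cert_cn} Requested hostname: {expected}")


def outcome(cfg, client_host, backend_url, cert_cn):
    """The thread's WORKING / NOT WORKING verdict for one configuration."""
    failed = peer_cn_check(cfg, client_host, backend_url, cert_cn)
    return "WORKING" if failed is None else "NOT WORKING"


if __name__ == "__main__":
    # Constructed reproduction of the first test case from the thread.
    cfg = ProxyConfig(preserve_host=True, check_peer_cn=True, sni_follows_request=True)
    print(peer_cn_check(cfg, "mydispatcher-name.foo",
                        "https://backend01.server.foo:24090", "backend01.server.foo"))
    # Consequence for 2.4.3 with ProxyPreserveHost On: the backend certificate
    # has to carry the name clients use, or ProxyPreserveHost has to be Off.
```
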

Re: Re: Re: mod_fcgid concurrency bottleneck, issue#53693

2012-09-04 Thread pqf
Hi, all
I took some time to set up a stress test for mod_fcgid, to see if there is any
other concurrency bottleneck left; it seems fine to me.

I did a stress test with callgrind on mod_fcgid. This is the big picture:
http://people.apache.org/~pqf/mod_fcgid_performance/performance.png and this is
the output of callgrind:
http://people.apache.org/~pqf/mod_fcgid_performance/callgrind.out
As we can see, most CPU time is used in ap_create_environment() +
init_environment(). ap_create_environment() copies environment vars to a char[][]
buffer, and init_environment() copies the char[][] to a char[] buffer for the FCGI
protocol. I have to keep using ap_create_environment() to be compatible with
other CGI modules (cgid, cgi, ...), so I will not shortcut these two calls for less
CPU utilization.

And I made an strace trace of the system calls, to make sure there is no obvious
IO throughput bottleneck, and no luck either:

4622  13:17:16.737888 ... futex resumed ) = 0
4622  13:17:16.737920 futex(0x95ce65c, FUTEX_WAKE, 1 unfinished ...
4622  13:17:16.738038 ... futex resumed ) = 0
4622  13:17:16.740735 gettimeofday({1346217436, 740787}, NULL) = 0
4622  13:17:16.740835 getsockname(12, {sa_family=AF_INET6, 
sin6_port=htons(8080), inet_pton(AF_INET6, :::127.0.0.1, si
n6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
4622  13:17:16.741008 fcntl64(12, F_GETFL) = 0x2 (flags O_RDWR)
4622  13:17:16.741056 fcntl64(12, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4622  13:17:16.741824 gettimeofday({1346217436, 741849}, NULL) = 0
4622  13:17:16.741890 gettimeofday({1346217436, 741911}, NULL) = 0
4622  13:17:16.741969 read(12, GET /fcgi-bin/foo.pl HTTP/1.0\r\nH..., 8000) = 
97
4622  13:17:16.742049 gettimeofday({1346217436, 742070}, NULL) = 0
4622  13:17:16.742108 gettimeofday({1346217436, 742129}, NULL) = 0
4622  13:17:16.742165 gettimeofday({1346217436, 742185}, NULL) = 0
4622  13:17:16.74 gettimeofday({1346217436, 742242}, NULL) = 0
4622  13:17:16.742278 gettimeofday({1346217436, 742299}, NULL) = 0
4622  13:17:16.742345 gettimeofday({1346217436, 742367}, NULL) = 0
4622  13:17:16.742404 gettimeofday({1346217436, 742424}, NULL) = 0
4622  13:17:16.742467 stat64(/usr/local/apache2/htdocs/fcgi-bin/foo.pl, 
{st_mode=S_IFREG|0755, st_size=229, ...}) = 0
4622  13:17:16.742697 semop(4292662, 0x17234c, 1) = 0
4622  13:17:16.742750 semop(4292662, 0x172358, 1) = 0
4622  13:17:16.742804 socket(PF_FILE, SOCK_STREAM, 0) = 13
4622  13:17:16.742864 connect(13, {sa_family=AF_FILE, 
path=/usr/local/apache2/logs/fcgidsock/4617.11}, 110) = 0
4622  13:17:16.743028 fcntl64(13, F_GETFL) = 0x2 (flags O_RDWR)
4622  13:17:16.743074 fcntl64(13, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4622  13:17:16.743118 gettimeofday({1346217436, 743138}, NULL) = 0
4622  13:17:16.743174 writev(13, [{\1\1\0\1\0\10\0\0, 8}, 
{\0\1\0\0\0\0\0\0, 8}, {\1\4\0\1\3U\0\0, 8}, {\t\30UNIQUE_ID
UD2l3MCoqlsAABILpXoAA..., 853}, {\1\4\0\1\0\0\0\0, 8}, {\1\5\0\1\0\0\0\0, 
8}], 6) = 893
4622  13:17:16.743337 read(13, 0xa6f4c5b8, 8192) = -1 EAGAIN (Resource 
temporarily unavailable)
4622  13:17:16.743386 poll([{fd=13, events=POLLIN, revents=POLLIN}], 1, 4) 
= 1
4622  13:17:16.743789 read(13, \1\6\0\1\3\266\2\0Content-Type: text/plain..., 
8192) = 984
4622  13:17:16.743879 gettimeofday( unfinished ...
4622  13:17:16.743968 ... gettimeofday resumed {1346217436, 743943}, NULL) = 0
4622  13:17:16.744037 close(13) = 0
4622  13:17:16.744101 semop(4292662, 0x17234c, 1) = 0
4622  13:17:16.744149 semop(4292662, 0x172358, 1) = 0
4622  13:17:16.744209 gettimeofday({1346217436, 744231}, NULL) = 0
4622  13:17:16.744266 gettimeofday({1346217436, 744287}, NULL) = 0
4622  13:17:16.744343 writev(12, [{HTTP/1.1 200 OK\r\nDate: Wed, 29 A..., 
154}, {CONTEXT_DOCUMENT_ROOT=\/usr/loca..., 92
4}], 2 unfinished ...
4622  13:17:16.745033 ... writev resumed ) = 1078
4622  13:17:16.745076 gettimeofday({1346217436, 745098}, NULL) = 0
4622  13:17:16.745148 times({tms_utime=1416, tms_stime=1464, tms_cutime=0, 
tms_cstime=0}) = 499844951
4622  13:17:16.745255 gettimeofday( unfinished ...
4622  13:17:16.745800 ... gettimeofday resumed {1346217436, 745791}, NULL) = 0
4622  13:17:16.746013 shutdown(12, 1 /* send */ unfinished ...
4622  13:17:16.746554 ... shutdown resumed ) = 0
4622  13:17:16.746625 gettimeofday( unfinished ...
4622  13:17:16.746684 ... gettimeofday resumed {1346217436, 746658}, NULL) = 0
4622  13:17:16.746765 epoll_ctl(11, EPOLL_CTL_ADD, 12, {EPOLLIN, 
{u32=158210764, u64=158210764}} unfinished ...
4622  13:17:16.746833 ... epoll_ctl resumed ) = 0
4622  13:17:16.747587 gettimeofday( unfinished ...
4622  13:17:16.747904 ... gettimeofday resumed {1346217436, 747649}, NULL) = 0
4622  13:17:16.748672 futex(0x95ce690, FUTEX_WAIT, 176390, NULL unfinished ...



2012-09-05



pqf


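To make the init_environment() step concrete, here is an added Python encoder (not mod_fcgid's code) that produces the FastCGI record sequence visible in the writev() call in the strace above: a BEGIN_REQUEST record, a PARAMS record carrying the environment as FastCGI name-value pairs, an empty PARAMS record, and an empty STDIN record. The environment contents are constructed; the record and name-value layout follows the FastCGI 1.0 specification.

```python
import struct

# Record types and role values from the FastCGI 1.0 specification.
FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def fcgi_record(rtype, request_id, content=b""):
    """One record: 8-byte header (version, type, request id, content length,
    padding length, reserved) followed by the content.  No padding is added,
    which is what the unpadded headers in the strace show."""
    header = struct.pack("!BBHHBB", FCGI_VERSION_1, rtype, request_id,
                         len(content), 0, 0)
    return header + content


def encode_name_value(name, value):
    """FastCGI name-value pair: each length is one byte when below 128,
    otherwise four bytes big-endian with the top bit set."""
    out = b""
    for n in (len(name), len(value)):
        out += struct.pack("!B", n) if n < 128 else struct.pack("!I", n | 0x80000000)
    return out + name + value


def encode_params(env):
    """The char[][] -> char[] flattening that init_environment() performs."""
    return b"".join(encode_name_value(k.encode(), v.encode())
                    for k, v in env.items())


def build_request(env, request_id=1, stdin=b""):
    """Records for one request, in the order seen in the writev(): BEGIN_REQUEST
    (role RESPONDER, no keep-alive), PARAMS, empty PARAMS as terminator,
    optional STDIN data, and an empty STDIN as terminator."""
    begin_body = struct.pack("!HB5x", FCGI_RESPONDER, 0)  # role, flags, reserved
    records = [fcgi_record(FCGI_BEGIN_REQUEST, request_id, begin_body),
               fcgi_record(FCGI_PARAMS, request_id, encode_params(env)),
               fcgi_record(FCGI_PARAMS, request_id)]
    if stdin:
        records.append(fcgi_record(FCGI_STDIN, request_id, stdin))
    records.append(fcgi_record(FCGI_STDIN, request_id))
    return records


if __name__ == "__main__":
    # Constructed environment; a real request carries the full CGI variable set.
    env = {"UNIQUE_ID": "A" * 24, "REQUEST_METHOD": "GET", "SCRIPT_NAME": "/fcgi-bin/foo.pl"}
    for rec in build_request(env):
        print(rec[:8].hex(" "), len(rec) - 8, "bytes of content")
```
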

From: pqf
Sent: 2012-08-28 09:34
Subject: Re: Re: Re: Re: mod_fcgid concurrency bottleneck, issue#53693
To: dev <dev@httpd.apache.org>
Cc:

So what can mod_fcgid do in this overloaded?
1. mod_fcgid get a request
2. mod_fcgid can't apply a free slot of