Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
On 20.02.2014 21:37, Falco Schwarz wrote:
> As I read through the changed code I found a smaller issue with the deprecation warning of SSLCertificateChainFile:
>
> + ap_log_error(APLOG_MARK, APLOG_WARNING|APLOG_STARTUP, 0, cmd-server, + APLOGNO(02559) + The SSLCertificateChainFile directive (%s:%d) is deprecated, + SSLCertificateFile should be used instead, + cmd-directive-filename, cmd-directive-line_num);
>
> There seems to be an error related to this change, I guess in cmd->server? This warning is never logged.

It's printed to stderr, as ssl_cmd_SSLCertificateChainFile is executed before any ErrorLog files have been opened (when reloading with SIGHUP or SIGUSR1, you'll see them in the error log).

My primary goal was that these warnings would be shown on the console when the config is checked with -t, that's why I put them into ssl_engine_config.c.

Kaspar
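Review bot: The AH02559 message text in the quoted lines says only that SSLCertificateFile "should be used instead"; it does not tell the administrator what to do with the contents of the chain file. Since the warning already prints the file and line of the directive, extend the wording (or point to the directive documentation) so the required change is clear from the message alone.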
RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
Perhaps I am missing something here, but if it is printed to stderr I should see it in the console when starting, right? Because I am unable to see it anywhere. Even when reloading or restarting it is not written to the error log. It does not show up with -t either. Any clues?

Date: Sat, 22 Feb 2014 10:31:54 +0100

> It's printed to stderr, as ssl_cmd_SSLCertificateChainFile is executed before any ErrorLog files have been opened (when reloading with SIGHUP or SIGUSR1, you'll see them in the error log).
>
> My primary goal was that these warnings would be shown on the console when the config is checked with -t, that's why I put them into ssl_engine_config.c.
>
> Kaspar
Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
On 22.02.2014 11:06, Falco Schwarz wrote:
> Perhaps I am missing something here, but if it is printed to stderr I should see it in the console when starting, right? Because I am unable to see it anywhere. Even when reloading or restarting it is not written to the error log. It does not show up with -t either. Any clues?

Does your current config still include an SSLCertificateChainFile directive?

Kaspar
RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
Date: Sat, 22 Feb 2014 11:22:14 +0100

> Does your current config still include an SSLCertificateChainFile directive?
>
> Kaspar

Yes, for testing I am currently using these directives (without comment):

SSLCertificateFile conf/ssl/foo.bar.cer # leaf only
SSLCertificateKeyFile conf/ssl/foo.bar.key # key only
SSLCertificateChainFile conf/ssl/foo.bar.ca # chain only
Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
On 22.02.2014 11:27, Falco Schwarz wrote:
> Yes, for testing I am currently using these directives (without comment):
>
> SSLCertificateFile conf/ssl/foo.bar.cer # leaf only
> SSLCertificateKeyFile conf/ssl/foo.bar.key # key only
> SSLCertificateChainFile conf/ssl/foo.bar.ca # chain only

The only explanation I can imagine then is that your mod_ssl.so / httpd binary does not include the complete mod_ssl-2.4.x-certkeyfile-v3.diff patch. Does strings mod_ssl.so | grep AH02559 show any output?

Kaspar
RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
Date: Sat, 22 Feb 2014 15:16:27 +0100

> The only explanation I can imagine then is that your mod_ssl.so / httpd binary does not include the complete mod_ssl-2.4.x-certkeyfile-v3.diff patch. Does strings mod_ssl.so | grep AH02559 show any output?
>
> Kaspar

Unfortunately yes. I checked out a fresh 2.4.x copy and reapplied the patch, just to make sure. This line is in mod_ssl.so:

AH02559: The SSLCertificateChainFile directive (%s:%d) is deprecated, SSLCertificateFile should be used instead

The warning does not get logged, though. If I change modules/ssl/ssl_engine_config.c like this, the warning is shown in STDERR:

--- ssl_engine_config.c 2014-02-22 15:41:46.116497925 +0100 +++ ssl_engine_config2.c 2014-02-22 15:49:07.560507617 +0100 @@ -795,7 +795,7 @@ SSLSrvConfigRec *sc = mySrvConfig(cmd-server); const char *err; - ap_log_error(APLOG_MARK, APLOG_WARNING|APLOG_STARTUP, 0, cmd-server, + ap_log_error(APLOG_MARK, APLOG_WARNING|APLOG_STARTUP, 0, NULL, APLOGNO(02559) The SSLCertificateChainFile directive (%s:%d) is deprecated, SSLCertificateFile should be used instead,

Though it is then shown on stopping, starting, config checking. That is why I thought there might be an error regarding cmd->server with ap_log_error.
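Review bot: The NULL passed as the server argument in the replacement ap_log_error() line needs either a justification in a comment or a different fix: without a server record the call cannot apply the logging settings of the server the directive was parsed for, and the author reports the warning then appears on stop, start and config check alike. Prefer keeping cmd-server and finding out why the message is dropped for that server. The diff is also taken against a renamed copy (ssl_engine_config2.c); generate it from the source tree so the paths apply cleanly.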
Re: modules calling ap_lingering_close()!!!
On 20.02.2014 18:24, Jeff Trawick wrote:
> BTW, do you know if there's a known collection of patches for 2.4 support or for other critical fixes?

mod_wsgi is running on eos and reliably serves wiki.apache.org using the following patch on top of 3.4 in combination with 2.4.4, 2.4.6 and 2.4.6 (over the months):

--- mod_wsgi.c 2012-08-23 03:10:44.0 + +++ mod_wsgi.c 2013-05-01 17:40:01.083241157 + @@ -10600,7 +10600,13 @@ * will add their own input/output filters to the chain. */ +#if AP_MODULE_MAGIC_AT_LEAST(20110619,0) +/* For 2.4 a NULL sbh pointer should work. */ +sbh = NULL; +#else +/* For 2.2 a dummy sbh pointer is needed. */ ap_create_sb_handle(sbh, p, -1, 0); +#endif c = (conn_rec *)apr_pcalloc(p, sizeof(conn_rec)); @@ -12873,8 +12879,10 @@ * here for status but Apache 2.4 prohibits it now. */ -if (r-status == 200 !strcmp(r-status_line, 200 Error)) +if (r-status == 200 !strcmp(r-status_line, 200 Error)) { +r-status_line = NULL; return HTTP_INTERNAL_SERVER_ERROR; +} /* * Look for 'Location' header and if an internal

Regards,

Rainer
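Review bot: In the first hunk (@@ -10600), the threshold in AP_MODULE_MAGIC_AT_LEAST(20110619,0) is unexplained and the added comment only says a NULL sbh pointer "should work", which reads as untested. State in the comment which API change that module magic number corresponds to and why NULL is safe from that point on, so the guard can be checked against the server headers later.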
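Review bot: In the second hunk (@@ -12873), the added r-status_line = NULL; is applied unconditionally, while the first hunk guards its 2.4-specific behaviour with a version check. The surrounding comment mentions that Apache 2.4 prohibits the old approach but does not say why the status line must be cleared before returning HTTP_INTERNAL_SERVER_ERROR; add that reason to the comment and confirm the reset is also intended for 2.2 builds.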
Re: 2.4.8 This Month
On 19.02.2014 14:08, Jim Jagielski wrote:
> I'd like to shoot for a TR sometime next week...

I updated aurora, our US server for www.apache.org, the project sites and also mail-archives.a.o, to 2.4.8 dev svn revision 1570851 plus apr/apu head revision of their 1.5 branches.

Looks good, but only updated a few minutes ago. Will have an eye on it and if all goes well update eos as well, which also serves wiki.a.o using mod_wsgi.

Regards,

Rainer
Re: mod_ssl openssl ./configure particularity
Understood and this would explain assigning them to MOD_SSL_LIBS etc. But added to MOD_LIBS? That struck me as very odd.

On Feb 22, 2014 1:41 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote:
> On 20.02.2014 04:18, William A. Rowe Jr. wrote:
> > Can anyone offer background as to why httpd 2.4 branch ./configure likes
> >
> > checking for OpenSSL... checking for user-provided OpenSSL base directory... /usr/local/ssl
> > adding -I/usr/local/ssl/include to CPPFLAGS
> > setting MOD_CFLAGS to -I/usr/local/ssl/include
> > setting ab_CFLAGS to -I/usr/local/ssl/include
> > setting MOD_LDFLAGS to -L/usr/local/ssl/lib
> > checking for OpenSSL version = 0.9.8a... OK
> > adding -lssl to MOD_LDFLAGS
> > adding -lcrypto to MOD_LDFLAGS
> > adding -luuid to MOD_LDFLAGS
> > adding -lrt to MOD_LDFLAGS
> > adding -lcrypt to MOD_LDFLAGS
> > adding -lpthread to MOD_LDFLAGS
> > adding -ldl to MOD_LDFLAGS
> > setting LIBS to -lssl -lcrypto -luuid -lrt -lcrypt -lpthread -ldl
> > forcing ab_LDFLAGS to -L/usr/local/ssl/lib -lssl -lcrypto -luuid -lrt -lcrypt -lpthread -ldl
> >
> > instead of MOD_SSL_CFLAGS, MOD_SSL_LDFLAGS, and MOD_SSL_LIBS?
>
> This was added with r1385216, to support per-subdir MOD_* variables, see the discussion starting at [1]. Previously, there was no way for a module to make sure that its specific {C,LD}FLAGS were inserted first.
>
> Kaspar
>
> [1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201208.mbox/%3C502D3DAF.2010402%40velox.ch%3E
RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
Kaspar, I switched back to your version and realized that the directive SSLCertificateChainFile was always used in a VirtualHost. If the directive is in server scope, the warning is written correctly.
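Given the report above that the warning was only written when the directive sat in server scope, an administrator may prefer to find SSLCertificateChainFile uses by scanning the configuration directly. The following is an added example, not code from the thread or from httpd; the function name, the default file name and the sample configuration are assumptions, and it scans a single file without following Include directives.

```python
import re

# Container and directive patterns; httpd directive names are case-insensitive.
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
CHAIN = re.compile(r"^\s*SSLCertificateChainFile\s+(\S+)", re.I)


def find_chainfile_directives(config_text, filename="httpd.conf"):
    """Return (filename, line_no, scope, path) per SSLCertificateChainFile use.

    scope is "server" or "vhost <args>". Comment lines are skipped and
    Include directives are not followed (single-file scan).
    """
    findings = []
    vhost = None  # arguments of the enclosing <VirtualHost>, None at server scope
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            vhost = m.group(1).strip()
            continue
        if VHOST_CLOSE.match(line):
            vhost = None
            continue
        m = CHAIN.match(line)
        if m:
            scope = "server" if vhost is None else f"vhost {vhost}"
            findings.append((filename, line_no, scope, m.group(1).strip('"')))
    return findings


# Constructed sample configuration; paths follow the ones quoted in the thread.
SAMPLE = """\
SSLCertificateChainFile conf/ssl/foo.bar.ca
<VirtualHost *:443>
    SSLCertificateFile conf/ssl/foo.bar.cer
    SSLCertificateKeyFile conf/ssl/foo.bar.key
    # SSLCertificateChainFile conf/ssl/old.ca
    SSLCertificateChainFile conf/ssl/foo.bar.ca
</VirtualHost>
"""

if __name__ == "__main__":
    for f, n, scope, path in find_chainfile_directives(SAMPLE):
        print(f"{f}:{n}: SSLCertificateChainFile {path} ({scope} scope)")
```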