Bug 58118

2015-07-16 Thread Tobias Adolph

Hello everybody,

I would be very grateful if somebody could look into bug report 58118
https://bz.apache.org/bugzilla/show_bug.cgi?id=58118

The issue concerns the logging of a 503 status code in 
modules/proxy/mod_proxy_fcgi.c at 836 although a 200 has been sent to 
the client. This can happen if the user aborts the connection while 
mod_proxy_fcgi reads the chunked response from the backend.


I appended a patch to this issue; maybe it is worth considering.

Thank you in advance!

Kind regards,
Tobias Adolph


Re: Release announcements missing on annou...@httpd.apache.org

2015-07-16 Thread Jim Jagielski
Oops. Sorry.
> On Jul 15, 2015, at 5:03 PM, Bostjan Skufca  wrote:
> 
> Hi all,
> 
> since 2.4.10 and 2.2.29 the annou...@httpd.apache.org is abandoned. Is this 
> intentional?
> 
> Someone already asked about this last year:
> http://marc.info/?l=apache-httpd-dev&m=141157921203967&w=2
> 
> If this is not the right list to ask this question, where should it be 
> addressed then?
> 
> b.
> 
> PS: Congrats for finally successful 2.4.16 release :)
> 



Congratulations on the new release(s)

2015-07-16 Thread Michael Felt
I am a bit behind - yet looking forward.

I wish to recall a pleasant get together last April in Texas just before
ApacheCon. At that time I mentioned LibreSSL and building httpd against it
(actually mod_ssl is all it amounts to).

The build itself was quite simple - I shall repeat that now for 2.4.16 and
trunk - and send the 'patch' in.

While build is simple - understanding the differences in test output is
daunting.

Here I have the output of just one test t/ssl/pr12355.t - and note the
differences in the ssl_access_log - not just the error messages (I have
removed all "debug" messages from the logs as they were "in the way").

LibreSSL is version 2.2.0, OpenSSL is version 0.9.8m (yes I know very old,
will test with latest patches later - I hope not relevant to here).

So, please note: LibreSSL says access is:
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
while OpenSSL says
t/logs/ssl_request_log:[16/Jul/2015:11:32:35 +] 127.0.0.1 TLSv1 RC4-SHA
"POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11

My question: what can I do to understand why OpenSSL is adding TLSv1
RC4-SHA while LibreSSL is "- -"

Note also in the

==> LibreSSL_pr12355.t.results <==
t/logs/error_log:[Thu Jul 16 11:47:12.425257 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH01964: Connection to child 0
established (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:47:12.613855 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02221: Requesting connection
re-negotiation
t/logs/error_log:[Thu Jul 16 11:47:12.614004 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02226: Awaiting re-negotiation
handshake
t/logs/error_log:[Thu Jul 16 11:47:12.620757 2015] [ssl:error] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02261: Re-negotiation handshake
failed: Not accepted by client!?
t/logs/error_log:[Thu Jul 16 11:47:12.620803 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02008: SSL library error 1 in
handshake (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:47:12.620825 2015] [ssl:info] [pid
389322:tid 515] SSL Library Error: error:1408E0F4:SSL
routines:SSL3_GET_MESSAGE:unexpected message
t/logs/error_log:[Thu Jul 16 11:47:12.620837 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH01998: Connection closed to
child 0 with abortive shutdown (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:47:17.073812 2015] [core:warn] [pid
344086:tid 1] AH00045: child process 389322 still did not exit, sending a
SIGTERM
t/logs/error_log:[Thu Jul 16 11:47:19.076308 2015] [core:info] [pid
344086:tid 1] AH00096: removed PID file
/data/prj/apache/httpd/test/t/logs/httpd.pid (pid=344086)
t/logs/error_log:[Thu Jul 16 11:47:19.076349 2015] [mpm_worker:notice] [pid
344086:tid 1] AH00295: caught SIGTERM, shutting down
t/logs/ssl_request_log:[16/Jul/2015:11:47:10 +] 127.0.0.1 - - "GET
/index.html HTTP/1.1" 200 26
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-md5-cgi/perl_echo.pl HTTP/1.1" 403 237
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-md5-cgi/perl_echo.pl HTTP/1.1" 403 237

==> OpenSSL_pr12355.t.results <==
t/logs/error_log:[Thu Jul 16 11:32:35.380665 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39151] AH02226: Awaiting re-negotiation
handshake
t/logs/error_log:[Thu Jul 16 11:32:35.423630 2015] [ssl:info] [pid
417826:tid 772] [client 127.0.0.1:39152] AH01964: Connection to child 1
established (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:32:35.571262 2015] [ssl:info] [pid
417826:tid 772] [client 127.0.0.1:39152] AH02221: Requesting connection
re-negotiation
t/logs/error_log:[Thu Jul 16 11:32:35.571354 2015] [ssl:info] [pid
417826:tid 772] [client 127.0.0.1:39152] AH02226: Awaiting re-negotiation
handshake
t/logs/error_log:[Thu Jul 16 11:32:35.613858 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39153] AH01964: Connection to child 0
established (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:32:35.771440 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39153] AH02221: Requesting connection
re-negotiation
t/logs/error_log:[Thu Jul 16 11:32:35.771533 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39153] AH02226: Awaiting re-negotiation
handshake
t/logs/error_log:[Thu Jul 16 11:32:40.284682 2015] [core:warn] [pid
385024:tid 1] AH00045: child process 417826 still did not exit, sending a
SIGTERM
t/logs/error_log:[Thu Jul 16 11:32:42.287551 2015] [core:info] [pid
385024:tid 1] AH00096: removed PID file
/data/prj/apache/httpd/test/t/logs/httpd.pid (pid=385024)
t/logs/error_log:[Thu Jul 16 11:32:42.287591 2015] [mpm_worker:notice] [pid
3850

Re: Release announcements missing on annou...@httpd.apache.org

2015-07-16 Thread Michael Felt
Also, the home page still says 2.4.12 and 2.2.29 - but the Download page is
up to date...

On Thu, Jul 16, 2015 at 1:47 PM, Jim Jagielski  wrote:

> Oops. Sorry.
> > On Jul 15, 2015, at 5:03 PM, Bostjan Skufca  wrote:
> >
> > Hi all,
> >
> > since 2.4.10 and 2.2.29 the annou...@httpd.apache.org is abandoned. Is
> this intentional?
> >
> > Someone already asked about this last year:
> > http://marc.info/?l=apache-httpd-dev&m=141157921203967&w=2
> >
> > If this is not the right list to ask this question, where should it be
> addressed then?
> >
> > b.
> >
> > PS: Congrats for finally successful 2.4.16 release :)
> >
>
>


Re: Release announcements missing on annou...@httpd.apache.org

2015-07-16 Thread Bostjan Skufca
I see 2.4.16 since yesterday (if I remember correctly). Are you talking
about http://httpd.apache.org/ ?

b.


On 16 July 2015 at 14:22, Michael Felt  wrote:

> Also, the home page still says 2.4.12 and 2.2.29 - but the Download page
> is up to date...
>
> On Thu, Jul 16, 2015 at 1:47 PM, Jim Jagielski  wrote:
>
>> Oops. Sorry.
>> > On Jul 15, 2015, at 5:03 PM, Bostjan Skufca  wrote:
>> >
>> > Hi all,
>> >
>> > since 2.4.10 and 2.2.29 the annou...@httpd.apache.org is abandoned. Is
>> this intentional?
>> >
>> > Someone already asked about this last year:
>> > http://marc.info/?l=apache-httpd-dev&m=141157921203967&w=2
>> >
>> > If this is not the right list to ask this question, where should it be
>> addressed then?
>> >
>> > b.
>> >
>> > PS: Congrats for finally successful 2.4.16 release :)
>> >
>>
>>
>


Re: Release announcements missing on annou...@httpd.apache.org

2015-07-16 Thread Jim Jagielski
refresh your browser cache. :)

> On Jul 16, 2015, at 8:22 AM, Michael Felt  wrote:
> 
> Also, the home page still says 2.4.12 and 2.2.29 - but the Download page is 
> up to date...
> 
> On Thu, Jul 16, 2015 at 1:47 PM, Jim Jagielski  wrote:
> Oops. Sorry.
> > On Jul 15, 2015, at 5:03 PM, Bostjan Skufca  wrote:
> >
> > Hi all,
> >
> > since 2.4.10 and 2.2.29 the annou...@httpd.apache.org is abandoned. Is this 
> > intentional?
> >
> > Someone already asked about this last year:
> > http://marc.info/?l=apache-httpd-dev&m=141157921203967&w=2
> >
> > If this is not the right list to ask this question, where should it be 
> > addressed then?
> >
> > b.
> >
> > PS: Congrats for finally successful 2.4.16 release :)
> >
> 
> 



Re: Release announcements missing on annou...@httpd.apache.org

2015-07-16 Thread Michael Felt
Should have thought of that earlier :p @ me.

On Thu, Jul 16, 2015 at 2:34 PM, Jim Jagielski  wrote:

> refresh your browser cache. :)
>
> > On Jul 16, 2015, at 8:22 AM, Michael Felt  wrote:
> >
> > Also, the home page still says 2.4.12 and 2.2.29 - but the Download page
> is up to date...
> >
> > On Thu, Jul 16, 2015 at 1:47 PM, Jim Jagielski  wrote:
> > Oops. Sorry.
> > > On Jul 15, 2015, at 5:03 PM, Bostjan Skufca  wrote:
> > >
> > > Hi all,
> > >
> > > since 2.4.10 and 2.2.29 the annou...@httpd.apache.org is abandoned.
> Is this intentional?
> > >
> > > Someone already asked about this last year:
> > > http://marc.info/?l=apache-httpd-dev&m=141157921203967&w=2
> > >
> > > If this is not the right list to ask this question, where should it be
> addressed then?
> > >
> > > b.
> > >
> > > PS: Congrats for finally successful 2.4.16 release :)
> > >
> >
> >
>
>


The show goes on - 2.4.16

2015-07-16 Thread Michael Felt
First little thing I ran into - that I did not have with 2.4.12 is this:

root@x065:[/data/prj/apache/httpd/test]/opt/httpd/sbin/apachectl start
AH00534: httpd: Configuration error: More than one MPM loaded.

Granted, I should perhaps change to pre-fork (I noticed some had only
tested that) - but I had 'adopted' MPM when 2.4.0 first came out.

root@x065:[/data/prj/apache/httpd/test]grep -i mpm /etc/httpd/httpd.conf
LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
LoadModule mpm_worker_module libexec/mod_mpm_worker.so
# Server-pool management (MPM specific)
#Include /etc/httpd/extra/httpd-mpm.conf

p.s. I had done configure with:

  $ ./configure --enable-layout=AIX --with-apr=/opt/bin/apr-1-config
--with-apr-util=/opt/bin/apu-1-config --enable-mpms-shared=all
--enable-mods-shared=all --disable-lua --enable-load-all-modules
--enable-maintainer-mode --with-ssl
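The AH00534 startup error above comes from two active MPM LoadModule directives in the same httpd.conf. As an added illustration (not code from the thread or from httpd), the checker below parses LoadModule lines the way httpd's startup check effectively does, ignoring commented lines such as the `#Include ... httpd-mpm.conf` that `grep -i mpm` also matched, and shows how to leave exactly one MPM enabled. The config excerpt is constructed from the grep output in the message; `<IfModule>` guards are not evaluated.

```python
import re

# Constructed httpd.conf excerpt modelled on the grep output in the thread; the
# commented "#Include ... httpd-mpm.conf" line matched grep but loads nothing.
HTTPD_CONF = """\
LoadModule lbmethod_heartbeat_module libexec/mod_lbmethod_heartbeat.so
LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
LoadModule mpm_worker_module libexec/mod_mpm_worker.so
LoadModule unixd_module libexec/mod_unixd.so
# Server-pool management (MPM specific)
#Include /etc/httpd/extra/httpd-mpm.conf
"""

# "LoadModule <module name> <file>"; directive names are case-insensitive in httpd.
# Lines starting with '#' never match, so commented-out directives are skipped.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(?P<name>\S+)\s+(?P<path>\S+)", re.IGNORECASE)


def loaded_mpms(conf_text):
    """Module names of every MPM that an active LoadModule directive would load.

    Only directives at the top level are considered; <IfModule>/<IfDefine> guards
    are not evaluated (assumption of this example), so a conditionally loaded MPM
    is counted as loaded. A statically linked MPM has no LoadModule line at all.
    """
    mpms = []
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if m and m.group("name").lower().startswith("mpm_"):
            mpms.append(m.group("name"))
    return mpms


def check_single_mpm(conf_text):
    """Mirror the startup rule behind AH00534: exactly one MPM may be loaded."""
    mpms = loaded_mpms(conf_text)
    if not mpms:
        return False, "no MPM loaded via LoadModule"
    if len(mpms) > 1:
        return False, "more than one MPM loaded: " + ", ".join(mpms)
    return True, mpms[0]


def keep_only_mpm(conf_text, keep):
    """Return the config with every MPM LoadModule other than `keep` commented out."""
    out = []
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if m and m.group("name").lower().startswith("mpm_") and m.group("name") != keep:
            out.append("#" + line)  # disable, but keep the line visible for the admin
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(check_single_mpm(HTTPD_CONF))
    fixed = keep_only_mpm(HTTPD_CONF, "mpm_worker_module")
    print(check_single_mpm(fixed))
    print(fixed)
```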


Re: The show goes on - 2.4.16

2015-07-16 Thread Reindl Harald


Am 16.07.2015 um 15:03 schrieb Michael Felt:

First little thing I ran into - that I did not have with 2.4.12 is this:

root@x065:[/data/prj/apache/httpd/test]/opt/httpd/sbin/apachectl start
AH00534: httpd: Configuration error: More than one MPM loaded.

Granted, I should perhaps change to pre-fork (I noticed some had only
tested that) - but I had 'adopted' MPM when 2.4.0 first came out.


no, you just should not load *both*


root@x065:[/data/prj/apache/httpd/test]grep -i mpm /etc/httpd/httpd.conf
LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
LoadModule mpm_worker_module libexec/mod_mpm_worker.so


why are both there?





Re: The show goes on - 2.4.16

2015-07-16 Thread Michael Felt
I do not know why both are there - something to do with the "configure"
statement perhaps. As I said above - not had this show up before.

In any case, just finished ApacheTest and is looking very good.

All tests successful.
Files=110, Tests=4843, 364 wallclock secs ( 3.38 usr  0.50 sys + 88.88 cusr
74.02 csys = 166.78 CPU)
Result: PASS
[warning] server loopback:8529 shutdown
[warning] port 8529 still in use...
..done


On Thu, Jul 16, 2015 at 3:10 PM, Reindl Harald 
wrote:

>
> Am 16.07.2015 um 15:03 schrieb Michael Felt:
>
>> First little thing I ran into - that I did not have with 2.4.12 is this:
>>
>> root@x065:[/data/prj/apache/httpd/test]/opt/httpd/sbin/apachectl start
>> AH00534: httpd: Configuration error: More than one MPM loaded.
>>
>> Granted, I should perhaps change to pre-fork (I noticed some had only
>> tested that) - but I had 'adopted' MPM when 2.4.0 first came out.
>>
>
> no, you just should not load *both*
>
>  root@x065:[/data/prj/apache/httpd/test]grep -i mpm /etc/httpd/httpd.conf
>> LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
>> LoadModule mpm_worker_module libexec/mod_mpm_worker.so
>>
>
> why are both there?
>
>


Re: The show goes on - 2.4.16

2015-07-16 Thread William A Rowe Jr
On Jul 16, 2015 8:04 AM, "Michael Felt"  wrote:
>
> First little thing I ran into - that I did not have with 2.4.12 is this:
>
> root@x065:[/data/prj/apache/httpd/test]/opt/httpd/sbin/apachectl start
> AH00534: httpd: Configuration error: More than one MPM loaded.

> root@x065:[/data/prj/apache/httpd/test]grep -i mpm /etc/httpd/httpd.conf
> LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
> LoadModule mpm_worker_module libexec/mod_mpm_worker.so
> # Server-pool management (MPM specific)
> #Include /etc/httpd/extra/httpd-mpm.conf
>
> p.s. I had done configure with:
>
>   $ ./configure --enable-layout=AIX --with-apr=/opt/bin/apr-1-config
--with-apr-util=/opt/bin/apu-1-config --enable-mpms-shared=all
--enable-mods-shared=all --disable-lua --enable-load-all-modules
--enable-maintainer-mode --with-ssl

Looks correct...

--enable-mpms-shared=all
Worked as instructed...

--enable-load-all-modules
Did just as you asked.

Not sure offhand if we can hack some mpm-specific module exception to the
latter.


Re: The show goes on - 2.4.16

2015-07-16 Thread Michael Felt
My comment is that with 2.4.12 the same configure did not do this. This is
new behavior.

I was testing with 2.4.12 all day yesterday, using the same build scripts
today with 2.4.16 came up differently.

So now, after the build I have this difference in httpd.conf

root@x065:[/data/prj/apache/httpd]diff -u */x/etc/httpd/httpd.conf
--- httpd-2.4.12/x/etc/httpd/httpd.conf 2015-07-16 09:48:20 +
+++ httpd-2.4.16/x/etc/httpd/httpd.conf 2015-07-16 12:31:25 +
@@ -143,6 +143,7 @@
 LoadModule lbmethod_bytraffic_module libexec/mod_lbmethod_bytraffic.so
 LoadModule lbmethod_bybusyness_module libexec/mod_lbmethod_bybusyness.so
 LoadModule lbmethod_heartbeat_module libexec/mod_lbmethod_heartbeat.so
+LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
 LoadModule mpm_worker_module libexec/mod_mpm_worker.so
 LoadModule unixd_module libexec/mod_unixd.so
 LoadModule heartbeat_module libexec/mod_heartbeat.so
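Review bot: the added `+LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so` lands directly above the unchanged `LoadModule mpm_worker_module libexec/mod_mpm_worker.so`, and two active MPM LoadModule directives are exactly what httpd refuses at startup with AH00534. The generated config should enable only one MPM and leave the other commented out, or the build should not combine --enable-load-all-modules with --enable-mpms-shared=all.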


On Thu, Jul 16, 2015 at 4:03 PM, William A Rowe Jr 
wrote:

> On Jul 16, 2015 8:04 AM, "Michael Felt"  wrote:
> >
> > First little thing I ran into - that I did not have with 2.4.12 is this:
> >
> > root@x065:[/data/prj/apache/httpd/test]/opt/httpd/sbin/apachectl start
> > AH00534: httpd: Configuration error: More than one MPM loaded.
>
> > root@x065:[/data/prj/apache/httpd/test]grep -i mpm /etc/httpd/httpd.conf
> > LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
> > LoadModule mpm_worker_module libexec/mod_mpm_worker.so
> > # Server-pool management (MPM specific)
> > #Include /etc/httpd/extra/httpd-mpm.conf
> >
> > p.s. I had done configure with:
> >
> >   $ ./configure --enable-layout=AIX --with-apr=/opt/bin/apr-1-config
> --with-apr-util=/opt/bin/apu-1-config --enable-mpms-shared=all
> --enable-mods-shared=all --disable-lua --enable-load-all-modules
> --enable-maintainer-mode --with-ssl
>
> Looks correct...
>
> --enable-mpms-shared=all
> Worked as instructed...
>
> --enable-load-all-modules
> Did just as you asked.
>
> Not sure offhand if we can hack some mpm-specific module exception to the
> latter.
>


Re: The show goes on - 2.4.16

2015-07-16 Thread Yann Ylavic
On Thu, Jul 16, 2015 at 4:41 PM, Michael Felt  wrote:
> My comment is that with 2.4.12 the same configure did not do this. This is
> new behavior.

Probably a consequence of [1] which may not play very well with
--enable-load-all-modules.

[1] http://svn.apache.org/r1661848


Re: The show goes on - 2.4.16

2015-07-16 Thread Andy Wang

http://svn.apache.org/viewvc?view=revision&revision=1661848

https://bz.apache.org/bugzilla/show_bug.cgi?id=53882

Looks like it was explicitly changed to track mpms like any other shared 
module, and as Bill noted, --enable-load-all-modules simply loaded them 
all mpms included.


Andy


On 07/16/2015 09:41 AM, Michael Felt wrote:

My comment is that with 2.4.12 the same configure did not do this. This
is new behavior.

I was testing with 2.4.12 all day yesterday, using the same build
scripts today with 2.4.16 came up differently.

So now, after the build I have this difference in httpd.conf

root@x065:[/data/prj/apache/httpd]diff -u */x/etc/httpd/httpd.conf
--- httpd-2.4.12/x/etc/httpd/httpd.conf 2015-07-16 09:48:20 +
+++ httpd-2.4.16/x/etc/httpd/httpd.conf 2015-07-16 12:31:25 +
@@ -143,6 +143,7 @@
  LoadModule lbmethod_bytraffic_module libexec/mod_lbmethod_bytraffic.so
  LoadModule lbmethod_bybusyness_module libexec/mod_lbmethod_bybusyness.so
  LoadModule lbmethod_heartbeat_module libexec/mod_lbmethod_heartbeat.so
+LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
  LoadModule mpm_worker_module libexec/mod_mpm_worker.so
  LoadModule unixd_module libexec/mod_unixd.so
  LoadModule heartbeat_module libexec/mod_heartbeat.so


On Thu, Jul 16, 2015 at 4:03 PM, William A Rowe Jr wrote:

On Jul 16, 2015 8:04 AM, "Michael Felt" wrote:
>
> First little thing I ran into - that I did not have with 2.4.12 is this:
>
> root@x065:[/data/prj/apache/httpd/test]/opt/httpd/sbin/apachectl start
> AH00534: httpd: Configuration error: More than one MPM loaded.

 > root@x065:[/data/prj/apache/httpd/test]grep -i mpm
/etc/httpd/httpd.conf
> LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
> LoadModule mpm_worker_module libexec/mod_mpm_worker.so
> # Server-pool management (MPM specific)
> #Include /etc/httpd/extra/httpd-mpm.conf
>
> p.s. I had done configure with:
>
>   $ ./configure --enable-layout=AIX --with-apr=/opt/bin/apr-1-config 
--with-apr-util=/opt/bin/apu-1-config --enable-mpms-shared=all 
--enable-mods-shared=all --disable-lua --enable-load-all-modules 
--enable-maintainer-mode --with-ssl

Looks correct...

--enable-mpms-shared=all
Worked as instructed...

--enable-load-all-modules
Did just as you asked.

Not sure offhand if we can hack some mpm-specific module exception
to the latter.




Re: The show goes on - 2.4.16

2015-07-16 Thread Jim Jagielski
Yeah... gr.

In any case, this would affect only those w/ virgin builds, right?

> On Jul 16, 2015, at 11:01 AM, Yann Ylavic  wrote:
> 
> On Thu, Jul 16, 2015 at 4:41 PM, Michael Felt  wrote:
>> My comment is that with 2.4.12 the same configure did not do this. This is
>> new behavior.
> 
> Probably a consequence of [1] which may not play very well with
> --enable-load-all-modules.
> 
> [1] http://svn.apache.org/r1661848



Re: finally...

2015-07-16 Thread Jim Jagielski
Testing as we speak... will commit if all OK :)

> On Jul 15, 2015, at 12:26 PM, Stefan Eissing  
> wrote:
> 
> ...got the test framework to PASS on my OS X against httpd/trunk built.
> 
> I added more description of what I found in the README and checked that in. I 
> have the attached patch to the test code itself, which I will not just dump 
> on you. I think the changes are ok, but will wait for some feedback.
> 
> The changes are in
> - t/modules/cgi.t
> - t/modules/include.t
> - t/security/CVE-2004-0747.t
> 
> Cheers,
> 
>  Stefan
> 
> 
> 
> bytes GmbH
> Hafenweg 16, 48155 Münster, Germany
> Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
> 
> 
> 



Re: The show goes on - 2.4.16

2015-07-16 Thread Yann Ylavic
Yes, and with --enable-load-all-modules (not so common, I think, when
not testing with the framework...).

On Thu, Jul 16, 2015 at 5:19 PM, Jim Jagielski  wrote:
> Yeah... gr.
>
> In any case, this would affect only those w/ virgin builds, right?
>
>> On Jul 16, 2015, at 11:01 AM, Yann Ylavic  wrote:
>>
>> On Thu, Jul 16, 2015 at 4:41 PM, Michael Felt  wrote:
>>> My comment is that with 2.4.12 the same configure did not do this. This is
>>> new behavior.
>>
>> Probably a consequence of [1] which may not play very well with
>> --enable-load-all-modules.
>>
>> [1] http://svn.apache.org/r1661848
>


Re: The show goes on - 2.4.16

2015-07-16 Thread Michael Felt
Nothing serious of course - AND the advantage is that I do not have to do a
new build to switch to pre-fork (which was the old way iirc).

So - was I the first to find a bug in the new release :P

btw - I am much more interested in the ssl tests and whether it is a failed
test (going back to MC4 128-bit) when the initial connection was much
better. I assume this is not logjam (or some other horrible recent OpenSSL
TLS renegotiate CVE) - but it is something we want to prevent (as far as I
know LibreSSL has no support for RC4 as it is too weak - hence these will
fail by definition if the test (client) is forcing a renegotiate to that
level of cryptography (key exchange?).

In other words - think more about my other post please!

On Thu, Jul 16, 2015 at 5:26 PM, Yann Ylavic  wrote:

> Yes, and with --enable-load-all-modules (not so common, I think, when
> not testing with the framework...).
>
> On Thu, Jul 16, 2015 at 5:19 PM, Jim Jagielski  wrote:
> > Yeah... gr.
> >
> > In any case, this would affect only those w/ virgin builds, right?
> >
> >> On Jul 16, 2015, at 11:01 AM, Yann Ylavic  wrote:
> >>
> >> On Thu, Jul 16, 2015 at 4:41 PM, Michael Felt 
> wrote:
> >>> My comment is that with 2.4.12 the same configure did not do this.
> This is
> >>> new behavior.
> >>
> >> Probably a consequence of [1] which may not play very well with
> >> --enable-load-all-modules.
> >>
> >> [1] http://svn.apache.org/r1661848
> >
>


Re: Congratulations on the new release(s)

2015-07-16 Thread Michael Felt
I really should have titled this differently - sigh!

On Thu, Jul 16, 2015 at 2:20 PM, Michael Felt  wrote:

> I am a bit behind - yet looking forward.
>
> I wish to recall a pleasant get together last April in Texas just before
> ApacheCon. At that time I mentioned LibreSSL and building httpd against it
> (actually mod_ssl is all it amounts to).
>
> The build itself was quite simple - I shall repeat that now for 2.4.16 and
> trunk - and send the 'patch' in.
>
> While build is simple - understanding the differences in test output is
> daunting.
>
> Here I have the output of just one test t/ssl/pr12355.t - and note the
> differences in the ssl_access_log - not just the error messages (I have
> removed all "debug" messages from the logs as they were "in the way").
>
> LibreSSL is version 2.2.0, OpenSSL is version 0.9.8m (yes I know very old,
> will test with latest patches later - I hope not relevant to here).
>
> So, please note: LibreSSL says access is:
> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
> /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
> while OpenSSL says
> t/logs/ssl_request_log:[16/Jul/2015:11:32:35 +] 127.0.0.1 TLSv1
> RC4-SHA "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11
>
> My question: what can I do to understand why OpenSSL is adding TLSv1
> RC4-SHA while LibreSSL is "- -"
>
> Note also in the
>
> ==> LibreSSL_pr12355.t.results <==
> t/logs/error_log:[Thu Jul 16 11:47:12.425257 2015] [ssl:info] [pid
> 389322:tid 515] [client 127.0.0.1:48676] AH01964: Connection to child 0
> established (server loopback:8532)
> t/logs/error_log:[Thu Jul 16 11:47:12.613855 2015] [ssl:info] [pid
> 389322:tid 515] [client 127.0.0.1:48676] AH02221: Requesting connection
> re-negotiation
> t/logs/error_log:[Thu Jul 16 11:47:12.614004 2015] [ssl:info] [pid
> 389322:tid 515] [client 127.0.0.1:48676] AH02226: Awaiting re-negotiation
> handshake
> t/logs/error_log:[Thu Jul 16 11:47:12.620757 2015] [ssl:error] [pid
> 389322:tid 515] [client 127.0.0.1:48676] AH02261: Re-negotiation
> handshake failed: Not accepted by client!?
> t/logs/error_log:[Thu Jul 16 11:47:12.620803 2015] [ssl:info] [pid
> 389322:tid 515] [client 127.0.0.1:48676] AH02008: SSL library error 1 in
> handshake (server loopback:8532)
> t/logs/error_log:[Thu Jul 16 11:47:12.620825 2015] [ssl:info] [pid
> 389322:tid 515] SSL Library Error: error:1408E0F4:SSL
> routines:SSL3_GET_MESSAGE:unexpected message
> t/logs/error_log:[Thu Jul 16 11:47:12.620837 2015] [ssl:info] [pid
> 389322:tid 515] [client 127.0.0.1:48676] AH01998: Connection closed to
> child 0 with abortive shutdown (server loopback:8532)
> t/logs/error_log:[Thu Jul 16 11:47:17.073812 2015] [core:warn] [pid
> 344086:tid 1] AH00045: child process 389322 still did not exit, sending a
> SIGTERM
> t/logs/error_log:[Thu Jul 16 11:47:19.076308 2015] [core:info] [pid
> 344086:tid 1] AH00096: removed PID file
> /data/prj/apache/httpd/test/t/logs/httpd.pid (pid=344086)
> t/logs/error_log:[Thu Jul 16 11:47:19.076349 2015] [mpm_worker:notice]
> [pid 344086:tid 1] AH00295: caught SIGTERM, shutting down
> t/logs/ssl_request_log:[16/Jul/2015:11:47:10 +] 127.0.0.1 - - "GET
> /index.html HTTP/1.1" 200 26
> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
> /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
> /require-md5-cgi/perl_echo.pl HTTP/1.1" 403 237
> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
> /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
> /require-md5-cgi/perl_echo.pl HTTP/1.1" 403 237
>
> ==> OpenSSL_pr12355.t.results <==
> t/logs/error_log:[Thu Jul 16 11:32:35.380665 2015] [ssl:info] [pid
> 417826:tid 515] [client 127.0.0.1:39151] AH02226: Awaiting re-negotiation
> handshake
> t/logs/error_log:[Thu Jul 16 11:32:35.423630 2015] [ssl:info] [pid
> 417826:tid 772] [client 127.0.0.1:39152] AH01964: Connection to child 1
> established (server loopback:8532)
> t/logs/error_log:[Thu Jul 16 11:32:35.571262 2015] [ssl:info] [pid
> 417826:tid 772] [client 127.0.0.1:39152] AH02221: Requesting connection
> re-negotiation
> t/logs/error_log:[Thu Jul 16 11:32:35.571354 2015] [ssl:info] [pid
> 417826:tid 772] [client 127.0.0.1:39152] AH02226: Awaiting re-negotiation
> handshake
> t/logs/error_log:[Thu Jul 16 11:32:35.613858 2015] [ssl:info] [pid
> 417826:tid 515] [client 127.0.0.1:39153] AH01964: Connection to child 0
> established (server loopback:8532)
> t/logs/error_log:[Thu Jul 16 11:32:35.771440 2015] [ssl:info] [pid
> 417826:tid 515] [client 127.0.0.1:39153] AH02221: Requesting connection
> re-negotiation
> t/logs/error_log:[Thu Jul 16 11:32:35.771533 2015] [ssl:info] [pid
> 417826:tid 515] [client 127.0.0.1:39153] AH02226: Awaiting re-negotiation
> handshake
> t/logs/error_log:[Thu Jul 16 11:32:40.284682 2015] [core:warn] [pid
> 385024:tid 1] AH00045: child process 

Re: finally...

2015-07-16 Thread Stefan Eissing
Thanks, Jim!



> Am 16.07.2015 um 17:22 schrieb Jim Jagielski :
> 
> Testing as we speak... will commit if all OK :)
> 
>> On Jul 15, 2015, at 12:26 PM, Stefan Eissing  
>> wrote:
>> 
>> ...got the test framework to PASS on my OS X against httpd/trunk built.
>> 
>> I added more description of what I found in the README and checked that in. 
>> I have the attached patch to the test code itself, which I will not just 
>> dump on you. I think the changes are ok, but will wait for some feedback.
>> 
>> The changes are in
>> - t/modules/cgi.t
>> - t/modules/include.t
>> - t/security/CVE-2004-0747.t
>> 
>> Cheers,
>> 
>> Stefan
>> 
>> 
>> 
>> bytes GmbH
>> Hafenweg 16, 48155 Münster, Germany
>> Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
> 


Re: The show goes on - 2.4.16

2015-07-16 Thread Yann Ylavic
On Thu, Jul 16, 2015 at 5:38 PM, Michael Felt  wrote:
>
> btw - I am much more interested in the ssl tests and whether it is a failed
> test (going back to MC4 128-bit) when the initial connection was much
> better. I assume this is not logjam (or some other horrible recent OpenSSL
> TLS renegotiate CVE) - but it is something we want to prevent (as far as I
> know LibreSSL has no support for RC4 as it is too weak - hence these will
> fail by definition if the test (client) is forcing a renegotiate to that
> level of cryptography (key exchange?).

The test framework does indeed use RC4-MD5 (vs RC4-SHA) on location
/require-md5-cgi (resp. /require-sha-cgi) for renegotiations based on
cipher change.

I have replaced it with AES128 vs AES256 (-SHA) in r1691419; these
should be available with both libs.
Could you svn up your framework and check if it works now?
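The ssl_request_log lines Michael Felt compared earlier (TLSv1 RC4-SHA with a 200 under OpenSSL, "- -" with a 403 under LibreSSL) and the cipher-change renegotiation Yann describes here are easiest to reason about if the log is parsed rather than eyeballed. The following is an added example, not code from the thread or from the httpd test framework: it parses lines in the assumed `%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %>s %b` format, flags requests that carry no TLS parameters, a weak cipher such as RC4, or a legacy protocol, and counts findings so two library builds can be compared. The sample log is constructed from the entries quoted in the thread; the weak-cipher markers are this example's own list.

```python
import re
from collections import Counter

# Constructed sample modelled on the ssl_request_log lines quoted in the thread;
# a grep-style "t/logs/ssl_request_log:" prefix is kept on some lines on purpose.
# Assumed format: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %>s %b
SAMPLE_LOG = """\
t/logs/ssl_request_log:[16/Jul/2015:11:47:10 +0000] 127.0.0.1 - - "GET /index.html HTTP/1.1" 200 26
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +0000] 127.0.0.1 - - "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
[16/Jul/2015:11:32:35 +0000] 127.0.0.1 TLSv1 RC4-SHA "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11
[16/Jul/2015:11:32:35 +0000] 127.0.0.1 TLSv1 RC4-MD5 "POST /require-md5-cgi/perl_echo.pl HTTP/1.1" 200 11
[16/Jul/2015:11:32:36 +0000] 127.0.0.1 TLSv1.2 AES256-SHA "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11
this line is not a log entry
"""

LINE_RE = re.compile(
    r'\[(?P<time>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<bytes>\S+)\s*$'
)

# Substrings that mark a suite as unacceptable in this example. RC4 is the one the
# test framework used; LibreSSL 2.2 has dropped it, hence the failures in that run.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "RC2")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")


def parse_line(line):
    """Parse one ssl_request_log line; returns a dict, or None if it is not an entry."""
    start = line.find("[")  # skip any "file:" prefix left by grep
    if start < 0:
        return None
    m = LINE_RE.match(line[start:])
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = entry["request"].split(" ")
    entry["method"] = parts[0]
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def classify(entry):
    """Findings for one entry as (severity, reason) tuples."""
    findings = []
    if entry["proto"] == "-" or entry["cipher"] == "-":
        # mod_ssl writes '-' when SSL_PROTOCOL / SSL_CIPHER are not set for the
        # request; the whole LibreSSL run in the thread looks like this, 200s included.
        findings.append(("warn", "no TLS protocol/cipher recorded"))
    else:
        if any(marker in entry["cipher"] for marker in WEAK_CIPHER_MARKERS):
            findings.append(("weak", "weak cipher negotiated: " + entry["cipher"]))
        if entry["proto"] in LEGACY_PROTOCOLS:
            findings.append(("legacy", "legacy protocol: " + entry["proto"]))
    if entry["status"] == 403 and entry["path"].startswith("/require-"):
        # The /require-* test locations renegotiate to a specific cipher; a 403 there
        # means that cipher requirement was not met after the renegotiation.
        findings.append(("info", "cipher-restricted location refused the request"))
    return findings


def audit(log_text):
    """Run classify() over every parsable line; returns (path, severity, reason) triples."""
    results = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        for severity, reason in classify(entry):
            results.append((entry["path"], severity, reason))
    return results


def summarize(results):
    """Count findings per severity so one run can be compared against another."""
    return Counter(severity for _, severity, _ in results)


if __name__ == "__main__":
    for path, severity, reason in audit(SAMPLE_LOG):
        print(f"{severity:6s} {path:32s} {reason}")
    print(dict(summarize(audit(SAMPLE_LOG))))
```

Running the same audit over the OpenSSL and LibreSSL result files gives a per-severity count for each library, which is a quicker first diff than reading the raw logs.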


Re: The show goes on - 2.4.16

2015-07-16 Thread Rainer Jung

Am 16.07.2015 um 17:26 schrieb Yann Ylavic:

Yes, and with --enable-load-all-modules (not so common, I think, when
not testing with the framework...).


Exactly, that's mostly a flag to produce non-production but test-ready 
configs. Not so nice that it doesn't start up, but I would be astonished 
if there were people running into this problem and not being on this 
list here.



On Thu, Jul 16, 2015 at 5:19 PM, Jim Jagielski  wrote:

Yeah... gr.

In any case, this would affect only those w/ virgin builds, right?


On Jul 16, 2015, at 11:01 AM, Yann Ylavic  wrote:

On Thu, Jul 16, 2015 at 4:41 PM, Michael Felt  wrote:

My comment is that with 2.4.12 the same configure did not do this. This is
new behavior.


Probably a consequence of [1] which may not play very well with
--enable-load-all-modules.

[1] http://svn.apache.org/r1661848


Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results

2015-07-16 Thread Michael Felt

Moving this to a thread with a better title!

A longish read - basically while 2.4.12 had few errors when built 
against OpenSSL 0.9.8, LibreSSL has quite a few errors - perhaps because 
it has removed many "unsafe" crypto combinations. The root question is: 
is this LibreSSL misbehaving, or are the tests needing some work to 
verify that "weak ciphers and key exchanges are not being used - e.g., 
via renegotiation"?


+++

I wish to recall a pleasant get together last April in Texas just before
ApacheCon. At that time I mentioned LibreSSL and building httpd against it
(actually mod_ssl is all it amounts to).

The build itself was quite simple - I shall repeat that now for 2.4.16 and
trunk - and send the 'patch' in.

While build is simple - understanding the differences in test output is
daunting.

Here I have the output of just one test t/ssl/pr12355.t - and note the
differences in the ssl_access_log - not just the error messages (I have
removed all "debug" messages from the logs as they were "in the way").

LibreSSL is version 2.2.0, OpenSSL is version 0.9.8m (yes I know very old,
will test with latest patches later - I hope not relevant to here).

So, please note: LibreSSL says access is:
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
while OpenSSL says
t/logs/ssl_request_log:[16/Jul/2015:11:32:35 +] 127.0.0.1 TLSv1 RC4-SHA
"POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11

My question: what can I do to understand why OpenSSL is adding TLSv1
RC4-SHA while LibreSSL is "- -"

Note also in the

==> LibreSSL_pr12355.t.results <==
t/logs/error_log:[Thu Jul 16 11:47:12.425257 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH01964: Connection to child 0
established (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:47:12.613855 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02221: Requesting connection
re-negotiation
t/logs/error_log:[Thu Jul 16 11:47:12.614004 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02226: Awaiting re-negotiation
handshake
t/logs/error_log:[Thu Jul 16 11:47:12.620757 2015] [ssl:error] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02261: Re-negotiation handshake
failed: Not accepted by client!?
t/logs/error_log:[Thu Jul 16 11:47:12.620803 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH02008: SSL library error 1 in
handshake (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:47:12.620825 2015] [ssl:info] [pid
389322:tid 515] SSL Library Error: error:1408E0F4:SSL
routines:SSL3_GET_MESSAGE:unexpected message
t/logs/error_log:[Thu Jul 16 11:47:12.620837 2015] [ssl:info] [pid
389322:tid 515] [client 127.0.0.1:48676] AH01998: Connection closed to
child 0 with abortive shutdown (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:47:17.073812 2015] [core:warn] [pid
344086:tid 1] AH00045: child process 389322 still did not exit, sending a
SIGTERM
t/logs/error_log:[Thu Jul 16 11:47:19.076308 2015] [core:info] [pid
344086:tid 1] AH00096: removed PID file
/data/prj/apache/httpd/test/t/logs/httpd.pid (pid=344086)
t/logs/error_log:[Thu Jul 16 11:47:19.076349 2015] [mpm_worker:notice] [pid
344086:tid 1] AH00295: caught SIGTERM, shutting down
t/logs/ssl_request_log:[16/Jul/2015:11:47:10 +] 127.0.0.1 - - "GET
/index.html HTTP/1.1" 200 26
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-md5-cgi/perl_echo.pl HTTP/1.1" 403 237
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
/require-md5-cgi/perl_echo.pl HTTP/1.1" 403 237

==>  OpenSSL_pr12355.t.results<==
t/logs/error_log:[Thu Jul 16 11:32:35.380665 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39151] AH02226: Awaiting re-negotiation
handshake
t/logs/error_log:[Thu Jul 16 11:32:35.423630 2015] [ssl:info] [pid
417826:tid 772] [client 127.0.0.1:39152] AH01964: Connection to child 1
established (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:32:35.571262 2015] [ssl:info] [pid
417826:tid 772] [client 127.0.0.1:39152] AH02221: Requesting connection
re-negotiation
t/logs/error_log:[Thu Jul 16 11:32:35.571354 2015] [ssl:info] [pid
417826:tid 772] [client 127.0.0.1:39152] AH02226: Awaiting re-negotiation
handshake
t/logs/error_log:[Thu Jul 16 11:32:35.613858 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39153] AH01964: Connection to child 0
established (server loopback:8532)
t/logs/error_log:[Thu Jul 16 11:32:35.771440 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39153] AH02221: Requesting connection
re-negotiation
t/logs/error_log:[Thu Jul 16 11:32:35.771533 2015] [ssl:info] [pid
417826:tid 515] [client 127.0.0.1:39153] AH02226: Awaiting re-negotiation
handshake
t/logs/erro

Re: [VOTE] [24 hr] Release 2.2.31 as GA?

2015-07-16 Thread William A Rowe Jr
On Wed, Jul 15, 2015 at 11:44 AM, William A Rowe Jr 
wrote:

> The pre-release candidate tarballs of Apache httpd 2.2.31, can be found
> in;
>
> http://httpd.apache.org/dev/dist/
>
>   +/-1
>

  [+1]  Release 2.2.31 GA (apr 1.5.2, apr-util 1.5.4)

>
My own vote after preparing and exercising -win32-src.  The linux builds
have long looked good.


[VOTE] [PASSES] Release 2.2.31 as GA?

2015-07-16 Thread William A Rowe Jr
With 4/5 of the 2.2.30 voters having re-reviewed 2.2.31, and the single
s/-1/+1/ based on this re-roll, I'm confident in calling this vote a success,
and am pushing this release to the mirrors for announcement tomorrow.

Thanks all for all the reviews of both 2.2 candidates (and all of the 4 2.4
candidates!) that you were able to participate in, seemed unusually difficult
to make it this far, but here we are at last.

Yours,

Bill

On Wed, Jul 15, 2015 at 11:44 AM, William A Rowe Jr 
wrote:

> The pre-release candidate tarballs of Apache httpd 2.2.31, can be found
> in;
>
> http://httpd.apache.org/dev/dist/
>
>   +/-1
>   [  ]  Release 2.2.31 GA (apr 1.5.2, apr-util 1.5.4)
>
> Win32 src to follow in an hour this round. With such an insignificant
> set of changes to a generally approved 2.2.30 which enjoyed the full
> 3-day voting period, I expect to end this vote tomorrow at 17:00GMT
> Thursday, if there are sufficient votes cast.
>
> The entire delta between 2.2.30 and 2.2.31 is attached, for your initial
> inspection.
>


Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results

2015-07-16 Thread William A Rowe Jr
On Thu, Jul 16, 2015 at 12:02 PM, Michael Felt  wrote:

> Here I have the output of just one test t/ssl/pr12355.t - and note the
> differences in the ssl_access_log - not just the error messages (I have
> removed all "debug" messages from the logs as they were "in the way".
>
> LibreSSL is version 2.2.0, OpenSSL is version 0.9.8m (yes I know very old,
> will test with latest patches later - I hope not relevant to here).
>
> So, please note: LibreSSL says access is:
> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
> /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
> while OpenSSL says
> t/logs/ssl_request_log:[16/Jul/2015:11:32:35 +] 127.0.0.1 TLSv1 RC4-SHA
> "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11
>
> My question: what can I do to understand why OpenSSL is adding TLSv1
> RC4-SHA while LibreSSL is "- -"
>
>
I'll take this one item.  Take a look into our implementation of
ssl_var_lookup_ssl and particularly ssl_var_lookup_ssl_cipher.  I would
expect LibreSSL isn't providing any meaningful data to represent.


Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results

2015-07-16 Thread Michael Felt
I'll look at it and hopefully understand something. but tomorrow.

On Thu, Jul 16, 2015 at 7:56 PM, William A Rowe Jr 
wrote:

> On Thu, Jul 16, 2015 at 12:02 PM, Michael Felt  wrote:
>
>> Here I have the output of just one test t/ssl/pr12355.t - and note the
>> differences in the ssl_access_log - not just the error messages (I have
>> removed all "debug" messages from the logs as they were "in the way".
>>
>> LibreSSL is version 2.2.0, OpenSSL is version 0.9.8m (yes I know very old,
>> will test with latest patches later - I hope not relevant to here).
>>
>> So, please note: LibreSSL says access is:
>> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +] 127.0.0.1 - - "POST
>> /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
>> while OpenSSL says
>> t/logs/ssl_request_log:[16/Jul/2015:11:32:35 +] 127.0.0.1 TLSv1 RC4-SHA
>> "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11
>>
>> My question: what can I do to understand why OpenSSL is adding TLSv1
>> RC4-SHA while LibreSSL is "- -"
>>
>>
> I'll take this one item.  Take a look into our implementation of
> ssl_var_lookup_ssl
> and particularly ssl_var_lookup_ssl_cipher.  I would expect LibreSSL isn't
> providing
> any meaningful data to represent.
>
>
>


Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results

2015-07-16 Thread Yann Ylavic
On Thu, Jul 16, 2015 at 7:02 PM, Michael Felt  wrote:
>
> A longish read - basically while 2.4.12 had few errors when built against
> OpenSSL 0.9.8 LibreSSL has quite a few errors - perhaps because it has
> removed many "unsafe" crypto combinations. The root question is: is this
> LibreSSL misbehaving, or are the tests needing some work to verify that
> "weak ciphers and key exchanges are not being used - e.g., via
> renegotiation.

Latest commit on test framework ([1]) replaced RC4-{MD5,SHA} with
AES{128,256}-SHA so that these are more likely to be known by both
libs (unless LibreSSL also disabled all CBC based chainings).
So if RC4 was the culprit, the tests (pr12355 and pr43738) should pass now.

BTW that's not what triggers the renegotiations since keep-alive seems
not to be used for successive requests (that possibly could be another
test, though logs show Initial connections only here), but rather a
specific Location's CipherSuite different from the (handshaken)
VirtualHost's one.

>
> One test in LibreSSL (first one) from test:
> [...]
> [Thu Jul 16 11:47:11.864018 2015] [ssl:debug] [pid 389322:tid 772]
>  ssl_engine_kernel.c(1908): [client 127.0.0.1:48673] AH02043: SSL virtual 
> host for servername loopback found
> [Thu Jul 16 11:47:11.982116 2015] [ssl:debug] [pid 389322:tid 772]
>  ssl_engine_kernel.c(1841): [client 127.0.0.1:48673] AH02041: Protocol: 
> TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)

Is the framework using openssl or libressl here?
Are PATH or APACHE_TEST_OPENSSL_CMD defined, or maybe the system's default lib?

> [Thu Jul 16 11:47:12.051994 2015] [ssl:error] [pid 389322:tid 772]
>  [client 127.0.0.1:48673] AH02261: Re-negotiation handshake failed: Not 
> accepted by client!?
> [Thu Jul 16 11:47:12.052072 2015] [ssl:info] [pid 389322:tid 772]
>  [client 127.0.0.1:48673] AH02008: SSL library error 1 in handshake (server 
> loopback:8532)
> [Thu Jul 16 11:47:12.052157 2015] [ssl:info] [pid 389322:tid 772]
>  SSL Library Error: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected 
> message

That's not an alert (a close?).
Maybe a higher LogLevel (trace5?) would help, and/or a pcap...

Regards,
Yann.

[1] http://svn.apache.org/r1691419
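As an added illustration of the per-Location renegotiation Yann describes, and of where the "- -" in the LibreSSL ssl_request_log comes from (this is not the Apache::Test configuration itself; the log format, port, paths and cipher names are assumptions modelled on the thread's log lines and on r1691419):

```apache
# Assumed log format: the "- -" in the thread's LibreSSL ssl_request_log are
# the SSL_PROTOCOL and SSL_CIPHER variables (served by ssl_var_lookup_ssl and
# ssl_var_lookup_ssl_cipher) coming back empty, not a failed TLS handshake.
LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b" ssl_request
CustomLog logs/ssl_request_log ssl_request

<VirtualHost _default_:8532>
    SSLEngine on
    # Suite set used for the initial handshake (the AH02041 line in the
    # thread's log shows what was actually negotiated).
    SSLCipherSuite HIGH:!aNULL:!MD5

    # A per-Location SSLCipherSuite that differs from the VirtualHost's makes
    # mod_ssl renegotiate the connection before serving the request
    # (AH02221 "Requesting connection re-negotiation", then AH02226).
    #
    # Weak setting, as the tests used before r1691419: if the library does
    # not offer RC4-SHA (Yann's hypothesis for LibreSSL), the renegotiation
    # cannot complete, mod_ssl logs AH02261 and rejects the request, which
    # is the 403 seen in the LibreSSL run.
    #<Location /require-sha-cgi>
    #    SSLCipherSuite RC4-SHA
    #</Location>

    # Corrected setting, following r1691419: a CBC suite both libraries are
    # expected to offer, so the renegotiation can succeed and the request
    # log shows the renegotiated protocol and cipher, as in the OpenSSL run.
    <Location /require-sha-cgi>
        SSLCipherSuite AES128-SHA
    </Location>
</VirtualHost>
```

A request under /require-sha-cgi will still trigger a renegotiation with the corrected suite, because the point of the test is that the Location's suite differs from the VirtualHost's; what changes is that both libraries can complete it.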