Re: svn commit: r1783317 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

2017-02-16 Thread William A Rowe Jr
On Feb 16, 2017 17:33, "Jacob Champion" wrote: On 02/16/2017 03:16 PM, William A Rowe Jr wrote: > With no docs to that effect, and trying to predict what 1.2.0 might do > to us, the explicit avoidance seems safer, no? > There are docs to that effect for 1.1.0.

Re: svn commit: r1783305 - /httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

2017-02-16 Thread Yann Ylavic
On Fri, Feb 17, 2017 at 12:18 AM, William A Rowe Jr wrote: > On Thu, Feb 16, 2017 at 4:45 PM, Yann Ylavic wrote: >> >> Shouldn't this commit (and follow ups) be merged in >> branches/2.4.x-openssl-1.1.0-compat ? > > Yes; however it isn't clear to me

Re: Topic for discussion... 2.4.26

2017-02-16 Thread William A Rowe Jr
With the passing of OpenSSL 1.0.1, is OpenSSL 1.1.0 on our radar for the next release? I'm not clear how that merge branch is intended to be used, I don't understand whether we propose to adopt every feature and API change commit to modules/ssl/* - and why it has been rebased, unless we intend

Re: svn commit: r1783317 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

2017-02-16 Thread Jacob Champion
On 02/16/2017 03:16 PM, William A Rowe Jr wrote: With no docs to that effect, and trying to predict what 1.2.0 might do to us, the explicit avoidance seems safer, no? There are docs to that effect for 1.1.0. https://www.openssl.org/docs/man1.1.0/crypto/EC_GROUP_free.html

Re: SSL_CTX_set_ecdh_auto noop OpenSSL 1.1.0?

2017-02-16 Thread William A Rowe Jr
On Thu, Feb 16, 2017 at 4:39 PM, Yann Ylavic wrote: > On Thu, Feb 16, 2017 at 11:33 PM, Yann Ylavic wrote: >> On Thu, Feb 16, 2017 at 10:52 PM, William A Rowe Jr >> wrote: >>> I'm not clear that this was a good usage of the

Re: svn commit: r1783305 - /httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

2017-02-16 Thread William A Rowe Jr
On Thu, Feb 16, 2017 at 4:45 PM, Yann Ylavic wrote: > On Thu, Feb 16, 2017 at 10:26 PM, wrote: >> Author: wrowe >> Date: Thu Feb 16 21:26:34 2017 >> New Revision: 1783305 >> >> URL: http://svn.apache.org/viewvc?rev=1783305=rev >> Log: >> Fix OpenSSL 1.1.0

Re: svn commit: r1783317 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

2017-02-16 Thread William A Rowe Jr
On Thu, Feb 16, 2017 at 4:48 PM, Yann Ylavic wrote: > On Thu, Feb 16, 2017 at 11:27 PM, wrote: >> Author: wrowe >> Date: Thu Feb 16 22:27:24 2017 >> New Revision: 1783317 >> >> URL: http://svn.apache.org/viewvc?rev=1783317=rev >> Log: >> Avoid unnecessary

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 10:51 PM, Jacob Champion wrote: > On 02/16/2017 02:49 AM, Yann Ylavic wrote: >> >> +#define FILE_BUCKET_BUFF_SIZE (64 * 1024 - 64) /* > APR_BUCKET_BUFF_SIZE >> */ > > > So, I had already hacked my O_DIRECT bucket case to just be a copy of APR's > file

Re: svn commit: r1783317 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 11:27 PM, wrote: > Author: wrowe > Date: Thu Feb 16 22:27:24 2017 > New Revision: 1783317 > > URL: http://svn.apache.org/viewvc?rev=1783317=rev > Log: > Avoid unnecessary code (the deprecation macro wrapper itself emits unused args > warnings) in OpenSSL

Re: svn commit: r1783305 - /httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 10:26 PM, wrote: > Author: wrowe > Date: Thu Feb 16 21:26:34 2017 > New Revision: 1783305 > > URL: http://svn.apache.org/viewvc?rev=1783305=rev > Log: > Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone. Shouldn't this commit (and

Re: SSL_CTX_set_ecdh_auto noop OpenSSL 1.1.0?

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 11:33 PM, Yann Ylavic wrote: > On Thu, Feb 16, 2017 at 10:52 PM, William A Rowe Jr > wrote: >> I'm not clear that this was a good usage of the current API... >> >> In file included from httpd-2.x/modules/ssl/ssl_private.h:90:0,

Re: SSL_CTX_set_ecdh_auto noop OpenSSL 1.1.0?

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 10:52 PM, William A Rowe Jr wrote: > I'm not clear that this was a good usage of the current API... > > In file included from httpd-2.x/modules/ssl/ssl_private.h:90:0, > from httpd-2.x/modules/ssl/ssl_engine_init.c:29: >

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
Funny you mention it. Nginx had it first anyways, and was (perhaps still is) using the deprecated API that dies with libbrotli rev 1.0.0 - part of that delay might have been affording nginx a chance to adapt. Versioning their installed library should allow both to be installed at once. So...

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
On Mon, Jan 16, 2017 at 2:28 PM, Evgeny Kotkov wrote: > > There is, however, a potential problem with backporting mod_brotli, since > it relies on the Brotli library 1.0.0, which has not yet been released. > In other words, if the upstream changes the API or the

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
On Thu, Feb 16, 2017 at 2:27 PM, Evgeny Kotkov wrote: > William A Rowe Jr writes: > >> My open questions; has this been entirely reviewed in conjunction with h2? >> Will A-E: br,gzip,deflate axe all others from that list when deciding to >>

Re: SSL_CTX_set_ecdh_auto noop OpenSSL 1.1.0?

2017-02-16 Thread Jacob Champion
On 02/16/2017 01:52 PM, William A Rowe Jr wrote: This looks like a no-op now in OpenSSL 1.1.0. https://github.com/openssl/openssl/issues/1437 seems to explain it. --Jacob

SSL_CTX_set_ecdh_auto noop OpenSSL 1.1.0?

2017-02-16 Thread William A Rowe Jr
I'm not clear that this was a good usage of the current API... In file included from httpd-2.x/modules/ssl/ssl_private.h:90:0, from httpd-2.x/modules/ssl/ssl_engine_init.c:29: httpd-2.x/modules/ssl/ssl_engine_init.c: In function ‘ssl_init_server_certs’:

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Jacob Champion
On 02/16/2017 02:49 AM, Yann Ylavic wrote: +#define FILE_BUCKET_BUFF_SIZE (64 * 1024 - 64) /* > APR_BUCKET_BUFF_SIZE */ So, I had already hacked my O_DIRECT bucket case to just be a copy of APR's file bucket, minus the mmap() logic. I tried making this change on top of it... ...and holy

Re: FYI brotli

2017-02-16 Thread Evgeny Kotkov
William A Rowe Jr writes: > My open questions; has this been entirely reviewed in conjunction with h2? > Will A-E: br,gzip,deflate axe all others from that list when deciding to > enable brotli? (I presume not-yet.) Will gzip filter work where A-E: gzip was > given without

Re: FYI brotli

2017-02-16 Thread Jim Jagielski
Whatever... nginx will have it 1st anyway. And once again we fail our users by having a nickel holding up a dollar. > On Feb 16, 2017, at 2:48 PM, William A Rowe Jr wrote: > > On Thu, Feb 16, 2017 at 12:47 PM, Jim Jagielski wrote: >> >>> On Feb 16, 2017,

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
On Thu, Feb 16, 2017 at 12:47 PM, Jim Jagielski wrote: > >> On Feb 16, 2017, at 1:15 PM, William A Rowe Jr wrote: >> >> >> I concur with Evgeny Kotkov that an ABI stable dependency is appropriate >> before adding this to httpd 2.4.x - so far as I've read

Re: release v1.9.0

2017-02-16 Thread Eric Covener
On Thu, Feb 16, 2017 at 2:16 PM, Stefan Eissing wrote: > I will sleep soundly then. Thanks a lot! :) Thanks to both of you for your persistence! -- Eric Covener cove...@gmail.com

Re: release v1.9.0

2017-02-16 Thread Stefan Eissing
> On 16.02.2017 at 19:51, Stefan Priebe - Profihost AG > wrote: > > Hi, > > On 16.02.2017 at 11:39, Stefan Eissing wrote: >> >>> On 15.02.2017 at 20:53, Stefan Priebe - Profihost AG >>> wrote: >>> >>> Hi, >>> >>> still no segfaults. >> >>

Re: release v1.9.0

2017-02-16 Thread Stefan Priebe - Profihost AG
Hi, On 16.02.2017 at 11:39, Stefan Eissing wrote: > >> On 15.02.2017 at 20:53, Stefan Priebe - Profihost AG >> wrote: >> >> Hi, >> >> still no segfaults. > > My heart sings with joy. Can you keep on sending that message every morning? > thanks! I've no time tomorrow

Re: FYI brotli

2017-02-16 Thread Jim Jagielski
> On Feb 16, 2017, at 1:15 PM, William A Rowe Jr wrote: > > > I concur with Evgeny Kotkov that an ABI stable dependency is appropriate > before adding this to httpd 2.4.x - so far as I've read none have suggested > this as an experimental addition to 2.4. > I do. We

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Jacob Champion
On 02/16/2017 02:48 AM, Niklas Edmundsson wrote: While I applaud the efforts to get https to behave performance-wise I would hate for http to be left out of being able to do top-notch on latest networking :-) My intent in focusing there was to discover why disabling mmap() seemed to be

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
To close up some loose ends/confusion; On Mon, Jan 16, 2017 at 6:42 PM, Jacob Champion wrote: > On 01/16/2017 04:06 PM, William A Rowe Jr wrote: >> >> Before we push this at users.. is there a concern that brotli >> compression has similar dictionary or simply size based

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Jacob Champion
On 02/16/2017 03:41 AM, Yann Ylavic wrote: I can't reproduce it anymore, somehow I failed with my restarts between EnableMMap on=>off. Sorry for the noise... This is suspiciously similar to what I've been fighting the last three days. It's still entirely possible that you and I both messed up

Topic for discussion... 2.4.26

2017-02-16 Thread Jim Jagielski
Would be nice, I think, to start discussion on a T of 2.4.26 and to open the doors to who wants to RM. Note, that if *nobody* offers to RM, I will... and no matter what, I offer to help whoever wishes to RM.

Re: svn commit: r1782875 [1/3] - in /httpd/httpd/trunk: ./ modules/http2/

2017-02-16 Thread Jim Jagielski
> On Feb 15, 2017, at 7:07 AM, Yann Ylavic wrote: > > On Mon, Feb 13, 2017 at 10:00 PM, wrote: >> Author: icing >> Date: Mon Feb 13 21:00:30 2017 >> New Revision: 1782875 >> >> URL: http://svn.apache.org/viewvc?rev=1782875=rev >> Log: >> On the trunk:

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 11:41 AM, Plüm, Rüdiger, Vodafone Group wrote: > >> -Original Message- >> From: Yann Ylavic [mailto:ylavic@gmail.com] >> Sent: Thursday, 16 February 2017 11:35 >> To: httpd-dev >> Subject: Re:

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 11:48 AM, Niklas Edmundsson wrote: > On Thu, 16 Feb 2017, Yann Ylavic wrote: > >> Here are some SSL/core_write outputs (sizes) for me, with 2.4.x. >> This is with a GET for a 2MB file, on localhost... >> >> Please note that "EnableMMap on" avoids

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 11:48 AM, Niklas Edmundsson wrote: > On Thu, 16 Feb 2017, Yann Ylavic wrote: > >> Here are some SSL/core_write outputs (sizes) for me, with 2.4.x. >> This is with a GET for a 2MB file, on localhost... >> >> Please note that "EnableMMap on" avoids

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 11:01 AM, Yann Ylavic wrote: > On Thu, Feb 16, 2017 at 10:49 AM, Yann Ylavic wrote: >> >> - http + !EnableMMap + !EnableSendfile => 125KB writes > > This is due to MAX_IOVEC_TO_WRITE being 16 in > send_brigade_nonblocking(),

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Niklas Edmundsson
On Thu, 16 Feb 2017, Yann Ylavic wrote: Here are some SSL/core_write outputs (sizes) for me, with 2.4.x. This is with a GET for a 2MB file, on localhost... Please note that "EnableMMap on" avoids EnableSendfile (i.e. "EnableMMap on" => "EnableSendfile off"), which is relevant only in the http

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Plüm, Rüdiger, Vodafone Group
> -Original Message- > From: Yann Ylavic [mailto:ylavic@gmail.com] > Sent: Thursday, 16 February 2017 11:35 > To: httpd-dev > Subject: Re: httpd 2.4.25, mpm_event, ssl: segfaults > > On Thu, Feb 16, 2017 at 11:20 AM, Plüm, Rüdiger, Vodafone Group >

Re: release v1.9.0

2017-02-16 Thread Stefan Eissing
> On 15.02.2017 at 20:53, Stefan Priebe - Profihost AG > wrote: > > Hi, > > still no segfaults. My heart sings with joy. Can you keep on sending that message every morning? thanks! > > @Yann > Are those patches (the addon on top of v7) and the one on top of mod_ssl

Re: mod_proxy_http2 sni ?

2017-02-16 Thread Stefan Eissing
Is this the same as https://github.com/icing/mod_h2/issues/124 ? It seems that the ProxyPreserveHost is not (correctly) implemented. > On 16.02.2017 at 10:42, Steffen wrote: > > > Have an Apache ssl only in front of an Apache on port 80 with several vhosts. > > In

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 11:20 AM, Plüm, Rüdiger, Vodafone Group wrote: >> >> Please note that "EnableMMap on" avoids EnableSendfile (i.e. >> "EnableMMap on" => "EnableSendfile off") > > Just for clarification: If you placed EnableMMap on in your test > configuration

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Plüm, Rüdiger, Vodafone Group
> -Original Message- > From: Yann Ylavic [mailto:ylavic@gmail.com] > Sent: Thursday, 16 February 2017 10:49 > To: httpd-dev > Subject: Re: httpd 2.4.25, mpm_event, ssl: segfaults > > Here are some SSL/core_write outputs (sizes) for me, with 2.4.x.

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
On Thu, Feb 16, 2017 at 10:49 AM, Yann Ylavic wrote: > > - http + !EnableMMap + !EnableSendfile => 125KB writes This is due to MAX_IOVEC_TO_WRITE being 16 in send_brigade_nonblocking(), 125KB is 16 * 8000B. So playing with MAX_IOVEC_TO_WRITE might also be worth a try for

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Yann Ylavic
Here are some SSL/core_write outputs (sizes) for me, with 2.4.x. This is with a GET for a 2MB file, on localhost... Please note that "EnableMMap on" avoids EnableSendfile (i.e. "EnableMMap on" => "EnableSendfile off"), which is relevant only in the http (non-ssl) case anyway. Outputs (and the

mod_proxy_http2 sni ?

2017-02-16 Thread Steffen
Have an Apache ssl only in front of an Apache on port 80 with several vhosts. In front have: ProtocolsHonorOrder On Protocols h2 http/1.1 LoadModule http2_module modules/mod_http2.so ProxyPass / http://127.0.0.1:80/ ProxyPassReverse / http://127.0.0.1:80/ In backend have:

Re: httpd 2.4.25, mpm_event, ssl: segfaults

2017-02-16 Thread Stefan Eissing
Not at my comp, but the mod_http2 output has special handling for file buckets. Because apr_bucket_read returns a max of 8k and splits itself. It instead grabs the file and reads the size it needs, if memory serves me well. I assume when it's mmapped it does not make much of a difference. > Am