Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-10 Thread Stefan Eissing

> On 09.10.2015 at 19:40, Jim Jagielski wrote:
> 
> The pre-release test tarballs for Apache httpd 2.4.17 can be found
> at the usual place:
> 
>   http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA.
> 
> [ ] +1: Good to go

Apart from the sslvar lookup failures reported in a separate mail

Tested:
* OSX 10.11 / Xcode 7.0.1, x64
  - event, worker, prefork: http2
* Ubuntu 14.04.1, x64
  - event, worker, prefork: http2


Re: A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c

2015-10-10 Thread Stefan Eissing
Ok, will add that. This is only in trunk. 2.4.x should compile for you.

> On 10.10.2015 at 13:31, NormW wrote:
> 
> H,
>> CC   h2_worker.c
>> CC   h2_workers.c
>> CC   mod_http2.c
>> GEN  obj_release/mod_http2_link.opt
>> LINK obj_release/mod_http2.nlm
>> ### mwldnlm Linker Error:
>> #   Undefined symbol: APR_BUCKET_IS_MMAP in
>> #   h2_util.o
> 
> In apr-util\include\apr_buckets.h:
>> #if APR_HAS_MMAP
>> /**
>> * Determine if a bucket is a MMAP bucket
>> * @param e The bucket to inspect
>> * @return true or false
>> */
>> #define APR_BUCKET_IS_MMAP(e) ((e)->type == &apr_bucket_type_mmap)
>> #endif
> 
> :-( MMAP is (sadly) not a feature of NetWare. If the http2 experts assert the 
> entire http2 module is a dud without MMAP support, I am not in a position or 
> mind to oppose dropping NetWare 'support' for http2 entirely.
> 
> Alternatively, something like this in h2_util.c MAY be good enough :
>>}
>> ++ #if APR_HAS_MMAP
>>else if (APR_BUCKET_IS_MMAP(b)) {
>>btype = "mmap";
>>}
>> ++ #endif
> 
> Norm



this expected?

2015-10-10 Thread Stefan Eissing
Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl 
1.0.2d):

t/ssl/varlookup.t ... 1/81 # Failed test 55 in 
t/ssl/varlookup.t at line 105 fail #55
# Failed test 56 in t/ssl/varlookup.t at line 105 fail #56
# Failed test 57 in t/ssl/varlookup.t at line 105 fail #57
# Failed test 58 in t/ssl/varlookup.t at line 105 fail #58
# Failed test 75 in t/ssl/varlookup.t at line 105 fail #75
# Failed test 76 in t/ssl/varlookup.t at line 105 fail #76
t/ssl/varlookup.t ... Failed 6/81 subtests 
t/ssl/verify.t .. ok   




Re: No luck with `Protocols h2`

2015-10-10 Thread Jacob Champion

On 10/10/2015 12:20 AM, Stefan Eissing wrote:

> In the meantime, I have prepped a howto h2 to point people to in order to 
> give/collect some advice. http://icing.github.io/mod_h2/howto.html
> 
> That will, once stable, become part of the official docs.


Great, thanks! That is very helpful. One bit of feedback: in the Firefox 
section you say that


> Among the response headers, you see this strange X-Firefox-Spdy entry
> listing "h2". That is the indication that HTTP/2 is used on this
> https: connection.

Another (possibly more future-proof?) indicator in that Network Headers 
panel is the "Version: HTTP/2.0" field that is underneath the Status 
Code and above the search bar.



> On 10.10.2015 at 02:24, Jacob Champion wrote:
> 
>> (Haven't figured out the nghttp failure yet though.) Thanks Gregg!


For those following at home, and to save anyone else the trouble... 
nghttp still wasn't working, so I


- built Wireshark trunk to get HTTP/2 dissection for the stream, but I 
still couldn't decrypt the ephemeral ciphers, so I
- installed an LD_PRELOAD shim to get the pre-master secret keys only to 
find that the encrypted alerts were simply disconnection notices, then 
noticed that
- NPN was being sent in the Client Hello instead of ALPN, which is 
probably because
- my nghttp is using my system OpenSSL (1.0.1) instead of my latest 
compile (1.0.2).


The bleeding edge is fun. :)

In any case, I've now got an httpbin instance running in mod_passenger 
over HTTP/2, which is very cool. I was originally hoping to help with 
the vote, but now that I've discovered my binaries are mismatched, I 
wouldn't trust my test results anyway. Maybe next time.


Good luck with the release!
--Jacob


Re: A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c

2015-10-10 Thread NormW

On 11/10/2015 4:45 AM, Stefan Eissing wrote:

Ok, will add that. This is only in trunk. 2.4.x should compile for you.

Correct.
Norm.



On 10.10.2015 at 13:31, NormW wrote:

H,

CC   h2_worker.c
CC   h2_workers.c
CC   mod_http2.c
GEN  obj_release/mod_http2_link.opt
LINK obj_release/mod_http2.nlm
### mwldnlm Linker Error:
#   Undefined symbol: APR_BUCKET_IS_MMAP in
#   h2_util.o


In apr-util\include\apr_buckets.h:

#if APR_HAS_MMAP
/**
* Determine if a bucket is a MMAP bucket
* @param e The bucket to inspect
* @return true or false
*/
#define APR_BUCKET_IS_MMAP(e) ((e)->type == &apr_bucket_type_mmap)
#endif


:-( MMAP is (sadly) not a feature of NetWare. If the http2 experts assert the 
entire http2 module is a dud without MMAP support, I am not in a position or 
mind to oppose dropping NetWare 'support' for http2 entirely.

Alternatively, something like this in h2_util.c MAY be good enough :

}
++ #if APR_HAS_MMAP
else if (APR_BUCKET_IS_MMAP(b)) {
btype = "mmap";
}
++ #endif


Norm






Re: this expected?

2015-10-10 Thread Kaspar Brand
On 10.10.2015 20:14, Stefan Eissing wrote:
> Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl 
> 1.0.2d):
> 
> t/ssl/varlookup.t ... 1/81 # Failed test 55 in 
> t/ssl/varlookup.t at line 105 fail #55
> # Failed test 56 in t/ssl/varlookup.t at line 105 fail #56
> # Failed test 57 in t/ssl/varlookup.t at line 105 fail #57
> # Failed test 58 in t/ssl/varlookup.t at line 105 fail #58
> # Failed test 75 in t/ssl/varlookup.t at line 105 fail #75
> # Failed test 76 in t/ssl/varlookup.t at line 105 fail #76
> t/ssl/varlookup.t ... Failed 6/81 subtests 

Can you quickly confirm that t/conf/ssl/ca/asf/certs/client_ok.crt (or
any other cert in this directory) is older than
Apache-Test/lib/Apache/TestSSLCA.pm in that test framework installation?
If so, the above failures are a consequence of r1705534 and r1705535,
and TEST -clean should help in getting a fresh collection of certs (if
it doesn't remove the t/conf/ssl/ca directory, it can just be rm'ed
manually).

Kaspar


Re: this expected?

2015-10-10 Thread Rainer Jung

On 10.10.2015 at 20:14, Stefan Eissing wrote:

> Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl 
> 1.0.2d):
> 
> t/ssl/varlookup.t ... 1/81 # Failed test 55 in 
> t/ssl/varlookup.t at line 105 fail #55
> # Failed test 56 in t/ssl/varlookup.t at line 105 fail #56
> # Failed test 57 in t/ssl/varlookup.t at line 105 fail #57
> # Failed test 58 in t/ssl/varlookup.t at line 105 fail #58
> # Failed test 75 in t/ssl/varlookup.t at line 105 fail #75
> # Failed test 76 in t/ssl/varlookup.t at line 105 fail #76
> t/ssl/varlookup.t ... Failed 6/81 subtests
> t/ssl/verify.t .. ok


Not really. What output do you get for

t/TEST -v t/ssl/varlookup.t

I get:

...
# testing : SSL_CLIENT_SAN_Email_0
# expected: 'test-...@httpd.apache.org'
# received: 'test-...@httpd.apache.org'
ok 55
# testing : SSL_SERVER_SAN_DNS_0
# expected: 'localhost'
# received: 'localhost'
ok 56
# testing : SSL_CLIENT_SAN_OTHER_msUPN_0
# expected: 'test-...@httpd.apache.org'
# received: 'test-...@httpd.apache.org'
ok 57
# testing : SSL_SERVER_SAN_OTHER_dnsSRV_0
# expected: '_https.localhost'
# received: '_https.localhost'
ok 58
...
# testing : SSL_CLIENT_A_SIG
# expected: 'sha256WithRSAEncryption'
# received: 'sha256WithRSAEncryption'
ok 75
# testing : SSL_SERVER_A_SIG
# expected: 'sha256WithRSAEncryption'
# received: 'sha256WithRSAEncryption'
ok 76

I'm using OpenSSL 1.0.2 in client and server.

Regards,

Rainer


Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-10 Thread Noel Butler

On 10/10/2015 03:40, Jim Jagielski wrote:

The pre-release test tarballs for Apache httpd 2.4.17 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA.

[X] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience.




built with mysql, apr-1.5.2 and apr-util 1.5.4
all good   slackware 13.1/13.37/14.0/14.1


Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-10 Thread Kaspar Brand
On 09.10.2015 19:40, Jim Jagielski wrote:
> The pre-release test tarballs for Apache httpd 2.4.17 can be found
> at the usual place:
> 
>   http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA.
> 
> [X] +1: Good to go

Tested with mod_ssl compiled against OpenSSL 0.9.8/1.0.0/1.0.1/1.0.2.

Kaspar


in case someone is bored

2015-10-10 Thread Stefan Eissing
https://github.com/google/ngx_brotli

Support is in Chrome and Firefox.

//Stefan


Re: No luck with `Protocols h2`

2015-10-10 Thread Stefan Eissing
Glad that Gregg pointed you the right way. 

Yes, I'll add that to the todos. There should be a better spec compliance check 
configurable in the server that gives at least logs for clients that do not 
comply and are turned down. 

In the meantime, I have prepped a howto h2 to point people to in order to 
give/collect some advice. http://icing.github.io/mod_h2/howto.html

That will, once stable, become part of the official docs.

> On 10.10.2015 at 02:24, Jacob Champion wrote:
> 
>> On 10/09/2015 05:11 PM, Gregg Smith wrote:
>> I have no real recommendation for you but the RFC states all
>> implementations must support
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent
>> ECDHE-RSA-AES128-GCM-SHA256.
>> So it's a starting point.
> 
> Perfect! After pulling it up front with
> 
>    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4
> 
> all appears to be working with Firefox. (Haven't figured out the nghttp 
> failure yet though.) Thanks Gregg!
> 
> So, there's some feedback for the module then: that's a really strange 
> failure mode. It would be nice if something in the logs reflected the bad 
> cipher in use, and/or the documentation pointed this interaction out. (Or 
> maybe it already does and I just overlooked it?)
> 
> --Jacob
> 
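
The cipher interaction discussed in this thread, as an added example that is not part of the original messages and not mod_http2 code: it shows why moving ECDHE-RSA-AES128-GCM-SHA256 to the front changes the outcome, and what a log line naming the bad cipher could report. Assumptions: the server enforces its own cipher order, the "before" list and the client offer are constructed, all function names are hypothetical, and the name-based check is a heuristic for RFC 7540 Appendix A (suites without ephemeral key exchange or without an AEAD cipher are blacklisted).

```python
# Added illustration; hypothetical names, constructed sample data.
EPHEMERAL_KX = ("ECDHE-", "DHE-")          # OpenSSL name prefixes
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")  # AEAD modes in OpenSSL names

def h2_acceptable(openssl_name):
    """Heuristic on OpenSSL TLS 1.2 suite names: acceptable for HTTP/2
    only with ephemeral key exchange AND an AEAD cipher."""
    return (openssl_name.startswith(EPHEMERAL_KX)
            and any(m in openssl_name for m in AEAD_MARKERS))

def negotiate(server_pref, client_offer):
    """First server-preferred suite the client also offers, or None.
    Assumes the server's order wins over the client's."""
    offered = set(client_offer)
    for suite in server_pref:
        if suite in offered:
            return suite
    return None

def audit(server_pref, client_offer):
    """Return (suite, verdict), the facts a server log could record."""
    suite = negotiate(server_pref, client_offer)
    if suite is None:
        return None, "no shared cipher"
    if h2_acceptable(suite):
        return suite, "ok for h2"
    return suite, "blacklisted for h2: client may refuse (INADEQUATE_SECURITY)"

# Constructed client offer and server orderings (not taken from the thread).
CLIENT_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
                "AES128-SHA"]
# A strength-sorted list can put a 256-bit CBC suite ahead of 128-bit GCM.
SERVER_BEFORE = ["ECDHE-RSA-AES256-SHA", "AES256-SHA",
                 "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
# After pulling the suite named in the thread to the front.
SERVER_AFTER = ["ECDHE-RSA-AES128-GCM-SHA256"] + [
    s for s in SERVER_BEFORE if s != "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    for label, pref in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        print(label, audit(pref, CLIENT_OFFER))
```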


Re: [VOTE] Release Apache httpd 2.4.17 as GA

2015-10-10 Thread Stefan Eissing
Will check the release later today. The nit in the doc should not hold us back.

> On 10.10.2015 at 00:02, Gregg Smith wrote:
> 
>> On 10/9/2015 10:40 AM, Jim Jagielski wrote:
>> The pre-release test tarballs for Apache httpd 2.4.17 can be found
>> at the usual place:
>> 
>>    http://httpd.apache.org/dev/dist/
>> 
>> I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA.
> Not a vote, I haven't gotten that far yet. It's been pointed out to me that 
> on our potential first release of the new module that the docs for it are 
> wrong : (  I suppose this happens when something is renamed at a relatively 
> last minute.
> 
> The docs still state the module identifier as  h2_module which of course it's 
> http2_module.
> 


A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c

2015-10-10 Thread NormW

H,

CC   h2_worker.c
CC   h2_workers.c
CC   mod_http2.c
GEN  obj_release/mod_http2_link.opt
LINK obj_release/mod_http2.nlm
### mwldnlm Linker Error:
#   Undefined symbol: APR_BUCKET_IS_MMAP in
#   h2_util.o


In apr-util\include\apr_buckets.h:

#if APR_HAS_MMAP
/**
 * Determine if a bucket is a MMAP bucket
 * @param e The bucket to inspect
 * @return true or false
 */
#define APR_BUCKET_IS_MMAP(e) ((e)->type == &apr_bucket_type_mmap)
#endif


:-( MMAP is (sadly) not a feature of NetWare. If the http2 experts 
assert the entire http2 module is a dud without MMAP support, I am not 
in a position or mind to oppose dropping NetWare 'support' for http2 
entirely.


Alternatively, something like this in h2_util.c MAY be good enough :

}
++ #if APR_HAS_MMAP
else if (APR_BUCKET_IS_MMAP(b)) {
btype = "mmap";
}
++ #endif
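
Review bot: the `#if APR_HAS_MMAP` guard around the `else if (APR_BUCKET_IS_MMAP(b))` branch uses the same condition under which apr_buckets.h defines the macro, so it is the right test, but the snippet covers only this one branch; any other use of the macro in h2_util.c needs the same guard. The failure surfaced as an undefined symbol at link time, after h2_util.c had already compiled, which suggests the compiler accepted the undefined macro as an implicitly declared function; treating implicit declarations as errors in this build would catch the next such case at compile time. The `++` markers are not diff syntax, so this should be turned into a real unified diff against trunk before it is applied.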


Norm