Re: [VOTE] Release Apache httpd 2.4.17 as GA
> Am 09.10.2015 um 19:40 schrieb Jim Jagielski: > > The pre-release test tarballs for Apache httpd 2.4.17 can be found > at the usual place: > > http://httpd.apache.org/dev/dist/ > > I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. > > [ ] +1: Good to go Apart from the sslvar lookup failures reported in a separate mail Tested: * OSX 10.11 / Xcode 7.0.1, x64 - event, worker, prefork: http2 * Ubuntu 14.04.1, x64 - event, worker, prefork: http2
Re: A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c
Ok, will add that. This is only in trunk. 2.4.x should compile for you. > Am 10.10.2015 um 13:31 schrieb NormW: > > H, >> CC h2_worker.c >> CC h2_workers.c >> CC mod_http2.c >> GEN obj_release/mod_http2_link.opt >> LINK obj_release/mod_http2.nlm >> ### mwldnlm Linker Error: >> # Undefined symbol: APR_BUCKET_IS_MMAP in >> # h2_util.o > > In apr-util\include\apr_buckets.h: >> #if APR_HAS_MMAP >> /** >> * Determine if a bucket is a MMAP bucket >> * @param e The bucket to inspect >> * @return true or false >> */ >> #define APR_BUCKET_IS_MMAP(e)((e)->type == _bucket_type_mmap) >> #endif > > :-( MMAP is (sadly) not a feature of NetWare. If the http2 experts assert the > entire http2 module is a dud without MMAP support, I am not in a position or > mind to oppose dropping NetWare 'support' for http2 entirely. > > Alternatively, something like this in h2_util.c MAY be good enough : >>} >> ++ #if APR_HAS_MMAP >>else if (APR_BUCKET_IS_MMAP(b)) { >>btype = "mmap"; >>} >> ++ #endif > > Norm
this expected?
Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl 1.0.2d): t/ssl/varlookup.t ... 1/81 # Failed test 55 in t/ssl/varlookup.t at line 105 fail #55 # Failed test 56 in t/ssl/varlookup.t at line 105 fail #56 # Failed test 57 in t/ssl/varlookup.t at line 105 fail #57 # Failed test 58 in t/ssl/varlookup.t at line 105 fail #58 # Failed test 75 in t/ssl/varlookup.t at line 105 fail #75 # Failed test 76 in t/ssl/varlookup.t at line 105 fail #76 t/ssl/varlookup.t ... Failed 6/81 subtests t/ssl/verify.t .. ok
Re: No luck with `Protocols h2`
On 10/10/2015 12:20 AM, Stefan Eissing wrote: In the meantime, I have prepped a howto h2 to point people to in order to give/collect some advice. http://icing.github.io/mod_h2/howto.html That will, once stable become part of the official docs. Great, thanks! That is very helpful. One bit of feedback: in the Firefox section you say that > Among the response headers, you see this strange X-Firefox-Spdy entry > listing "h2". That is the indication that HTTP/2 is used on this > https: connection. Another (possibly more future-proof?) indicator in that Network Headers panel is the "Version: HTTP/2.0" field that is underneath the Status Code and above the search bar. Am 10.10.2015 um 02:24 schrieb Jacob Champion: (Haven't figured out the nghttp failure yet though.) Thanks Gregg! For those following at home, and to save anyone else the trouble... nghttp still wasn't working, so I - built Wireshark trunk to get HTTP/2 dissection for the stream, but I still couldn't decrypt the ephemeral ciphers, so I - installed an LD_PRELOAD shim to get the pre-master secret keys only to find that the encrypted alerts were simply disconnection notices, then noticed that - NPN was being sent in the Client Hello instead of ALPN, which is probably because - my nghttp is using my system OpenSSL (1.0.1) instead of my latest compile (1.0.2). The bleeding edge is fun. :) In any case, I've now got an httpbin instance running in mod_passenger over HTTP/2, which is very cool. I was originally hoping to help with the vote, but now that I've discovered my binaries are mismatched, I wouldn't trust my test results anyway. Maybe next time. Good luck with the release! --Jacob
Re: A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c
On 11/10/2015 4:45 AM, Stefan Eissing wrote: Ok, will add that. This is only in trunk. 2.4.x should compile for you. Correct. Norm. Am 10.10.2015 um 13:31 schrieb NormW: H, CC h2_worker.c CC h2_workers.c CC mod_http2.c GEN obj_release/mod_http2_link.opt LINK obj_release/mod_http2.nlm ### mwldnlm Linker Error: # Undefined symbol: APR_BUCKET_IS_MMAP in # h2_util.o In apr-util\include\apr_buckets.h: #if APR_HAS_MMAP /** * Determine if a bucket is a MMAP bucket * @param e The bucket to inspect * @return true or false */ #define APR_BUCKET_IS_MMAP(e)((e)->type == _bucket_type_mmap) #endif :-( MMAP is (sadly) not a feature of NetWare. If the http2 experts assert the entire http2 module is a dud without MMAP support, I am not in a position or mind to oppose dropping NetWare 'support' for http2 entirely. Alternatively, something like this in h2_util.c MAY be good enough : } ++ #if APR_HAS_MMAP else if (APR_BUCKET_IS_MMAP(b)) { btype = "mmap"; } ++ #endif Norm
Re: this expected?
On 10.10.2015 20:14, Stefan Eissing wrote: > Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl > 1.0.2d): > > t/ssl/varlookup.t ... 1/81 # Failed test 55 in > t/ssl/varlookup.t at line 105 fail #55 > # Failed test 56 in t/ssl/varlookup.t at line 105 fail #56 > # Failed test 57 in t/ssl/varlookup.t at line 105 fail #57 > # Failed test 58 in t/ssl/varlookup.t at line 105 fail #58 > # Failed test 75 in t/ssl/varlookup.t at line 105 fail #75 > # Failed test 76 in t/ssl/varlookup.t at line 105 fail #76 > t/ssl/varlookup.t ... Failed 6/81 subtests Can you quickly confirm that t/conf/ssl/ca/asf/certs/client_ok.crt (or any other cert in this directory) is older than Apache-Test/lib/Apache/TestSSLCA.pm in that test framework installation? If so, the above failures are a consequence of r1705534 and r1705535, and TEST -clean should help in getting a fresh collection of certs (if it doesn't remove the t/conf/ssl/ca directory, it can just be rm'ed manually). Kaspar
Re: this expected?
Am 10.10.2015 um 20:14 schrieb Stefan Eissing: Testing 2.4.17 release tar ball on OS X 10.11 (event/worker/prefork, openssl 1.0.2d): t/ssl/varlookup.t ... 1/81 # Failed test 55 in t/ssl/varlookup.t at line 105 fail #55 # Failed test 56 in t/ssl/varlookup.t at line 105 fail #56 # Failed test 57 in t/ssl/varlookup.t at line 105 fail #57 # Failed test 58 in t/ssl/varlookup.t at line 105 fail #58 # Failed test 75 in t/ssl/varlookup.t at line 105 fail #75 # Failed test 76 in t/ssl/varlookup.t at line 105 fail #76 t/ssl/varlookup.t ... Failed 6/81 subtests t/ssl/verify.t .. ok Not really. What output do you get for t/TEST -v t/ssl/varlookup.t I get: ... # testing : SSL_CLIENT_SAN_Email_0 # expected: 'test-...@httpd.apache.org' # received: 'test-...@httpd.apache.org' ok 55 # testing : SSL_SERVER_SAN_DNS_0 # expected: 'localhost' # received: 'localhost' ok 56 # testing : SSL_CLIENT_SAN_OTHER_msUPN_0 # expected: 'test-...@httpd.apache.org' # received: 'test-...@httpd.apache.org' ok 57 # testing : SSL_SERVER_SAN_OTHER_dnsSRV_0 # expected: '_https.localhost' # received: '_https.localhost' ok 58 ... # testing : SSL_CLIENT_A_SIG # expected: 'sha256WithRSAEncryption' # received: 'sha256WithRSAEncryption' ok 75 # testing : SSL_SERVER_A_SIG # expected: 'sha256WithRSAEncryption' # received: 'sha256WithRSAEncryption' ok 76 I'm using OpenSSL 1.0.2 in client and server. Regards, Rainer
Re: [VOTE] Release Apache httpd 2.4.17 as GA
On 10/10/2015 03:40, Jim Jagielski wrote: The pre-release test tarballs for Apache httpd 2.4.17 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. [X] +1: Good to go [ ] +0: meh [ ] -1: Danger Will Robinson. And why. Vote will last the normal 72 hrs. NOTE: The *-deps are only there for convenience. built with mysql, apr-1.5.2 and apr-util 1.5.4 all good slackware 13.1/13.37/14.0/14.1
Re: [VOTE] Release Apache httpd 2.4.17 as GA
On 09.10.2015 19:40, Jim Jagielski wrote: > The pre-release test tarballs for Apache httpd 2.4.17 can be found > at the usual place: > > http://httpd.apache.org/dev/dist/ > > I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. > > [X] +1: Good to go Tested with mod_ssl compiled against OpenSSL 0.9.8/1.0.0/1.0.1/1.0.2. Kaspar
in case someone is bored
https://github.com/google/ngx_brotli Support is in chrome and firefox. //Stefan
Re: No luck with `Protocols h2`
Glad that Gregg pointed you the right way. Yes, I'll add that to the todos. There should be a better spec compliance check configurable in the server that gives at least logs for clients that do not comply and are turned down. In the meantime, I have prepped a howto h2 to point people to in order to give/collect some advice. http://icing.github.io/mod_h2/howto.html That will, once stable become part of the official docs. > Am 10.10.2015 um 02:24 schrieb Jacob Champion: > >> On 10/09/2015 05:11 PM, Gregg Smith wrote: >> I have no real recommendation for you but the RFC states all >> implementations must support >> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent >> ECDHE-RSA-AES128-GCM-SHA256. >> So it's a starting point. > > Perfect! After pulling it up front with > >SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4 > > all appears to be working with Firefox. (Haven't figured out the nghttp > failure yet though.) Thanks Gregg! > > So, there's some feedback for the module then: that's a really strange > failure mode. It would be nice if something in the logs reflected the bad > cipher in use, and/or the documentation pointed this interaction out. (Or > maybe it already does and I just overlooked it?) > > --Jacob >
Re: [VOTE] Release Apache httpd 2.4.17 as GA
Will check the release later today. The nit in the doc should not hold us back. > Am 10.10.2015 um 00:02 schrieb Gregg Smith: > >> On 10/9/2015 10:40 AM, Jim Jagielski wrote: >> The pre-release test tarballs for Apache httpd 2.4.17 can be found >> at the usual place: >> >>http://httpd.apache.org/dev/dist/ >> >> I'm calling a VOTE on releasing these as Apache httpd 2.4.17 GA. > Not a vote, I haven't gotten that far yet. It's been pointed out to me that > on our potential first release of the new module that the docs for it are > wrong : ( I suppose this happens when something is renamed at a relatively > last minute. > > The docs still state the module identifier as h2_module which of course it's > http2_module. >
A small wrinkle in latest r1707735 update to httpd-trunk\modules\http2\h2_util.c
H, CC h2_worker.c CC h2_workers.c CC mod_http2.c GEN obj_release/mod_http2_link.opt LINK obj_release/mod_http2.nlm ### mwldnlm Linker Error: # Undefined symbol: APR_BUCKET_IS_MMAP in # h2_util.o In apr-util\include\apr_buckets.h: #if APR_HAS_MMAP /** * Determine if a bucket is a MMAP bucket * @param e The bucket to inspect * @return true or false */ #define APR_BUCKET_IS_MMAP(e)((e)->type == _bucket_type_mmap) #endif :-( MMAP is (sadly) not a feature of NetWare. If the http2 experts assert the entire http2 module is a dud without MMAP support, I am not in a position or mind to oppose dropping NetWare 'support' for http2 entirely. Alternatively, something like this in h2_util.c MAY be good enough : } ++ #if APR_HAS_MMAP else if (APR_BUCKET_IS_MMAP(b)) { btype = "mmap"; } ++ #endif Norm