Re: ssl renegotiate

2016-02-09 Thread Rainer Jung
Am 09.02.2016 um 19:20 schrieb Stefan Eissing: Ah, closer look revealed that the first test was a cipher renegotiation using HTTP/1.1. That no longer works, but the slave connection checks do. So, false alarm on that front. Will disable the renegotiation tests that fail for now until the

Re: balancer-manager docs

2016-02-09 Thread Luca Toscano
Hi Jim, 2016-02-09 21:25 GMT+01:00 Jim Jagielski : > The more I think of it, a HowTo guide, like the ones we have > for public_html, Authn, etc regarding reverse proxy > makes the most sense... > > > On Feb 9, 2016, at 12:55 PM, Tim Bannister > wrote: >

APLOGNO() in mod_rewrite

2016-02-09 Thread Yehuda Katz
I noticed today that errors about invalid flags on rewrite rules do not have APLOGNO() on them. cmd_rewriterule calls cmd_rewriterule_setflag and if a string is returned, prefixes "RewriteRule: " and returns that as an error. Should these have APLOGNO()? They are errors, but they don't use

Re: balancer-manager docs

2016-02-09 Thread Jim Jagielski
The more I think of it, a HowTo guide, like the ones we have for public_html, Authn, etc regarding reverse proxy makes the most sense... > On Feb 9, 2016, at 12:55 PM, Tim Bannister wrote: > > On 9 Feb 2016, at 16:02, Rainer Jung wrote: >> Am

Re: svn commit: r1726233 - in /httpd/httpd/trunk: docs/manual/mod/core.xml include/http_core.h server/core.c

2016-02-09 Thread Yann Ylavic
On Fri, Jan 22, 2016 at 4:30 PM, wrote: > Author: covener > Date: Fri Jan 22 15:30:19 2016 > New Revision: 1726233 > > URL: http://svn.apache.org/viewvc?rev=1726233=rev > Log: > from feedback, assume all parameters to SetHandler are expressions. > > Modified: >

Re: mod_proxy_http2

2016-02-09 Thread Stefan Eissing
> Am 09.02.2016 um 00:38 schrieb Gregg Smith : > >> On 2/8/2016 9:07 AM, Stefan Eissing wrote: >> PS. I did not update Windows Makefiles. I feel bad. > > Don't, I need to play catch-up anyway :) > > Should this be in modules/proxy like all the rest of the mod_proxy_* modules? >

Support for OpenSSL 1.1.0

2016-02-09 Thread Rainer Jung
I started adding support for OpenSSL 1.1.0 in trunk. As some might know, the OpenSSL API changes and especially many structures have been made opaque. I resolved all the stuff that could be done on a local/formal level, but some items remain, where I'm not sure how to proceed. I have marked

Re: Support for OpenSSL 1.1.0

2016-02-09 Thread Dr Stephen Henson
On 09/02/2016 14:36, Rainer Jung wrote: > Hi Steve, > > thanks a lot for your review and comments. More inline. > > Am 09.02.2016 um 13:34 schrieb Dr Stephen Henson: >> On 09/02/2016 10:20, Rainer Jung wrote: >>> >>> 3) ssl_engine_ocsp.c >>> >>> In modssl_verify_ocsp() the following code

Re: Support for OpenSSL 1.1.0

2016-02-09 Thread Rainer Jung
Hi Steve, thanks a lot for your review and comments. More inline. Am 09.02.2016 um 13:34 schrieb Dr Stephen Henson: On 09/02/2016 10:20, Rainer Jung wrote: 3) ssl_engine_ocsp.c In modssl_verify_ocsp() the following code accesses the struct member "valid", for which currently no accessor

Re: mod_proxy_http2

2016-02-09 Thread Yann Ylavic
On Mon, Feb 8, 2016 at 6:07 PM, Stefan Eissing wrote: > > One thing: the ssl_hostname that is used for SNI by the generic proxy utils > seems to get lost when the socket needs to reset and is then not available on > the next connect. That should affect

Re: mod_proxy_http2

2016-02-09 Thread Yann Ylavic
On Mon, Feb 8, 2016 at 6:07 PM, Stefan Eissing wrote: > FYI: I just checked in a very experimental mod_proxy_http2 that registers on > h2:// and h2c:// proxy URLs. I did this naming to have the module totally > separate from mod_proxy_http, not wanting to make a

Re: ABI report

2016-02-09 Thread Jeff Trawick
On Mon, Feb 8, 2016 at 12:57 PM, William A Rowe Jr wrote: > This is excellent, thanks for the effort! > > You should note that there was no binary compatibility between 2.2.x final > and 2.4.x. And there will be no binary compatibility between 2.next (3.0?) > and 2.4.x.

balancer-manager docs

2016-02-09 Thread Jim Jagielski
We currently have really really little info about the balancer- manager in our docs, just a short little blurb on how to enable it and a brief description of what it does [1]. I'd like to extend that, but does it make sense to add it to the mod_proxy_balancer module page, or have a separate page

Re: ABI report

2016-02-09 Thread Ponomarenko Andrey
Hello Bill, I'll try to add 2.2.x and 2.4.x branches to the compatibility table soon (the 2.2.x on top of all 2.2.* versions and 2.4.x on top of all 2.4.*). But it requires some time to improve the code base. Thank you. 08.02.2016, 21:20, "William A Rowe Jr":This is excellent, thanks for the

Re: Support for OpenSSL 1.1.0

2016-02-09 Thread Dr Stephen Henson
On 09/02/2016 10:20, Rainer Jung wrote: > > 3) ssl_engine_ocsp.c > > In modssl_verify_ocsp() the following code accesses the struct member "valid", > for which currently no accessor function exists in 1.1.0: > > 268 else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { > 269

Re: ABI report

2016-02-09 Thread Ponomarenko Andrey
09.02.2016, 15:02, "Jeff Trawick" :On Mon, Feb 8, 2016 at 12:57 PM, William A Rowe Jr wrote:This is excellent, thanks for the effort! You should note that there was no binary compatibility between 2.2.x finaland 2.4.x.  And there will be no binary

Re: balancer-manager docs

2016-02-09 Thread Rainer Jung
Am 09.02.2016 um 13:25 schrieb Jim Jagielski: We currently have really really little info about the balancer- manager in our docs, just a short little blurb on how to enable it and a brief description of what it does [1]. I'd like to extend that, but does it make sense to add it to the

Negative mod_proxy ping_timeout..

2016-02-09 Thread Yann Ylavic
.. is meant to do a simple TCP readability check on the connection, using ap_proxy_is_socket_connected(). This is trunk only AFAICT. However all our proxy modules handle this just after calling ap_proxy_connect_backend() which already calls ap_proxy_is_socket_connected() for the same purpose.

Re: Negative mod_proxy ping_timeout..

2016-02-09 Thread Jim Jagielski
Why the change to modules/proxy/mod_proxy_hcheck.c? > On Feb 9, 2016, at 10:58 AM, Yann Ylavic wrote: > >

Re: mod_proxy_http2

2016-02-09 Thread Stefan Eissing
I had the effect that when a socket was determined to be dead, the SNI was cleared and a new connection was made without any SNI. So, I save the first ssl_hostname I see and set that on every new connection. > Am 09.02.2016 um 15:42 schrieb Yann Ylavic : > > On Mon, Feb

Re: Negative mod_proxy ping_timeout..

2016-02-09 Thread Yann Ylavic
On Tue, Feb 9, 2016 at 5:42 PM, Jim Jagielski wrote: > Why the change to modules/proxy/mod_proxy_hcheck.c? The call to ap_proxy_connect_backend() just above already calls ap_proxy_is_socket_connected() for any reused connection, so why check it twice? If the connection is not

Re: mod_proxy_http2

2016-02-09 Thread Stefan Eissing
For the request itself, yes. mod_proxy_http2 follows the same pattern as mod_proxy_http. It does not setup a faked request_rec that mod_proxy_http does since I did not need it and did not see the point. Might have missed something. > Am 09.02.2016 um 15:51 schrieb Yann Ylavic

Re: Proposal for a new mod_event documentation page

2016-02-09 Thread Luca Toscano
After some feedbacks I updated the trunk documentation: https://httpd.apache.org/docs/trunk/mod/event.html Please let me know if you like the new page and the new information contained. In case, I'll backport the change to 2.4.x, otherwise I'll revert. Thanks! Luca 2016-02-08 15:32 GMT+01:00

Re: ssl renegotiate

2016-02-09 Thread Stefan Eissing
Testing in trunk, 2.4.x seems to be fine. It's the httpd/test/mod_h2/trunk test cases (do not expect you to get that running). I will take a closer look tomorrow as there is more fishy than just the renegotiation. I see more failures than that. I will try an earlier mod_ssl tomorrow and try to

Re: "httpd -X" segfaults with 2.4.17

2016-02-09 Thread Brian J. France
This hasn't made it into the 2.4.x branch yet, what is the status of getting this in the .19 release? http://svn.apache.org/viewvc?view=revision=1711479 Thanks, Brian > On Oct 16, 2015, at 8:06 AM, Yann Ylavic wrote: > > Hi Jan, > > On Fri, Oct 16, 2015 at 1:58 PM,

Re: ssl renegotiate

2016-02-09 Thread Rainer Jung
Am 09.02.2016 um 20:03 schrieb Stefan Eissing: Am 09.02.2016 um 19:58 schrieb Rainer Jung : Am 09.02.2016 um 19:20 schrieb Stefan Eissing: Ah, closer look revealed that the first test was a cipher renegotiation using HTTP/1.1. That no longer works, but the slave

Re: ssl renegotiate

2016-02-09 Thread Stefan Eissing
> Am 09.02.2016 um 19:58 schrieb Rainer Jung : > > Am 09.02.2016 um 19:20 schrieb Stefan Eissing: >> Ah, closer look revealed that the first test was a cipher renegotiation >> using HTTP/1.1. That no longer works, but the slave connection checks do. >> So, false alarm

ssl renegotiate

2016-02-09 Thread Stefan Eissing
With the new renegotiate code, I get failures in trunk for my tests that expect renegotiation to fail on slave connections. Rainer, not sure how this works now. Can you have a look? -Stefan

Re: ssl renegotiate

2016-02-09 Thread Stefan Eissing
Ah, closer look revealed that the first test was a cipher renegotiation using HTTP/1.1. That no longer works, but the slave connection checks do. So, false alarm on that front. Will disable the renegotiation tests that fail for now until the 1.1.0 openssl work is done... Sorry for the

Re: Negative mod_proxy ping_timeout..

2016-02-09 Thread Jim Jagielski
> On Feb 9, 2016, at 11:49 AM, Yann Ylavic wrote: > > On Tue, Feb 9, 2016 at 5:42 PM, Jim Jagielski wrote: >> Why the change to modules/proxy/mod_proxy_hcheck.c? > > The call to ap_proxy_connect_backend() just above already calls >

Re: balancer-manager docs

2016-02-09 Thread Tim Bannister
On 9 Feb 2016, at 16:02, Rainer Jung wrote: > Am 09.02.2016 um 13:25 schrieb Jim Jagielski: >> We currently have really really little info about the balancer-manager in >> our docs, just a short little blurb on how to enable it and a brief >> description of what it does