Re: [VOTE] Release httpd-2.4.37
Hi Dennis,

On 22.10.2018 at 02:15, Dennis Clarke wrote:
> On 10/21/2018 08:03 PM, Rainer Jung wrote:
>> On 18.10.2018 at 16:36, Daniel Ruggeri wrote:
>>> Hi, all;
>>> Please find below the proposed release tarball and signatures:
>>> https://dist.apache.org/repos/dist/dev/httpd/
>>>
>>> I would like to call a VOTE over the next few days to release this candidate tarball as 2.4.37:
>>> [X] +1: It's not just good, it's good enough!
>>> [ ] +0: Let's have a talk.
>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>>
>>> The computed digests of the tarball up for vote are:
>>> sha1: b0521606d1df54bb425adcdecf6348f126aa352c *httpd-2.4.37.tar.gz
>>> sha256: aa97a834a32d51974be8d8a013b561e28d327387cb1da2c3c2762acd0146aabd *httpd-2.4.37.tar.gz
>>
>> Built on
>>
>> - Solaris 10 Sparc as 32 Bit Binaries
>
> Amazing work. I have no idea what blazing fast hardware you are using to get this done. Special chemicals in the coffee port?

My Solaris hardware is really slow (V245) and building GCC and running its test suite takes a few days here as well. Building httpd is much faster.

> I am still churning away on a fully 64-bit build and that means a toolchain update as well as a new gcc 8.2.0 thrown in to make some things more easy. No signs of daylight yet. However if it works as a 32-bit then hey should work as 64-bit? ;-)

You'll see ;)

Regards and thanks for testing,

Rainer
Re: [VOTE] Release httpd-2.4.37
On 10/21/2018 08:03 PM, Rainer Jung wrote:
> On 18.10.2018 at 16:36, Daniel Ruggeri wrote:
>> Hi, all;
>> Please find below the proposed release tarball and signatures:
>> https://dist.apache.org/repos/dist/dev/httpd/
>>
>> I would like to call a VOTE over the next few days to release this candidate tarball as 2.4.37:
>> [X] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>
>> The computed digests of the tarball up for vote are:
>> sha1: b0521606d1df54bb425adcdecf6348f126aa352c *httpd-2.4.37.tar.gz
>> sha256: aa97a834a32d51974be8d8a013b561e28d327387cb1da2c3c2762acd0146aabd *httpd-2.4.37.tar.gz
>
> Built on
>
> - Solaris 10 Sparc as 32 Bit Binaries

Amazing work. I have no idea what blazing fast hardware you are using to get this done. Special chemicals in the coffee port?

I am still churning away on a fully 64-bit build and that means a toolchain update as well as a new gcc 8.2.0 thrown in to make some things more easy. No signs of daylight yet. However if it works as a 32-bit then hey should work as 64-bit? ;-)

Dennis

[1] https://gcc.gnu.org/ml/gcc-testresults/2018-10/msg02809.html
    that took 36 hours ... sorry for the delay
Re: [VOTE] Release httpd-2.4.37
On 18.10.2018 at 16:36, Daniel Ruggeri wrote:
> Hi, all;
> Please find below the proposed release tarball and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this candidate tarball as 2.4.37:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: b0521606d1df54bb425adcdecf6348f126aa352c *httpd-2.4.37.tar.gz
> sha256: aa97a834a32d51974be8d8a013b561e28d327387cb1da2c3c2762acd0146aabd *httpd-2.4.37.tar.gz

+1 to release and thanks a ton for RM!

Summary: all OK except for

- the CVE-2009-3555.t test with OpenSSL 1.1.1
- some shutdown crashes on Solaris event when statically linked

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical except for expected deltas

Built on

- Solaris 10 Sparc as 32 Bit Binaries
- SLES 11+12 (64 Bits)
- RHEL 6+7 (64 Bits)

For all platforms built

- with default (shared) and static modules
- with module set reallyall
- using --enable-load-all-modules
- against external APR/APU 1.6.5/1.6.1
- using external libraries
  - expat 2.2.6
  - pcre 8.42
  - lua 5.3.5 (compiled with LUA_COMPAT_MODULE)
  - distcache 1.5.1
  - libxml2 2.9.8
  - libnghttp2 1.33.0
  - brotli 1.0.6
  - curl 7.61.1
  - jansson 2.11
  and
  - openssl 0.9.8zh, 1.0.2p, 1.0.2, 1.0.1e, 1.0.1i, 1.1.1
- Tool chain:
  - platform gcc except on Solaris (gcc 8.2.0 Solaris 10)
  - CFLAGS: -O2 -g -Wall -fno-strict-aliasing
    - on Solaris additionally -mpcu=v9, -D_XOPEN_SOURCE, -D_XOPEN_SOURCE_EXTENDED=1, -D__EXTENSIONS__ and -D_XPG6

All of the 216 builds succeeded.

- compiler warnings: none

Tested for

- Solaris 10, SLES 11+12, RHEL 6+7
- MPMs prefork, worker, event
  - prefork skipped on Solaris due to the accept lock problem that leads to timeouts and thus excessive testing times in the proxy
- default and static module builds
- log level trace8
- module set reallyall
  - for "reallyall" 128 modules plus MPMs
- Perl client bundle build against OpenSSL 1.1.1, 1.1.0i, 1.0.2p and 0.9.8zh
- OpenSSL linked statically and as shared library

Every OpenSSL version in the client tested with every version in the server, not just the same version.

Client and server both with OpenSSL 1.1.1 really resulted in TLS 1.3 being used in most SSL tests (after patching the test framework, all patches are committed to svn).

The total number of test suite runs was 1178.

The following test failures were seen:

a Crashes only on Solaris and only with event MPM and static builds. The crash seems to happen only at the end of a process, likely due to double cleanup of OpenSSL.

b Test 154 of t/modules/include.t only and always on Solaris. Not a regression.
  Old analysis was: This is due to a bug in the test, which uses strftime() with a "%s" pattern that is not supported on Solaris. Until recently the server and the test client both returned verbatim "%s" and the test succeeded. After updating some Perl modules for the http2 tests, the perl client even on Solaris now supports "%s" in strftime and the test starts to fail. It seems we have to fix the test.

c Various tests in t/apache/expr_string.t. Not a regression.
  Test numbers: 6, 11, 14, 17, 20, 23, 26, 29
  Happens for 47 out of about 1100 runs (once on SLES 11, once on Solaris 10, otherwise always on RHEL6). The failure is always on line 87, where the error_log contents are checked. Could be due to logs written to NFS.

d Test 5 in t/modules/dav.t: Not a regression.
  Only once, this time on SLES 11. Creation, modified and now times not in the correct order. This seems to be a system issue, all tests done on NFS, many tested on virtualized guests.

e I expect prefork on Solaris still to observe timeouts during proxy tests like reported for previous versions, but didn't test it this time due to the long test runs when the problem happens. I started these runs right now just to be able to report, whether the old problem is still there or has changed.

f t/security/CVE-2009-3555.t
  Fails in two ways, the first one I am unsure about the criticality:

  - When using OpenSSL 1.1.1 in client and server, it fails in test 4, because the attacker request actually gets processed. For the classic pre-1.3 handshake, there's special handling to close the connection before the attacker request gets handled. I am not 100% sure, but it looks to me, as if this protection is only needed if the OpenSSL library itself is not fixed against CVE-2009-3555 as an application side workaround. So this should not be relevant for OpenSSL 1.1.1, and instead the test is broken there. It would be nice if this opinion could be confirmed by others. See the CVE-2009-3555 mail thread.

  - For other OpenSSL versions fails in test 3
Re: error: ‘DEFAULT_REL_STATEDIR’ undeclared
Thanks. Running build and config solved the problem.

On Sun, Oct 21, 2018 at 2:15 PM Eric Covener wrote:
>
> On Sun, Oct 21, 2018 at 6:59 AM Danesh Daroui wrote:
> >
> > Hi all,
> >
> > I cannot compile the code on trunk. I get the following error when I
> > try to compile the code:
> >
> > error: ‘DEFAULT_REL_STATEDIR’ undeclared
>
> If this was a pre-existing sandbox, and you see configure.in change,
> it is likely you need to re-run ./buildconf and config.nice
Re: t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
On 10/21/2018 6:46 AM, Rainer Jung wrote:
> On 18.10.2018 at 14:23, Stefan Eissing wrote:
>>> On 18.10.2018 at 14:12, Rainer Jung wrote:
>>>
>>> - t/modules/http2.t fails when the server is built using OpenSSL
>>> 0.9.8zh with the "Bad plan. You planned 52 tests..." message
>>> indicating, that h2 using TLS does not work. It happens on all
>>> platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>>
>>> I don't know whether that is expected for old OpenSSL, so can not
>>> judge on criticality.
>>
>> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support
>> TLSv1.2 and is therefore unusable with h2. The test suite seems to be
>> unprepared for this scenario. I will remove it after the next
>> release. It is not worth fixing in its current form.
>
> I added a check against the test suite OpenSSL version in r1844483.
>
> I have an additional check for the server version available.
> Unfortunately I didn't find a really easy way, so here's a small
> module that one can query
> (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a
> shortened form of mod_test_ssl.c:
>
> SNIP =
> #define HTTPD_TEST_REQUIRE_APACHE 2
>
> #if CONFIG_FOR_HTTPD_TEST
>
>
> SetHandler test-ssl-version-lookup
>
>
> #endif
>
> #include "httpd.h"
> #include "http_config.h"
> #include "http_protocol.h"
> #include "http_log.h"
> #include "ap_config.h"
> #include "apr_optional.h"
>
> #if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h
> if using >= 2.1.0 */
>
> #include "mod_ssl.h"
>
> #else
> /* For use of < 2.0.x, inline the declaration: */
>
> APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
>                         (apr_pool_t *, server_rec *,
>                          conn_rec *, request_rec *,
>                          char *));
>
> #endif
>
> static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;
>
> static void import_ssl_var_lookup(void)
> {
>     var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
> }
>
> static int test_ssl_version_lookup(request_rec *r)
> {
>     char *value;
>
>     if (strcmp(r->handler, "test-ssl-version-lookup")) {
>         return DECLINED;
>     }
>
>     if (r->method_number != M_GET) {
>         return DECLINED;
>     }
>
>     if (!var_lookup) {
>         ap_rputs("ssl_var_lookup is not available", r);
>         return OK;
>     }
>
>     value = var_lookup(r->pool, r->server,
>                        r->connection, r, "SSL_VERSION_LIBRARY");
>
>     if (value && *value) {
>         ap_rputs(value, r);
>     }
>     else {
>         ap_rputs("NULL", r);
>     }
>
>     return OK;
> }
>
> static void test_ssl_version_register_hooks(apr_pool_t *p)
> {
>     ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
>                     APR_HOOK_MIDDLE);
>     ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
>                                  NULL, NULL, APR_HOOK_MIDDLE);
> }
>
> module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
>     STANDARD20_MODULE_STUFF,
>     NULL, /* create per-dir config structures */
>     NULL, /* merge per-dir config structures */
>     NULL, /* create per-server config structures */
>     NULL, /* merge per-server config structures */
>     NULL, /* table of config file commands */
>     test_ssl_version_register_hooks /* register hooks */
> };
> SNIP =
>
> and the necessary addition to http2.t to use the module:
>
> Index: t/modules/http2.t > === > --- t/modules/http2.t (revision 1844483) > +++ t/modules/http2.t (working copy) > @@ -25,6 +25,16 @@ > my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER(); > if ($openssl_version < 0x1000) { > $tls_modern = 0; > +} else { > + Apache::TestRequest::scheme("https"); > + my $url = '/test_ssl_version_lookup'; > + my $r = GET("$url"); > + $openssl_version = $r->content; > + print STDOUT "OpenSSL version '$openssl_version'\n"; > + # OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc. > + if ($openssl_version =~ /\/0\./) { > + $tls_modern = 0; > + } > } > > Apache::TestRequest::module("http2");
>
> What do people think? Should I apply it?
>
> Regards,
>
> Rainer

+1

--
Daniel Ruggeri
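The server-side version gate proposed in the quoted message, written here as an added example that is not part of the thread or of the httpd test framework: it parses a response body in the `OpenSSL/1.0.2p` form named in the patch comment and fails closed on anything else, including the handler's two fallback strings. The names `tls_gate_for`, `parse_ssl_library` and `MIN_FROM_SUBJECT`, and the acceptance of a vendor suffix such as `-fips`, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum tls_gate { TLS_UNKNOWN, TLS_LEGACY, TLS_MODERN };
struct ssl_ver { int major, minor, patch; };
/* Minimum taken from the thread subject ("OpenSSL >= 1.0.0"); an assumption. */
static const struct ssl_ver MIN_FROM_SUBJECT = { 1, 0, 0 };

/* Read 1-4 decimal digits; no sign or whitespace is accepted. */
static int take_number(const char **p, int *out)
{
    int n = 0, digits = 0;
    for (; **p >= '0' && **p <= '9' && digits < 4; digits++)
        n = n * 10 + (*(*p)++ - '0');
    *out = n;
    return digits > 0;
}

/* Parse "OpenSSL/1.0.2p"-style bodies. Anything else, including the handler's
 * "NULL" and "ssl_var_lookup is not available" replies, is rejected. */
static int parse_ssl_library(const char *body, struct ssl_ver *v)
{
    static const char prefix[] = "OpenSSL/";

    if (body == NULL || strncmp(body, prefix, sizeof(prefix) - 1) != 0)
        return 0;
    const char *p = body + sizeof(prefix) - 1;
    if (!take_number(&p, &v->major) || *p++ != '.') return 0;
    if (!take_number(&p, &v->minor) || *p++ != '.') return 0;
    if (!take_number(&p, &v->patch)) return 0;
    /* Allow a letter suffix ("p", "zh") or a vendor tag ("-fips", assumed). */
    for (; *p; p++)
        if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') || *p == '-'))
            return 0;
    return 1;
}

/* Fail closed: only a parsed version at or above `min` counts as modern. */
static enum tls_gate tls_gate_for(const char *body, struct ssl_ver min)
{
    struct ssl_ver v;
    if (!parse_ssl_library(body, &v)) return TLS_UNKNOWN;
    if (v.major != min.major) return v.major > min.major ? TLS_MODERN : TLS_LEGACY;
    if (v.minor != min.minor) return v.minor > min.minor ? TLS_MODERN : TLS_LEGACY;
    return v.patch >= min.patch ? TLS_MODERN : TLS_LEGACY;
}

int main(void)
{
    /* Constructed sample response bodies, not captured from a server. */
    const char *bodies[] = { "OpenSSL/1.0.2p", "OpenSSL/0.9.8zh", "NULL" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %d\n", bodies[i], tls_gate_for(bodies[i], MIN_FROM_SUBJECT));
    return 0;
}
```

A test plan built on this would run the h2-over-TLS cases only for `TLS_MODERN` and skip them for both other outcomes.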
Re: error: ‘DEFAULT_REL_STATEDIR’ undeclared
On 21.10.2018 at 12:58, Danesh Daroui wrote:
> Hi all,
>
> I cannot compile the code on trunk. I get the following error when I try to compile the code:
>
> error: ‘DEFAULT_REL_STATEDIR’ undeclared
>
> I bisected the mainstream using git and the erroneous commit seems to be:
>
> ---
> commit 16211a8cdd52251cb7ae251e693b9053fb545e20
> Author: Joe Orton
> Date: Fri Oct 5 15:25:04 2018 +
>
>     Define "state directory" for storing persistent child-writable state,
>     with default from config.layout, configurable via DefaultStateDir.
>
>     * server/core.c (set_state_dir, ap_state_dir_relative): New functions.
>
>     * config.layout, acinclude.m4, Makefile.in, configure.in: Define
>     statedir variables, drop davlockdb.
>
>     * include/ap_config_layout.h.in: Define DEFAULT_REL_STATEDIR,
>     DEFAULT_EXP_STATEDIR in place of _DAVLOCKDB.
>
>     * include/ap_mmn.h: Bump MMN minor.
>
>     git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1842929 13f79535-47bb-0310-9956-ffa450edef68
> ---
>
> You may already know about the problem. So in that case is there any fix for that?

Could it be the following bug in the generic layout, that I just now fixed in r1844484:

--- httpd/httpd/trunk/config.layout (original) +++ httpd/httpd/trunk/config.layout Sun Oct 21 12:10:09 2018 @@ -355,7 +355,7 @@ manualdir: ${datadir}/manual cgidir:${datadir}/cgi-bin runtimedir:${localstatedir}/run -runtimedir:${localstatedir}/lib/httpd +statedir: ${localstatedir}/lib/httpd logfiledir:${localstatedir}/log/httpd proxycachedir: ${localstatedir}/cache/httpd/cache-root

During the build, the file include/ap_config_layout.h gets generated from include/ap_config_layout.h.in. I guess in your case the line for DEFAULT_REL_STATEDIR in the generated file contains an empty value?

Thanks for testing trunk!

Regards,

Rainer
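Review bot: The change at line 355 corrects the duplicated `runtimedir` key to `statedir` in this one layout only, so the other layouts in config.layout should be checked in the same commit for a missing `statedir` entry or the same duplicated key. Since the message suggests that a layout without `statedir` leaves DEFAULT_REL_STATEDIR empty in the generated ap_config_layout.h, it would also help to have configure stop with a clear error when the selected layout yields no statedir, rather than letting it surface later as a compile failure.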
Re: error: ‘DEFAULT_REL_STATEDIR’ undeclared
On Sun, Oct 21, 2018 at 6:59 AM Danesh Daroui wrote:
>
> Hi all,
>
> I cannot compile the code on trunk. I get the following error when I
> try to compile the code:
>
> error: ‘DEFAULT_REL_STATEDIR’ undeclared

If this was a pre-existing sandbox, and you see configure.in change,
it is likely you need to re-run ./buildconf and config.nice
t/modules/http2.t: Run only if OpenSSL >= 1.0.0 is available
On 18.10.2018 at 14:23, Stefan Eissing wrote:
>> On 18.10.2018 at 14:12, Rainer Jung wrote:
>>
>> - t/modules/http2.t fails when the server is built using OpenSSL 0.9.8zh with the "Bad plan. You planned 52 tests..." message indicating, that h2 using TLS does not work. It happens on all platforms, but not if the client also uses OpenSSL 0.9.8zh.
>>
>> I don't know whether that is expected for old OpenSSL, so can not judge on criticality.
>
> AFAICT, correct me if I am wrong, OpenSSL 0.9.8 does not support TLSv1.2 and is therefore unusable with h2. The test suite seems to be unprepared for this scenario. I will remove it after the next release. It is not worth fixing in its current form.

I added a check against the test suite OpenSSL version in r1844483.

I have an additional check for the server version available. Unfortunately I didn't find a really easy way, so here's a small module that one can query (c-modules/test_ssl_version/mod_test_ssl_version.c), mostly a shortened form of mod_test_ssl.c:

SNIP =
#define HTTPD_TEST_REQUIRE_APACHE 2

#if CONFIG_FOR_HTTPD_TEST

SetHandler test-ssl-version-lookup

#endif

#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "http_log.h"
#include "ap_config.h"
#include "apr_optional.h"

#if AP_MODULE_MAGIC_AT_LEAST(20040425, 0) /* simply include mod_ssl.h if using >= 2.1.0 */

#include "mod_ssl.h"

#else
/* For use of < 2.0.x, inline the declaration: */

APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
                        (apr_pool_t *, server_rec *,
                         conn_rec *, request_rec *,
                         char *));

#endif

static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *var_lookup;

static void import_ssl_var_lookup(void)
{
    var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
}

static int test_ssl_version_lookup(request_rec *r)
{
    char *value;

    if (strcmp(r->handler, "test-ssl-version-lookup")) {
        return DECLINED;
    }

    if (r->method_number != M_GET) {
        return DECLINED;
    }

    if (!var_lookup) {
        ap_rputs("ssl_var_lookup is not available", r);
        return OK;
    }

    value = var_lookup(r->pool, r->server,
                       r->connection, r, "SSL_VERSION_LIBRARY");

    if (value && *value) {
        ap_rputs(value, r);
    }
    else {
        ap_rputs("NULL", r);
    }

    return OK;
}

static void test_ssl_version_register_hooks(apr_pool_t *p)
{
    ap_hook_handler(test_ssl_version_lookup, NULL, NULL,
                    APR_HOOK_MIDDLE);
    ap_hook_optional_fn_retrieve(import_ssl_var_lookup,
                                 NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA test_ssl_version_module = {
    STANDARD20_MODULE_STUFF,
    NULL, /* create per-dir config structures */
    NULL, /* merge per-dir config structures */
    NULL, /* create per-server config structures */
    NULL, /* merge per-server config structures */
    NULL, /* table of config file commands */
    test_ssl_version_register_hooks /* register hooks */
};
SNIP =

and the necessary addition to http2.t to use the module:

Index: t/modules/http2.t === --- t/modules/http2.t (revision 1844483) +++ t/modules/http2.t (working copy) @@ -25,6 +25,16 @@ my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER(); if ($openssl_version < 0x1000) { $tls_modern = 0; +} else { +Apache::TestRequest::scheme("https"); +my $url = '/test_ssl_version_lookup'; +my $r = GET("$url"); +$openssl_version = $r->content; +print STDOUT "OpenSSL version '$openssl_version'\n"; +# OpenSSL/0.9.8zh, OpenSSL/1.0.2p etc. +if ($openssl_version =~ /\/0\./) { +$tls_modern = 0; +} } Apache::TestRequest::module("http2");

What do people think? Should I apply it?

Regards,

Rainer
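Review bot: In the added else branch, `$r->content` is assigned to `$openssl_version` without checking that the GET succeeded or that the body has the expected `OpenSSL/x.y.z` form, so any unexpected body leaves `$tls_modern` enabled. The handler in the module above can answer "NULL" or "ssl_var_lookup is not available", and neither string matches `/\/0\./`; suggest checking the response code, matching with an anchored pattern such as `^OpenSSL/(\d+)\.`, and setting `$tls_modern = 0` on a non-match. Separately, the context line `if ($openssl_version < 0x1000)` compares against a value far below what OPENSSL_VERSION_NUMBER encodes even for 0.9.8, so as shown the first branch looks unreachable and the threshold is worth re-checking.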
error: ‘DEFAULT_REL_STATEDIR’ undeclared
Hi all,

I cannot compile the code on trunk. I get the following error when I try to compile the code:

error: ‘DEFAULT_REL_STATEDIR’ undeclared

I bisected the mainstream using git and the erroneous commit seems to be:

---
commit 16211a8cdd52251cb7ae251e693b9053fb545e20
Author: Joe Orton
Date: Fri Oct 5 15:25:04 2018 +

    Define "state directory" for storing persistent child-writable state,
    with default from config.layout, configurable via DefaultStateDir.

    * server/core.c (set_state_dir, ap_state_dir_relative): New functions.

    * config.layout, acinclude.m4, Makefile.in, configure.in: Define
    statedir variables, drop davlockdb.

    * include/ap_config_layout.h.in: Define DEFAULT_REL_STATEDIR,
    DEFAULT_EXP_STATEDIR in place of _DAVLOCKDB.

    * include/ap_mmn.h: Bump MMN minor.

    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1842929 13f79535-47bb-0310-9956-ffa450edef68
---

You may already know about the problem. So in that case is there any fix for that?

Regards,

Danesh Daroui