Re: httpd-2.3.9-alpha test tarballs

2010-11-28 Thread Joe Orton
On Fri, Nov 26, 2010 at 09:25:30PM +0100, Stefan Fritsch wrote: > On Friday 26 November 2010, Rainer Jung wrote: > > On 26.11.2010 09:30, Gregg L. Smith wrote: > > > While you commit win3.diff, it seems mod_disk_cache was changed > > > to mod_cache_disk and I remember seeing mention of it. The patc

Re: mod_ssl: inserting cert parameters into headers

2010-11-19 Thread Joe Orton
On Fri, Nov 19, 2010 at 05:17:06PM +0200, Graham Leggett wrote: > On 19 Nov 2010, at 3:19 PM, Plüm, Rüdiger, VF-Group wrote: > > >Does > > > >RequestHeader add some_header %{SSL_ENVIRONMENT_VARIABLE}s > > > >not work for you? > > It could, but it isn't very clean at all. You are adding a KV pair

Re: Fwd: [us...@httpd] SSLRequire & UTF-8 characters

2010-11-19 Thread Joe Orton
On Fri, Nov 19, 2010 at 07:13:01AM +0100, Kaspar Brand wrote: > On 17.11.2010 15:53, Igor Galić wrote: > > it might be appropriate to ping dev@ with this problem > > I'm not sure if it's a bug or a feature. > > I'd call it a missing feature... the problem is that mod_ssl treats all > values of any

Re: Proxy regressions

2010-11-05 Thread Joe Orton
On Thu, Nov 04, 2010 at 08:57:53PM +0100, Stefan Fritsch wrote: > On Thursday 04 November 2010, Jim Jagielski wrote: > > Tested so +1 > > Yes, the latest round of fixes seems to have fixed all my problems. > Thanks. I get a bunch of 404s in the aaa.t authz/form tests, did you forget to check in

Re: Feedback for new ap_expr wanted

2010-11-05 Thread Joe Orton
On Fri, Nov 05, 2010 at 08:26:15PM +0100, Stefan Fritsch wrote: > I have put the current state of my work on ap_expr here and would > welcome feedback: > > http://people.apache.org/~sf/ap_expr_ng_v0/ > > There are definitely some things left to do, like implementing regexp > backreferences and

RFC: mod_ssl output buffering

2010-11-05 Thread Joe Orton
mod_ssl's output buffering has been bothering me for a while. 1) it buffers the encrypted output stream (to some extent) coupled with regular use of FLUSH buckets. This seems redundant/inefficient; the core output filter should be doing this kind of thing optimally already. 2) it does /not/ do

Re: any reason for ssl_engine_kernel.c to use ap_log_error() when r and/or c are known?

2010-11-01 Thread Joe Orton
Generally "no reason, no", there are lots of places in mod_ssl where _cerror should be used but the code predates the existence of _cerror; it's possible the SNI-related use of ap_log_error() in ssl_hook_ReadReq() is deliberate, however, I'm guessing. Regards, Joe

Re: svn commit: r1004753 - /httpd/httpd/branches/2.2.x/STATUS

2010-10-07 Thread Joe Orton
On Thu, Oct 07, 2010 at 10:50:48AM +0100, Joe Orton wrote: > I've no strong objection to this but it deserves a comment in the code > describing why that apr_pool_clear call is redundant; a thorough ^NOT redundant

Re: svn commit: r1004753 - /httpd/httpd/branches/2.2.x/STATUS

2010-10-07 Thread Joe Orton
Response as requested ;) On Tue, Oct 05, 2010 at 06:16:14PM -, William Rowe wrote: > --- httpd/httpd/branches/2.2.x/STATUS (original) > +++ httpd/httpd/branches/2.2.x/STATUS Tue Oct 5 18:16:14 2010 > @@ -177,11 +177,14 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: > PR: 43857 > Trunk

Re: Making the ssl expr parser thread safe

2010-10-01 Thread Joe Orton
On Wed, Sep 29, 2010 at 11:07:14PM +0200, Stefan Fritsch wrote: > On Wednesday 29 September 2010, Nick Kew wrote: > > It's been sitting in my to-do list to review mod_ssl's expression > > parser, and see if we can't substitute ap_expr - with updates to > > the latter if necessary. > > > > Any thou

Re: Making the ssl expr parser thread safe

2010-09-29 Thread Joe Orton
On Wed, Sep 29, 2010 at 12:55:36PM +0200, Stefan Fritsch wrote: > Most of the changes are rather mechanical, because the state needs to > be passed as parameters instead of being stored in global variables. > The diffs are at > > http://people.apache.org/~sf/ssl_expr_source.diff > http://people.a

Re: svn commit: r1000211 - in /httpd/httpd/trunk/modules/cache: cache_storage.c cache_storage.h cache_util.c cache_util.h mod_cache.h

2010-09-23 Thread Joe Orton
On Wed, Sep 22, 2010 at 08:44:50PM -, Graham Leggett wrote: > Author: minfrin > Date: Wed Sep 22 20:44:50 2010 > New Revision: 1000211 > > URL: http://svn.apache.org/viewvc?rev=1000211&view=rev > Log: > Make cache_server_conf, cache_enable and cache_disable private. Remove > public prefixes fr

Re: svn commit: r997545 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h modules/cache/mod_cache.c modules/cache/mod_cache.h modules/cache/mod_disk_cache.c modules/cache/mod_disk_cache.h

2010-09-17 Thread Joe Orton
On Thu, Sep 16, 2010 at 11:53:39AM +0200, Graham Leggett wrote: > On 16 Sep 2010, at 9:13 AM, Ruediger Pluem wrote: > > >>+static apr_status_t file_cache_create(disk_cache_conf *conf, > >>disk_cache_file_t *file, > >>+ apr_pool_t *pool) > >>+{ > >>+file->po

Re: svn commit: r986333 - /httpd/httpd/trunk/modules/proxy/mod_proxy_http.c

2010-08-18 Thread Joe Orton
On Tue, Aug 17, 2010 at 06:00:58PM +0200, "Plüm, Rüdiger, VF-Group" wrote: > I think you should use > > && ((apr_table_get(r->headers_in, "Content-Length") || > apr_table_get(r->headers_in, "Transfer-Encoding"))) > > as we only want do_100_continue to be true *if* we have a request body, > whi

Re: svn commit: r983618 - in /apr/apr/trunk: network_io/unix/sockets.c test/testsock.c

2010-08-09 Thread Joe Orton
This fixes a slow memory leak in mod_proxy FYI. The sockaddr passed to apr_socket_connect() is allocated out of worker->cp->pool. When a new backend connection is created, core_create_conn extracts the address from that socket to the conn_rec and it gets duped in that pool again. On Mon, Aug

Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml

2010-08-02 Thread Joe Orton
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote: > >--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original) > >+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 > >13:03:04 2010 > >@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks. > > >

Re: 2.2.16 RC - pr17629.t failure on Linux

2010-07-31 Thread Joe Orton
On Thu, Jul 22, 2010 at 04:50:42PM +0200, "Plüm, Rüdiger, VF-Group" wrote: > > What about these? > > > > t/ssl/extlookup.t (Wstat: 0 Tests: 4 Failed: 1) > > > > Failed test: 2 > > > > t/ssl/require

CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only

2010-07-30 Thread Joe Orton
Jeremy Sowden discovered an information leak in mod_proxy affecting httpd version 2.2.9 only. If a timeout occurred reading a response from a backend on a persistent connection, the backend connection was not closed. The response could subsequently be read and delivered to an unrelated client

Re: ocsp stapling global mutex

2010-07-15 Thread Joe Orton
On Wed, Jul 14, 2010 at 10:33:43PM +0100, Dr Stephen Henson wrote: > On 25/06/2010 08:10, Paul Querna wrote: > > I was playing with OCSP Stapling in 2.3.6-alpha tonight, and I noticed > > that in the common case path, we will always lock a global mutex. > > > > I don't see why this is needed for t

Re: svn commit: r952443 - /httpd/test/framework/trunk/t/apache/pr17629.t

2010-06-16 Thread Joe Orton
On Wed, Jun 16, 2010 at 08:16:11PM +0200, Rainer Jung wrote: > On 07.06.2010 23:16, jor...@apache.org wrote: > >--- httpd/test/framework/trunk/t/apache/pr17629.t (original) > >+++ httpd/test/framework/trunk/t/apache/pr17629.t Mon Jun 7 21:16:50 2010 > >@@ -5,7 +5,7 @@ use Apache::Test; > > use Ap

Re: C as config

2010-06-16 Thread Joe Orton
On Wed, Jun 16, 2010 at 12:05:21PM +0200, Graham Leggett wrote: > On 16 Jun 2010, at 10:45 AM, Joe Orton wrote: > > >>There is already mod_buffer in trunk. From reading the docs, it > >>should > >>be suitable for this purpose. Or is it missing some functionalit

Re: C as config

2010-06-16 Thread Joe Orton
On Sun, Jun 06, 2010 at 08:53:03PM +0200, Stefan Fritsch wrote: > On Sunday 06 June 2010, Brian Pane wrote: > > As long as the documentation explained to users that they need to > > have enough memory to accommodate MaxClient * > > MaxOutputBufferedPerRequest (where the latter is a hypothetical > >

Re: svn commit: r946347 - in /httpd/test/framework/trunk/t: conf/ssl/ssl.conf.in ssl/extlookup.t ssl/require.t

2010-06-11 Thread Joe Orton
On Fri, Jun 11, 2010 at 11:41:25AM +0100, Dr Stephen Henson wrote: > On 11/06/2010 07:00, Ruediger Pluem wrote: > >> Index: lib/Apache/TestSSLCA.pm > >> === > >> --- lib/Apache/TestSSLCA.pm (Revision 946346) > >> +++ lib/Apache/Tes

Re: mod_socache_shmcb bogosity?

2010-06-11 Thread Joe Orton
On Thu, Jun 10, 2010 at 07:28:55PM -0500, William Rowe wrote: > Have not checked specifically, the problem I observed was ejecting other > unexpired elts as other records were repeatedly updated. > > It seems the simple fix is to change the pre-store free logic, > > * expire records [do this onl

Re: mod_socache_shmcb bogosity?

2010-06-10 Thread Joe Orton
On Wed, Jun 09, 2010 at 11:30:45AM -0500, William Rowe wrote: > Just noticed that our shmcb socache never replaces an identical node > on ->store, leading to multiple entries for the same id (with different > expiries and data, obviously). > > Is this deliberate? What is the distcache/memcached/db

Re: [PATCH] PR 17629 and all that

2010-06-08 Thread Joe Orton
So since nobody has told me I'm an idiot yet, I've committed this to the trunk for wider testing: http://svn.apache.org/viewvc?view=revision&revision=952828 Regards, Joe

Re: [PATCH] PR 17629 and all that

2010-06-08 Thread Joe Orton
On Tue, Jun 08, 2010 at 06:17:29PM +0200, "Plüm, Rüdiger, VF-Group" wrote: > > I'd spent some time working on exactly that approach, trying to > > answer that question. But surprisingly the answer is "yes" - the > > subreq filter has ftype=AP_FTYPE_CONTENT_SET, so any filter > > registered with

Re: svn commit: r952724 - /httpd/httpd/trunk/server/log.c

2010-06-08 Thread Joe Orton
On Tue, Jun 08, 2010 at 02:56:46PM -0500, William Rowe wrote: > > URL: > > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/log.c?rev=952724&r1=952723&r2=952724&view=diff > > == > > --- httpd/httpd/trunk/server/log.c

Re: [PATCH] PR 17629 and all that

2010-06-08 Thread Joe Orton
On Tue, Jun 08, 2010 at 05:20:16PM +0200, "Plüm, Rüdiger, VF-Group" wrote: > Is it possible to have any non subrequest specific filters below the > ap_subreq_core_filter_handle? > It is not that the current patch does not handle this but wouldn't it be > possible > to just throw away any filter be

[PATCH] PR 17629 and all that

2010-06-08 Thread Joe Orton
https://issues.apache.org/bugzilla/show_bug.cgi?id=17629 Here's an attempt at fixing the dreaded PR 17629. This is a bug in the handling of the output filter chain at the point where an internal redirect is applied to a subrequest. Complications: a) a subrequest's filter chain may start at an

Re: svn commit: r952201 - /httpd/httpd/trunk/server/log.c

2010-06-08 Thread Joe Orton
On Mon, Jun 07, 2010 at 12:23:26PM -, rj...@apache.org wrote: > Author: rjung > Date: Mon Jun 7 12:23:26 2010 > New Revision: 952201 > > URL: http://svn.apache.org/viewvc?rev=952201&view=rev > Log: > Add process id and thread id (if APR has thread support) > to the error log. ... > @@ -620,6

Re: Per-module / per-dir loglevel configuration version 4

2010-06-04 Thread Joe Orton
On Fri, Jun 04, 2010 at 01:40:42PM +0200, "Plüm, Rüdiger, VF-Group" wrote: > >memset(l->module_levels, val, total_modules + > > DYNAMIC_MODULE_LIMIT); > > Hm, module_levels is int[] and memset works byte wise. Doh. Sorry, yes, ignore me there.

Re: Per-module / per-dir loglevel configuration version 4

2010-06-04 Thread Joe Orton
On Wed, Jun 02, 2010 at 10:42:44PM +0200, Stefan Fritsch wrote: > The patch is at > > http://people.apache.org/~sf/per-module-loglevel-v4/ , This looks good to me. Kudos for taking on such a task. It's kind of hard to review the individual patches with fixes-on-fixes separated out, or t

Re: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?

2010-06-02 Thread Joe Orton
On Wed, Jun 02, 2010 at 01:18:17PM -0500, William Rowe wrote: > On 6/2/2010 11:23 AM, Joe Orton wrote: > > Thanks very much for all the responses. There is strong consensus for > > retaining support for some varieties of 0.9.8 and possibly some 0.9.7. > > > > A new R

Re: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?

2010-06-02 Thread Joe Orton
Thanks very much for all the responses. There is strong consensus for retaining support for some varieties of 0.9.8 and possibly some 0.9.7. A new RFC, then, for trunk/2.3 and beyond: - support and build warning-free with OpenSSL >= 0.9.8 - support and build with OpenSSL >= 0.9.7a, albeit with

Re: mod_deflate handling of empty initial brigade

2010-06-02 Thread Joe Orton
On Tue, Jun 01, 2010 at 05:02:08PM +0200, "Plüm, Rüdiger, VF-Group" wrote: > > The guide to writing output filters says: > > > > https://httpd.apache.org/docs/trunk/developer/output-filters.h > > tml#invocation > > > > "An output filter should never pass an empty brigade down the filter > > chain

RFC: drop support for OpenSSL < 1.0 in trunk/2.3?

2010-05-25 Thread Joe Orton
I'd like to drop support for versions of OpenSSL older than 1.0 in the trunk mod_ssl. We have 200+ lines of compat macro junk and still six different compiler warnings remain in a trunk build against 1.0.0. pro: simplify code: remove ssl_toolkit_compat.h and all compat macro mess which litters

Re: test/framework

2010-05-25 Thread Joe Orton
On Tue, May 25, 2010 at 03:49:33AM +, Philip M. Gollucci wrote: > Is there any easy way to run this for 2.0.x ? The test suite should run for 2.0 just the same as for 2.2, though there may be many more test failures. Is it broken? Regards, Joe

Re: svn commit: r947593 - in /httpd/test/framework/trunk/t: apache/pr49328.t conf/extra.conf.in htdocs/modules/filter/ htdocs/modules/filter/included.shtml htdocs/modules/filter/pr49328.shtml

2010-05-24 Thread Joe Orton
On Mon, May 24, 2010 at 02:39:29PM +0200, Ruediger Pluem wrote: > On 24.05.2010 12:44, jor...@apache.org wrote: > > + = 2.3.0> > > + # resp{Content-Type} = /text/ should be equivalent but > > + # doesn't seem to work. > > + FilterProvider pr49328 DEFLATE "true

Re: svn commit: r942897 - in /httpd/httpd/trunk: CHANGES server/mpm/prefork/prefork.c

2010-05-19 Thread Joe Orton
On Wed, May 12, 2010 at 03:30:29PM -0400, Jeff Trawick wrote: > The multiple-calls-to-pool_clear solution is definitely safer. OK, so now I reviewed that too ;) The only difference between: apr_pool_clear(ptrans); apr_pool_destroy(pchild); and simply: apr_pool_destroy(pchild); (given

Re: File descriptor leak with mpm-event / apr file bucket cleanup

2010-05-18 Thread Joe Orton
On Tue, May 18, 2010 at 09:18:23AM +0200, Stefan Fritsch wrote: > On Tue, 18 May 2010, Ruediger Pluem wrote: > >So if you want to close this fd you IMHO would need to do some refcounting > >and only close it if no other filebucket still references it. > > The filebuckets already do refcounting. ap

Re: svn commit: r942897 - in /httpd/httpd/trunk: CHANGES server/mpm/prefork/prefork.c

2010-05-12 Thread Joe Orton
On Mon, May 10, 2010 at 08:47:59PM -, Jeff Trawick wrote: > --- httpd/httpd/trunk/server/mpm/prefork/prefork.c (original) > +++ httpd/httpd/trunk/server/mpm/prefork/prefork.c Mon May 10 20:47:59 2010 > @@ -549,12 +549,6 @@ static void child_main(int child_num_arg > conn_rec *current_co

Re: OpenBSD & the Apache license problem. Why?

2010-04-28 Thread Joe Orton
On Wed, Apr 28, 2010 at 03:05:07PM +0300, Tasos Andras wrote: > Oh, by the way, what was your answer for: > "There is a number of serious security problems in apache that we have > fixed, and that have been offered them back, and they refused." > @ > http://marc.info/?l=openbsd-misc&m=1086557931129

Re: svn commit: r921378 - in /httpd/httpd/trunk: CHANGES modules/filters/mod_reqtimeout.c

2010-03-15 Thread Joe Orton
On Fri, Mar 12, 2010 at 08:47:48PM +0100, Stefan Fritsch wrote: > I have also tried inserting the filter in pre_connection and storing > the socket as filter context, and then removing the filter in the > first invocation of reqtimeout_filter. But this did not work well > either, because ap_remove_

Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch

2010-03-09 Thread Joe Orton
On Tue, Mar 09, 2010 at 02:43:08PM -0600, William Rowe wrote: > On 3/9/2010 11:15 AM, Jeff Trawick wrote: > > On Tue, Mar 9, 2010 at 11:52 AM, wrote: > >> Author: wrowe > >> Date: Tue Mar 9 11:52:32 2010 > >> New Revision: 113 > >> > >> Log: > >> For 2.0 patch available, note different line numb

Re: [vote] release 2.2.15?

2010-03-04 Thread Joe Orton
On Wed, Mar 03, 2010 at 10:40:34PM +, Dr Stephen Henson wrote: > Joe Orton wrote: > > On Wed, Mar 03, 2010 at 06:31:36PM +, Dr Stephen Henson wrote: > > > >> Note that you don't need to abort if secure renegotiation is supported > >> by the client. &

Re: [vote] release 2.2.15?

2010-03-03 Thread Joe Orton
On Wed, Mar 03, 2010 at 11:21:47PM +0100, Mladen Turk wrote: > SSLInsecureRenegotiation off > echo R | openssl-0.9.8m s_client .. disconnects > echo R | openssl-0.9.8k s_client .. hangs until ServerTimeout Ah, right, hmm. Yes, this is exactly as Bill says, the client is ignoring the alert and

Re: [vote] release 2.2.15?

2010-03-03 Thread Joe Orton
On Wed, Mar 03, 2010 at 06:31:36PM +, Dr Stephen Henson wrote: > If I understand the code correctly it looks like Apache is already > trapping and aborting client initiated renegotiations so this "hang" > situation shouldn't arise. This is true for client-initiated reneg, I'm not sure whethe

Re: [vote] release 2.2.15?

2010-03-03 Thread Joe Orton
[+1] Release 2.2.15 Testing looks good on Fedora 12/x86_64. diff vs .14 is fine, sigs good, CHANGES good. Thanks for RM-ing! Minor note: a BOM has mysteriously appeared in CHANGES again :) Regards, Joe

Re: svn commit: r917867 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/protocol.c

2010-03-03 Thread Joe Orton
On Wed, Mar 03, 2010 at 10:12:55AM +, Mark J Cox wrote: > > This seems like a borderline case, but we should assign a CVE name - > > Mark, can you assign one? > > It's low severity, but it probably should have got one earlier, yes. Use > CVE-2010-0434. Thanks a lot. Joe

Re: svn commit: r917867 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/protocol.c

2010-03-03 Thread Joe Orton
On Tue, Mar 02, 2010 at 04:01:29AM -, William Rowe wrote: > Author: wrowe > Date: Tue Mar 2 04:01:29 2010 > New Revision: 917867 > > URL: http://svn.apache.org/viewvc?rev=917867&view=rev > Log: > Ensure each subrequest has a shallow copy of headers_in so that the > parent request headers are

Re: Wildcards internal to Include paths matching files

2010-03-01 Thread Joe Orton
On Mon, Mar 01, 2010 at 08:44:12AM -0500, Dan Poirier wrote: > --- config.c (revision 916378) > +++ config.c (working copy) > @@ -1710,8 +1710,17 @@ > && strcmp(dirent.name, "..") > && (apr_fnmatch(fname, dirent.name, > APR_FNM_PERIOD) == APR

Re: svn commit: r917343 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_io.c

2010-03-01 Thread Joe Orton
On Mon, Mar 01, 2010 at 02:59:18PM -0600, William Rowe wrote: > On 3/1/2010 8:49 AM, Joe Orton wrote: > > > > +/* Abort early if the client has initiated a renegotiation. */ > > +if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { > > +

Re: svn commit: r917343 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_io.c

2010-03-01 Thread Joe Orton
On Mon, Mar 01, 2010 at 11:49:44AM +, Joe Orton wrote: > On Mon, Mar 01, 2010 at 01:31:36AM -, Graham Leggett wrote: > > --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original) > > +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Mon Mar 1 &g

Re: svn commit: r917343 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_io.c

2010-03-01 Thread Joe Orton
On Mon, Mar 01, 2010 at 01:31:36AM -, Graham Leggett wrote: > --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original) > +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Mon Mar 1 > 01:31:36 2010 > @@ -465,7 +465,6 @@ > apr_size_t inl = inlen; > bio_filter_in_

Re: svn commit: r908015 - /httpd/httpd/trunk/modules/ssl/ssl_engine_config.c

2010-02-26 Thread Joe Orton
On Fri, Feb 26, 2010 at 12:55:38PM -0500, Jeff Trawick wrote: > On Tue, Feb 9, 2010 at 7:46 AM, wrote: > > --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original) > > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Feb  9 12:46:17 > > 2010 > > @@ -637,7 +637,8 @@ > >     sc->i

Re: Tagging 2.2.15 to play openssl catchup?

2010-02-26 Thread Joe Orton
On Fri, Feb 26, 2010 at 12:17:14PM +0100, Rainer Jung wrote: > Joe, do you already have a candidate, or should I suggest a backport > patch myself? Here's the patch: http://people.apache.org/~jorton/ms_reneg22_v1.diff I've excluded the docs from that since they don't require RTC, but obviousl

Re: Tagging 2.2.15 to play openssl catchup?

2010-02-26 Thread Joe Orton
On Fri, Feb 26, 2010 at 12:17:14PM +0100, Rainer Jung wrote: > Isn't 0.9.8m by default still allowing unsafe renegs? So updated > clients will be safe, but the server doesn't enforce the safetyness > (and reject unsafe client). No, OpenSSL now only allows secure reneg by default, so this is backw

Re: Finding memory leaks in httpd and httpd modules

2010-02-17 Thread Joe Orton
On Wed, Feb 17, 2010 at 09:12:03AM -0500, Jeff Trawick wrote: > a. get the server to steady state ... > b. see what causes the heap to expand (brk/sbrk) This is what I do too, FWIW. It's primitive but usually effective. Regards, Joe

Re: svn commit: r907917 - in /httpd/httpd/trunk: include/ap_mmn.h include/ap_socache.h modules/cache/mod_socache_dbm.c modules/cache/mod_socache_dc.c modules/cache/mod_socache_memcache.c modules/cache

2010-02-10 Thread Joe Orton
On Tue, Feb 09, 2010 at 03:43:18AM -, William Rowe wrote: > Author: wrowe > Date: Tue Feb 9 03:43:18 2010 > New Revision: 907917 > > URL: http://svn.apache.org/viewvc?rev=907917&view=rev > Log: > distcache already demonstrates sub-second resolutions, but much more > importantly, let us not in

Re: svn commit: r906039 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_private.h

2010-02-03 Thread Joe Orton
On Wed, Feb 03, 2010 at 03:33:23PM -0600, William Rowe wrote: > On 2/3/2010 3:18 PM, Joe Orton wrote: > > On Wed, Feb 03, 2010 at 12:44:45PM -0500, Eric Covener wrote: > >> On Wed, Feb 3, 2010 at 12:09 PM, Joe Orton wrote: > >>> I considered logging a warning for

Re: svn commit: r906039 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_private.h

2010-02-03 Thread Joe Orton
On Wed, Feb 03, 2010 at 12:44:45PM -0500, Eric Covener wrote: > On Wed, Feb 3, 2010 at 12:09 PM, Joe Orton wrote: > > > I considered logging a warning for each client which renegotiates > > insecurely (whether due to lack of support on client or server), but, > > that&#

Re: svn commit: r906039 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_private.h

2010-02-03 Thread Joe Orton
On Wed, Feb 03, 2010 at 11:51:16AM -0500, Dan Poirier wrote: > How about logging a dire warning during startup if insecure > renegotiation has been enabled? Hmmm, I'm not sure. If the user has configured this it seems slightly patronising to then berate them for doing so. Also, why log in the c

Re: TLS renegotiation attack, mod_ssl and OpenSSL

2010-02-03 Thread Joe Orton
On Wed, Jan 27, 2010 at 10:41:02PM +, Dr Stephen Henson wrote: > FYI the initial documentation is here: > > http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION > > there are currently only two flags to set in an SSL/SSL_CTX structure. Though > servers might want to m

Re: svn commit: r834378 - in /httpd/httpd/trunk: CHANGES docs/conf/extra/httpd-ssl.conf.in modules/ssl/mod_ssl.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h

2010-02-02 Thread Joe Orton
On Tue, Nov 10, 2009 at 07:55:13AM -, scte...@apache.org wrote: > Author: sctemme > Date: Tue Nov 10 07:55:13 2009 > New Revision: 834378 > > URL: http://svn.apache.org/viewvc?rev=834378&view=rev > Log: > enable support for ECC keys and ECDH ciphers. Tested against > OpenSSL 1.0.0b3. [Vipul

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-12-16 Thread Joe Orton
On Sun, Dec 13, 2009 at 06:59:37PM +0100, Ruediger Pluem wrote: > On 26.11.2009 22:06, Ruediger Pluem wrote: > > On 11/19/2009 04:58 PM, Joe Orton wrote: > >> Yes, I agree, this seems very sensible, I can't see any problem with > >> this. > >> > &

Re: [RESULTS] [VOTE] Release httpd 2.3.4-alpha

2009-12-07 Thread Joe Orton
On Fri, Dec 04, 2009 at 07:48:02PM -0600, William Rowe wrote: > Joe Orton wrote: > > 1) the httpd project cannot force the APR project to commit to API > > stability by distributing a snapshot of the APR 1.4 branch. Why on > > earth would that be the case? The only time th

Re: [RESULTS] [VOTE] Release httpd 2.3.4-alpha

2009-12-04 Thread Joe Orton
On Thu, Dec 03, 2009 at 05:21:09PM -0600, William Rowe wrote: > Paul Querna wrote: > > Vote Results: > >+1 (binding): Sander Temme, Paul Querna, Joe Orton, Niklas Edmundsson, > >+1: Gregg Smith > > +/-0: Rainer Jung > > -1: William A. Rowe, Jr. >

Re: [VOTE] Release httpd 2.3.4-alpha

2009-12-01 Thread Joe Orton
On Wed, Nov 25, 2009 at 02:43:42PM -0800, Paul Querna wrote: > Test tarballs for Apache httpd 2.3.4-alpha are available at: > > > Your votes please; > > +/- 1 > [+1] Release httpd-2.3.4 as Alpha Sorry I'm late - thanks for RMing! +1 here for Alpha. * p

Re: dav_new_error_*() and errno, revisit before 2.4 GA

2009-11-19 Thread Joe Orton
On Wed, Nov 18, 2009 at 07:29:46AM -0500, Jeff Trawick wrote: > - For mod_dav in httpd trunk/future 2.4: > http://people.apache.org/~trawick/mod_dav_err_api.txt Great stuff! Looks good here. Joe

Re: mutex method configuration cleanup for 2.4

2009-11-19 Thread Joe Orton
On Thu, Nov 19, 2009 at 06:47:56AM -0500, Jeff Trawick wrote: > I envisioned the conf (perhaps a vendor conf) declaring something like > > MutexDir logs > or > MutexDir /var/apache2/2.2/locks > > The admin can then adjust the mutex methods as necessary and not worry > about paths to locks. Or ch

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-11-19 Thread Joe Orton
On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote: > With the proposed change, we prevent request splitting attacks based > on the TLS renegotiation flaw. From my point of view without > drawbacks, since 'pipelining' clients must handle the closing of a > connection after a complete r

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-11-19 Thread Joe Orton
On Tue, Nov 17, 2009 at 06:12:41PM +0100, Hartmut Keil wrote: > The client must stop and wait for the response in any case, otherwise the > response of a subsequent request will get lost, if the server is not > configured > for keep-alive, or the response for the first request causes the server to

Re: mutex method configuration cleanup for 2.4

2009-11-19 Thread Joe Orton
On Wed, Nov 18, 2009 at 01:18:55PM -0500, Jeff Trawick wrote: > A. simplistic goal: Just make it simple for modules with no special > issues or love of complexity. Provide these directives to set global > defaults for modules that have been modified to query them: > > use MutexMethod and MutexFil

Re: better SSL defaults in 2.4

2009-11-19 Thread Joe Orton
On Wed, Nov 18, 2009 at 09:54:34AM -0500, Jeff Trawick wrote: > enable session cache by default? Yes! I've been moving towards this goal - creating a "default" socache provider is simple now. Regards, Joe

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-11-17 Thread Joe Orton
On Tue, Nov 17, 2009 at 11:42:40AM +0100, Hartmut Keil wrote: > Joe Orton wrote: > > This would break HTTP pipelining over SSL (for affected configurations), > > and it might not fail gracefully - the server would appear to simply > > never receive the pipelined requests

Re: r833582

2009-11-17 Thread Joe Orton
On Tue, Nov 17, 2009 at 10:06:32AM +0100, "Plüm, Rüdiger, VF-Group" wrote: > I now see the following warning: > > ssl_engine_kernel.c: In function `ssl_callback_Info': > ssl_engine_kernel.c:1943: warning: passing arg 1 of `SSL_state' discards > qualifiers from pointer target type r881222 should f

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-11-16 Thread Joe Orton
On Mon, Nov 16, 2009 at 09:59:12PM +0100, Hartmut Keil wrote: > With the change described in > https://issues.apache.org/bugzilla/show_bug.cgi?id=48204 > the buffer used in ssl_io_input_read(..) will be reset, and so the second > request of > the MITM will be dropped. > The first request will be

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Joe Orton
On Mon, Nov 16, 2009 at 08:21:20PM +0100, Jean-Marc Desperrier wrote: > Ok, so in fact I have one apache instance available locally with a > problem of this kind. It's configured to not require client > authentication by default, but to require it on the /authentication url > > So what happens t

Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)

2009-11-16 Thread Joe Orton
On Fri, Nov 06, 2009 at 02:00:47AM +, Dirk-Willem van Gulik wrote: > What we really need is 1) a pub/priv key pair of such a cert* (or use > attached CSR) of some random domain (ideally expired and with a totally > bogus CN value so we can post the private key publicly) and 2) obviously >

Re: TLS renegotiation attack, mod_ssl and OpenSSL

2009-11-10 Thread Joe Orton
On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote: > Joe Orton wrote: >> On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote: >>> > On Thu, Nov 05, 2009 at 09:31:00PM +, Joe Orton wrote: >>>> > > * we can detect in mod_ssl wh

Re: [PATCH] mod_ssl: improving session caching for SNI configurations

2009-11-10 Thread Joe Orton
On Mon, Nov 09, 2009 at 07:06:16PM +0100, Kaspar Brand wrote: > Dr Stephen Henson wrote: > > Yes that looks better. There is an alternative technique if it is easier to > > find > > a "base" SSL_CTX, you can retrieve the auto generated keys using > > SSL_CTX_get_tlsext_ticket_keys() and then copy

Re: TLS renegotiation attack, mod_ssl and OpenSSL

2009-11-05 Thread Joe Orton
On Fri, Nov 06, 2009 at 12:00:06AM +, Joe Orton wrote: > On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote: > > * we can detect in mod_ssl when the client is renegotiating by using the > > callback installed using SSL_CTX_set_info_callback(), in conjunction > > w

Re: TLS renegotiation attack, mod_ssl and OpenSSL

2009-11-05 Thread Joe Orton
On Fri, Nov 06, 2009 at 12:00:06AM +, Joe Orton wrote: > On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote: > > * we can detect in mod_ssl when the client is renegotiating by using the > > callback installed using SSL_CTX_set_info_callback(), in conjunction > > w

Re: TLS renegotiation attack, mod_ssl and OpenSSL

2009-11-05 Thread Joe Orton
On Thu, Nov 05, 2009 at 09:31:00PM +, Joe Orton wrote: > * we can detect in mod_ssl when the client is renegotiating by using the > callback installed using SSL_CTX_set_info_callback(), in conjunction > with suitable flags in the SSLConnRec to detect the cases where this is &

Re: TLS renegotiation attack, mod_ssl and OpenSSL

2009-11-05 Thread Joe Orton
On Thu, Nov 05, 2009 at 09:38:23PM +0100, Ruediger Pluem wrote: > If server triggered renegotiation will not work at all, people will just > ignore the > update or remove it from 0.9.8l in their self patched versions. > So overall I guess we would be safer with an approach that > > 1. Turns off r

Re: svn commit: r829619 - in /httpd/httpd/trunk: ./ modules/ssl/

2009-10-28 Thread Joe Orton
On Tue, Oct 27, 2009 at 03:14:55AM +0100, Guenter Knauf wrote: > Hi Joe, Steve, > I have some probs with getting this compiled; > first it's unclear for me from where HAVE_OCSP should get defined in > ssl_toolkit.compat.h - for me it seems it's not defined in line 42, thus > #include > in line 44

Re: svn commit: r829619 - in /httpd/httpd/trunk: ./ modules/ssl/

2009-10-28 Thread Joe Orton
On Mon, Oct 26, 2009 at 12:44:17AM +0100, Ruediger Pluem wrote: > On 10/25/2009 06:21 PM, jor...@apache.org wrote: > > Author: jorton > > Date: Sun Oct 25 17:21:10 2009 > > New Revision: 829619 > > > > URL: http://svn.apache.org/viewvc?rev=829619&view=rev > > Log: > > Add support for OCSP "staplin

Re: OCSP stapling in mod_ssl - use as OCSP cache for client authentication

2009-10-25 Thread Joe Orton
On Wed, Sep 16, 2009 at 01:45:30PM +0100, Joe Orton wrote: > On Wed, Sep 16, 2009 at 01:38:50PM +0100, Dr Stephen Henson wrote: > > I may have missed something here but the OCSP stapling code doesn't appear > > to be > > in trunk. The patch in: > > > &

Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12

2009-10-25 Thread Joe Orton
On Fri, Oct 23, 2009 at 06:08:52PM +0200, Kaspar Brand wrote: > Kamesh Jayachandran wrote: > > Find the tcpdump while this failure occurs at > > http://www.livecipher.com/tlsext_dump/tlsext.dmp > > It seems that you used a URI with an IP address (https://10.2.1.97/...), > is that correct? This ac

Re: dropping inode keyed locks in mod_dav_fs (was: Dav Locks corrupting; need some troubleshooting tools)

2009-10-22 Thread Joe Orton
On Sun, Oct 18, 2009 at 09:50:25PM +0200, Stefan Fritsch wrote: > On Thursday 15 October 2009, Dick Davies wrote: > > In any event, does it make sense to use something other than the > > inode as the key into the lockDB - the URI for example? > > Is the performance improvement of inode keyed locki

Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12

2009-10-22 Thread Joe Orton
On Thu, Oct 22, 2009 at 12:49:10PM +0530, Kamesh Jayachandran wrote: > I tried your patch. It does *not* fix the issue. > One difference it makes is, it triggers failure early at 20/30 files (PUT > requests) instead of 20k files earlier. Can you get a packet dump/trace from the client side? Is the

Re: fixing an httpd test which is confused about which modules are loaded in the test conf

2009-10-21 Thread Joe Orton
On Fri, Oct 16, 2009 at 03:32:04PM -0400, Jeff Trawick wrote: .. > --- Apache-Test/lib/Apache/TestConfigParse.pm (revision 822728) > +++ Apache-Test/lib/Apache/TestConfigParse.pm (working copy) > @@ -224,15 +224,15 @@ > > $name = $modname_alias{$name} if $modname_alias{$name}; > > -

Re: svn commit: r823703 - in /httpd/httpd/trunk: CHANGES modules/dav/fs/repos.c modules/dav/main/mod_dav.h

2009-10-15 Thread Joe Orton
On Mon, Oct 12, 2009 at 05:14:33PM -0400, Brian J. France wrote: > mod_dav_acl would use the filename to validate the acls. Like I said, I > don't know if get_pathname is needed or we should just use r->filename > and make sure a mod_dav_fs_db module updated it. Why does mod_dav_acl care about

Re: Dav Locks corrupting; need some troubleshooting tools

2009-10-15 Thread Joe Orton
On Thu, Oct 15, 2009 at 03:27:29PM +0100, Dick Davies wrote: > [sorry for the crosspost, but not sure where this should go]. > > To answer my own question: > > got to the bottom of it; looks to me like the > lock DB is a hash of > > inode <-> locktoken > > Steps to reproduce: > > * PUT file >

Re: SSLRequire: requiring a particular OID in extKeyUsage

2009-10-15 Thread Joe Orton
On Thu, Oct 15, 2009 at 03:43:36PM +0200, Graham Leggett wrote: > Joe Orton wrote: > > > Are you trying to match against the contents of the (single) extKeyUsage > > extension? That isn't how PeerExtList works, or at least, was written > > and documented to w

Re: SSLRequire: requiring a particular OID in extKeyUsage

2009-10-15 Thread Joe Orton
On Fri, Oct 09, 2009 at 07:56:42PM +0200, Graham Leggett wrote: > I am trying to solve the problem of limiting access to those who present > a client cert containing a specific extKeyUsage OID. > > So far, the config that I have for httpd-trunk is this: > > SSLRequire "1.3.6.1.5.5.7.3.4" in P

Re: svn commit: r823703 - in /httpd/httpd/trunk: CHANGES modules/dav/fs/repos.c modules/dav/main/mod_dav.h

2009-10-12 Thread Joe Orton
On Mon, Oct 12, 2009 at 04:17:00PM -0400, Brian J. France wrote: > On Oct 12, 2009, at 3:58 AM, Joe Orton wrote: >> On Sat, Oct 10, 2009 at 10:04:57AM +0200, Ruediger Pluem wrote: >>> This creates the following warning: >>> >>> repos.c:1827: warning: initializ

Re: svn commit: r823703 - in /httpd/httpd/trunk: CHANGES modules/dav/fs/repos.c modules/dav/main/mod_dav.h

2009-10-12 Thread Joe Orton
On Mon, Oct 12, 2009 at 04:23:59PM -0400, Brian J. France wrote: > On Oct 12, 2009, at 3:57 AM, Joe Orton wrote: >> On Fri, Oct 09, 2009 at 09:41:32PM -, Graham Leggett wrote: >>> --- httpd/httpd/trunk/modules/dav/main/mod_dav.h (original) >>> +++ httpd/httpd/trunk

Re: svn commit: r823703 - in /httpd/httpd/trunk: CHANGES modules/dav/fs/repos.c modules/dav/main/mod_dav.h

2009-10-12 Thread Joe Orton
On Sat, Oct 10, 2009 at 10:04:57AM +0200, Ruediger Pluem wrote: > On 10/09/2009 11:41 PM, minf...@apache.org wrote: > > == > > --- httpd/httpd/trunk/modules/dav/fs/repos.c (original) > > +++ httpd/httpd/trunk/modules/dav/fs
