[users@httpd] Digest: secret not used
Hi all,

I've been trying digest authentication for a while now and just noticed a strange behavior when working on a cluster. Actually I have 2 Apaches behind a load balancer (so serving the same domain), and I noticed that an authentication sent to Apache A is valid when sent to Apache B. Let me explain:

1. My client connects to Apache A; it receives an "authentication required" with a nonce (valid for 1h).
2. My client authenticates itself on Apache A using the received nonce.
3. A few minutes later, the same client issues another request directly using the nonce already received, but the request goes to Apache B --- no problem, the nonce is valid!

Looking at the code, it seems everything is done to prevent this by using a randomly generated secret in the nonce hash. However, debugging a bit, it seems the nonce_ctx initialization is performed BEFORE the secret initialization, so it is always initialized with the same empty secret and the generated nonces are valid everywhere. So basically, in mod_auth_digest.c, the set_realm function is called before initialize_secret.

Actually this behavior fits my needs for now, but I wanted to know if it is a desired behavior, if it is a bug and if it might change in a future version?

I checked this on Apache 2.4.2 and 2.4.4 under Ubuntu.

Thanks!

--
Nicolas Daniels
Blue Pimento Service s.p.r.l.
Rue Louis de Geer 6
B-1348 Louvain-la-neuve
+32 10 390 014
+32 498 089 725
Fax. +32 10 390 001
Visit our web site: www.bluepimento.eu http://www.bluepimento.eu
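To make the point of the thread concrete (why a nonce keyed with a per-server secret should not validate on another server, and why an empty secret makes every nonce portable), here is an added illustration. It is not code from the thread or from mod_auth_digest; the nonce layout it uses ("<issue time>:<HMAC-SHA256 over time and realm>", keyed with the server's secret) is a simplified model assumed for the example, and the realm name, lifetime and secrets are constructed values.

```python
import hashlib
import hmac
import os

# Simplified model (an assumption, not mod_auth_digest's actual nonce layout):
# nonce = "<issue time>:<hex HMAC-SHA256 over time and realm>", keyed with the
# server's secret. Whoever holds a different secret computes a different MAC.
NONCE_LIFETIME = 3600  # seconds; the thread's nonces are valid for 1h


def make_nonce(secret: bytes, realm: str, now: int) -> str:
    """Issue a nonce bound to this server's secret and realm."""
    ts = str(now)
    mac = hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_nonce(secret: bytes, realm: str, nonce: str, now: int) -> bool:
    """Accept a nonce only if it is well-formed, unexpired and keyed with our secret."""
    try:
        ts, mac = nonce.split(":", 1)
        issued = int(ts)
    except ValueError:
        return False  # malformed nonce
    if issued > now or now - issued > NONCE_LIFETIME:
        return False  # from the future or expired
    expected = hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def cross_server_acceptance(secret_a: bytes, secret_b: bytes,
                            realm: str = "cluster", now: int = 1_700_000_000) -> bool:
    """Does a nonce issued by server A (secret_a) pass on server B (secret_b)
    two minutes later, as in step 3 of the thread?"""
    nonce_from_a = make_nonce(secret_a, realm, now)
    return check_nonce(secret_b, realm, nonce_from_a, now + 120)


def demo() -> dict:
    """Compare three deployments; returns whether A's nonce is accepted on B."""
    results = {
        # Each node seeded with its own random secret (the intended behaviour
        # when the secret is initialized before nonce_ctx): rejected on B.
        "independent_secrets": cross_server_acceptance(os.urandom(32), os.urandom(32)),
        # Both nodes using the same empty secret (the observed behaviour): accepted.
        "empty_secret": cross_server_acceptance(b"", b""),
    }
    # A secret deliberately shared across the cluster: accepted by design.
    shared = os.urandom(32)
    results["shared_secret"] = cross_server_acceptance(shared, shared)
    return results


if __name__ == "__main__":
    for deployment, accepted in demo().items():
        print(f"{deployment:20s} nonce from A accepted on B: {accepted}")
```

The `empty_secret` case reproduces what the thread observes: when both nodes key their nonces with the same (empty) value, a nonce from A verifies on B. The `shared_secret` case shows that if cluster-wide acceptance is actually wanted, the defensible way to get it is to provision one secret on all nodes on purpose rather than depend on the secret being unset; the expiry check is what still bounds reuse in either case.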
[users@httpd] [Solved]Re: [users@httpd] Certificate mismatch error
Hi Edward,

The issue is now resolved after importing the correct intermediate certs. Their test steps were having some issue. Now all works fine. Thanks for your help.

With Best Regards,
Bijayant Kumar

On Wed, Feb 27, 2013 at 2:23 AM, Edward Quick edwardqu...@hotmail.com wrote:

> Ok, I guess your job is to show that apache is set up correctly and the fault is on the client side, so try these tests:
>
> Using curl, with your root certificate file (you shouldn't need the intermediate one if you set apache up right), run this:
>
> Test 1:
>
>     $ curl --cacert ./root.pem https://abc.com
>     $ curl --cacert ./root.pem https://xyz.com
>
> If that returns an error, try:
>
> Test 2:
>
>     $ curl -k --cacert ./root.pem https://abc.com
>
> That should work (but disables ssl validation). If it doesn't, try curl -v or read the curl man page :-)
>
> If that worked try:
>
> Test 3: Concatenate the intermediate cert (pem format) to the end of root.crt, and rerun the curl script:
>
>     $ curl --cacert ./root_and_intermediate.pem https://abc.com
>     $ curl --cacert ./root_and_intermediate.pem https://xyz.com
>
> --
> Date: Tue, 26 Feb 2013 20:49:54 +0530
> From: bijayant@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Certificate mismatch error
>
> Just got an update from client that after importing the intermediate cert also, the issue is not resolved !!
>
>     ORA-06512: at SYS.UTL_HTTP, line 1029
>     ORA-29024: Certificate validation failure (-29273)
>
> Thanks & Regards,
> Bijayant Kumar
>
> On Tue, Feb 26, 2013 at 7:49 PM, Kumar Bijayant bijayant@gmail.com wrote:
>
>> The certificate is installed by third party (trust center). I think the same and asked them to check and install if it is not there. Just waiting for their reply now. Thanks for your help so far!
>>
>> Thanks & Regards,
>> Bijayant Kumar
>>
>> On Tue, Feb 26, 2013 at 5:47 PM, Edward Quick edwardqu...@hotmail.com wrote:
>>
>>> Is your certificate issued by an internal CA or someone like Verisign/Komodo etc? I wonder if the Oracle DB connecting has the CA root certificate installed in their truststore. If they do, check the certificate chain for your site to make sure the intermediate is correctly set up.
>>>
>>> --
>>> Date: Tue, 26 Feb 2013 14:29:29 +0530
>>> From: bijayant@gmail.com
>>> To: users@httpd.apache.org
>>> Subject: Re: [users@httpd] Certificate mismatch error
>>>
>>> Hi Edward,
>>>
>>> I just renewed the server certificate on the Apache webserver. Oracle DB is not in our scope, that was the message from client.
>>>
>>> Thanks,
>>> Bijayant Kumar
>>>
>>> On Mon, Feb 25, 2013 at 7:31 PM, Edward Quick edwardqu...@hotmail.com wrote:
>>>
>>>> Could you clarify, when you say:
>>>>
>>>>     The Certificate was installed into a Wallet-Manager of the ORACLE-DB. I need this Certificate for a communication between ORACLE-DB to the Webserver.
>>>>
>>>> Does that mean you are doing client certificate verification? Or are you just renewing the server certificate on your web server?
>>>>
>>>> --
>>>> Date: Mon, 25 Feb 2013 18:34:21 +0530
>>>> From: bijayant@gmail.com
>>>> To: users@httpd.apache.org
>>>> Subject: Re: [users@httpd] Certificate mismatch error
>>>>
>>>> Hi Edward,
>>>>
>>>> Yes, the intermediate certs have been set up on the Apache server. By any chance do you know what other information I can ask from the client to pinpoint their/DB problem?
>>>>
>>>> Thanks & Regards,
>>>> Bijayant Kumar
>>>>
>>>> On Sun, Feb 24, 2013 at 2:16 PM, Edward Quick edwardqu...@hotmail.com wrote:
>>>>
>>>>> Hi Bijayant,
>>>>>
>>>>> You don't need another certificate if xyz.com is a subject alternate name of the primary certificate abc.com, so your understanding there is correct. Is the intermediate certificate set up?
>>>>>
>>>>> Regards,
>>>>> Edward.
>>>>>
>>>>> --
>>>>> Date: Sun, 24 Feb 2013 12:49:45 +0530
>>>>> From: bijayant@gmail.com
>>>>> To: users@httpd.apache.org
>>>>> Subject: [users@httpd] Certificate mismatch error
>>>>>
>>>>> Hello List,
>>>>>
>>>>> I have an issue connecting an SSL enabled site to an Oracle database server. Let me explain with an example here. My website name is abc.com and it has another name as well, say xyz.com, and that is listed in the additional DNS name field of the certificate. The primary name is abc.com only.
>>>>>
>>>>> Now the client is saying:
>>>>>
>>>>>     The Certificate was installed into a Wallet-Manager of the ORACLE-DB. I need this Certificate for a communication between ORACLE-DB to the Webserver. When the ORACLE DB communicates with the Webserver, the following error message was created:
>>>>>
>>>>>     ORA-06512: at SYS.UTL_HTTP, line 1029
>>>>>     ORA-29024: Certificate validation failure (-29273)
>>>>>
>>>>> Now they are asking me to create a new certificate with the name xyz.com only. But as far as my knowledge goes, this should not create any issue as I have used both names in my certificate and also I am not getting any error while browsing the website with either name.
>>>>>
>>>>> Please correct me if I am wrong, or give any other pointer that will be helpful.
>>>>>
>>>>> Thanks & Regards,
>>>>> Bijayant Kumar
[users@httpd] Re: Graceful Restart fails because of SSL Keys with Passphrase?
> Maybe I should ask a more distinct question first: When we use apachectl graceful, is the expected functionality that apache does not ask for pass-phrases again? Presumably because it has the decrypted keys already in memory? Or, does apache restart the key loading process all over again? Presently, sometimes it doesn't ask, sometimes it does.

I'm sorry, I think I misunderstood your question before. I was thinking of a full restart, not a graceful restart, aka reload.

If I understand the docs right, the same main server process will normally continue, just rereading its configuration files. I would think the expected behavior would be not to reprompt, since the passphrases are already stored in memory. But I don't see that in the docs anywhere.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Slow transaction on a balance member is holding subsequent requests
Hi,

I've configured a reverse proxy with two workers with lbmethod=bybusyness. Given that the back-end servers support only one single connection concurrently, I've configured each member with max=1.

Now in a first connection to the server, I send a request to a resource that is going to take 20 seconds to respond. Shortly after, with a second connection, I send a request to a resource that is going to respond immediately. Everything looks fine. I immediately send a third request to retrieve the fast resource, but I unexpectedly have to wait until the first request has finished before getting an answer to the third.

I was expecting the 'bybusyness' algorithm to give priority to the non-busy balancer member, but instead it seems that it is queuing the third request to the one being busy.

Is this behavior expected, should I configure something differently, or can this be considered a bug?

Config snippet:

    <Proxy balancer://session>
        BalancerMember http://10.10.1.1:26240 connectiontimeout=10 max=1
        BalancerMember http://10.10.1.1:26241 connectiontimeout=10 max=1
    </Proxy>

    <VirtualHost 10.1.1.1:80>
        KeepAlive On
        ServerName session.lifeware.ch
        ProxyPass / balancer://session/ lbmethod=bybusyness
    </VirtualHost>

Apache version 2.2.16, distributed with Debian Squeeze.

Thanks for your help!

Regards,
Federico
[users@httpd] apache 2.4 performance tuning
Hi,

I have recently switched to apache 2.4. I am running it on a somewhat underpowered system with only 1 GB of RAM. I would like to get better performance from this system and I am wondering what else I can do? This is what my httpd-mpm.conf looks like:

    <IfModule mpm_prefork_module>
        StartServers            5
        MinSpareServers         5
        MaxSpareServers        10
        MaxRequestWorkers     250
        MaxConnectionsPerChild  5
    </IfModule>

    <IfModule mpm_worker_module>
        StartServers           40
        MinSpareThreads       500
        MaxSpareThreads      1000
        ThreadsPerChild       103
        MaxRequestWorkers    4096
        MaxConnectionsPerChild  0
    </IfModule>

Thanks,
Al
[users@httpd] mod_ssl help
I'm testing client authentication using:

    SSLCACertificateFile /path/to/pemfile.pem
    <LocationMatch /test>
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLOptions +StdEnvVars +ExportCertData
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
    </LocationMatch>

I should use two different CAs with the same DN (file /path/to/pemfile.pem).

When I try to use this configuration I receive:

    Access to /test denied for 10.10.10.10 (requirement expression not fulfilled)
    Failed expression: %{SSL_CLIENT_I_DN} eq ...

The only way it works is:

- without the SSLRequire directive, or
- using only one CA in the file (file /path/to/pemfile.pem).

Some suggestions?

Regards
Michele Masè
[users@httpd] headers null in a custom module
Why the heck are some of the essential headers present in the request null when being processed in a custom apache module/hook function?

If this list is dead, is there another list dedicated to apache module developers?
Re: [users@httpd] headers null in a custom module
At 11:13 AM 3/1/2013 -0800, Crne We wrote:

> why the heck some of the essential headers present in the request are null when being processed in a custom apache module/hook function?

Perhaps because your coding skills are at the same level as your societal skills writing to this list for assistance?

<plonk>Crne We crn...@yahoo.com</plonk>

P.

The only two things that are infinite in size are the universe and human stupidity. And I'm not completely sure about the universe. -- Albert Einstein

> if this list is dead, is there another list dedicated for apache module developers?
Re: [users@httpd] headers null in a custom module
On Fri, Mar 1, 2013 at 2:13 PM, Crne We crn...@yahoo.com wrote:

> why the heck some of the essential headers present in the request are null when being processed in a custom apache module/hook function?

Which ones are missing, and which ones are essential? Did the client actually send them? What hook are you running in and how are you trying to read them?

> if this list is dead, is there another list dedicated for apache module developers?

Why would it be dead? If it were dead, who would answer?

A casual search should bring you here: http://httpd.apache.org/lists.html which lists the details for modules-...@httpd.apache.org.

--
Eric Covener
cove...@gmail.com
[users@httpd] How to compile Apache without dynamic libraries
Hi all,

I'm Santiago from Paris, France, a new subscriber to this mailing list. Hope I will be of some help even though I just completed today my very first compilation of Apache HTTP from source.

So as I said, I just compiled Apache HTTP from source. It's working fine so I'm very happy and proud. Now I'm trying to chroot Apache, so I added the directive ChrootDir /var/www in /usr/local/httpd-2.4.4/conf/httpd.conf. Then Apache HTTP fails with the message:

    libgcc_s.so.1 must be installed for pthread_cancel to work

I found various solutions where people just copy the library into the jail, and I tested it and it works. But what I would like to do is to re-compile Apache so that it includes the library into the standalone program. How is that possible?

Thanks for your help.

-
Santiago DIEZ
Re: [users@httpd] How to compile Apache without dynamic libraries
> But what I would like to do is to re-compile Apache so that it includes the library into the standalone program. How is that possible?

libgcc_s is a special case, so you probably want to use the libgcc_s specific info for static usage.