[users@httpd] Digest: secret not used

2013-03-01 Thread Nicolas Daniels

Hi all,

I've been trying digest authentication for a while now and just noticed 
a strange behavior when working on a cluster.

Actually I've 2 Apaches behind a load balancer (so serving the same domain), 
and I noticed that an authentication sent to Apache A is valid when sent 
to Apache B.

Let me explain:

1. My client connects to Apache A, it receives an authentication 
required with a nonce (valid for 1h).
2. My client authenticates itself on Apache A using the received nonce.
3. A few minutes later, the same client issues another request directly 
using the nonce already received, but the request goes to Apache B --- 
no problem, the nonce is valid!


Looking at the code, it seems everything is done to prevent this by 
using a randomly generated secret in the nonce hash.


However, debugging a bit it seems the nonce_ctx initialization is 
performed BEFORE the secret initialization, so it is always initialized 
with the same empty secret and generated nonces are valid everywhere.


So basically, in mod_auth_digest.c, set_realm function is called before 
initialize_secret.


Actually this behavior fits my needs for now but I wanted to know if it 
is a desired behavior, if it is a bug and if it might change in future 
versions?


I checked this on Apache 2.4.2 and 2.4.4 under Ubuntu.

Thanks !

--
Nicolas Daniels
Blue Pimento Service s.p.r.l.
Rue Louis de Geer 6
B-1348 Louvain-la-neuve
Tel. +32 10 390 014
Mob. +32 498 089 725
Fax. +32 10 390 001

Visit our web site: http://www.bluepimento.eu
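The ordering problem described above, modelled as an added example (this is not mod_auth_digest's code, only a simplified nonce scheme of the same shape: a timestamp plus a hash over the timestamp and a per-server secret). Two simulated nodes are started with the secret initialised either before or after the nonce context is built; the 2013 timestamp is constructed.

```python
import base64
import hashlib
import hmac
import os

LIFETIME = 3600  # one hour, the nonce validity the poster observed

def make_nonce(secret: bytes, now: int) -> str:
    """nonce = base64(timestamp) ':' sha256(timestamp || secret)"""
    stamp = str(now).encode()
    return base64.b64encode(stamp).decode() + ":" + hashlib.sha256(stamp + secret).hexdigest()

def check_nonce(nonce: str, secret: bytes, now: int, lifetime: int = LIFETIME) -> bool:
    """Recompute the hash with this node's secret; reject on mismatch or expiry."""
    try:
        stamp_b64, digest = nonce.split(":", 1)
        stamp = base64.b64decode(stamp_b64, validate=True)  # binascii.Error is a ValueError
        issued = int(stamp)
    except ValueError:
        return False
    expected = hashlib.sha256(stamp + secret).hexdigest()
    if not hmac.compare_digest(expected, digest):  # constant-time comparison
        return False
    return 0 <= now - issued <= lifetime

class Node:
    """One Apache instance behind the balancer.  secret_first=False mirrors the
    ordering the poster describes: nonce context built (set_realm) while the
    secret is still empty, initialize_secret running afterwards."""
    def __init__(self, secret_first: bool):
        self.secret = b""
        if secret_first:
            self.secret = os.urandom(32)      # initialize_secret first ...
            self.nonce_secret = self.secret   # ... so the nonce context gets it
        else:
            self.nonce_secret = self.secret   # nonce context captures b""
            self.secret = os.urandom(32)      # random secret arrives too late

    def issue(self, now: int) -> str:
        return make_nonce(self.nonce_secret, now)

    def verify(self, nonce: str, now: int) -> bool:
        return check_nonce(nonce, self.nonce_secret, now)

def nonce_accepted_across_nodes(secret_first: bool, now: int = 1362096000) -> bool:
    """Nonce issued by node A, presented to node B five minutes later
    (now is a constructed 2013-03-01 timestamp, not a value from the post)."""
    a, b = Node(secret_first), Node(secret_first)
    return b.verify(a.issue(now), now + 5 * 60)
```

With the secret initialised too late, every node hashes with the same empty secret, so B accepts A's nonce; with independent random secrets initialised first, the cross-node nonce is rejected while a node's own nonces still verify until they expire.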


[users@httpd] [Solved] Re: [users@httpd] Certificate mismatch error

2013-03-01 Thread Kumar Bijayant
Hi Edward,

The issue is now resolved after importing the correct intermediate certs.
Their test steps were having some issue. Now all works fine.

Thanks for your help.

With Best Regards,
Bijayant Kumar

On Wed, Feb 27, 2013 at 2:23 AM, Edward Quick edwardqu...@hotmail.com wrote:

 Ok, I guess your job is to show that apache is set up correctly and the
 fault is on the client side, so try these tests:

 Using curl, with your root certificate file (you shouldn't need the
 intermediate one if you set apache up right), run this:

 Test 1:

 $ curl --cacert ./root.pem https://abc.com
 $ curl --cacert ./root.pem https://xyz.com

 If that returns an error, try:

 Test 2:
 $ curl -k --cacert ./root.pem https://abc.com

 That should work (but disables ssl validation). If it doesn't, try curl -v
 or read the curl man page :-)

 If that worked try:

 Test 3:
 Concatenate the intermediate cert (pem format) to the end of root.crt, and
 rerun the curl script:

 $ curl --cacert ./root_and_intermediate.pem https://abc.com
 $ curl --cacert ./root_and_intermediate.pem https://xyz.com



 --
 Date: Tue, 26 Feb 2013 20:49:54 +0530

 From: bijayant@gmail.com
 To: users@httpd.apache.org
 Subject: Re: [users@httpd] Certificate mismatch error

 Just got an update from client that after importing the intermediate cert
 also, the issue is not resolved !!

 *ORA-06512: at SYS.UTL_HTTP, line 1029*
 *ORA-29024: Certificate validation failure (-29273)*

 *Thanks & Regards,*
 *Bijayant Kumar*


 On Tue, Feb 26, 2013 at 7:49 PM, Kumar Bijayant bijayant@gmail.com wrote:

 The certificate is installed by third party (trust center). I think the
 same and asked them to check and install if it is not there. Just waiting
 for their reply now.

 Thanks for your help so far!

 Thanks & Regards,
 Bijayant Kumar


 On Tue, Feb 26, 2013 at 5:47 PM, Edward Quick edwardqu...@hotmail.com wrote:

 Is your certificate issued by an internal CA or someone like
 Verisign/Komodo etc?
 I wonder if the Oracle DB connecting has the CA root certificate installed
 in their truststore. If they do, check the certificate chain for your site
 to make sure the intermediate is correctly set up.

 --
 Date: Tue, 26 Feb 2013 14:29:29 +0530

 From: bijayant@gmail.com
 To: users@httpd.apache.org
 Subject: Re: [users@httpd] Certificate mismatch error

 Hi Edward,

 I just renewed the server certificate on the Apache webserver. Oracle DB
 is not in our scope, that was the message from client.

 Thanks,
 Bijayant Kumar


 On Mon, Feb 25, 2013 at 7:31 PM, Edward Quick edwardqu...@hotmail.com wrote:

 Could you clarify, when you say :

 The Certificate was installed into a Wallet-Manager of the ORACLE-DB.
 I need this Certificate for a communication between ORACLE-DB to the
 Webserver.

 Does that mean you are doing client certificate verification?

 Or are you just renewing the server certificate on your web server?

 --
 Date: Mon, 25 Feb 2013 18:34:21 +0530
 From: bijayant@gmail.com
 To: users@httpd.apache.org
 Subject: Re: [users@httpd] Certificate mismatch error


 Hi Edward,

 Yes, the intermediate certs have been set up on the Apache server.

 By any chance you know what else information can I ask from client to pin
 point their/DB problem?

 Thanks & Regards,
 Bijayant Kumar


 On Sun, Feb 24, 2013 at 2:16 PM, Edward Quick edwardqu...@hotmail.com wrote:

 Hi Bijayant,

 You don't need another certificate if xyz.com is a subject alternate name
 of the primary certificate abc.com, so your understanding there is
 correct.
 Is the intermediate certificate set up?

 Regards,
 Edward.

 --
 Date: Sun, 24 Feb 2013 12:49:45 +0530
 From: bijayant@gmail.com
 To: users@httpd.apache.org
 Subject: [users@httpd] Certificate mismatch error


 Hello List,

 I have an issue to connect SSL enabled site to Oracle database server. Let
 me explain you with an example here.

 My website name is abc.com and it has another name as well, say xyz.com, and 
 that is listed in the additional DNS name field of the certificate. The primary
 name is abc.com only.

 Now client is saying

 The Certificate was installed into a Wallet-Manager of the ORACLE-DB.
 I need this Certificate for a communication between ORACLE-DB to the
 Webserver. When the ORACLE DB communicates with the Webserver, the
 following error message was created:
 *ORA-06512: at SYS.UTL_HTTP, line 1029*
 *ORA-29024: Certificate validation failure (-29273)*
 Now they are asking me to create a new certificate with the name xyz.com only. 
 But as far as my knowledge goes, this should not create any issue as
 I have used both names in my certificate and also I am not getting any
 error while browsing the website with either name.
 Please correct me if I am wrong, or give any other pointer that will be helpful.



 Thanks & Regards,
 Bijayant Kumar
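The chain failure this thread ended on, reproduced offline as an added example (not from the list posts): a throwaway root, intermediate and leaf certificate for abc.com with xyz.com as a subjectAltName are generated with the openssl CLI, then verified the way a client trusting only the root would, with and without the intermediate bundled and against each name. It assumes the openssl command is installed; all names and key material are test-only.

```sh
#!/bin/sh
# Added example (not from the thread): throwaway root -> intermediate -> leaf
# chain for abc.com with xyz.com as a subjectAltName, then chain checks as a
# client that trusts only the root would perform them.  Needs the openssl CLI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# newkey_csr NAME CN: fresh RSA key and CSR; all material here is test-only.
newkey_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:abc.com,DNS:xyz.com\n' > leaf.ext

newkey_csr root TestRoot
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem 2>/dev/null
newkey_csr int TestIntermediate
openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.pem 2>/dev/null
newkey_csr leaf abc.com
openssl x509 -req -days 1 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem 2>/dev/null

# chain_status HOST [BUNDLE]: "ok" or "fail" for a client with only root.pem in
# its trust store, given leaf.pem plus whatever intermediate bundle the server sends.
chain_status() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile root.pem -untrusted "$2" -verify_hostname "$1" \
            leaf.pem >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile root.pem -verify_hostname "$1" leaf.pem \
            >/dev/null 2>&1 && echo ok || echo fail
    fi
}

echo "abc.com, leaf only sent:              $(chain_status abc.com)"                # fail
echo "abc.com, leaf + intermediate sent:    $(chain_status abc.com int.pem)"        # ok
echo "xyz.com via SAN, leaf + intermediate: $(chain_status xyz.com int.pem)"        # ok
echo "other.example, leaf + intermediate:   $(chain_status other.example int.pem)"  # fail
```

The first line is the situation the Oracle client was in: a leaf signed by an intermediate the server never sent cannot be chained to the root, while the SAN line shows that xyz.com needs no separate certificate once the chain is complete.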


[users@httpd] Re: Graceful Restart fails because of SSL Keys with Passphrase?

2013-03-01 Thread Andrew Schulman
 Maybe I should ask a more distinct question first:
 
 When we use apachectl graceful, is the expected functionality that apache 
 does not ask for pass-phrases again?  Presumably because it has the decrypted 
 keys already in memory?  Or, does apache restart the key loading process all 
 over again?
 
 Presently, sometimes it doesn't ask, sometimes it does.

I'm sorry, I think I misunderstood your question before.  I was thinking of a
full restart, not a graceful restart, aka reload.

If I understand the docs right, the same main server process will normally
continue, just rereading its configuration files.  I would think the expected
behavior would be not to reprompt, since the passphrases are already stored in
memory.  But I don't see that in the docs anywhere.  


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[users@httpd] Slow transaction on a balance member is holding subsequent requests

2013-03-01 Thread Federico Mennite

Hi,
I've configured a reverse proxy with two workers with lbmethod=bybusyness.
Given that the back-end servers support only one single 
connection concurrently, I've configured each member with max=1.


Now in a first connection to the server, I send a request to a resource 
that is going to take 20 seconds to respond.
Shortly after, with a second connection I send a request to a resource 
that is going to respond immediately. Everything looks fine.


I immediately send a third request to retrieve the fast resource but I 
unexpectedly have to wait until the first request has finished before 
getting an answer to the third.
I was expecting the 'bybusyness' algorithm to give priority to the non-busy 
balancer member but instead it seems that it is queuing the third 
request on the one being busy.


Is this behavior expected, should I configure something differently or 
can this be considered a bug?


Config snippet:
<Proxy balancer://session>
  BalancerMember http://10.10.1.1:26240 connectiontimeout=10 max=1
  BalancerMember http://10.10.1.1:26241 connectiontimeout=10 max=1
</Proxy>
<VirtualHost 10.1.1.1:80>
  KeepAlive On
  ServerName session.lifeware.ch
  ProxyPass / balancer://session/ lbmethod=bybusyness
</VirtualHost>

Apache version 2.2.16, distributed with Debian Squeeze.

Thanks for your help!

Regards,
Federico







[users@httpd] apache 2.4 performance tuning

2013-03-01 Thread Al Zick

Hi,

I have recently switched to Apache 2.4. I am running it on a somewhat 
underpowered system with only 1 GB of RAM. I would like to get 
better performance from this system and I am wondering what else I 
can do?


This is what my httpd-mpm.conf looks like:

<IfModule mpm_prefork_module>
    StartServers             5
    MinSpareServers          5
    MaxSpareServers         10
    MaxRequestWorkers      250
    MaxConnectionsPerChild   5
</IfModule>

<IfModule mpm_worker_module>
    StartServers            40
    MinSpareThreads        500
    MaxSpareThreads       1000
    ThreadsPerChild        103
    MaxRequestWorkers     4096
    MaxConnectionsPerChild   0
</IfModule>

Thanks,
Al





[users@httpd] mod_ssl help

2013-03-01 Thread Michele Mase'
I'm testing client authentication using:

SSLCACertificateFile /path/to/pemfile.pem
<LocationMatch /test>
SSLVerifyClient require
SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData
SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
</LocationMatch>


I should use two different CAs with the same DN (file /path/to/pemfile.pem).
When I try to use this configuration I receive:
Access to /test denied for 10.10.10.10 (requirement expression not fulfilled)
Failed expression: %{SSL_CLIENT_I_DN} eq ...

The only way it works is without the SSLRequire directive,
or
using only one CA in the file (file /path/to/pemfile.pem).

Some suggestions?

Regards
Michele Masè


[users@httpd] headers null in a custom module

2013-03-01 Thread Crne We
why the heck some of the essential headers present in the request are null when 
being processed in a custom apache module/hook function?

if this list is dead, is there another list dedicated for apache module 
developers?

Re: [users@httpd] headers null in a custom module

2013-03-01 Thread Stormy

At 11:13 AM 3/1/2013 -0800, Crne We wrote:
 why the heck some of the essential headers present in the request are null 
 when being processed in a custom apache module/hook function?


Perhaps because your coding skills are at the same level as your societal 
skills, writing to this list for assistance?


<plonk>Crne We crn...@yahoo.com</plonk>

P.
The only two things that are infinite in size are the universe and human 
stupidity. And I'm not completely sure about the universe. -- Albert Einstein


 if this list is dead, is there another list dedicated for apache module 
 developers?






Re: [users@httpd] headers null in a custom module

2013-03-01 Thread Eric Covener
On Fri, Mar 1, 2013 at 2:13 PM, Crne We crn...@yahoo.com wrote:
 why the heck some of the essential headers present in the request are null
 when being processed in a custom apache module/hook function?

Which ones are missing, and which ones are essential?  Did the
client actually send them?  What hook are you running in and how are
you trying to read them?

 if this list is dead, is there another list dedicated for apache module
 developers?

Why would it be dead? If it were dead, who would answer?  A casual
search should bring you here: http://httpd.apache.org/lists.html which
lists the details for modules-...@httpd.apache.org.

--
Eric Covener
cove...@gmail.com




[users@httpd] How to compile Apache without dynamic libraries

2013-03-01 Thread Santiago DIEZ
Hi all,

I'm Santiago from Paris, France, new subscriber to this mailing list.
Hope I will be of some help even though I just completed today my very
first compilation of Apache HTTP from source.

So as I said, I just compiled Apache HTTP from source.
It's working fine so I'm very happy and proud.

Now I'm trying to chroot Apache so I added the directive *ChrootDir /var/www* 
in */usr/local/httpd-2.4.4/conf/httpd.conf*.
Then Apache HTTP fails with the message *libgcc_s.so.1 must be installed 
for pthread_cancel to work*.
I found various solutions where people just copy the library into the jail
and I tested it and it works.

But what I would like to do is to *re-compile Apache so that it includes
the library into the standalone program*.
How is that possible?

Thanks for your help.

-
*Santiago DIEZ*


Re: [users@httpd] How to compile Apache without dynamic libraries

2013-03-01 Thread Eric Covener
 But what I would like to do is to re-compile Apache so that it includes the
 library into the standalone program.
 How is that possible?


libgcc_s is a special case, so you probably want to use the libgcc_s
specific info for static usage.
