One more thing: this issue actually applies to all files of any type. Anything bigger than about 30K gets truncated.
--Ed

>From: "Edward Wong" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Corrupt Jar and Cab files
>Date: Tue, 20 Aug 2002 16:49:56 -0700
>
>Hello All,
>
>I'm seeing strange behavior when running apache 2.0.39 on Windows XP, where
>jar and cab files are truncated after only 16K or so (my jar/cab
>files are actually around 100K). This seems to happen with just about any
>browser, regardless of the JVM. Also, this issue only occurs on Windows
>XP. Win2k, WinNT, and Linux all work properly.
>
>In Windows XP under http, everything seems to work just fine.
>Under https, everything works fine EXCEPT for the jar and cab files. Taking a look at
>the java cache shows that naturally, the jar and cab files are missing. My
>ssl conf files are as follows:
>
>-------------------ssl.conf------------------------
>
>#
># This is the Apache server configuration file providing SSL support.
># It contains the configuration directives to instruct the server how to
># serve pages over an https connection. For detailing information about these
># directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
>#
># For the moment, see <URL:http://www.modssl.org/docs/> for this info.
># The documents are still being prepared from material donated by the
># modssl project.
>#
>
>#
># When we also provide SSL we have to listen to the
># standard HTTP port (see above) and to the HTTPS port
>#
>
>include conf/ssllisten.conf
>
>##
>## SSL Global Context
>##
>## All SSL configuration in this context applies both to
>## the main server and all SSL-enabled virtual hosts.
>##
>
>#
># Some MIME-types for downloading Certificates and CRLs
>#
>AddType application/x-x509-ca-cert .crt
>AddType application/x-pkcs7-crl .crl
>AddType application/x-509-ca-cert .csr
>
># Pass Phrase Dialog:
># Configure the pass phrase gathering process.
># The filtering dialog program (`builtin' is a internal
># terminal dialog) has to provide the pass phrase on stdout.
>#SSLPassPhraseDialog exec:certificates/getPassword.exe
>
># Inter-Process Session Cache:
># Configure the SSL Session Cache: First the mechanism
># to use and second the expiring timeout (in seconds).
>#SSLSessionCache none
>#SSLSessionCache shmht:logs/ssl_scache(512000)
>#SSLSessionCache shmcb:logs/ssl_scache(512000)
>SSLSessionCache dbm:logs/ssl_scache
>SSLSessionCacheTimeout 300
>
># Semaphore:
># Configure the path to the mutual exclusion semaphore the
># SSL engine uses internally for inter-process synchronization.
>SSLMutex file:logs/ssl_mutex
>
># Pseudo Random Number Generator (PRNG):
># Configure one or more sources to seed the PRNG of the
># SSL library. The seed data should be of good random quality.
># WARNING! On some platforms /dev/random blocks if not enough entropy
># is available. This means you then cannot use the /dev/random device
># because it would lead to very long connection times (as long as
># it requires to make more entropy available). But usually those
># platforms additionally provide a /dev/urandom device which doesn't
># block. So, if available, use this one instead. Read the mod_ssl User
># Manual for more details.
>SSLRandomSeed startup builtin
>SSLRandomSeed connect builtin
>#SSLRandomSeed startup file:/dev/random 512
>#SSLRandomSeed startup file:/dev/urandom 512
>#SSLRandomSeed connect file:/dev/random 512
>#SSLRandomSeed connect file:/dev/urandom 512
>
># Logging:
># The home of the dedicated SSL protocol logfile. Errors are
># additionally duplicated in the general error log file. Put
># this somewhere where it cannot be used for symlink attacks on
># a real server (i.e. somewhere where only root can write).
># Log levels are (ascending order: higher ones include lower ones):
># none, error, warn, info, trace, debug.
>#SSLLog logs/ssl_engine_log
>#SSLLogLevel warn
>
>
># SSL Cipher Suite:
>include conf/ciphers.conf
>
>##
>## SSL Virtual Host Context
>##
>
>include conf/sslvirtualhost.conf
>
>
>--------and sslvirtualhost.conf--------
>
><VirtualHost _default_:8443>
>#DocumentRoot "doc"
>#ServerAdmin [EMAIL PROTECTED]
>ErrorLog logs/error_log
>TransferLog logs/access_log
>UseCanonicalName On
>
># SSL Engine Switch:
># Enable/Disable SSL for this virtual host.
>SSLEngine on
>
># Server Certificate:
># Point SSLCertificateFile at a PEM encoded certificate. If
># the certificate is encrypted, then you will be prompted for a
># pass phrase. Note that a kill -HUP will prompt again.
># A test certificate can be generated with `make certificate' under
># built time. Keep in mind that if you've both a RSA and a DSA
># certificate you can configure both in parallel (to also allow
># the use of DSA ciphers, etc.)
>
>SSLCertificateFile certificates/server.crt
>
>
># Server Private Key:
># If the key is not combined with the certificate, use this
># directive to point at the key file. Keep in mind that if
># you've both a RSA and a DSA private key you can configure
># both in parallel (to also allow the use of DSA ciphers, etc.)
>
>SSLCertificateKeyFile certificates/server.key
>
>
># Server Certificate Chain:
># Point SSLCertificateChainFile at a file containing the
># concatenation of PEM encoded CA certificates which form the
># certificate chain for the server certificate. Alternatively
># the referenced file can be the same as SSLCertificateFile
># when the CA certificates are directly appended to the server
># certificate for convenience.
>
>#SSLCertificateChainFile certificates/server.crt
>
>
># Certificate Authority (CA):
># Set the CA certificate verification path where to find CA
># certificates for client authentication or alternatively one
># huge file containing all of them (file must be PEM encoded)
># Note: Inside SSLCACertificatePath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCACertificatePath /Apache2/conf/ssl.crt
>#SSLCACertificateFile /Apache2/conf/ssl.crt/ca-bundle.crt
>
># Certificate Revocation Lists (CRL):
># Set the CA revocation path where to find CA CRLs for client
># authentication or alternatively one huge file containing all
># of them (file must be PEM encoded)
># Note: Inside SSLCARevocationPath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCARevocationPath /Apache2/conf/ssl.crl
>#SSLCARevocationFile /Apache2/conf/ssl.crl/ca-bundle.crl
>
># Client Authentication (Type):
># Client certificate verification type and depth. Types are
># none, optional, require and optional_no_ca. Depth is a
># number which specifies how deeply to verify the certificate
># issuer chain before deciding the certificate is not valid.
>#SSLVerifyClient require
>#SSLVerifyDepth 10
>
># Access Control:
># With SSLRequire you can do per-directory access control based
># on arbitrary complex boolean expressions containing server
># variable checks and other lookup directives. The syntax is a
># mixture between C and Perl. See the mod_ssl documentation
># for more details.
>#<Location />
>#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
># and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
># and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
># and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
># and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
># or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
>#</Location>
>
># SSL Engine Options:
># Set various options for the SSL engine.
># o FakeBasicAuth:
># Translate the client X.509 into a Basic Authorisation. This means that
># the standard Auth/DBMAuth methods can be used for access control. The
># user name is the `one line' version of the client's X.509 certificate.
># Note that no password is obtained from the user. Every entry in the user
># file needs this password: `xxj31ZMTZzkVA'.
># o ExportCertData:
># This exports two additional environment variables: SSL_CLIENT_CERT and
># SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
># server (always existing) and the client (only existing when client
># authentication is used). This can be used to import the certificates
># into CGI scripts.
># o StdEnvVars:
># This exports the standard SSL/TLS related `SSL_*' environment variables.
># Per default this exportation is switched off for performance reasons,
># because the extraction step is an expensive operation and is usually
># useless for serving static content. So one usually enables the
># exportation for CGI and SSI requests only.
># o CompatEnvVars:
># This exports obsolete environment variables for backward compatibility
># to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
># to provide compatibility to existing CGI scripts.
># o StrictRequire:
># This denies access when "SSLRequireSSL" or "SSLRequire" applied even
># under a "Satisfy any" situation, i.e. when it applies access is denied
># and no other module can change it.
># o OptRenegotiate:
># This enables optimized SSL connection renegotiation handling when SSL
># directives are used in per-directory context.
>SSLOptions +StdEnvVars +StrictRequire +OptRenegotiate
><Files ~ "\.(cgi|shtml|phtml|php3?)$">
> SSLOptions +StdEnvVars
></Files>
>
>
># SSL Protocol Adjustments:
># The safe and default but still SSL/TLS standard compliant shutdown
># approach is that mod_ssl sends the close notify alert but doesn't wait for
># the close notify alert from client. When you need a different shutdown
># approach you can use one of the following variables:
># o ssl-unclean-shutdown:
># This forces an unclean shutdown when the connection is closed, i.e. no
># SSL close notify alert is send or allowed to received. This violates
># the SSL/TLS standard but is needed for some brain-dead browsers. Use
># this when you receive I/O errors because of the standard approach where
># mod_ssl sends the close notify alert.
># o ssl-accurate-shutdown:
># This forces an accurate shutdown when the connection is closed, i.e. a
># SSL close notify alert is send and mod_ssl waits for the close notify
># alert of the client. This is 100% SSL/TLS standard compliant, but in
># practice often causes hanging connections with brain-dead browsers.
># Use this only for browsers where you know that their SSL implementation
># works correctly.
># Notice: Most problems of broken clients are also related to the HTTP
># keep-alive facility, so you usually additionally want to disable
># keep-alive for those clients, too. Use variable "nokeepalive" for this.
># Similarly, one has to force some clients to use HTTP/1.0 to workaround
># their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
># "force-response-1.0" for this.
>SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
># Per-Server Logging:
># The home of a custom SSL log file. Use this when you want a
># compact non-error SSL logfile on a virtual host basis.
>CustomLog logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
></VirtualHost>
>
>
>Any and all help is greatly appreciated.
>
>--Edward Wong
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
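
Added example, not part of the original message and not mod_ssl code: a Python check for the symptom reported above, a response body that stops short of its Content-Length. The names `read_checked`, `fetch_checked` and `replay` and the sample responses are constructed for illustration; the 100000 and 16384 byte sizes mirror the figures in the report.

```python
import hashlib
import http.client
import io

def read_checked(resp):
    """Read the whole body; report declared vs. received length."""
    declared = resp.getheader("Content-Length")
    try:
        body, complete = resp.read(), True
    except http.client.IncompleteRead as exc:
        # Peer closed before Content-Length bytes arrived; keep the partial body.
        body, complete = exc.partial, False
    return {
        "declared": int(declared) if declared is not None else None,
        "received": len(body),
        "complete": complete,
        "sha256": hashlib.sha256(body).hexdigest(),
    }

def fetch_checked(host, port, path, tls=False, context=None):
    """GET path from a live server over HTTP or HTTPS and check the body."""
    if tls:
        conn = http.client.HTTPSConnection(host, port, timeout=10, context=context)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        return read_checked(conn.getresponse())
    finally:
        conn.close()

class ReplaySocket:
    """Stand-in socket so http.client parses constructed bytes offline."""
    def __init__(self, raw):
        self._raw = raw
    def makefile(self, *args, **kwargs):
        return io.BytesIO(self._raw)

def replay(raw):
    """Parse a constructed raw response and run the same length check."""
    resp = http.client.HTTPResponse(ReplaySocket(raw))
    resp.begin()
    return read_checked(resp)

# Constructed sample responses: a 100000-byte jar, sent whole and cut at 16384.
HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/java-archive\r\n"
        b"Content-Length: 100000\r\n\r\n")
FULL = HEAD + b"J" * 100000
CUT = HEAD + b"J" * 16384

if __name__ == "__main__":
    for name, raw in (("full", FULL), ("cut", CUT)):
        print(name, replay(raw))
```

To compare a live server, call `fetch_checked` for the same path on the HTTP port and on the HTTPS port (8443 in the virtual host above) and compare `received` and `sha256`. A response that carries no Content-Length cannot be checked this way, because the client has no declared size to compare against.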