Re: [AOLSERVER] nsopenssl and "unexpected eof" on write
Haig Didizian,

Check out the AOLSERVER listserv archives for the discussions with subjects "SSL data truncation" and "differences between ns_httppost and sockets?" I'll post the final point, here I made earlier, but for more insight to the problem see those threads.

On 04.02.10 11:46, Torben Brosten wrote:
> John Caruso et al,
>
> Could xotcl-core[2] be the work around/solution to this SSL ns_httpsget bug[1]?

The mentioned bug [1] looks like a buffering problem to me. Since OpenSSL has its own buffering layer, the interaction can be tricky and might as well differ depending on the OpenSSL version. It has been a while since I fiddled with this in another context (pound + streaming connections). I am not aware of the problem in the tls implementation, but we are not using tls intensively.

In general, the http-client functions of xotcl-core provide an alternative http/https implementation based directly on the Tcl I/O functionality. So, this is indeed a different integration with OpenSSL, which can be tested/debugged also outside of aolserver. While the aolserver built-in functions work mostly without add-ons (nsopenssl), xotcl-core functions require (1) the tcl thread library (in this context for event driven I/O and mutex functionality), (2) tls and (3) xotcl.

-gustaf neumann

> cheers,
>
> Torben
>
> 1. On July 15 2009 John Caruso wrote:
> > We've run into a bug with AOLserver 4.5.1 / nsopenssl 3.0beta26. The bug is fully documented here:
> >
> > https://sourceforge.net/tracker/?func=detail&aid=2822117&group_id=3152&atid=103152
> >
> > But the short version is that when using the nsopenssl client-side routines (e.g. ns_httpsget), the result may be truncated if the client starts reading before all of the data has been received. This bug ONLY occurs with an AOLserver client (any version) running against an AOLserver 4 / nsopenssl 3.0beta26 server. We've reproduced the bug on RHEL4, RHEL5, and Mac OS X.
> >
> > The bug is easily demonstrated by copying the file I've attached to this message (sslbug.tcl) to the top-level context of a web server running AOLserver 4.x/nsopenssl 3.0beta26 and then navigating to https:///sslbug.tcl. If you comment out the ns_httpsget and use ns_httpget instead, you'll see that the bug disappears.
> >
> > We've done a lot of instrumenting of nsopenssl/AOLserver, but haven't been able to track down the root cause. It seems likely that it's related to data buffering, which seems like it would be occurring within AOLserver or Tcl...but the issue is definitely specific to SSL, which implies that it's something in nsopenssl 3.0beta26.
> >
> > Does anyone have any idea what might be causing this problem?
> >
> > - John
>
> 2. On Feb 4, 2010, at 1:21 AM, Gustaf Neumann wrote:
> > Dear Brian and all,
> >
> > xotcl-core of OpenACS contains a full set of HTTP client support, including POST requests and https (via the tcl tls package). Below is the description included in the source
> >
> > best regards
> > -gustaf neumann
> >
> > ===
> >
> > # Defined classes
> > # 1) HttpCore (common base class)
> > # 2) HttpRequest (for blocking requests + timeout support)
> > # 3) AsyncHttpRequest (for non-blocking requests + timeout support)
> > # 4) HttpRequestTrace (mixin class)
> > # 5) Tls (mixin class, applicable to various protocols)
> > #
> > ##
> > #
> > # 1 HttpRequest
> > #
> > # HttpRequest is a class to implement the client side
> > # for the HTTP methods GET and POST.
> > #
> > # Example of a GET request:
> > #
> > #   set r [::xo::HttpRequest new -url http://www.openacs.org/]
> > #
> > # The resulting object $r contains all information
> > # about the requests, such as e.g. status_code or
> > # data (the response body from the server). For details
> > # look into the output of [$r serialize]. The result
> > # object $r is automatically deleted at cleanup of
> > # a connection thread.
> > #
> > # Example of a POST request with a form with var1 and var2
> > # (providing post_data causes the POST request).
> > #
> > #   set r [::xo::HttpRequest new \
> > #       -url http://yourhost.yourdomain/yourpath \
> > #       -post_data [export_vars {var1 var2}] \
> > #       -content_type application/x-www-form-urlencoded]
> > #
> > # More recently, we added timeout support for blocking http
> > # requests. By passing a timeout parameter, you gain control
> > # on the total roundtrip time (in milliseconds, ms):
> > #
> > #   set r [::xo::HttpRequest new \
> > #       -url http://www.openacs.org/ \
> > #       -timeout 1500]
> >
Re: [AOLSERVER] nsopenssl fails to load
Maurizio,

File pasted below.

-PT

#
# The contents of this file are subject to the AOLserver Public License
# Version 1.1 (the "License"); you may not use this file except in
# compliance with the License. You may obtain a copy of the License at
# http://aolserver.com.
#
# Software distributed under the License is distributed on an "AS IS"
# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
# the License for the specific language governing rights and limitations
# under the License.
#
# Alternatively, the contents of this file may be used under the terms
# of the GNU General Public License (the "GPL"), in which case the
# provisions of GPL are applicable instead of those above. If you wish
# to allow use of your version of this file only under the terms of the
# GPL and not to allow others to use your version of this file under the
# License, indicate your decision by deleting the provisions above and
# replace them with the notice and other provisions required by the GPL.
# If you do not delete the provisions above, a recipient may use your
# version of this file under either the License or the GPL.
#
# Copyright (C) 2001-2003 Scott S. Goodwin
#
# Portions created by AOL are Copyright (C) 1999 America Online, Inc. All
# Rights Reserved.
#
#
# $Header: /cvsroot/aolserver/nsopenssl/Makefile,v 1.44 2004/11/20 06:42:54 dossy Exp $
#

AOLSERVER ?= ../aolserver

ifndef OPENSSL

all:
	@echo "** "
	@echo "** OPENSSL variable not set."
	@echo "** nsopenssl will not be built."
	@echo "** "

install: all

clean:

else

#
# Version number used in release tags. Valid VERs are "1.1c", "2.1",
# "2.2beta7". VER "1.1c" will be translated into "v1_1c" by this Makefile.
#
VER_ = $(subst .,_,$(VER))

MODNAME = nsopenssl

LIB = nsopenssl
LIBOBJS = sslcontext.o ssl.o tclcmds.o x509.o
LIBLIBS = -L$(OPENSSL)/lib -lssl -lcrypto

MOD = nsopenssl.so
MODOBJS = nsopenssl.o
HDRS = nsopenssl.h
MODLIBS = -L$(OPENSSL)/lib -lssl -lcrypto

TCLMOD = https.tcl

# Add static compilation ability, per grax3272
ifeq ($(STATIC),1)
MODLIBS = $(OPENSSL)/lib/libssl.a $(OPENSSL)/lib/libcrypto.a
endif

#
# Kerberos headers are included in case your OpenSSL library was built with
# Kerberos support. This is generally true on RedHat 9 and possibly Fedora
# Core. If OPENSSL_NO_KRB5 is define in then OpenSSL
# *was not* compiled with Kerberos support.
#
CFLAGS += -I$(OPENSSL)/include -I/usr/kerberos/include

INSTALL = install-https.tcl

include $(AOLSERVER)/include/Makefile.module

##
## Extra install targets.
##
install-https.tcl:
	$(INSTALL_SH) $(TCLMOD) $(INSTTCL)

.PHONY: install-https.tcl

#
# Help the poor developer
#
help:
	@echo "**"
	@echo "** DEVELOPER HELP FOR THIS $(MODNAME)"
	@echo "**"
	@echo "** make tag VER=X.Y"
	@echo "** Tags the module CVS code with the given tag."
	@echo "** You can tag the CVS copy at any time, but follow the rules."
	@echo "** VER must be of the form:"
	@echo "** X.Y"
	@echo "** X.YbetaN"
	@echo "** You should browse CVS at SF to find the latest tag."
	@echo "**"
	@echo "** make file-release VER=X.Y"
	@echo "** Checks out the code for the given tag from CVS."
	@echo "** The result will be a releaseable tar.gz file of"
	@echo "** the form: module-X.Y.tar.gz."
	@echo "**"

#
# Tag the code in CVS right now
#
tag:
	@if [ "$(VER)" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi
	cvs rtag v$(VER_) $(MODNAME)

#
# Create a distribution file release
#
file-release:
	@if [ "$(VER)" = "" ]; then echo 1>&2 "VER must be set to version number!"; exit 1; fi
	@echo "(Just hit the return key when prompted for CVS password)"
	cvs -d :pserver:anonym...@cvs.sf.net:/cvsroot/aolserver login
	cd /tmp && cvs -d :pserver:anonym...@cvs.sf.net:/cvsroot/aolserver co -rv$(VER_) -d$(MODNAME)-$(VER) $(MODNAME) && tar cf - $(MODNAME)-$(VER) | gzip -c > $(MODNAME)-$(VER).tar.gz
	echo "--- FILE RELEASE is: /tmp/$(MODNAME)-$(VER).tar.gz"

endif

On Jul 17, 2009, at 6:46 AM, Maurizio Martignano wrote:

Could I have copy of your Makefile?

Thanks in advance,
Maurizio

-Original Message-
From: AOLserver Discussion [mailto:aolser...@listserv.aol.com] On Behalf Of Prem Thomas
Sent: 17 July 2009 00:41
To: AOLSERVER@LISTSERV.AOL.COM
Subject: Re: [AOLSERVER] nsopenssl fails to load

Maurizio,

Thanks for the reply. A Win32 OpenACS! I
Re: [AOLSERVER] nsopenssl fails to load
Could I have copy of your Makefile?

Thanks in advance,
Maurizio

-Original Message-
From: AOLserver Discussion [mailto:aolser...@listserv.aol.com] On Behalf Of Prem Thomas
Sent: 17 July 2009 00:41
To: AOLSERVER@LISTSERV.AOL.COM
Subject: Re: [AOLSERVER] nsopenssl fails to load

Maurizio,

Thanks for the reply. A Win32 OpenACS!

I checked my build directory (below) and it has all the files you mentioned. I think this is a problem with loading and linking on Solaris.

drwxr-xr-x 6 root root 26 Jul 15 23:54 .
drwxr-xr-x 16 root root 26 Jul 15 23:50 ..
drwxr-xr-x 2 root root 6 Jul 15 23:50 CVS
-rw-r--r-- 1 root root 40468 Nov 20 2004 ChangeLog
-rw-r--r-- 1 root root 3981 Nov 20 2004 Makefile
-rw-r--r-- 1 root root 15485 Aug 25 2004 README
-rw-r--r-- 1 root root 2172 Apr 9 2004 TODO
drwxr-xr-x 3 root root 6 Jul 15 23:50 ca
-rw-r--r-- 1 root root 1450 Jun 23 2004 defaults.h
drwxr-xr-x 3 root root 3 Jul 15 23:50 docs
-rw-r--r-- 1 root root 13877 Jun 16 2004 https.tcl
-rwxr-xr-x 1 root root 1312755 Jul 15 23:51 libnsopenssl.so
-rw-r--r-- 1 root root 8538 Oct 27 2004 nsd.tcl
-rw-r--r-- 1 root root 30910 Nov 20 2004 nsopenssl.c
-rw-r--r-- 1 root root 7 Mar 28 2006 nsopenssl.h
-rw-r--r-- 1 root root 12496 Jul 15 23:51 nsopenssl.o
-rwxr-xr-x 1 root root 15067 Jul 15 23:54 nsopenssl.so
-rw-r--r-- 1 root root 23439 Mar 28 2006 ssl.c
-rw-r--r-- 1 root root 8648 Jul 15 23:51 ssl.o
-rw-r--r-- 1 root root 51954 Mar 28 2006 sslcontext.c
-rw-r--r-- 1 root root 17484 Jul 15 23:51 sslcontext.o
-rw-r--r-- 1 root root 56427 Jun 13 2004 tclcmds.c
-rw-r--r-- 1 root root 24404 Jul 15 23:51 tclcmds.o
drwxr-xr-x 3 root root 18 Jul 15 23:50 tests
-rw-r--r-- 1 root root 9446 Apr 13 2004 x509.c
-rw-r--r-- 1 root root 5804 Jul 15 23:51 x509.o

-Prem Thomas

On Jul 16, 2009, at 8:54 AM, Maurizio Martignano wrote:

> Hello Thomas,
> the variable you seem to be missing
>
> Tcl_HashTable NsOpenSSLServers;
>
> is declared inside the file
>
> sslcontext.c
>
> From the errors you're getting I believe you have not included this file in your build.
>
> I'm currently working on providing my Win32-OpenACS
>
> http://www.friendlybits.com/en/inf_tec_en/win32openacs_en/
>
> distribution with HTTPS/SSL support and up to now I didn't find any problem whatsoever.
>
> Of course I'm using makefiles and development tools different from yours, anyhow I believe you should make sure the following files are included in your build:
>
> nsopenssl.c
> ssl.c
> sslcontext.c
> tclcmds.c
> x509.c
>
> Hope this helps,
> Maurizio
>
> -Original Message-
> From: AOLserver Discussion [mailto:aolser...@listserv.aol.com] On Behalf Of Prem Thomas
> Sent: 16 July 2009 01:28
> To: AOLSERVER@LISTSERV.AOL.COM
> Subject: [AOLSERVER] nsopenssl fails to load
>
> I'm having trouble loading nsopenssl with AOLserver 4.5.1. Despite multiple attempts to address the problem, I'm going nowhere. Details below. I'd greatly appreciate advice. --Prem Thomas
>
> Details
> ===
>
> 64-bit x86
> OpenSolaris (Nexenta: SunOS 5.11 kernel with a Ubuntu Hardy 8.04 userland)
> AOLserver 4.5.1
> TCL 8.5.7
> OpenSSL 0.9.8k
> nsopenssl 3.0.b26
> GNU Make 3.81
> gcc (GCC) 4.2.3 (Ubuntu 4.2.3-2nexenta7)
>
> Both OpenSSL and nsopenssl built successfully. When I start AOLserver, I get this fatal error:
>
> [12/Jul/2009:23:26:14][1142.1][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
> [12/Jul/2009:23:26:14][1142.1][-main-] Warning: modload: could not load /usr/local/aolserver/bin/nsopenssl.so: ld.so.1: nsd: fatal: relocation error: file /usr/local/aolserver/bin/nsopenssl.so: symbol NsOpenSSLServers: referenced symbol not found
> [12/Jul/2009:23:26:14][1142.1][-main-] Fatal: modload: failed to load module '/usr/local/aolserver/bin/nsopenssl.so'
>
> After googling around, and reading this: http://openacs.org/forums/message-view?message_id=51691
> I tried building nsopenssl with the -Bstatic flag:
>
> # make install OPENSSL=/usr/local/ssl AOLSERVER=${NS} MODLIBS="-Bstatic -L${OPENSSL}/lib -lssl -lcrypto -L/usr/lib/gcc/i386-pc-solaris2.11/4.2.3 -lgcc"
>
> Same error.
>
> I also tried rebuilding OpenSSL with the no-asm config option:
>
> # ./Configure solaris-x86-gcc no-asm
>
> Build succeeded and I rebuilt nsopenssl. But I still get the same error.
>
> I tried rebuilding nsopenssl with make CC="gcc -fPIC" but this produced errors:
>
> shlib_target=; if [ -n "" ]; then \
>
Re: [AOLSERVER] nsopenssl fails to load
Maurizio,

Thanks for the reply. A Win32 OpenACS!

I checked my build directory (below) and it has all the files you mentioned. I think this is a problem with loading and linking on Solaris.

drwxr-xr-x 6 root root 26 Jul 15 23:54 .
drwxr-xr-x 16 root root 26 Jul 15 23:50 ..
drwxr-xr-x 2 root root 6 Jul 15 23:50 CVS
-rw-r--r-- 1 root root 40468 Nov 20 2004 ChangeLog
-rw-r--r-- 1 root root 3981 Nov 20 2004 Makefile
-rw-r--r-- 1 root root 15485 Aug 25 2004 README
-rw-r--r-- 1 root root 2172 Apr 9 2004 TODO
drwxr-xr-x 3 root root 6 Jul 15 23:50 ca
-rw-r--r-- 1 root root 1450 Jun 23 2004 defaults.h
drwxr-xr-x 3 root root 3 Jul 15 23:50 docs
-rw-r--r-- 1 root root 13877 Jun 16 2004 https.tcl
-rwxr-xr-x 1 root root 1312755 Jul 15 23:51 libnsopenssl.so
-rw-r--r-- 1 root root 8538 Oct 27 2004 nsd.tcl
-rw-r--r-- 1 root root 30910 Nov 20 2004 nsopenssl.c
-rw-r--r-- 1 root root 7 Mar 28 2006 nsopenssl.h
-rw-r--r-- 1 root root 12496 Jul 15 23:51 nsopenssl.o
-rwxr-xr-x 1 root root 15067 Jul 15 23:54 nsopenssl.so
-rw-r--r-- 1 root root 23439 Mar 28 2006 ssl.c
-rw-r--r-- 1 root root 8648 Jul 15 23:51 ssl.o
-rw-r--r-- 1 root root 51954 Mar 28 2006 sslcontext.c
-rw-r--r-- 1 root root 17484 Jul 15 23:51 sslcontext.o
-rw-r--r-- 1 root root 56427 Jun 13 2004 tclcmds.c
-rw-r--r-- 1 root root 24404 Jul 15 23:51 tclcmds.o
drwxr-xr-x 3 root root 18 Jul 15 23:50 tests
-rw-r--r-- 1 root root 9446 Apr 13 2004 x509.c
-rw-r--r-- 1 root root 5804 Jul 15 23:51 x509.o

-Prem Thomas

On Jul 16, 2009, at 8:54 AM, Maurizio Martignano wrote:

Hello Thomas,
the variable you seem to be missing

Tcl_HashTable NsOpenSSLServers;

is declared inside the file

sslcontext.c

From the errors you're getting I believe you have not included this file in your build.

I'm currently working on providing my Win32-OpenACS

http://www.friendlybits.com/en/inf_tec_en/win32openacs_en/

distribution with HTTPS/SSL support and up to now I didn't find any problem whatsoever.

Of course I'm using makefiles and development tools different from yours, anyhow I believe you should make sure the following files are included in your build:

nsopenssl.c
ssl.c
sslcontext.c
tclcmds.c
x509.c

Hope this helps,
Maurizio

-Original Message-
From: AOLserver Discussion [mailto:aolser...@listserv.aol.com] On Behalf Of Prem Thomas
Sent: 16 July 2009 01:28
To: AOLSERVER@LISTSERV.AOL.COM
Subject: [AOLSERVER] nsopenssl fails to load

I'm having trouble loading nsopenssl with AOLserver 4.5.1. Despite multiple attempts to address the problem, I'm going nowhere. Details below. I'd greatly appreciate advice. --Prem Thomas

Details
===

64-bit x86
OpenSolaris (Nexenta: SunOS 5.11 kernel with a Ubuntu Hardy 8.04 userland)
AOLserver 4.5.1
TCL 8.5.7
OpenSSL 0.9.8k
nsopenssl 3.0.b26
GNU Make 3.81
gcc (GCC) 4.2.3 (Ubuntu 4.2.3-2nexenta7)

Both OpenSSL and nsopenssl built successfully. When I start AOLserver, I get this fatal error:

[12/Jul/2009:23:26:14][1142.1][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[12/Jul/2009:23:26:14][1142.1][-main-] Warning: modload: could not load /usr/local/aolserver/bin/nsopenssl.so: ld.so.1: nsd: fatal: relocation error: file /usr/local/aolserver/bin/nsopenssl.so: symbol NsOpenSSLServers: referenced symbol not found
[12/Jul/2009:23:26:14][1142.1][-main-] Fatal: modload: failed to load module '/usr/local/aolserver/bin/nsopenssl.so'

After googling around, and reading this: http://openacs.org/forums/message-view?message_id=51691
I tried building nsopenssl with the -Bstatic flag:

# make install OPENSSL=/usr/local/ssl AOLSERVER=${NS} MODLIBS="-Bstatic -L${OPENSSL}/lib -lssl -lcrypto -L/usr/lib/gcc/i386-pc-solaris2.11/4.2.3 -lgcc"

Same error.

I also tried rebuilding OpenSSL with the no-asm config option:

# ./Configure solaris-x86-gcc no-asm

Build succeeded and I rebuilt nsopenssl. But I still get the same error.

I tried rebuilding nsopenssl with make CC="gcc -fPIC" but this produced errors:

shlib_target=; if [ -n "" ]; then \
shlib_target="solaris-shared"; \
elif [ -n "" ]; then \
FIPSLD_CC=gcc -fpic; CC=../fips/fipsld; export CC FIPSLD_CC; \
fi; \
LIBRARIES="-L.. -lssl -L.. -lcrypto" ; \
[ "x" = "xlibfips" ] && LIBRARIES="$LIBRARIES -lfips"; \
make -f ../Makefile.shared -e \
CC=${CC} APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o cms.o" \
LIBDEPS=" $LIBRARIES -lsocket -lnsl -ldl" \
link_app.${sh
Re: [AOLSERVER] nsopenssl fails to load
Hello Thomas,
the variable you seem to be missing

Tcl_HashTable NsOpenSSLServers;

is declared inside the file

sslcontext.c

From the errors you're getting I believe you have not included this file in your build.

I'm currently working on providing my Win32-OpenACS

http://www.friendlybits.com/en/inf_tec_en/win32openacs_en/

distribution with HTTPS/SSL support and up to now I didn't find any problem whatsoever.

Of course I'm using makefiles and development tools different from yours, anyhow I believe you should make sure the following files are included in your build:

nsopenssl.c
ssl.c
sslcontext.c
tclcmds.c
x509.c

Hope this helps,
Maurizio

-Original Message-
From: AOLserver Discussion [mailto:aolser...@listserv.aol.com] On Behalf Of Prem Thomas
Sent: 16 July 2009 01:28
To: AOLSERVER@LISTSERV.AOL.COM
Subject: [AOLSERVER] nsopenssl fails to load

I'm having trouble loading nsopenssl with AOLserver 4.5.1. Despite multiple attempts to address the problem, I'm going nowhere. Details below. I'd greatly appreciate advice. --Prem Thomas

Details
===

64-bit x86
OpenSolaris (Nexenta: SunOS 5.11 kernel with a Ubuntu Hardy 8.04 userland)
AOLserver 4.5.1
TCL 8.5.7
OpenSSL 0.9.8k
nsopenssl 3.0.b26
GNU Make 3.81
gcc (GCC) 4.2.3 (Ubuntu 4.2.3-2nexenta7)

Both OpenSSL and nsopenssl built successfully. When I start AOLserver, I get this fatal error:

[12/Jul/2009:23:26:14][1142.1][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[12/Jul/2009:23:26:14][1142.1][-main-] Warning: modload: could not load /usr/local/aolserver/bin/nsopenssl.so: ld.so.1: nsd: fatal: relocation error: file /usr/local/aolserver/bin/nsopenssl.so: symbol NsOpenSSLServers: referenced symbol not found
[12/Jul/2009:23:26:14][1142.1][-main-] Fatal: modload: failed to load module '/usr/local/aolserver/bin/nsopenssl.so'

After googling around, and reading this: http://openacs.org/forums/message-view?message_id=51691
I tried building nsopenssl with the -Bstatic flag:

# make install OPENSSL=/usr/local/ssl AOLSERVER=${NS} MODLIBS="-Bstatic -L${OPENSSL}/lib -lssl -lcrypto -L/usr/lib/gcc/i386-pc-solaris2.11/4.2.3 -lgcc"

Same error.

I also tried rebuilding OpenSSL with the no-asm config option:

# ./Configure solaris-x86-gcc no-asm

Build succeeded and I rebuilt nsopenssl. But I still get the same error.

I tried rebuilding nsopenssl with make CC="gcc -fPIC" but this produced errors:

shlib_target=; if [ -n "" ]; then \
shlib_target="solaris-shared"; \
elif [ -n "" ]; then \
FIPSLD_CC=gcc -fpic; CC=../fips/fipsld; export CC FIPSLD_CC; \
fi; \
LIBRARIES="-L.. -lssl -L.. -lcrypto" ; \
[ "x" = "xlibfips" ] && LIBRARIES="$LIBRARIES -lfips"; \
make -f ../Makefile.shared -e \
CC=${CC} APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o cms.o" \
LIBDEPS=" $LIBRARIES -lsocket -lnsl -ldl" \
link_app.${shlib_target}
make[2]: Entering directory `/usr/local/src/openssl-0.9.8k/apps'
make[2]: pic: No such file or directory
make[2]: *** No rule to make target `pic'. Stop.

I tried adding extra paths to LD_LIBRARY_PATH, but to no avail.

#echo $LD_LIBRARY_PATH
/usr/local/src/aolserver45/nsopenssl:/usr/local/pgsql/lib:/usr/local/ssl/lib:/usr/local/aolserver/lib:/usr/lib/gcc/i386-pc-solaris2.11/4.2.3:

Here's a grep of the symbol in the source and aolserver directories:

# grep -r NsOpenSSLServers /usr/local/src/aolserver45/nsopenssl
Binary file ./nsopenssl.o matches
./sslcontext.c:Tcl_HashTable NsOpenSSLServers;
./sslcontext.c:hPtr = Tcl_FindHashEntry(&NsOpenSSLServers, server);
./nsopenssl.c:extern Tcl_HashTable NsOpenSSLServers;
./nsopenssl.c:Tcl_InitHashTable(&NsOpenSSLServers, TCL_STRING_KEYS);
./nsopenssl.c:hPtr = Tcl_CreateHashEntry(&NsOpenSSLServers, server, &new);
Binary file ./nsopenssl.so matches
Binary file ./libnsopenssl.so matches
Binary file ./sslcontext.o matches

# grep -r NsOpenSSLServers /usr/local/aolserver
Binary file /usr/local/aolserver/bin/nsopenssl.so matches
Binary file /usr/local/aolserver/lib/libnsopenssl.so matches

I also tried ldd -d (see http://docs.sun.com/app/docs/doc/806-1075/6jacsnimr?a=view)

#ldd -d /usr/local/aolserver/bin/nsd
libnsd.so => /usr/local/aolserver/lib/libnsd.so
libnsthread.so => /usr/local/aolserver/lib/libnsthread.so
libtcl8.5.so => /usr/local/aolserver/lib/libtcl8.5.so
libdl.so.1 => /lib/libdl.so.1
libsocket.so.1 => /lib/libsocket.so.1
libpthread.so.1 => /lib/l
Re: [AOLSERVER] nsopenssl client file descriptor issues
I haven't been able to reproduce the crashing... I tried beta26 and beta27. It works out of the box for me.

-Andrew

On Fri, May 1, 2009 at 9:58 AM, Tom Jackson wrote:
> Andrew,
>
> Do you have any up-to-date instructions on compiling nsopenssl? For some reason I'm getting a segfault the instant I try to use the client ns_httpspost.
>
> I think it is related to the linux distribution, but the crash isn't the random problem you are seeing.
>
> Thanks,
>
> tom jackson
>
> On Thu, 2009-04-30 at 17:59 -0500, Andrew Steets wrote:
>> Hello,
>>
>> We recently discovered a problem with the nsopenssl ns_httpsXXX client commands which was causing SSL close notify alerts (a.k.a. random binary garbage) to be written to unrelated (non-ssl) file descriptors in certain cases. While we were trying to come up with a fix, we stumbled across some other nsopenssl issues.
>>
>> If you aren't using the nsopenssl *client* functionality this is probably not interesting. If you aren't interested in hacking the nsopenssl code then you should realize that this may be a potential source of frustration. For anyone else, details follow.
>>
>> All of the ns_https client TCL (https.tcl) commands eventually call ns_openssl_sockopen to open an SSL connection to a server. ns_openssl_sockopen, like ns_sockopen, returns two TCL channel ids, one of which is for reading and the other for writing. The TCL channels are created in CreateTclChannel() in nsopenssl's tclcmds.c. The channels are stored in a pair of structs with the following definition:
>>
>> typedef struct ChanInfo {
>>     NsOpenSSLConn *sslconn;
>>     SOCKET socket;
>>     Tcl_Channel chan;
>>     void *otherchaninfo;
>> } ChanInfo;
>>
>> so the write chaninfo holds a pointer to the read chaninfo and vice versa. The channels are currently constructed such that the read channel is associated with the original socket fd created for the ssl connection, and the write channel is associated with another fd dup()'ed from the original. They are both associated with the same NsOpenSSLConn struct, which itself holds the original socket fd as well.
>>
>> The channel close function, ChanCloseProc(), has to deal with this two fd situation, and that is where we run into problems. The close proc will close the fd associated with whichever channel is being closed, but will only shutdown the ssl connection when both channels have been closed.
>>
>> Here is the slightly edited close chan code:
>>
>> static int
>> ChanCloseProc(ClientData arg, Tcl_Interp *interp)
>> {
>>     ChanInfo *chaninfo = (ChanInfo *) arg;
>>     ChanInfo *otherchaninfo = NULL;
>>
>>     Tcl_UnregisterChannel(interp, chaninfo->chan);
>>     ns_sockclose(chaninfo->socket);
>>     chaninfo->socket = INVALID_SOCKET;
>>     otherchaninfo = (ChanInfo *) chaninfo->otherchaninfo;
>>
>>     if (otherchaninfo->socket == INVALID_SOCKET) {
>>         ns_free(otherchaninfo);
>>         NsOpenSSLConnDestroy(chaninfo->sslconn);
>>         ns_free(chaninfo);
>>     }
>>
>>     return TCL_OK;
>> }
>>
>> One problem is that the ns_sockclose() call precedes the NsOpenSSLConnDestroy() call. NsOpenSSLConnDestroy() calls SSL_shutdown() on the file descriptor which was previously closed with ns_sockclose(). SSL_shutdown() tries to write some ssl close notify messages on the fd. There is no way this can succeed because the fd was already closed. The error is silently ignored. Clearly the sock close needs to come after NsOpenSSLConnDestroy().
>>
>> But there is more. Now we need to examine two possible cases.
>>
>> Case 1: The write channel is closed before the read channel. In this case the dup fd is closed first, and the original FD is closed second. There is a teensy little race condition here. After the ns_sockclose() call, the OS may context switch to another thread which may call open(), dup(), socket() or anything that gets a new FD. It's also possible that the FD that the OS returns for that call may have been the one which was previously closed with ns_sockclose(). If we then switch back to the original thread and call NsOpenSSLConnDestroy() -> SSL_shutdown(), then we will end up writing and reading on somebody else's file descriptor! This is obviously bad, but the chances of this race actually occurring are probably slim.
>>
>> Case 2: The read channel is closed before the write channel. This is the worst. The original fd, the one in the NsOpenSSLConn struct is closed, but NsOpenSSLConnDestroy is not called because the write channel is still open and the sslconn * still holds the now invalid fd. Now we have a much larger window for that FD to be recycled by the OS and we don't necessarily need an unlikely context switch to be stung by the race. The following ADP highlights this condition.
>>
>> <%
>> set fds [ns_openssl_sockopen -no
Re: [AOLSERVER] nsopenssl client file descriptor issues
Andrew,

Do you have any up-to-date instructions on compiling nsopenssl? For some reason I'm getting a segfault the instant I try to use the client ns_httpspost.

I think it is related to the linux distribution, but the crash isn't the random problem you are seeing.

Thanks,

tom jackson

On Thu, 2009-04-30 at 17:59 -0500, Andrew Steets wrote:
> Hello,
>
> We recently discovered a problem with the nsopenssl ns_httpsXXX client commands which was causing SSL close notify alerts (a.k.a. random binary garbage) to be written to unrelated (non-ssl) file descriptors in certain cases. While we were trying to come up with a fix, we stumbled across some other nsopenssl issues.
>
> If you aren't using the nsopenssl *client* functionality this is probably not interesting. If you aren't interested in hacking the nsopenssl code then you should realize that this may be a potential source of frustration. For anyone else, details follow.
>
> All of the ns_https client TCL (https.tcl) commands eventually call ns_openssl_sockopen to open an SSL connection to a server. ns_openssl_sockopen, like ns_sockopen, returns two TCL channel ids, one of which is for reading and the other for writing. The TCL channels are created in CreateTclChannel() in nsopenssl's tclcmds.c. The channels are stored in a pair of structs with the following definition:
>
> typedef struct ChanInfo {
>     NsOpenSSLConn *sslconn;
>     SOCKET socket;
>     Tcl_Channel chan;
>     void *otherchaninfo;
> } ChanInfo;
>
> so the write chaninfo holds a pointer to the read chaninfo and vice versa. The channels are currently constructed such that the read channel is associated with the original socket fd created for the ssl connection, and the write channel is associated with another fd dup()'ed from the original. They are both associated with the same NsOpenSSLConn struct, which itself holds the original socket fd as well.
>
> The channel close function, ChanCloseProc(), has to deal with this two fd situation, and that is where we run into problems. The close proc will close the fd associated with whichever channel is being closed, but will only shutdown the ssl connection when both channels have been closed.
>
> Here is the slightly edited close chan code:
>
> static int
> ChanCloseProc(ClientData arg, Tcl_Interp *interp)
> {
>     ChanInfo *chaninfo = (ChanInfo *) arg;
>     ChanInfo *otherchaninfo = NULL;
>
>     Tcl_UnregisterChannel(interp, chaninfo->chan);
>     ns_sockclose(chaninfo->socket);
>     chaninfo->socket = INVALID_SOCKET;
>     otherchaninfo = (ChanInfo *) chaninfo->otherchaninfo;
>
>     if (otherchaninfo->socket == INVALID_SOCKET) {
>         ns_free(otherchaninfo);
>         NsOpenSSLConnDestroy(chaninfo->sslconn);
>         ns_free(chaninfo);
>     }
>
>     return TCL_OK;
> }
>
> One problem is that the ns_sockclose() call precedes the NsOpenSSLConnDestroy() call. NsOpenSSLConnDestroy() calls SSL_shutdown() on the file descriptor which was previously closed with ns_sockclose(). SSL_shutdown() tries to write some ssl close notify messages on the fd. There is no way this can succeed because the fd was already closed. The error is silently ignored. Clearly the sock close needs to come after NsOpenSSLConnDestroy().
>
> But there is more. Now we need to examine two possible cases.
>
> Case 1: The write channel is closed before the read channel. In this case the dup fd is closed first, and the original FD is closed second. There is a teensy little race condition here. After the ns_sockclose() call, the OS may context switch to another thread which may call open(), dup(), socket() or anything that gets a new FD. It's also possible that the FD that the OS returns for that call may have been the one which was previously closed with ns_sockclose(). If we then switch back to the original thread and call NsOpenSSLConnDestroy() -> SSL_shutdown(), then we will end up writing and reading on somebody else's file descriptor! This is obviously bad, but the chances of this race actually occurring are probably slim.
>
> Case 2: The read channel is closed before the write channel. This is the worst. The original fd, the one in the NsOpenSSLConn struct is closed, but NsOpenSSLConnDestroy is not called because the write channel is still open and the sslconn * still holds the now invalid fd. Now we have a much larger window for that FD to be recycled by the OS and we don't necessarily need an unlikely context switch to be stung by the race. The following ADP highlights this condition.
>
> <%
> set fds [ns_openssl_sockopen -nonblock www.att.com 443]
>
> set rfd [lindex $fds 0]
> set wfd [lindex $fds 1]
>
> ns_adp_puts "rfd: $rfd"
> ns_adp_puts "wfd: $wfd"
>
> _ns_https_puts 5 $wfd "GET / HTTP/1.0\r"
>
> close $rfd
>
> set tmpfd [open /tmp/nsopenssl w]
>
> ns_adp_puts "tmpfd: $tmpfd"
>
>
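The close ordering discussed in the quoted post above (Case 2, read channel closed before the write channel), as an added example that is not part of the thread or of nsopenssl: a small C model in which `Conn`, `Chan`, `conn_shutdown()` and the five-byte `ALERT` are constructed stand-ins for `NsOpenSSLConn`, `ChanInfo`, `SSL_shutdown()` and the close notify. `close_deferred()` is one possible corrected ordering, an assumption rather than the fix that was applied to nsopenssl.

```c
/* Added example, not nsopenssl code. Conn, Chan, conn_shutdown() and the
 * 5-byte "ALERT" are constructed stand-ins for NsOpenSSLConn, ChanInfo,
 * SSL_shutdown() and the close notify it writes. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

typedef struct Conn { int fd; } Conn;   /* owns the original socket fd */
typedef struct Chan { Conn *conn; int fd; struct Chan *other; } Chan;
typedef struct Result {
    long stray;     /* bytes that landed in the unrelated file */
    long peer;      /* bytes the real peer received */
    int  recycled;  /* 1 if the unrelated open() got the connection's fd number */
} Result;

/* Stand-in for SSL_shutdown(): writes the close notify to conn->fd. */
static void conn_shutdown(Conn *c)
{
    ssize_t n = write(c->fd, "ALERT", 5);
    (void) n;   /* error ignored, as the post says the real code does */
}

/* Ordering quoted in the post: close this channel's fd immediately and
 * shut the connection down only once both channels are gone. */
static void close_as_posted(Chan *ch)
{
    close(ch->fd);
    ch->fd = -1;
    if (ch->other->fd == -1) {
        conn_shutdown(ch->conn);        /* conn->fd may already be closed */
    }
}

/* One possible corrected ordering (assumption): the descriptor the
 * connection owns is never closed until after the shutdown has run. */
static void close_deferred(Chan *ch)
{
    int fd = ch->fd;
    ch->fd = -1;
    if (fd != ch->conn->fd) {
        close(fd);                      /* the dup()'ed fd can go right away */
    }
    if (ch->other->fd == -1) {          /* last channel: shutdown, then close */
        conn_shutdown(ch->conn);
        close(ch->conn->fd);
    }
}

/* Case 2: read channel closed, an unrelated file opened, write channel closed. */
static Result run_case2(void (*close_proc)(Chan *))
{
    Result r = { -1, -1, -1 };
    char path[64], buf[16];
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return r;
    Conn conn = { sv[0] };
    Chan rd = { &conn, sv[0], NULL };
    Chan wr = { &conn, dup(sv[0]), NULL };
    if (wr.fd < 0) return r;
    rd.other = &wr;
    wr.other = &rd;

    close_proc(&rd);                    /* read side goes first */

    /* Unrelated code opens a file; the kernel hands out the lowest free fd. */
    snprintf(path, sizeof path, "/tmp/fdreuse-%ld.tmp", (long) getpid());
    int tmp = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tmp < 0) return r;
    r.recycled = (tmp == conn.fd);

    close_proc(&wr);                    /* last close triggers the shutdown */

    r.stray = (long) lseek(tmp, 0, SEEK_END);       /* did the file get the alert? */
    r.peer = (long) read(sv[1], buf, sizeof buf);   /* did the peer get it? */
    close(tmp);
    close(sv[1]);
    unlink(path);
    return r;
}

int main(void)
{
    Result bad = run_case2(close_as_posted);
    Result good = run_case2(close_deferred);
    printf("as posted: recycled=%d stray=%ld peer=%ld\n",
           bad.recycled, bad.stray, bad.peer);
    printf("deferred:  recycled=%d stray=%ld peer=%ld\n",
           good.recycled, good.stray, good.peer);
    return 0;
}
```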
Re: [AOLSERVER] nsopenssl : socket gone
Thanks for the answer, but it is not that.

1) I had this (or another) "incompatibility" stuff, but that was because my mkey/cert were wrong.

2) Part of the page is loaded ... correctly. HTML is loaded, but no css, no images ... eh, that can be a direction: it seems that the first connection is ok, but when the browser reconnects to get other stuff (like images and css) nsopenssl goes wrong.

Hard to be sure of the validity of this theory, but it makes sense.

Tom Jackson wrote:

It may be that your browser can't find a protocol in common with the server. I noticed that newer Mozilla browsers no longer connect with an old version of nsssl (not openssl). But Konqueror still connects. Every time it happens it takes a few minutes for me to remember the issue. All I get is a blank page, but not much of an indication of what is wrong.

tom jackson

On Friday 30 November 2007 05:19, Marc Kalberer wrote:

Ref: Aolserver-4.0.10 / OpenSSL 0.9.8 / GCC 4.0.3 / libc 2.3.6 ... debian system (grsecurity/vserver)

Hello,
I have a problem setting up ssl on aolserver4. It seems to work, the server begins to serve the page, but after a small amount of time I get a " Warning: nsopenssl (rezo): SSL read: socket gone; disconnected by client?". And the page stops loading.
Any idea on how to correct this problem ?
++
Marc

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.

--
Programmers.ch
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
Re: [AOLSERVER] nsopenssl : socket gone
It may be that your browser can't find a protocol in common with the server. I noticed that newer Mozilla browsers no longer connect with an old version of nsssl (not openssl). But Konqueror still connects. Every time it happens it takes a few minutes for me to remember the issue. All I get is a blank page, but not much of an indication of what is wrong.

tom jackson

On Friday 30 November 2007 05:19, Marc Kalberer wrote:
> Ref: Aolserver-4.0.10 / OpenSSL 0.9.8 / GCC 4.0.3 / libc 2.3.6 ...
> debian system (grsecurity/vserver)
> Hello,
> I have a problem setting up ssl on aolserver4. It seems to work, the
> server begins to serve the page, but after a small amount of time I get a
> " Warning: nsopenssl (rezo): SSL read: socket gone; disconnected by
> client?".
> And the page stops loading.
> Any idea on how to correct this problem ?
> ++
> Marc
Re: [AOLSERVER] nsopenssl install error - gmake: execvp: /usr/local/nsd2: Permission denied gmake: *** [install-mod] Error 127
Hi,

Seems this was caused by using INST. I removed this and just used AOLSERVER to indicate where the install was and it installed correctly.

Thanks
Nick

- Original Message -
From: Nick
To: AOLSERVER@LISTSERV.AOL.COM
Sent: Sunday, May 27, 2007 3:50 PM
Subject: [AOLSERVER] nsopenssl install error - gmake: execvp: /usr/local/nsd2: Permission denied gmake: *** [install-mod] Error 127

Hi all,

I am having an issue installing nsopenssl with AOLServer 4.5 on Fedora Core 2. The nsd is in /usr/local/nsd2 and openSSL (including devel) is installed in /usr (default for FC2). I am running the following commands:

gmake OPENSSL=/usr INST=/usr/local/nsd2 AOLSERVER=/usr/local/nsd2
gmake install OPENSSL=/usr INST=/usr/local/nsd2 AOLSERVER=/usr/local/nsd2

The make works fine, the make install gives the following:

/usr/local/nsd2 AOLSERVER=/usr/local/nsd2 /usr/local/nsd2/bin/install-sh -c https.tcl /usr/local/nsd2/modules/tcl /usr/local/nsd2 -d /usr/local/nsd2/bin -e nsopenssl.so
gmake: execvp: /usr/local/nsd2: Permission denied
gmake: *** [install-mod] Error 127

The same happens when I use make. I have checked that /usr/local/nsd2 and all sub folders except log directory and page roots are owned by root and I am running the above as root.

Any help is greatly appreciated.

Thanks
Nick
Web-site: http://www.nickmiller.me.uk
Re: [AOLSERVER] nsopenssl
On Wed, 2006-09-20 at 17:30 -0400, Dossy Shiobara wrote:

Let's put together a TODO list for nsopenssl_v3_r1, divide up the work (or, assign it all to me, doesn't matter) and I'll try to put an estimate on it.

So: what are you (plural -- all of you) still waiting for to be done in nsopenssl?

I don't think I'm waiting for anything specific in terms of features but given the critical nature of the component I am interested in stability. I remembered you mentioning that you'd been working on it some time ago (many thanks), so I was curious as to where we were at.

Steve

Steve Manning - Mandrake Linux 10.1 - Gnome 2.6
East Goscote - Leicester - UK
+44 (0)116 260 5457
E-Mail: [EMAIL PROTECTED] - Web: www.festinalente.co.uk
AIM: verbomania - Public Key: 25665CAF from: wwwkeys.pgp.net
There are only 10 types of people in this world
Those who understand binary and those who don't
Re: [AOLSERVER] nsopenssl
On Sep 20, 2006, at 2:30 PM, Dossy Shiobara wrote:

So: what are you (plural -- all of you) still waiting for to be done in nsopenssl?

I'm not waiting for anything; it works fine for me, except for the already-mentioned overly verbose logging.

janine
Re: [AOLSERVER] nsopenssl
On 2006.09.20, Steve Manning <[EMAIL PROTECTED]> wrote:
> Could you give us an update on the current state of nsopenssl.
>
> I'm currently using v3_0beta26 but I'm seeing increasing numbers of "SSL
> read error: ssl handshake failure" and "SSL write error: bad write
> retry" errors in the log as the site gets more busy (currently about
> 1.4m requests/day). I see there has been some activity in CVS -
> v3_0beta27 and Head and I'm wondering if these changes are worth having
> and if there is anything else in the pipeline.

I'm sitting on a whole chunk of changes ... and some of that logging needs to be rationalized ... either demoted to "Debug" level, or removed entirely.

At this point in time, are there any serious remaining bugs with nsopenssl? I'd like to finally declare "nsopenssl 3.0" final ... probably just call it "nsopenssl 3.1" to avoid all the confusion with the MANY 3.0-beta-something versions.

Let's put together a TODO list for nsopenssl_v3_r1, divide up the work (or, assign it all to me, doesn't matter) and I'll try to put an estimate on it.

So: what are you (plural -- all of you) still waiting for to be done in nsopenssl?

-- Dossy

--
Dossy Shiobara | [EMAIL PROTECTED] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl dropping connections
Hi Scott,

This is fantastic information and definitely gives me some direction in my effort to keep things stable under heavy load. I really appreciate your help on this.

On a somewhat related topic... I'm sure that at least a few of you are running some high-traffic sites on AOLserver. I've been told that I need to prep our system to handle bursts of 100+ page views per second by the end of the year. What kind of setups are other people using to handle this kind of traffic? We will be outsourcing our DB management, so I'm not as concerned about that side of things. I'm mostly interested in knowing what kind of hardware configurations people are using on the webserver side of the equation (load balancers, web servers, etc.) and if there are any special AOLserver configuration tweaks that would help with these kinds of loads.

-Scott

At 08:35 PM 7/23/2006, you wrote:

I've done more research on the issues you had with your very heavily loaded server, and here's a summary of some of the configurable parameters that affect how many connections a server can handle at one time.

Part I: The Operating System listen backlog limits

Network applications use the listen() system call to notify the operating system that they want to receive connections on a specific port. The operating system's TCP stack receives new connections and holds them until the application uses the accept() system call which ties the new connection to the userspace application. The TCP stack can hold a limited number of new connections that have not yet been accept()ed by the application -- this is called the "listen backlog". Eons ago, the default maximum listen backlog for most Unices was 5; when there were 5 new connections in the listen queue that had not been accept()ed by the application, all new connections coming in were dropped until the backlog dropped below 5. Most operating systems have higher defaults as specified by the SOMAXCONN defined in the /usr/include/socket.h file: the Linux 2.6 kernel and Mac OS 10.4.x both set SOMAXCONN to 128. If your server is receiving new connections at a rate faster than your application can accept() them, and the listen backlog builds to 128, new connections after that will be dropped until the backlog is reduced to below 128.

This doesn't mean you're stuck with this value, this is just what the operating system will default to at boot time. You can change this value on Solaris with:

/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024

and on Linux with:

/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1024

In fact, my Gentoo system modifies this parameter at boot time to be 1024.

My guess is that your operating system has max listen backlog set to 1024 or higher, but I don't have a Solaris system to check or test this (yet).

Part II: AOLserver listen backlog limits

You can change the max listen backlog with the listen() call itself on a per-application basis: the second argument to listen() is an integer value of what you want the backlog to be set to for that application. If you set the backlog to be greater than the operating system setting, you'll get the operating system's listen backlog value, not what you requested, but you won't know that because normally your setting is silently truncated to match the lower operating system value.

If you set the listen backlog to less than the operating system's max listen backlog, you'll get what you asked for. This is a good way to prevent a single application on a system where there are several network server applications running from hogging the listen backlog.

AOLserver 3.5.6 limits the listen backlog to 32 new connections via the BACKLOG define in nsconf.h. If your server is getting new connections at a rate faster than AOLserver can accept them, and you reach the limit of 32 in the listen queue, connections will be dropped until the backlog drops below 32.

You can change AOLserver's listen backlog by creating the "listenbacklog" param in your nsd.tcl file and setting it to an integer value you would like. I'm guessing that this param should be set in the server section, but I haven't validated this. You could also change it by changing the BACKLOG define and recompiling.

Part III: Thread and select()/poll() interactions

The bad news is that this may not be what you saw on your server. I say that because if connections are being dropped by the operating system before they are accepted by the application, then the application would never even see them or know the connection attempts had been made, and so could not log that the connection had been dropped. But, according to the notes in the accept() man page on Linux: "There may not always be a connection waiting after a SIGIO is delivered or select(2) or poll(2) return a readability event because the connection might have been removed by an asynchronous network error or another thread before accept() is calle
Re: [AOLSERVER] nsopenssl dropping connections
Hi Scott,

that's really very interesting!

> Be aware that using keepalive holds a connection open for longer
> periods of time; I haven't looked at the code to determine whether
> those connections take up a slot in the 'maxconnections' bucket, but
> I suspect that they do as AOLserver needs to maintain the connection
> information.

I assume default settings of

listenbacklog = 32
maxconnections = 100
maxthreads = 10

Would it be correct to say:

(A) If keepalive is turned off and it is known or very likely that your threads are long running and computing expensive tasks, "listenbacklog" may become a limiting factor when "maxthreads" (default 10) are reached and waste away in parallel. The 23rd+ visitor/request would be dropped (listenbacklog minus maxthreads). "maxconnections" is not really relevant here.

(B) If keepalive is turned on at least "maxconnections" people are served for a keepalive period of time. Not every request is served immediately of course that depends on "maxthreads". Let's assume 10 threads serve 10 connections each ("maxconnections" reached) then there is a "buffer" of "listenbacklog" for new requests. The 133rd request is dropped.

Scenario (A) and (B) always assume "maxthreads" are reached. In (A) it would make sense to increase the "listenbacklog". In (B) it would make sense to increase "maxconnections". Of course, increasing "maxthreads" would also work, depending on the available memory resources.

Ha, and the admin of (B) could trick and set "connsperthread" = 1 ... ;-)

Bernd.
Re: [AOLSERVER] nsopenssl dropping connections
Bernd's earlier message about maxconnections led me to the code that explains your "connection closed" problem.

maxconnections limits the number of connections that AOLserver can be servicing simultaneously. The server pre-allocates enough space for that many simultaneous connections, which defaults to 100 in AOLserver 3.5.6. If you are servicing 100 connections, AOLserver's Ns_QueueConn function will begin to return NS_ERROR when called upon to append a connection to the run queue.

nsopenssl 2.x manages its own connection services separately from AOLserver, and I have nsopenssl closing the connection when Ns_QueueConn returns with something other than NS_OK. The AOLserver 3.5.6 processing code holds the connection until it can process it, which is the right thing to do. So nsopenssl is at fault here, and that is my fault, and you have my apologies.

This problem can be fixed. Those of you still using nsopenssl 2.x for PRODUCTION services that have experienced this problem or may in the future, please contact me directly at [EMAIL PROTECTED]. I do not want to do work on this legacy code unless people are using this in their business and may be losing clients or money as a result.

By the way, nsopenssl 3.x used with AOLserver 4.x shouldn't have this problem because the connection servicing code is all in AOLserver, with a callback to nsopenssl for the SSL portion.

Thanks for your patience.

/s.

On Jul 22, 2006, at 8:59 PM, Scott Goodwin wrote:

AOLserver actually manages the connections for nsopenssl. The nsopenssl code in question is:

if (Ns_QueueConn(sdPtr->driver, scPtr) != NS_OK) {
    Ns_Log(Warning, "%s: connection dropped", sdPtr->module);
    (void) SockClose(scPtr);
}

nsopenssl is getting something other than NS_OK back from Ns_QueueConn when the latter tries to append the connection to the run queue. AOLserver in turn may not have been keeping up with the load, but I'd first check your OS TCP pending connection limits. If your system was being hammered, it's possible your OS was turning away conns. I'm not sure I should have put this message in the log as it may not reflect what actually happened.

Unless someone responds with a better answer, I'll take a closer look at the code tomorrow.

/s.

On Jul 22, 2006, at 7:45 PM, William Scott Jordan wrote:

Hi all!

We had a situation recently of extremely high traffic, during which connections were being rejected/dropped with following warning showing up in the logs:

"Warning: nsopenssl: connection dropped"

I guess my questions are, what "limit" in nsopenssl is causing connections to be dropped? Can this limit be adjusted? Is there any way to catch this error to allow for a more graceful degradation, such as with a redirect to an unencrypted "Server Too Busy" page?

This is on AOLServer 3.5.6, nsopenssl 2.1a, and FC3.

Any light that anyone can shed on this would be greatly appreciated.

-Scott
Re: [AOLSERVER] nsopenssl dropping connections
maxconnections and listen backlog do not overlap.

maxconnections limits the number of active connections AOLserver is processing at any one time, and AOLserver pre-allocates space for that many connection structures. The listen backlog limits the number of new connections your operating system will hold for your application to accept() before it starts refusing new connections at the operating system level. Setting the listen backlog to 32 while maxconnections is set to 100 seems reasonable as long as AOLserver is processing and closing those connections fast enough to accept new ones from the listen backlog so that the backlog doesn't reach 32. If there are 100 connections being processed by AOLserver and 32 connections on the listen backlog at the same time, the operating system will refuse new connections until the backlog is reduced by at least 1.

Is there an optimum value for the listen backlog? That is determined by whether you prefer people wait or get refused immediately by your (busy) server. A connection that is sitting in the listen backlog will probably be dropped after the TCP timeout (usually greater than 2 minutes), but don't quote me on that.

Be aware that using keepalive holds a connection open for longer periods of time; I haven't looked at the code to determine whether those connections take up a slot in the 'maxconnections' bucket, but I suspect that they do as AOLserver needs to maintain the connection information.

There is an interaction between maxthreads and maxconnections, however. If maxthreads is greater than maxconnections, then maxthreads will be set equal to maxconnections.

/s.

It would be interesting to know in what way the maxconnections and listenbacklog settings affect each other, as: is the maxconnections default setting of "100" always overruled by "32" of listenbacklog?

[...]
ns_section ns/parameters
# Number of sockets to use in listen call (default 32)
ns_param listenbacklog 32

ns_section ns/server/$server
# Max connections to put on queue
ns_param maxconnections 100
[...]

On Jul 24, 2006, at 9:01 AM, Bernd Eidenschink wrote:

Hi!

AOLserver 3.5.6 limits the listen backlog to 32 new connections via the BACKLOG define in nsconf.h. If your server is getting new connections at a rate faster than AOLserver can accept them, and you reach the limit of 32 in the listen queue, connections will be dropped until the backlog drops below 32.

Bernd.
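How the two limits in the message above combine with the nsopenssl 2.x behaviour reported earlier in the thread (closing a connection when Ns_QueueConn fails, where AOLserver 3.5.6 holds it) can be seen in a small tick-based model. This is an added example, not AOLserver or nsopenssl code: the burst figures are constructed, every connection is assumed to occupy a slot for the same number of ticks, and a "held" connection is assumed to wait un-accepted in the kernel queue.

```c
#include <stdio.h>

/* What the driver does with a pending connection when every
 * maxconnections slot is busy (both behaviours appear in the thread). */
enum full_policy { HOLD_WHEN_FULL, CLOSE_WHEN_FULL };

struct load {
    int maxconnections;     /* connections the server services at once */
    int listenbacklog;      /* un-accept()ed connections the kernel will hold */
    int service_ticks;      /* ticks each connection occupies a slot (assumed equal) */
    int burst_ticks;        /* length of the traffic burst */
    int arrivals_per_tick;  /* new connections per tick during the burst */
};

struct tally {
    int served;             /* connections that completed */
    int refused_by_os;      /* never reached the application */
    int closed_by_driver;   /* accepted, then closed: "connection dropped" */
    int peak_backlog;       /* deepest the listen queue got */
};

#define MAX_SERVICE_TICKS 64

struct tally simulate(struct load p, enum full_policy policy)
{
    struct tally r = {0, 0, 0, 0};
    int finishing[MAX_SERVICE_TICKS] = {0};  /* completions due per slot */
    int active = 0, backlog = 0;

    if (p.service_ticks < 1 || p.service_ticks > MAX_SERVICE_TICKS ||
        p.maxconnections < 1 || p.listenbacklog < 0)
        return r;

    for (int t = 0; t < p.burst_ticks || active > 0 || backlog > 0; t++) {
        int slot = t % p.service_ticks;

        /* Connections started service_ticks ago complete now. */
        active -= finishing[slot];
        r.served += finishing[slot];
        finishing[slot] = 0;

        /* New connections reach the kernel; overflow is refused there. */
        if (t < p.burst_ticks) {
            int room = p.listenbacklog - backlog;
            int in = p.arrivals_per_tick < room ? p.arrivals_per_tick : room;
            backlog += in;
            r.refused_by_os += p.arrivals_per_tick - in;
        }
        if (backlog > r.peak_backlog)
            r.peak_backlog = backlog;

        /* The driver hands pending connections to free slots. */
        int free_slots = p.maxconnections - active;
        int take = backlog < free_slots ? backlog : free_slots;
        finishing[slot] += take;
        active += take;
        backlog -= take;

        /* Run queue full: either leave the rest queued or close them. */
        if (policy == CLOSE_WHEN_FULL) {
            r.closed_by_driver += backlog;
            backlog = 0;
        }
    }
    return r;
}

int main(void)
{
    /* Constructed burst: 15 connections per tick for 20 ticks, 10 ticks each. */
    struct load burst = {100, 32, 10, 20, 15};
    struct tally hold = simulate(burst, HOLD_WHEN_FULL);
    struct tally drop = simulate(burst, CLOSE_WHEN_FULL);

    printf("hold : served=%d refused=%d closed=%d peak=%d\n", hold.served,
           hold.refused_by_os, hold.closed_by_driver, hold.peak_backlog);
    printf("close: served=%d refused=%d closed=%d peak=%d\n", drop.served,
           drop.refused_by_os, drop.closed_by_driver, drop.peak_backlog);
    return 0;
}
```

With the defaults from the thread, the close-when-full policy never lets the listen queue buffer anything, so every connection beyond the 100 slots is lost after it was accepted; the hold policy loses only what overflows the 32-entry queue.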
Re: [AOLSERVER] nsopenssl dropping connections
Hi!

> AOLserver 3.5.6 limits the listen backlog to 32 new connections via
> the BACKLOG define in nsconf.h. If your server is getting new
> connections at a rate faster than AOLserver can accept them, and you
> reach the limit of 32 in the listen queue, connections will be
> dropped until the backlog drops below 32.

It would be interesting to know in what way the maxconnections and listenbacklog settings affect each other, as: is the maxconnections default setting of "100" always overruled by "32" of listenbacklog?

[...]
ns_section ns/parameters
# Number of sockets to use in listen call (default 32)
ns_param listenbacklog 32

ns_section ns/server/$server
# Max connections to put on queue
ns_param maxconnections 100
[...]

Bernd.
Re: [AOLSERVER] nsopenssl dropping connections
Very interesting stuff, be sure to put it on the Wiki for prosperity!

On Monday, July 24, 2006 4:35, Scott Goodwin said:
> I've done more research on the issues you had with your very heavily
> loaded server, and here's a summary of some of the configurable
> parameters that affect how many connections a server can handle at
> one time.
>
> Part I: The Operating System listen backlog limits
>
> Network applications use the listen() system call to notify the
> operating system that they want to receive connections on a specific
> port. The operating system's TCP stack receives new connections and
> holds them until the application uses the accept() system call which
> ties the new connection to the userspace application. The TCP stack
> can hold a limited number of new connections that have not yet been
> accept()ed by the application -- this is called the "listen backlog".
> Eons ago, the default maximum listen backlog for most Unices was 5;
> when there were 5 new connections in the listen queue that had not
> been accept()ed by the application, all new connections coming in
> were dropped until the backlog dropped below 5. Most operating
> systems have higher defaults as specified by the SOMAXCONN defined in
> the /usr/include/socket.h file: the Linux 2.6 kernel and Mac OS
> 10.4.x both set SOMAXCONN to 128. If your server is receiving new
> connections at a rate faster than your application can accept() them,
> and the listen backlog builds to 128, new connections after that will
> be dropped until the backlog is reduced to below 128.
>
> This doesn't mean you're stuck with this value, this is just what the
> operating system will default to at boot time. You can change this
> value on Solaris with:
>
> /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
>
> and on Linux with:
>
> /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1024
>
> In fact, my Gentoo system modifies this parameter at boot time to be
> 1024.
>
> My guess is that your operating system has max listen backlog set to
> 1024 or higher, but I don't have a Solaris system to check or test
> this (yet).
>
> Part II: AOLserver listen backlog limits
>
> You can change the max listen backlog with the listen() call itself
> on a per-application basis: the second argument to listen() is an
> integer value of what you want the backlog to be set to for that
> application. If you set the backlog to be greater than the operating
> system setting, you'll get the operating system's listen backlog
> value, not what you requested, but you won't know that because
> normally your setting is silently truncated to match the lower
> operating system value.
>
> If you set the listen backlog to less than the operating system's max
> listen backlog, you'll get what you asked for. This is a good way to
> prevent a single application on a system where there are several
> network server applications running from hogging the listen backlog.
>
> AOLserver 3.5.6 limits the listen backlog to 32 new connections via
> the BACKLOG define in nsconf.h. If your server is getting new
> connections at a rate faster than AOLserver can accept them, and you
> reach the limit of 32 in the listen queue, connections will be
> dropped until the backlog drops below 32.
>
> You can change AOLserver's listen backlog by creating the
> "listenbacklog" param in your nsd.tcl file and setting it to an
> integer value you would like. I'm guessing that this param should be
> set in the server section, but I haven't validated this. You could
> also change it by changing the BACKLOG define and recompiling.
>
> Part III: Thread and select()/poll() interactions
>
> The bad news is that this may not be what you saw on your server. I
> say that because if connections are being dropped by the operating
> system before they are accepted by the application, then the
> application would never even see them or know the connection attempts
> had been made, and so could not log that the connection had been
> dropped. But, according to the notes in the accept() man page on
> Linux: "There may not always be a connection waiting after a SIGIO is
> delivered or select(2) or poll(2) return a readability event because
> the connection might have been removed by an asynchronous network
> error or another thread before accept() is called." It's quite
> possible that AOLserver was getting readability events but when it
> went to process them, the connections were gone -- whether that means
> they were already handled by another thread or dropped I do not know.
>
> Conclusion:
>
> I'm not yet a guru when it comes to the TCP stack and its interaction
> with userspace applications and threads, so don't bet the ranch on my
> analysis. It's also possible that there's some issue in OpenSSL or
> nsopenssl that is causing this problem. The fact that nsopenssl is
> calling Ns_QueueConn and failing on the result tells me that the
> problem is occurring in AOLserver's connection management or in the
> operati
Re: [AOLSERVER] nsopenssl dropping connections
I've done more research on the issues you had with your very heavily loaded server, and here's a summary of some of the configurable parameters that affect how many connections a server can handle at one time.

Part I: The Operating System listen backlog limits

Network applications use the listen() system call to notify the operating system that they want to receive connections on a specific port. The operating system's TCP stack receives new connections and holds them until the application uses the accept() system call which ties the new connection to the userspace application. The TCP stack can hold a limited number of new connections that have not yet been accept()ed by the application -- this is called the "listen backlog". Eons ago, the default maximum listen backlog for most Unices was 5; when there were 5 new connections in the listen queue that had not been accept()ed by the application, all new connections coming in were dropped until the backlog dropped below 5. Most operating systems have higher defaults as specified by the SOMAXCONN defined in the /usr/include/socket.h file: the Linux 2.6 kernel and Mac OS 10.4.x both set SOMAXCONN to 128. If your server is receiving new connections at a rate faster than your application can accept() them, and the listen backlog builds to 128, new connections after that will be dropped until the backlog is reduced to below 128.

This doesn't mean you're stuck with this value, this is just what the operating system will default to at boot time. You can change this value on Solaris with:

/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024

and on Linux with:

/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1024

In fact, my Gentoo system modifies this parameter at boot time to be 1024.

My guess is that your operating system has max listen backlog set to 1024 or higher, but I don't have a Solaris system to check or test this (yet).

Part II: AOLserver listen backlog limits

You can change the max listen backlog with the listen() call itself on a per-application basis: the second argument to listen() is an integer value of what you want the backlog to be set to for that application. If you set the backlog to be greater than the operating system setting, you'll get the operating system's listen backlog value, not what you requested, but you won't know that because normally your setting is silently truncated to match the lower operating system value.

If you set the listen backlog to less than the operating system's max listen backlog, you'll get what you asked for. This is a good way to prevent a single application on a system where there are several network server applications running from hogging the listen backlog.

AOLserver 3.5.6 limits the listen backlog to 32 new connections via the BACKLOG define in nsconf.h. If your server is getting new connections at a rate faster than AOLserver can accept them, and you reach the limit of 32 in the listen queue, connections will be dropped until the backlog drops below 32.

You can change AOLserver's listen backlog by creating the "listenbacklog" param in your nsd.tcl file and setting it to an integer value you would like. I'm guessing that this param should be set in the server section, but I haven't validated this. You could also change it by changing the BACKLOG define and recompiling.

Part III: Thread and select()/poll() interactions

The bad news is that this may not be what you saw on your server. I say that because if connections are being dropped by the operating system before they are accepted by the application, then the application would never even see them or know the connection attempts had been made, and so could not log that the connection had been dropped. But, according to the notes in the accept() man page on Linux: "There may not always be a connection waiting after a SIGIO is delivered or select(2) or poll(2) return a readability event because the connection might have been removed by an asynchronous network error or another thread before accept() is called." It's quite possible that AOLserver was getting readability events but when it went to process them, the connections were gone -- whether that means they were already handled by another thread or dropped I do not know.

Conclusion:

I'm not yet a guru when it comes to the TCP stack and its interaction with userspace applications and threads, so don't bet the ranch on my analysis. It's also possible that there's some issue in OpenSSL or nsopenssl that is causing this problem. The fact that nsopenssl is calling Ns_QueueConn and failing on the result tells me that the problem is occurring in AOLserver's connection management or in the operating system limitations. This may not be the result of a bug or bugs, it may just be what happens when you load the system beyond its performance boundaries -- systems tend to become non-deterministic when pushed too far. I'd have to overload a server and watch its behavior many times with different settings and instrumentation to see what migh
Re: [AOLSERVER] nsopenssl dropping connections
AOLserver actually manages the connections for nsopenssl. The nsopenssl code in question is:

    if (Ns_QueueConn(sdPtr->driver, scPtr) != NS_OK) {
        Ns_Log(Warning, "%s: connection dropped", sdPtr->module);
        (void) SockClose(scPtr);
    }

nsopenssl is getting something other than NS_OK back from Ns_QueueConn when the latter tries to append the connection to the run queue. AOLserver in turn may not have been keeping up with the load, but I'd first check your OS TCP pending connection limits. If your system was being hammered, it's possible your OS was turning away conns. I'm not sure I should have put this message in the log as it may not reflect what actually happened. Unless someone responds with a better answer, I'll take a closer look at the code tomorrow.

/s.

On Jul 22, 2006, at 7:45 PM, William Scott Jordan wrote:

Hi all! We had a situation recently of extremely high traffic, during which connections were being rejected/dropped with the following warning showing up in the logs:

"Warning: nsopenssl: connection dropped"

I guess my questions are, what "limit" in nsopenssl is causing connections to be dropped? Can this limit be adjusted? Is there any way to catch this error to allow for a more graceful degradation, such as with a redirect to an unencrypted "Server Too Busy" page? This is on AOLServer 3.5.6, nsopenssl 2.1a, and FC3. Any light that anyone can shed on this would be greatly appreciated.

-Scott

-- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] nsopenssl "Error: driver: loadable drivers no longer supported"
On Wed, Mar 29, 2006 at 04:57:35PM +0400, aT wrote:
> On starting aolserver I get this error.
>
> "Error: driver: loadable drivers no longer supported"
>
> Aolserver 4.0.10
> nsopenssl-2.1a
> OpenSSL 0.9.8a
> AMD 64 , Linux rhes64

I don't know whether it's the cause of your problem or not, but that version of nsopenssl is very old, it dates from 2003 or so. Try the nsopenssl from the CVS Head instead. (Or use v3_0beta27, but it and the CVS Head are almost identical anyway.)

-- Andrew Piskorski <[EMAIL PROTECTED]> http://www.piskorski.com/
Re: [AOLSERVER] nsopenssl, new certificate not loading, yet old one does
Thanks, Scott & Dossy,

Knowing that "not readable" means "does not have permission to read" made all the difference. Turned out to be permissions on the dir. Testing with the old cert didn't catch it, because I was using a different dir (certs2005 instead of certs2006).

Thanks again. Happy new year!

Torben.
Re: [AOLSERVER] nsopenssl, new certificate not loading, yet old one does
On 2006.01.05, Torben Brosten <[EMAIL PROTECTED]> wrote:
[...]
> During startup, aolserver reports "certificate file is not readable or
> does not exist" (see log lines below).
>
> The files *do* exist. Using identical filename and permissions, I was
> able to use the previous domain (still valid) certificate without errors.
[...]

According to your logfile:

[04/Jan/2006:21:40:53][25144.2684415336][-main-] Debug: KeyFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.key.pem; CertFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.crt2.pem
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): 'client' certificate file is not readable or does not exist

Looking at the error string and the sslcontext.c source you pointed to:

    if ((access(sslcontext->certFile, F_OK) != 0)
        || (access(sslcontext->certFile, R_OK) != 0)) {
        Ns_Log(Error, "%s (%s): '%s' certificate file is not readable or does not exist",
               MODULE, sslcontext->server, sslcontext->name);
        return NS_ERROR;
    }

That's the only place the log message you see in your log could be generated from. It's very clearly saying it is either failing on F_OK (file exists) or R_OK (file is readable). What's the output of this command:

    $ ls -l /usr/local/www/service0/openacs-5.1.5/etc/certs2006/

> Checking the certificates via openssl fails the same for both the domain
> cert that works and the new domain, so this has no diagnostic value,
> unless there is a way to get "openssl verify" to work:
>
> openssl verify -purpose sslserver -verbose certfile.pem
> (certificate info)
> error 20 at 0 depth lookup:unable to get local issuer certificate

This isn't an "error" for a self-signed certificate if you don't specify the CA you used to self-sign with:

    $ openssl verify -verbose certificate.pem
    certificate.pem: /C=US/ST=New Jersey/O=Panoptic Computer Network/CN=www.panoptic.com/[EMAIL PROTECTED]
    error 20 at 0 depth lookup:unable to get local issuer certificate

vs:

    $ openssl verify -verbose -CAfile /etc/ssl/ca/demoCA/cacert.pem certificate.pem
    certificate.pem: OK

For certificates signed by a real CA, you'll need to get their CA cert if you want to fully verify/validate.

> What else should I check for?

If "openssl verify" returns the certificate info, then it's parsing it correctly. I'm pretty sure the code isn't confused here. The file might exist, but it might not be readable to the nsd process' user. I'd check and re-check the permissions on the file. If the owner of the cert file isn't the same user that the nsd will be running as, then make sure the file is readable to that other user.

-- Dossy

-- Dossy Shiobara | [EMAIL PROTECTED] | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
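The access() check quoted in this message logs one string for a missing file, an unreadable file, and a parent directory without search permission, which is what this thread turned out to be. The following added example (not nsopenssl code; `diagnose_readable`, `run_case` and the temporary tree are hypothetical and constructed) walks the path prefix by prefix and names the first component that fails:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum path_fault { PATH_OK, PATH_MISSING, PATH_NO_SEARCH, PATH_NO_READ, PATH_OTHER };

/* culprit: first path prefix that fails, "" when the fault is PATH_OK */
struct diagnosis { enum path_fault fault; char culprit[PATH_MAX]; };

/* Hypothetical helper (not nsopenssl code): test each prefix of an absolute
 * path in resolution order. Directories need search (x) permission, the last
 * component needs read. access() checks the real uid, like the quoted check. */
struct diagnosis diagnose_readable(const char *path)
{
    struct diagnosis d = { PATH_OTHER, "" };
    size_t n = strlen(path);
    struct stat st;

    if (path[0] != '/' || n >= sizeof d.culprit)
        return d;
    for (size_t i = 1; i <= n; i++) {
        if ((path[i] != '/' && path[i] != '\0') || path[i - 1] == '/')
            continue;                     /* not at the end of a component */
        memcpy(d.culprit, path, i);
        d.culprit[i] = '\0';
        if (stat(d.culprit, &st) != 0) {
            d.fault = (errno == ENOENT) ? PATH_MISSING : PATH_OTHER;
            return d;
        }
        if (path[i + strspn(path + i, "/")] == '\0') {   /* last component */
            if (access(d.culprit, R_OK) != 0) {
                d.fault = PATH_NO_READ;
                return d;
            }
            break;
        }
        if (!S_ISDIR(st.st_mode))
            return d;                     /* PATH_OTHER: a file used as a directory */
        if (access(d.culprit, X_OK) != 0) {
            d.fault = PATH_NO_SEARCH;
            return d;
        }
    }
    d.fault = PATH_OK;
    d.culprit[0] = '\0';
    return d;
}

/* True when the reported culprit ends with `suffix`. */
int culprit_has_suffix(struct diagnosis d, const char *suffix)
{
    size_t n = strlen(d.culprit), m = strlen(suffix);
    return n >= m && strcmp(d.culprit + n - m, suffix) == 0;
}

enum demo_case { CASE_READABLE, CASE_MISSING_FILE, CASE_DIR_NO_SEARCH, CASE_FILE_NO_READ };

/* Build a constructed tree <tmp>/certs2006/domain-name.crt.pem, break it as
 * requested, diagnose it, and remove it again. */
struct diagnosis run_case(enum demo_case c)
{
    struct diagnosis d = { PATH_OTHER, "" };
    char root[] = "/tmp/nsopenssl-demo-XXXXXX";
    char dir[64], file[128];
    FILE *fp;

    if (mkdtemp(root) == NULL)
        return d;
    snprintf(dir, sizeof dir, "%s/certs2006", root);
    snprintf(file, sizeof file, "%s/domain-name.crt.pem", dir);
    mkdir(dir, 0755);
    if (c != CASE_MISSING_FILE && (fp = fopen(file, "w")) != NULL) {
        fputs("constructed placeholder, not a certificate\n", fp);
        fclose(fp);
    }
    if (c == CASE_FILE_NO_READ)
        chmod(file, 0200);                /* owner may write but not read */
    if (c == CASE_DIR_NO_SEARCH)
        chmod(dir, 0644);                 /* listable but not searchable */
    d = diagnose_readable(file);
    chmod(dir, 0755);
    unlink(file);
    rmdir(dir);
    rmdir(root);
    return d;
}

int main(void)
{
    for (int c = CASE_READABLE; c <= CASE_FILE_NO_READ; c++) {
        struct diagnosis d = run_case((enum demo_case)c);
        printf("case %d: fault=%d culprit=%s\n", c, (int)d.fault, d.culprit);
    }
    return 0;
}
```

Run it as the account nsd runs under: root bypasses both permission checks, so the two permission cases report no fault there.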
Re: [AOLSERVER] nsopenssl, new certificate not loading, yet old one does
btw, there is no change when commenting out settings in config.tcl to use utf-8 encoding (and restarting aolserver).

Torben Brosten wrote:

I'm migrating an aolserver site from one domain on a freebsd4.x system to another on apple Xserve 10.4. The old non-self signed certificate works in the new site, but the new one does not.

...

Might some of the characters in the certificate get somehow pre-processed when loading in nsopenssl, such as with forward slashes or plus signs or some other character sequence etc?
Re: [AOLSERVER] nsopenssl 3.x and the "libnsopenssl.so" module
On Mon, Jul 11, 2005 at 05:14:19PM -0400, Dossy Shiobara wrote:
> refactor and simplify it, and want to ask: does ANYONE actually use the
> libnsopenssl.so stand-alone in their own custom C programs?

Nope. Oh, is that the only thing libnsopenssl.so is for, so you can use it outside of AOLserver?

> I'd like to do away with the libnsopenssl.so and just roll that
> functionality back into nsopenssl.so, under the (perhaps false) belief

Hm, the boiler plate to build libfoo.so libraries in addition to foo.so AOLserver modules is in "aolserver/include/Makefile.module". I hadn't realized that.

I guess you want to move some of the sslcontext.c, ssl.c, tclcmds.c, or x509.c code back into nsopenssl.c? [shrug] Whatever you like, doesn't matter either way to me.

It would be super cool if most of AOLserver itself, as well as its many add-on modules, became tclsh-compatible packages for AOLserver 5, as Jim D. has occasionally mused about on this list. But, hacking away at nsopenssl now to simplify is more likely to end up helping that sort of goal than retaining the baroque libnsopenssl.so feature.

-- Andrew Piskorski <[EMAIL PROTECTED]> http://www.piskorski.com/
Re: [AOLSERVER] nsopenssl 3.x and the "libnsopenssl.so" module
Just to answer the survey: we use only nsopenssl.so here @ KnowNow.

-- ReC

-Original Message-
From: AOLserver Discussion [mailto:[EMAIL PROTECTED] On Behalf Of Dossy Shiobara
Sent: Monday, July 11, 2005 2:14 PM
To: AOLSERVER@LISTSERV.AOL.COM
Subject: [AOLSERVER] nsopenssl 3.x and the "libnsopenssl.so" module

Hi,

I've pretty much adopted the nsopenssl module (especially since I work with folks who are writing code that depends on it) and want to further refactor and simplify it, and want to ask: does ANYONE actually use the libnsopenssl.so stand-alone in their own custom C programs?

I'd like to do away with the libnsopenssl.so and just roll that functionality back into nsopenssl.so, under the (perhaps false) belief that anyone using nsopenssl is using it within AOLserver, and if you're going to use OpenSSL in your C programs, you're going to use the OpenSSL C API directly and not through nsopenssl's libnsopenssl.so.

And, since there's no Nsopenssl_Init defined, you can't just [load libnsopenssl.so] from within a Tcl shell and use the Tcl API, either. Considering that the "tls"[1] package already exists, which provides a Tcl binding to the OpenSSL libs, making libnsopenssl.so loadable in a tclsh seems like duplication of effort, except for the slight benefit of providing the same Tcl APIs as you'd have under AOLserver, which might make code reuse slightly easier. I'm not sure if it's worth the mess in the nsopenssl code to keep this /potential/ capability around if no one's actually using it.

Thoughts? Comments? Complaints?

-- Dossy

Footnotes:
[1] http://www.flightlab.com/~joe/gutter/doc/tls-1.4/tls.htm

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl and godaddy SSL certificate
On 2005.05.18, Wojciech Kocjan <[EMAIL PROTECTED]> wrote:
>
> My company has just bought an SSL certificate from
> certificates.godaddy.com and they said to do the following:
...
> I have a .crt (from godaddy) and .key file, as well as 'sf_issuing.crt'.
> Can anyone please tell me how do I install it on AOLserver?

http://www.mail-archive.com/aolserver@listserv.aol.com/msg06815.html

| Re: [AOLSERVER] Problems with Verisign certificate with nsopenssl
| Scott Goodwin; Fri, 27 Feb 2004 15:11:02 -0800
|
| When I worked at DoD I placed their root CA cert first, then the
| intermediate CAs after, all concatenated into one file that I then
| pointed to with ServerCAFile -- this worked fine. Ensure you don't
| have any corruption of the file, as might happen if it has
| DOS-style line endings.

Hope this helps,

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
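A pre-flight check for the concatenated CA file described in the quoted advice, as an added example that is not nsopenssl or OpenSSL code: it counts complete certificate blocks and flags DOS line endings, unbalanced BEGIN/END markers and non-base64 body lines. The function names and the three sample bundles are constructed for illustration, and the check does not inspect certificate order (root first, then intermediates), which needs an X.509 parser.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

struct pem_report {
    int certs;       /* complete BEGIN/END CERTIFICATE blocks */
    int cr_lines;    /* lines that end in CR LF (DOS style) */
    int unbalanced;  /* BEGIN without END, or END without BEGIN */
    int bad_body;    /* lines inside a block that are not base64 */
};

static int is_base64_line(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '+' && c != '/' && c != '=')
            return 0;
    }
    return n > 0;                          /* an empty line is not base64 */
}

static int line_is(const char *line, size_t n, const char *marker)
{
    return n == strlen(marker) && memcmp(line, marker, n) == 0;
}

/* Scan a concatenated PEM bundle line by line. A trailing CR is counted and
 * then ignored for matching, so a DOS-format file still shows its blocks. */
struct pem_report check_pem_bundle(const char *buf, size_t len)
{
    struct pem_report r = { 0, 0, 0, 0 };
    int inside = 0;
    size_t pos = 0;

    while (pos < len) {
        const char *line = buf + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t n = nl ? (size_t)(nl - line) : len - pos;

        pos += n + (nl ? 1 : 0);
        if (n > 0 && line[n - 1] == '\r') {
            r.cr_lines++;
            n--;
        }
        if (line_is(line, n, PEM_BEGIN)) {
            r.unbalanced += inside;        /* BEGIN while a block is still open */
            inside = 1;
        } else if (line_is(line, n, PEM_END)) {
            if (inside)
                r.certs++;
            else
                r.unbalanced++;
            inside = 0;
        } else if (inside && !is_base64_line(line, n)) {
            r.bad_body++;
        }
    }
    r.unbalanced += inside;                /* file ended inside a block */
    return r;
}

/* A bundle passes when it holds at least one block and nothing was flagged. */
int bundle_ok(struct pem_report r)
{
    return r.certs > 0 && r.cr_lines == 0 && r.unbalanced == 0 && r.bad_body == 0;
}

/* Constructed samples: the base64 bodies are placeholders, not certificates. */
static const char UNIX_BUNDLE[] =
    PEM_BEGIN "\nUk9PVCBDQSBwbGFjZWhvbGRlcg==\n" PEM_END "\n"
    PEM_BEGIN "\nSU5URVJNRURJQVRFIHBsYWNlaG9sZGVy\n" PEM_END "\n";
static const char DOS_BUNDLE[] =
    PEM_BEGIN "\r\nUk9PVCBDQSBwbGFjZWhvbGRlcg==\r\n" PEM_END "\r\n"
    PEM_BEGIN "\r\nSU5URVJNRURJQVRFIHBsYWNlaG9sZGVy\r\n" PEM_END "\r\n";
static const char CUT_BUNDLE[] =
    PEM_BEGIN "\nUk9PVCBDQSBwbGFjZWhvbGRlcg==\n" PEM_END "\n"
    PEM_BEGIN "\nSU5URVJNRURJQVRFIHBsYWNl\n";

static void show(const char *name, const char *buf)
{
    struct pem_report r = check_pem_bundle(buf, strlen(buf));
    printf("%-4s certs=%d cr_lines=%d unbalanced=%d bad_body=%d -> %s\n", name,
           r.certs, r.cr_lines, r.unbalanced, r.bad_body, bundle_ok(r) ? "ok" : "fix");
}

int main(void)
{
    show("unix", UNIX_BUNDLE);
    show("dos", DOS_BUNDLE);
    show("cut", CUT_BUNDLE);
    return 0;
}
```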
Re: [AOLSERVER] nsopenssl howto
On Tue, 2005-02-22 at 19:37 -0500, Kevin S. Davis wrote:
> And another question:
>
> How do you handle virtual hosts via nsopenssl?

[snip]

The short answer is that you don't.* =)

> So I
> define another server in the config files, say foobar.com-ssl which
> doesn't actually load nssock, has its own pageroot, and I set the
> server to foobar.com:443 in the nsopenssl config section. In my
> browser, https://foobar.com works, https://www.foobar.com returns
> https://foobar.com which is basically the same thing, but
> https://yada.com and https://www.yada.com also return https://foobar.com
> which is not desirable.

The somewhat longer answer is that the HTTPS protocol doesn't understand name-based virtualhosts; it's a protocol limitation caused by the fact that SSL negotiation takes place before the Host headers are parsed out of the incoming datastream. If you want to have multiple SSL sites on the same box, you have two simple options and one more complex one.

Simple #1: Get a second IP address and run an SSL instance on each IP address

Simple #2: Run the SSL sites on different ports (443 and 444, for instance). Of course, this means that you'll have to explicitly pass a port in your URL (https://www.yada.com:444/) and, of course, https://www.foobar.com:444 would return the same content.

Complex answer: Once the data stream has been decrypted, your webserver (and by extension, any application running on that server) will have access to the clear-text version of the request. You could write pagecode which performed the proper Voodoo(tm) to drop the person into the proper area of the site.

Answer #1 is far and away the easiest solution here, and the least error-prone.

-- Noah Robin

* As always, there are exceptions to everything. In theory (and I've not tried this) one can have multiple vhosts on the same port/IP. HOWEVER, assuming one of those vhosts has a valid SSL certificate, any attempts to access the other site will result in that pop-up we all know and love; the one which states that the site you're requesting doesn't match the certificate being presented by the server. I can't speak for AOLServer's config in this regard, but see http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html for how to do this in apache, and some additional details on SSL/virtualhosting.
Re: [AOLSERVER] nsopenssl howto
And another question:

How do you handle virtual hosts via nsopenssl? Perhaps I need to elaborate a bit on the setup...

Let's say I have one IP and at least two domains, say foobar.com and yada.com. I set up virtual hosts in the usual manner so that foobar.com:80 returns something different than yada.com:80. In the same fashion I set up 2 more virtual hosts but return the same content respectively, www.foobar.com:80 and www.yada.com:80.

Now let's say I also want to serve foobar.com:443. However, I don't want to simply provide all the same content over 443, e.g. I want admin pages to be only on 443. So I define another server in the config files, say foobar.com-ssl which doesn't actually load nssock, has its own pageroot, and I set the server to foobar.com:443 in the nsopenssl config section. In my browser, https://foobar.com works, https://www.foobar.com returns https://foobar.com which is basically the same thing, but https://yada.com and https://www.yada.com also return https://foobar.com which is not desirable.

Kevin

Kevin S. Davis wrote:

Thank you and the others for the help, I've got it up and running.

And a couple dumb questions:

I've got CADir/File commented out as in Torben's reference. I get an error in the log that it can't find/load the CA cert file, ca.pem. Obviously because it's not there, but I'm not running a CA, I'm self signed, and I can still make SSL connections without this file. Is this a bug or am I not understanding something here? Can I just ignore this error?

It also seems the default CipherSuite has an extra '+' in there.

What's *not* encrypted? Just the hostname? How about the URL, usernames/passwords via nsperm?

Thanks again,

Kevin

Torben Brosten wrote:

Kevin,

Here's a direct url to the config.tcl file: http://cvs.openacs.org/cvs/*checkout*/openacs-4/etc/config.tcl?rev=1.19.2.21

cheers,

Torben

On Feb 22, 2005, at 8:31 AM, Trenton Cameron wrote:

http://openacs.org/doc/openacs-5-1/install-nsopenssl.html is a pretty good tutorial on howto install nsopenssl on aolserver

Janine Sisk wrote:

That's good for installation, but not so much for configuration. However, if you download the OpenACS tarball and grab the config file (etc/config.tcl, IIRC) it has a section in it for nsopenssl that will show you one way it can be done (I'm sure there are others).
Re: [AOLSERVER] nsopenssl howto
Thank you and the others for the help, I've got it up and running.

And a couple dumb questions:

I've got CADir/File commented out as in Torben's reference. I get an error in the log that it can't find/load the CA cert file, ca.pem. Obviously because it's not there, but I'm not running a CA, I'm self signed, and I can still make SSL connections without this file. Is this a bug or am I not understanding something here? Can I just ignore this error?

It also seems the default CipherSuite has an extra '+' in there.

What's *not* encrypted? Just the hostname? How about the URL, usernames/passwords via nsperm?

Thanks again,

Kevin

Torben Brosten wrote:

Kevin,

Here's a direct url to the config.tcl file: http://cvs.openacs.org/cvs/*checkout*/openacs-4/etc/config.tcl?rev=1.19.2.21

cheers,

Torben

On Feb 22, 2005, at 8:31 AM, Trenton Cameron wrote:

http://openacs.org/doc/openacs-5-1/install-nsopenssl.html is a pretty good tutorial on howto install nsopenssl on aolserver

Janine Sisk wrote:

That's good for installation, but not so much for configuration. However, if you download the OpenACS tarball and grab the config file (etc/config.tcl, IIRC) it has a section in it for nsopenssl that will show you one way it can be done (I'm sure there are others).
Re: [AOLSERVER] nsopenssl howto
Kevin,

Here's a direct url to the config.tcl file: http://cvs.openacs.org/cvs/*checkout*/openacs-4/etc/config.tcl?rev=1.19.2.21

cheers,

Torben

On Feb 22, 2005, at 8:31 AM, Trenton Cameron wrote:

http://openacs.org/doc/openacs-5-1/install-nsopenssl.html is a pretty good tutorial on howto install nsopenssl on aolserver

Janine Sisk wrote:

That's good for installation, but not so much for configuration. However, if you download the OpenACS tarball and grab the config file (etc/config.tcl, IIRC) it has a section in it for nsopenssl that will show you one way it can be done (I'm sure there are others).
Re: [AOLSERVER] nsopenssl howto
On Feb 22, 2005, at 8:31 AM, Trenton Cameron wrote:

http://openacs.org/doc/openacs-5-1/install-nsopenssl.html is a pretty good tutorial on howto install nsopenssl on aolserver

That's good for installation, but not so much for configuration. However, if you download the OpenACS tarball and grab the config file (etc/config.tcl, IIRC) it has a section in it for nsopenssl that will show you one way it can be done (I'm sure there are others).

janine
Re: [AOLSERVER] nsopenssl howto
Is there a 'nsopenssl howto' somewhere? Somehow I've gotten away without ssl all these years and need to look into it now. I'm looking for basic setup info and config options.

http://openacs.org/doc/openacs-5-1/install-nsopenssl.html is a pretty good tutorial on howto install nsopenssl on aolserver
Re: [AOLSERVER] nsopenssl errors
At Tuesday 02:58 PM 10/26/2004, Steve wrote:

I will apply it and remake the module to see if it helps. Thanks. Off hand can you remember what symptoms you saw with your 2.1a problems? Did the server restart? Did you get browser errors? Did it log errors? I'm just trying to see if your problem correlates with mine.

It logged errors like the following...:

[02/Jun/2003:08:51:09][2634.98316][-conn4-] Error: nsopenssl: sockclient: connection closed by peer

...which comes from the one function that represents the only substantive change between nsopenssl 2.1 and 2.1a: NsOpenSSLRecv().

I never did get the full details of the failures, but this was a description I received from the development staff: "Servers posting to themselves report a connection failure. In other places in the application, we just get weird and intermittent failures." We'd deployed 2.1a during a QA cycle, and it caused so many problems in QA that we just immediately pulled it and went back to 2.1. After we reverted to 2.1 the failures disappeared.

- John
Re: [AOLSERVER] nsopenssl errors
I will apply it and remake the module to see if it helps. Thanks. Off hand can you remember what symptoms you saw with your 2.1a problems? Did the server restart? Did you get browser errors? Did it log errors? I'm just trying to see if your problem correlates with mine.

Thanks

Steve

On Tue, 2004-10-26 at 22:13, John Caruso wrote:

At Tuesday 01:54 PM 10/26/2004, Steve wrote:

That's a bit worrying as I was under the impression that 2.1a was solid. I don't believe that I have any large posts but could you define what you're calling a large post for me.

As I recall, larger than 8K--in our environment. It may vary in yours. But the code in question is most definitely broken, both in 2.1 and 2.1a.

Of the two things I mentioned I'd think that nsopenssl 2.1a is more likely to be the source of your problems, since as I said it caused connection issues for us. But even if the patch doesn't address your particular problem, it does fix a genuine bug.

- John
Re: [AOLSERVER] nsopenssl errors
At Tuesday 01:54 PM 10/26/2004, Steve wrote:

That's a bit worrying as I was under the impression that 2.1a was solid. I don't believe that I have any large posts but could you define what you're calling a large post for me.

As I recall, larger than 8K--in our environment. It may vary in yours. But the code in question is most definitely broken, both in 2.1 and 2.1a.

Of the two things I mentioned I'd think that nsopenssl 2.1a is more likely to be the source of your problems, since as I said it caused connection issues for us. But even if the patch doesn't address your particular problem, it does fix a genuine bug.

- John
Re: [AOLSERVER] nsopenssl errors
On Tue, 2004-10-26 at 21:25, Torben Brosten wrote:
> What hardware are you running this on?
>

It's in 1 of about 20 VMs on a Dual-III 1.2Ghz, 4Gig RAM server.

Thanks
Re: [AOLSERVER] nsopenssl errors
Thanks John Thats a bit worrying as I was under the impression that 2.1a was solid. I don't believe that I have any large posts but could you define what your calling a large post for me. Steve On Tue, 2004-10-26 at 18:21, John Caruso wrote: At Tuesday 09:59 AM 10/26/2004, John Caruso wrote: At Monday 01:08 PM 10/25/2004, Steve wrote: [-conn17-] Error: nsopenssl: EOF during SSL handshake [-conn0-] Error: nsopenssl: nsdserver: connection closed by peer [-conn15-] Error: nsopenssl: error during SSL handshake: Connection reset by peer There's a bug in NsOpenSSLSend() in nsopenssl 2.1/2.1a; the retry code is seriously broken. The bug results in intermittent failures of large POSTs. This may or may not be the source of your problem, but it's worth a shot. Ack, sorry, but I should also have mentioned in the prior posting that we tried nsopenssl 2.1a and had to ditch it because it was causing connection errors when servers tried to connect to themselves, as well as other intermittent errors. So you may also want to try falling back to nsopenssl 2.1. If you do and are interested in using the patch I mentioned, here's the 2.1 version: -- 8< -- --- nsopenssl/ssl.c.orig Wed Feb 13 19:32:45 2002 +++ nsopenssl/ssl.c Tue Dec 30 17:31:33 2003 @@ -256,13 +256,11 @@ int rc; - int total; - - total = towrite; do { rc = SSL_write(ccPtr->ssl, buffer, towrite); - towrite -= rc; + if (rc > 0) + return rc; #if 0 -- 8< -- - John -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank. -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
Re: [AOLSERVER] nsopenssl errors
Steve Manning (Netidentity) wrote:

Running openacs-4.6.3, aolserver 3.4.2 with the oacs modifications, and nsopenssl2.1a on freebsd 4 stable, we see the same errors, as well as:

Error: nsopenssl: error -1/1 during SSL handshake

without any problems reported from end-users. We reboot aolserver once a week which seems to help reduce the frequency of an occasional (less than 1/week) "crypto" error that causes aolserver to crash. From aolserver tuning page, RSS/VSZ is at about 93%. We use these tuning parameter values:

    stacksize [expr 32*8192]
    maxthreads 30
    minthreads 30
    maxconnections 80

Yes I think that a lot of the nsopenssl 'errors' are safe to ignore. What hardware are you running this on?

It's in 1 of about 20 VMs on a Dual-III 1.2Ghz, 4Gig RAM server.
Re: [AOLSERVER] nsopenssl errors
At Tuesday 09:59 AM 10/26/2004, John Caruso wrote: At Monday 01:08 PM 10/25/2004, Steve wrote: [-conn17-] Error: nsopenssl: EOF during SSL handshake [-conn0-] Error: nsopenssl: nsdserver: connection closed by peer [-conn15-] Error: nsopenssl: error during SSL handshake: Connection reset by peer There's a bug in NsOpenSSLSend() in nsopenssl 2.1/2.1a; the retry code is seriously broken. The bug results in intermittent failures of large POSTs. This may or may not be the source of your problem, but it's worth a shot. Ack, sorry, but I should also have mentioned in the prior posting that we tried nsopenssl 2.1a and had to ditch it because it was causing connection errors when servers tried to connect to themselves, as well as other intermittent errors. So you may also want to try falling back to nsopenssl 2.1. If you do and are interested in using the patch I mentioned, here's the 2.1 version: -- 8< -- --- nsopenssl/ssl.c.orig Wed Feb 13 19:32:45 2002 +++ nsopenssl/ssl.c Tue Dec 30 17:31:33 2003 @@ -256,13 +256,11 @@ int rc; - int total; - - total = towrite; do { rc = SSL_write(ccPtr->ssl, buffer, towrite); - towrite -= rc; + if (rc > 0) + return rc; #if 0 -- 8< -- - John -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
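Review bot: With `int total;` and `total = towrite;` removed at the top of this hunk, anything after the loop that still reads `total` has to go as well, and the hunk is cut at `#if 0`, so the tail of the function cannot be checked from what is shown here. Please include the rest of the function in the patch context, or confirm that the path taken when `rc <= 0` and the retry condition is false returns the error value from SSL_write() rather than a byte count derived from the removed variable. A one-line comment above `if (rc > 0)` saying that the function now returns on the first successful write would also help the next reader, since the retry loop no longer adjusts `towrite`.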
Re: [AOLSERVER] nsopenssl errors
At Monday 01:08 PM 10/25/2004, Steve wrote: [-conn17-] Error: nsopenssl: EOF during SSL handshake [-conn0-] Error: nsopenssl: nsdserver: connection closed by peer [-conn15-] Error: nsopenssl: error during SSL handshake: Connection reset by peer Steve, There's a bug in NsOpenSSLSend() in nsopenssl 2.1/2.1a; the retry code is seriously broken. The bug results in intermittent failures of large POSTs. This may or may not be the source of your problem, but it's worth a shot. Here's the patch we're using to get around this issue (for 2.1a--if you need a 2.1 version, just say so): 8< --- --- nsopenssl/ssl.c.orig Wed Dec 31 11:50:51 2003 +++ nsopenssl/ssl.c Wed Dec 31 11:53:34 2003 @@ -235,7 +235,8 @@ do { rc = SSL_write(ccPtr->ssl, buffer, towrite); - towrite -= rc; + if (rc > 0) + return rc; } while (BIO_should_retry(ccPtr->ssl->wbio) && BIO_should_write(ccPtr->ssl->wbio)); 8< --- We've been using this in production for 9 months now, with no problems (and no recurrences of the bug it was intended to fix). Hope this helps. - John -- AOLserver - http://www.aolserver.com/ To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
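Review bot: The new `if (rc > 0) return rc;` inside the do/while hands the caller whatever SSL_write() accepted, so the contract of this function should be documented at that line: without SSL_MODE_ENABLE_PARTIAL_WRITE, SSL_write() only reports success once all `towrite` bytes are written, so `rc` equals `towrite` here, but if partial-write mode is ever enabled the callers must loop on the remainder themselves. Dropping `towrite -= rc` is the right fix, because the old line changed the length between retries (OpenSSL expects a retried SSL_write() to repeat the same arguments) and grew `towrite` when `rc` was negative. As a follow-up, the retry test in the unchanged `while (BIO_should_retry(ccPtr->ssl->wbio) && BIO_should_write(ccPtr->ssl->wbio))` line reaches into the SSL structure; deciding on SSL_get_error() returning SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ would be the supported way to make that decision.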
Re: [AOLSERVER] nsopenssl errors
Hi Torben

On Tue, 2004-10-26 at 11:51, Torben Brosten wrote:

Hi Steve,

Running openacs-4.6.3, aolserver 3.4.2 with the oacs modifications, and nsopenssl2.1a on freebsd 4 stable, we see the same errors, as well as:

Error: nsopenssl: error -1/1 during SSL handshake

without any problems reported from end-users. We reboot aolserver once a week which seems to help reduce the frequency of an occasional (less than 1/week) "crypto" error that causes aolserver to crash. From aolserver tuning page, RSS/VSZ is at about 93%. We use these tuning parameter values:

    stacksize [expr 32*8192]
    maxthreads 30
    minthreads 30
    maxconnections 80

Yes I think that a lot of the nsopenssl 'errors' are safe to ignore. What hardware are you running this on?

Is it possible that your mozilla error is the result of aolserver serving an image via http from an ssl connection?

Don't think so - it's happened on the fulfillment page which is pretty diverse of images. It's not been as bad so far today although we have had one occurrence reported to us by the client this afternoon. I did nothing and it hasn't reoccurred - orders are still coming in.

Steve
Re: [AOLSERVER] nsopenssl errors
Hi Steve, Running openacs-4.6.3, aolserver 3.4.2 with the oacs modifications, and nsopenssl2.1a on freebsd 4 stable, we see the same errors, as well as: Error: nsopenssl: error -1/1 during SSL handshake without any problems reported from end-users. We reboot aolserver once a week which seems to help reduce the frequency of an occasional (less than 1/week) "crypto" error that causes aolserver to crash. From aolserver tuning page, RSS/VSZ is at about 93%. We use these tuning parameter values: stacksize [expr 32*8192] maxthreads 30 minthreads 30 maxconnections 80 >>> They seem to cause a variety of errors in different browsers. I've >>> been >>> on the receiving end of one of these and in Mozilla it gave a popup >>> message: >> >> >> Are you able to reproduce this error on demand? Or is it completely >> random? Is it possible that your mozilla error is the result of aolserver serving an image via http from an ssl connection? Torben
Re: [AOLSERVER] nsopenssl errors
On Tue, 2004-10-26 at 01:06, Dossy Shiobara wrote: I assume it's too late in the game to upgrade your dev/QA environments to AOLserver 4.0.8 and nsopenssl v3_0beta23, do the necessary smoke tests then attempt a re-deployment of your production env.? If it isn't, I'd suggest doing it to see if it makes the negative user experience go away. I'd like to move back to 4 and I'll certainly make the suggestion but the problems we experienced with nsopenssl v3 versus the previous reliability of v2.1 will probably mean that other routes are exhausted first. > Do you think these errors relate to a performance issue somewhere? Do > you think a change of config would help - I'm running with maxthreads > 20, minthreads 20, maxconnections 100 and maxkeepalive 0? No, and no. The bugs I had in mind caused the server to crash, and since that's not happening in your scenario, I'm only assuming that they aren't the cause of your problems. I asked the config question because I'm concerned that it's possibly related to performance as yesterday was the busiest day for the site so far. I was wondering if reducing the number of threads might improve throughput if the cpu is maxed out? Going back to basics do we know what each of the nsopenssl errors and warnings mean and how significant they each are? > mii-tool gives an error - I'll check that out tomorrow. ifconfig was my > first port of call and it's showing 0 errors, 0 dropped, 0 overruns etc. > No problem there that I can see. At least ifconfig isn't showing errors. That's good news. mii-tool may throw an error if your NIC's driver doesn't support the PHY stuff. Gotta be some way to figure out what speed the NIC is connected at. Maybe this is a dead-end anyway ... I'll ask the client to ask their ISP but I suspect it's only connected on a 100 meg link. If it is a performance issue then having a gig connection would probably help. > > (Maybe someone stepped on your ethernet cable in the co-lo recently.)
> > Only if they climbed in the rack :-) Don't laugh ... I've had a host go off the 'net because the ethernet cable was run up inside the rack and while a new server was being slid into the rack, the cable got severed by one of the rails. "Is the link light on?" was a fun question to ask ... I know what you mean we had an IBM engineer run over the ethernet cable of an AS/400 with the AS/400's own cabinet - that took some finding. Steve
Re: [AOLSERVER] nsopenssl errors
On 2004.10.25, Steve <[EMAIL PROTECTED]> wrote: > I felt a disturbance in the force when I originally used AOLs 4 > and nsopenssl 3 so for the launch I switched to 3.3oacs1 and > nsopenssl 2.1a. It's been rock solid up until now and your questions > suggest that you have something in mind. I assume it's too late in the game to upgrade your dev/QA environments to AOLserver 4.0.8 and nsopenssl v3_0beta23, do the necessary smoke tests then attempt a re-deployment of your production env.? If it isn't, I'd suggest doing it to see if it makes the negative user experience go away. > Do you think these errors relate to a performance issue somewhere? Do > you think a change of config would help - I'm running with maxthreads > 20, minthreads 20, maxconnections 100 and maxkeepalive 0? No, and no. The bugs I had in mind caused the server to crash, and since that's not happening in your scenario, I'm only assuming that they aren't the cause of your problems. You may want to turn full debugging on ("ns_param debug on" in the nsopenssl config wherever appropriate) and see if anything interesting pops out, but unless you know what you're looking for, it's just more noise ... > mii-tool gives an error - I'll check that out tomorrow. ifconfig was my > first port of call and it's showing 0 errors, 0 dropped, 0 overruns etc. > No problem there that I can see. At least ifconfig isn't showing errors. That's good news. mii-tool may throw an error if your NIC's driver doesn't support the PHY stuff. Gotta be some way to figure out what speed the NIC is connected at. Maybe this is a dead-end anyway ... > > (Maybe someone stepped on your ethernet cable in the co-lo recently.) > > Only if they climbed in the rack :-) Don't laugh ... I've had a host go off the 'net because the ethernet cable was run up inside the rack and while a new server was being slid into the rack, the cable got severed by one of the rails. "Is the link light on?" was a fun question to ask ...
-- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors
On Mon, 2004-10-25 at 23:22, Dossy Shiobara wrote: On 2004.10.25, Steve <[EMAIL PROTECTED]> wrote: > > How large is the nsd process memory footprint? What modules are you > > loading? Did you upgrade anything at ALL lately? What OS is this on? > > Is it a single front-end host or a farm of them? If it's a farm, is it > > behind a load balancer, if so what make/model? > > OK it's OACS 5.1 so apart from nsopenssl it's loading tDom, nspostgres, > nssha1 and nscache. We haven't changed anything in over a week. It's > Linux 2.4 series kernel on a single host. Does OACS 5.1 support AOLserver 3.3 still? Yes. There's been a series of bugs fixed in nsopenssl 3 and AOLserver 4 that have not been backported to older nsopenssl 2.1a and AOLserver 3 -- you could be getting bitten by one of those. However, those were all server-crashing bugs so if your nsd isn't crashing/restarting, then perhaps these are not the bugs you are looking for ... move along. I felt a disturbance in the force when I originally used AOLs 4 and nsopenssl 3 so for the launch I switched to 3.3oacs1 and nsopenssl 2.1a. It's been rock solid up until now and your questions suggest that you have something in mind. Do you think these errors relate to a performance issue somewhere? Do you think a change of config would help - I'm running with maxthreads 20, minthreads 20, maxconnections 100 and maxkeepalive 0? > > Is your upstream bandwidth > > provider having routing issues? What kind of uplink exists on the host > > (10mbit, 100mbit, half or full duplex, configured or auto-negotiate)? > > What make/model switch is/are the hosts connected to? Are the switches > > configured or auto-negotiate? Is there any other traffic on your > > network segment or is it just these front-end webservers? > > It's co-lo. I've asked the host company to check the routing but so far > they haven't turned up anything they'd admit to.
Check the output of "mii-tool" and see if it's actually negotiated a gig-e connection and if it's full/half duplex, etc. Check output of ifconfig and see if you're seeing any packet loss/etc. Basically, if any of the error counters are non-zero, you have some investigation to do ... mii-tool gives an error - I'll check that out tomorrow. ifconfig was my first port of call and it's showing 0 errors, 0 dropped, 0 overruns etc. No problem there that I can see. (Maybe someone stepped on your ethernet cable in the co-lo recently.) Only if they climbed in the rack :-) Steve
Re: [AOLSERVER] nsopenssl errors
On 2004.10.25, Steve <[EMAIL PROTECTED]> wrote: > > How large is the nsd process memory footprint? What modules are you > > loading? Did you upgrade anything at ALL lately? What OS is this on? > > Is it a single front-end host or a farm of them? If it's a farm, is it > > behind a load balancer, if so what make/model? > > OK it's OACS 5.1 so apart from nsopenssl it's loading tDom, nspostgres, > nssha1 and nscache. We haven't changed anything in over a week. It's > Linux 2.4 series kernel on a single host. Does OACS 5.1 support AOLserver 3.3 still? There's been a series of bugs fixed in nsopenssl 3 and AOLserver 4 that have not been backported to older nsopenssl 2.1a and AOLserver 3 -- you could be getting bitten by one of those. However, those were all server-crashing bugs so if your nsd isn't crashing/restarting, then perhaps these are not the bugs you are looking for ... move along. > > Is your upstream bandwidth > > provider having routing issues? What kind of uplink exists on the host > > (10mbit, 100mbit, half or full duplex, configured or auto-negotiate)? > > What make/model switch is/are the hosts connected to? Are the switches > > configured or auto-negotiate? Is there any other traffic on your > > network segment or is it just these front-end webservers? > > It's co-lo. I've asked the host company to check the routing but so far > they haven't turned up anything they'd admit to. Check the output of "mii-tool" and see if it's actually negotiated a gig-e connection and if it's full/half duplex, etc. Check output of ifconfig and see if you're seeing any packet loss/etc. Basically, if any of the error counters are non-zero, you have some investigation to do ... (Maybe someone stepped on your ethernet cable in the co-lo recently.) -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p.
70)
Re: [AOLSERVER] nsopenssl errors
FWIW. I see this same behavior with a similar configuration. The only differences are that I'm using oracle and am running on Sun Solaris 9. It gets worse under heavy load. I never get complaints and have never experienced a 'browser side' problem so I assumed it didn't affect users. I get at least one of these errors an hour during the day when users are hitting the site. Keith Steve wrote: On Mon, 2004-10-25 at 22:05, Dossy Shiobara wrote: /On 2004.10.25, Steve <[EMAIL PROTECTED]> wrote: They seem to cause a variety of errors in different browsers. I've been on the receiving end of one of these and in Mozilla it gave a popup message: Are you able to reproduce this error on demand? Or is it completely random?/ Random. At least I can't seem to trigger it to happen. / Unfortunately the logs are going too quickly for me to determine which error gave the message. The site is getting to be very busy in the run up to halloween so I wondered if it was related to the load apart from these errors the system doesn't seem to have any problems and the response is good. What do you mean by "going too quickly"? Aren't you logging to disk? Can't you just roll the log and then inspect it at your leisure?/ I meant more trying to tie the event in real time to a message in the log. I can look at the log at leisure but it wouldn't be tied to any specific event. /How large is the nsd process memory footprint? What modules are you loading? Did you upgrade anything at ALL lately? What OS is this on? Is it a single front-end host or a farm of them? If it's a farm, is it behind a load balancer, if so what make/model?/ OK it's OACS 5.1 so apart from nsopenssl it's loading tDom, nspostgres, nssha1 and nscache. We haven't changed anything in over a week. It's Linux 2.4 series kernel on a single host. / Is your upstream bandwidth provider having routing issues? What kind of uplink exists on the host (10mbit, 100mbit, half or full duplex, configured or auto-negotiate)?
What make/model switch is/are the hosts connected to? Are the switches configured or auto-negotiate? Is there any other traffic on your network segment or is it just these front-end webservers? / It's co-lo. I've asked the host company to check the routing but so far they haven't turned up anything they'd admit to. / Is there a RDBMS involved, and is it running on its own dedicated host? On the same network segment? Do you serve static assets from these front-end hosts, or are you using a dedicated server for them and/or a CDN?/ Yes it's running Postgresql on the same host. Not much in the way of static assets just some templating all served from the same box. Steve -- Keith Paskett [EMAIL PROTECTED] Space Dynamics Laboratory Encrypted mail preferred 1695 North Research Parkway 435-797-4195 Logan, Utah 84341
Re: [AOLSERVER] nsopenssl errors
On Mon, 2004-10-25 at 22:05, Dossy Shiobara wrote: On 2004.10.25, Steve <[EMAIL PROTECTED]> wrote: > They seem to cause a variety of errors in different browsers. I've been > on the receiving end of one of these and in Mozilla it gave a popup > message: Are you able to reproduce this error on demand? Or is it completely random? Random. At least I can't seem to trigger it to happen. > Unfortunately the logs are going too quickly for me to determine which > error gave the message. The site is getting to be very busy in the run > up to halloween so I wondered if it was related to the load apart from > these errors the system doesn't seem to have any problems and the > response is good. What do you mean by "going too quickly"? Aren't you logging to disk? Can't you just roll the log and then inspect it at your leisure? I meant more trying to tie the event in real time to a message in the log. I can look at the log at leisure but it wouldn't be tied to any specific event. How large is the nsd process memory footprint? What modules are you loading? Did you upgrade anything at ALL lately? What OS is this on? Is it a single front-end host or a farm of them? If it's a farm, is it behind a load balancer, if so what make/model? OK it's OACS 5.1 so apart from nsopenssl it's loading tDom, nspostgres, nssha1 and nscache. We haven't changed anything in over a week. It's Linux 2.4 series kernel on a single host. Is your upstream bandwidth provider having routing issues? What kind of uplink exists on the host (10mbit, 100mbit, half or full duplex, configured or auto-negotiate)? What make/model switch is/are the hosts connected to? Are the switches configured or auto-negotiate? Is there any other traffic on your network segment or is it just these front-end webservers? It's co-lo. I've asked the host company to check the routing but so far they haven't turned up anything they'd admit to. Is there a RDBMS involved, and is it running on its own dedicated host? On the same network segment?
Do you serve static assets from these front-end hosts, or are you using a dedicated server for them and/or a CDN? Yes it's running Postgresql on the same host. Not much in the way of static assets just some templating all served from the same box. Steve
Re: [AOLSERVER] nsopenssl errors
FWIW, I saw those messages too, when I was using nsopenssl2.1, and I see similar ones using AOLserver 4 and the latest nsopenssl. The only difference is that I've never had a user complaint related to them, so I was assuming that they were victimless crimes. Perhaps that is not the case, though we usually do hear pretty quickly if something's not working right from the user's perspective. janine On Oct 25, 2004, at 5:05 PM, Dossy Shiobara wrote: On 2004.10.25, Steve <[EMAIL PROTECTED]> wrote: They seem to cause a variety of errors in different browsers. I've been on the receiving end of one of these and in Mozilla it gave a popup message: Are you able to reproduce this error on demand? Or is it completely random? Unfortunately the logs are going too quickly for me to determine which error gave the message. The site is getting to be very busy in the run up to halloween so I wondered if it was related to the load apart from these errors the system doesn't seem to have any problems and the response is good. What do you mean by "going too quickly"? Aren't you logging to disk? Can't you just roll the log and then inspect it at your leisure? I'd be grateful if someone could shed some light on these errors or point me at a way to diagnose the problem without adversely affecting the site. How large is the nsd process memory footprint? What modules are you loading? Did you upgrade anything at ALL lately? What OS is this on? Is it a single front-end host or a farm of them? If it's a farm, is it behind a load balancer, if so what make/model? Is your upstream bandwidth provider having routing issues? What kind of uplink exists on the host (10mbit, 100mbit, half or full duplex, configured or auto-negotiate)? What make/model switch is/are the hosts connected to? Are the switches configured or auto-negotiate? Is there any other traffic on your network segment or is it just these front-end webservers? Is there a RDBMS involved, and is it running on its own dedicated host?
On the same network segment? Do you serve static assets from these front-end hosts, or are you using a dedicated server for them and/or a CDN? This is just a short list of questions to get a better picture of what you're running, what your network architecture looks like and some things I've personally seen before that could possibly be responsible for the badness you're seeing. Let's eliminate the low-hanging fruit first ... -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors
On 2004.10.25, Steve <[EMAIL PROTECTED]> wrote: > They seem to cause a variety of errors in different browsers. I've been > on the receiving end of one of these and in Mozilla it gave a popup > message: Are you able to reproduce this error on demand? Or is it completely random? > Unfortunately the logs are going too quickly for me to determine which > error gave the message. The site is getting to be very busy in the run > up to halloween so I wondered if it was related to the load apart from > these errors the system doesn't seem to have any problems and the > response is good. What do you mean by "going too quickly"? Aren't you logging to disk? Can't you just roll the log and then inspect it at your leisure? > I'd be grateful if someone could shed some light on these errors or > point me at a way to diagnose the problem without adversely affecting > the site. How large is the nsd process memory footprint? What modules are you loading? Did you upgrade anything at ALL lately? What OS is this on? Is it a single front-end host or a farm of them? If it's a farm, is it behind a load balancer, if so what make/model? Is your upstream bandwidth provider having routing issues? What kind of uplink exists on the host (10mbit, 100mbit, half or full duplex, configured or auto-negotiate)? What make/model switch is/are the hosts connected to? Are the switches configured or auto-negotiate? Is there any other traffic on your network segment or is it just these front-end webservers? Is there a RDBMS involved, and is it running on its own dedicated host? On the same network segment? Do you serve static assets from these front-end hosts, or are you using a dedicated server for them and/or a CDN? This is just a short list of questions to get a better picture of what you're running, what your network architecture looks like and some things I've personally seen before that could possibly be responsible for the badness you're seeing. Let's eliminate the low-hanging fruit first ...
-- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl debugging
On 2004.08.24, Jade Rubick <[EMAIL PROTECTED]> wrote: > I have been having very similar problems to Bruno's, but on a Debian > stable Linux box. So I'm not so sure that this is a Mac OS problem. If > I have some time tomorrow, I'll test things out. Interesting -- I have yet to reproduce this on my ix86 Debian stable box. > Could we put up a page on the Wiki that has the test page that Dossy > proposed, links to the patches, etc..? I'd like to help test this, but > have deleted the previous postings, and I haven't had a reliable way to > reproduce the errors you mention. http://panoptic.com/wiki/aolserver/nsopenssl I don't have links to the patches or the test page up there (yet) -- I'll be adding that in the next few minutes or so. > My symptoms are on something like Aolserver 4.01 + nsopenssl 3 beta 17 > or so. Some fixes have gone into AOLserver since 4.0.5 and nsopenssl 3.0 beta 21. If you can, test using the HEAD of aolserver_v40_bp branch as well as nsopenssl. > I only have about 15 users on my production box, and about once > a day, the connections get gradually taken up, and the load gradually > rises, until it's unreachable. I have a keepalive script going, so it > restarts the Aolserver instance whenever it's unreachable. The load > then goes down to near zero and the whole process starts over again. > > This happens on my dev box as well, which has the same configuration. > But that happens much less often, because I'm the only user on the > system. If you could at least upgrade your dev. box to the either AOLserver 4.0.7 (the last official release) or 4.0.8a (HEAD of aolserver_v40_bp branch) as well as HEAD of nsopenssl and see if the problem is still reproducible, that would help. -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 
70)
Re: [AOLSERVER] nsopenssl debugging
On Aug 24, 2004, at 11:58 AM, Bernd Eidenschink wrote: Hi, My symptoms are on something like Aolserver 4.01 + nsopenssl 3 beta 17 or so. I only have about 15 users on my production box, and about once a day, the connections get gradually taken up, and the load gradually rises, until it's unreachable. I see this with a AOLserver 4.0.5, nsopenssl 3 beta 17, Linux Kernel 2.6.5-x (SuSE). FWIW, there's a file descriptor leak in beta 17. On Solaris, it manifests as an ever-increasing number of connections in the BOUND state, as reported by netstat. I know, 'cause I reported it to Scott, who fixed it shortly thereafter. =) Noah Robin System Administrator, America Online
Re: [AOLSERVER] nsopenssl debugging
Hi, > My symptoms are on something like Aolserver 4.01 + nsopenssl 3 beta 17 > or so. I only have about 15 users on my production box, and about once > a day, the connections get gradually taken up, and the load gradually > rises, until it's unreachable. I see this with a AOLserver 4.0.5, nsopenssl 3 beta 17, Linux Kernel 2.6.5-x (SuSE). netstat shows about 25 connections on the https port in CLOSE_WAIT state, right now e.g. all owned by googlebot-crawlers (...) The connections stay and stay open and load increases very slow (fortunately). I restart the server manually every 3 or 4 days. I'll try the latest nsopenssl beta soon, as I wasn't able to check it out the last days due to cvs problems at sourceforge. Regards, Bernd.
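A way to watch for the symptom reported in the message above (https sockets accumulating in CLOSE_WAIT, the state a socket sits in after the peer has closed and before the local process closes its end), so a leak shows up before the server becomes unreachable. This is an added example, not part of the original posts; the function names, hostnames and sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample in `netstat -t` column layout (hosts/ports are made up):
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE_NETSTAT='tcp 0 0 web.example:https crawler1.example:39207 CLOSE_WAIT
tcp 0 0 web.example:https crawler1.example:39973 CLOSE_WAIT
tcp 0 0 web.example:https crawler2.example:46458 CLOSE_WAIT
tcp 0 0 web.example:https client9.example:51012 ESTABLISHED
tcp 0 0 web.example:http crawler1.example:40001 CLOSE_WAIT
tcp 0 0 web.example:ssh admin.example:50022 ESTABLISHED
tcp 0 0 web.example:https crawler1.example:58923 CLOSE_WAIT'

# count_close_wait PORT
# Reads netstat lines on stdin and prints how many sockets whose local
# port is PORT are in CLOSE_WAIT. PORT must match what netstat prints:
# "https" for `netstat -t`, "443" for `netstat -tn`.
count_close_wait() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "CLOSE_WAIT" {
            n = split($4, la, ":")      # last piece is the local port
            if (la[n] == port) c++
        }
        END { print c + 0 }'
}

# close_wait_by_peer PORT
# Prints "COUNT PEERHOST" lines for CLOSE_WAIT sockets on PORT, busiest
# peer first, to show which clients the stuck sockets belong to.
close_wait_by_peer() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "CLOSE_WAIT" {
            n = split($4, la, ":")
            if (la[n] != port) next
            peer = $5
            sub(/:[^:]*$/, "", peer)    # drop the remote port
            seen[peer]++
        }
        END { for (p in seen) print seen[p], p }' | sort -k1,1nr -k2,2
}

# check_close_wait PORT LIMIT
# Succeeds while the CLOSE_WAIT count on PORT is below LIMIT and fails
# (status 1) once it reaches LIMIT, so cron or a monitor can alert on it.
check_close_wait() {
    cw_count=$(count_close_wait "$1")
    [ "$cw_count" -lt "$2" ]
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | close_wait_by_peer https
# On a live host (the limit of 20 is an arbitrary placeholder):
#   netstat -t | check_close_wait https 20 || echo "CLOSE_WAIT build-up on https"
```

A count that only ever grows between restarts points at the server not closing its sockets, which is a different signal from a brief spike under load.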
Re: [AOLSERVER] nsopenssl, might have found the culprit
On 2004.08.25, Bruno Mattarollo <[EMAIL PROTECTED]> wrote: > Well, it looks like I might have been too quick to shout "victory" ... > :( It didn't solve the problem ... G X-( > > OK, time to get back to do some more "looking around" ... As I said in the chat, there are deeper fundamental issues with the way nsopenssl is implemented -- I'm going to sit down and take a stab at rewriting parts of it today. Stay tuned ... -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl, might have found the culprit
Well, it looks like I might have been too quick to shout "victory" ... :( It didn't solve the problem ... G X-( OK, time to get back to do some more "looking around" ... /B On Aug 25, 2004, at 00:02, Bruno Mattarollo wrote: [ ... ] It's, as I pointed out before, in the "NsOpenSSLConnOp" function in the "ssl.c" file of nsopenssl. That function has a "switch" statement that contains: [ ... ] -- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl again ...
Wow, you guys had a busy weekend! It sounds like this is probably not stable enough for me to install on a production site. I can put it on the staging site, but I doubt it gets enough use to yield any useful data. We do have lots of Macs here, but unfortunately they are all on our office network and not accessible from outside. I will ask Mike if we have any server-ish systems we could put at our hosting facility, if it turns out you (Dossy) need one to use for this. If there's anything I can do to help, just let me know. janine
Re: [AOLSERVER] nsopenssl errors debugging
On 2004.08.23, Scott Goodwin <[EMAIL PROTECTED]> wrote: > I haven't found precisely where this is occurring because I haven't > been able to duplicate the problem yet. I'm hoping to get my hands on a OSX 10.3.5 box this week to try and reproduce the problem ... I definitely have not been able to reproduce it on Linux. > Interestingly enough, applying the patch referred to in this thread to > the 40_bp branch causes my server to not respond to any requests at all > on Mac OS 10.3.5. I made a mistake in the v40_bp branch patch -- I uploaded a corrected one last night just around midnight or so. Sorry about that ... grab the updated patch and try again. -- Dossy -- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors continued
On Aug 23, 2004, at 14:40, Bruno Mattarollo wrote:

Perhaps this is a MacOS X-specific issue? What version of OpenSSL are you running? And, what version of nsopenssl 3 -- what's the file revision on sslcontext.c (latest is 1.8)? Are you testing with AOLserver 4.0.x or 4.1.x?

OpenSSL 0.9.7d 17 Mar 2004

Sorry, it's compiled against OpenSSL 0.9.7b 10 Apr 2003 and not the version mentioned in my previous email. I will try with the latest version ...

/B

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors continued
On Aug 23, 2004, at 13:46, Dossy Shiobara wrote:

Even with Firefox from WinXP, you were able to reproduce the problem?

Yes, indeed.

Perhaps this is a MacOS X-specific issue? What version of OpenSSL are you running? And, what version of nsopenssl 3 -- what's the file revision on sslcontext.c (latest is 1.8)? Are you testing with AOLserver 4.0.x or 4.1.x?

OpenSSL 0.9.7d 17 Mar 2004

I am running "nsopenssl" from CVS HEAD (rev 1.8 for sslcontext.c). I am also testing AOLServer from CVS HEAD (4.1.x).

If I can reproduce this issue on my win32 or linux dev. environments, that'll be good. Otherwise, I'll have to dig for a macosx box I can tinker with.

I don't have access to my linux box at the moment, so can't really test on anything else than my Mac OS X laptop ... Hopefully I will be more settled in soon and will be able to have a duplicate but on linux ...

/B

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors debugging
I think that there should be an "else" after the SSL_write function and raise an error if the write wasn't successful ... ?

Actually, once the SSL_read or write has been performed and the total number of bytes is adjusted, control passes to the switch statement after it to handle any errors (unless we've actually reached total, in which case we return cleanly). It appears that clicking away from the current connection while it's in process may sometimes leave it in a state where the server thinks the connection is still open, leaving the core comm API to continue trying to aggressively read from the socket, thus spinning up your CPU to 100%. I haven't found precisely where this is occurring because I haven't been able to duplicate the problem yet.

Interestingly enough, applying the patch referred to in this thread to the 40_bp branch causes my server to not respond to any requests at all on Mac OS 10.3.5.

/s.

On Aug 22, 2004, at 11:12 PM, Bruno Mattarollo wrote:

Hello again (yeah, sorry) ...

Trying to debug with DDD and it seems to me that there seem to be a problem at the following functions and (see below code):

NsOpenSSLConnOp (in line 664, "total" and "bytes" are both "0" -zero-).

632 NsOpenSSLConnOp(SSL *ssl, void *buffer, int bytes, int type)
633 {
634     int rc = 0;
635     int total = 0;
636     NsOpenSSLConn *sslconn = SSL_get_app_data(ssl);
637     SOCKET socket = SSL_get_fd(ssl);
638
639     /*
640      * OpenSSL man page for SSL_read() states that if SSL_read() generates an
641      * SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, you *must* call SSL_read()
642      * again with the same arguments. This means we don't do any buffer
643      * management ourselves, so we don't use an offset into the buffer for
644      * multiple calls to SSL_read().
645      */
646
647     do {
648         switch(type) {
649         case NSOPENSSL_RECV:
650             rc = SSL_read(ssl, (char *) buffer, bytes);
651             if (rc > 0) {
652                 total += rc;
653             }
654             if (rc == 0 && SSL_pending(ssl) == 0) {
655                 return total;
656             }
657             break;
658         case NSOPENSSL_SEND:
659             rc = SSL_write(ssl, (char *) buffer, bytes);
660             if (rc > 0) {
661                 total += rc;
662             }
663             if (total >= bytes) {
664                 return total;
665             }
666             break;
667         default:
668             Ns_Log(Error, "%s (%s): Invalid command", MODULE, sslconn->server);
669             break;
670         }

I also set a breakpoint in Ns_ConnSend

Breakpoint 1, Ns_ConnSend (conn=0x26d8008, bufs=0xf0683000, nbufs=2) at connio.c:170

164     while (towrite > 0) {
165         n = NsSockSend(connPtr->sockPtr, bufs, nbufs);
166         if (n < 0) {
167             break;
168         }
169         towrite -= n;
170         nwrote += n;
171         if (towrite > 0) {
172             for (i = 0; i < nbufs && n > 0; ++i) {
173                 if (n > (int) bufs[i].iov_len) {
174                     n -= bufs[i].iov_len;
175                     bufs[i].iov_base = NULL;
176                     bufs[i].iov_len = 0;
177                 } else {
178                     bufs[i].iov_base = (char *) bufs[i].iov_base + n;
179                     bufs[i].iov_len -= n;
180                     n = 0;
181                 }
182             }
183         }
184     }

At line 170, "towrite" is 4910 "nwrote" is 255 and at line 172 "n" is 0 ... (repeated that many times and both vars have always the same values)

And in NsOpenSSLConnOp it goes to line 658 SSL_write returns -1 (which, according to the documentation [ http://www.openssl.org/docs/ssl/SSL_write.html ] means that write operation wasn't successful). It then goes into the "if (total >= bytes) {" and both "total" and "bytes" are 0 -zero- each.

632 NsOpenSSLConnOp(SSL *ssl, void *buffer, int bytes, int type)
633 {
634     int rc = 0;
635     int total = 0;
636     NsOpenSSLConn *sslconn = SSL_get_app_data(ssl);
637     SOCKET socket = SSL_get_fd(ssl);
638
639     /*
640      * OpenSSL man page for SSL_read() states that if SSL_read() generates an
641      * SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, you *must* call SSL_read()
642      * again with the same arguments. This means we don't do any buffer
643      * management ourselves, so we don't use an offset into the buffer for
644      * multiple calls to SSL_read().
645      */
646
647     do {
648         switch(type) {
649         case NSOPENSSL_RECV:
650             rc = SSL_read(ssl, (char *) buffer, bytes);
651             if (rc >
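The Ns_ConnSend loop quoted in the message above leaves its `while` only when NsSockSend returns a negative value, so a transport that keeps returning 0 never reduces `towrite`. The C program below is an added example, not AOLserver or nsopenssl code and not written by anyone in this thread: it replays that control flow against constructed transports and compares it with a guarded variant that skips drained buffers and treats zero progress as a failure. `first_buf_send`, `dead_send`, `send_all_guarded` and the 255/4910-byte buffer sizes are assumptions chosen to match the values reported; the thread does not establish that this is what the real driver does.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/uio.h>

typedef ssize_t (*send_fn)(struct iovec *bufs, int nbufs);
static int send_calls;                 /* transport invocations per run */

/* Constructed transport (assumption): sends only bufs[0] on each call, so an
 * already-drained first buffer makes it return 0. */
static ssize_t first_buf_send(struct iovec *bufs, int nbufs)
{
    send_calls++;
    return nbufs > 0 ? (ssize_t) bufs[0].iov_len : -1;
}

/* Constructed transport: the peer is gone and no byte is ever accepted. */
static ssize_t dead_send(struct iovec *bufs, int nbufs)
{
    (void) bufs; (void) nbufs; send_calls++;
    return 0;
}

/* Control flow of the quoted Ns_ConnSend loop. max_iter exists only so the
 * demonstration terminates; *spun is set when that cap was reached. */
static ssize_t send_all_quoted(send_fn xmit, struct iovec *bufs, int nbufs,
                               int max_iter, int *spun)
{
    ssize_t towrite = 0, nwrote = 0, n;
    int i, iter = 0;
    for (i = 0; i < nbufs; ++i) towrite += (ssize_t) bufs[i].iov_len;
    while (towrite > 0) {
        if (iter++ >= max_iter) { *spun = 1; break; }
        n = xmit(bufs, nbufs);
        if (n < 0) break;              /* n == 0 is not treated as failure */
        towrite -= n; nwrote += n;
        if (towrite > 0) {
            for (i = 0; i < nbufs && n > 0; ++i) {
                if (n > (ssize_t) bufs[i].iov_len) {
                    n -= (ssize_t) bufs[i].iov_len;
                    bufs[i].iov_base = NULL;
                    bufs[i].iov_len = 0;
                } else {               /* drained buffer stays at the front */
                    bufs[i].iov_base = (char *) bufs[i].iov_base + n;
                    bufs[i].iov_len -= (size_t) n;
                    n = 0;
                }
            }
        }
    }
    return nwrote;
}

/* Guarded variant: hand the transport only buffers that still hold data and
 * stop on n <= 0, reporting the stall instead of retrying forever. */
static ssize_t send_all_guarded(send_fn xmit, struct iovec *bufs, int nbufs,
                                int *stalled)
{
    ssize_t towrite = 0, nwrote = 0, n;
    int i, first = 0;
    for (i = 0; i < nbufs; ++i) towrite += (ssize_t) bufs[i].iov_len;
    while (towrite > 0) {
        while (first < nbufs && bufs[first].iov_len == 0) first++;
        if (first == nbufs) break;
        n = xmit(bufs + first, nbufs - first);
        if (n <= 0) { *stalled = 1; break; }
        towrite -= n; nwrote += n;
        for (i = first; i < nbufs && n > 0; ++i) {
            size_t take = (size_t) n < bufs[i].iov_len ? (size_t) n : bufs[i].iov_len;
            bufs[i].iov_base = (char *) bufs[i].iov_base + take;
            bufs[i].iov_len -= take;
            n -= (ssize_t) take;
        }
    }
    return nwrote;
}

struct result { long nwrote; int calls; int flag; };

/* One run over a constructed 255-byte + 4910-byte buffer pair (sizes chosen
 * to match the nwrote/towrite values reported in the message). */
static struct result run(int guarded, send_fn xmit)
{
    static char hdr[255], body[4910];
    struct iovec bufs[2];
    struct result r = { 0, 0, 0 };
    bufs[0].iov_base = hdr;  bufs[0].iov_len = sizeof hdr;
    bufs[1].iov_base = body; bufs[1].iov_len = sizeof body;
    send_calls = 0;
    r.nwrote = guarded ? (long) send_all_guarded(xmit, bufs, 2, &r.flag)
                       : (long) send_all_quoted(xmit, bufs, 2, 1000, &r.flag);
    r.calls = send_calls;
    return r;
}

int main(void)
{
    struct result r[3];
    int i;
    r[0] = run(0, first_buf_send); r[1] = run(1, first_buf_send); r[2] = run(1, dead_send);
    for (i = 0; i < 3; ++i)
        printf("run %d: wrote=%ld calls=%d flag=%d\n", i, r[i].nwrote, r[i].calls, r[i].flag);
    return 0;
}
```

With the constructed first-buffer transport the quoted loop stalls at 255 bytes written and 4910 outstanding until the cap trips, while the guarded loop finishes in two calls; against the dead transport the guarded loop gives up after one call.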
Re: [AOLSERVER] nsopenssl errors continued
On 2004.08.22, Dossy Shiobara <[EMAIL PROTECTED]> wrote:
> Ah, interesting -- I repeated the test with 4.0.8a and this is the error
> in the log:
>
> [22/Aug/2004:23:37:44][27971.1088318384][-conn:server1::2] Debug: SSLOp(15-0):
> SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [22/Aug/2004:23:37:44][27971.1088318384][-conn:server1::2] Error: nsopenssl
> (server1): SSL error on reading data

I just had someone test from a OSX 10.3.5 using Safari 1.2.3 (v125.9) and got this in my log:

[22/Aug/2004:23:51:25][28821.1088252848][-conn:server1::1] Debug: SSLOp(17-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[22/Aug/2004:23:51:26][28821.1088252848][-conn:server1::1] Error: nsopenssl (server1): SSL error on reading data

This time, it's SSLOp 17-0 instead of 15-0. Wonder if that says something interesting ...

Anyhow, I'll keep poking around tomorrow or the next day ...

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors continued
On 2004.08.23, Bruno Mattarollo <[EMAIL PROTECTED]> wrote:
> I've tried with:
>
> (from Mac OS X)
> Safari 1.2.3 (v125.9)
> Firefox 0.9.3
> Mozilla 1.7: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;
> rv:1.7) Gecko/2004051
>
> (From a Windows XP box)
> IE 6.0.2800.1106.xpsp2
> Firefox 0.9.2
>
> The strangest thing is that I couldn't reproduce the error with IE but
> I could with all the other browsers! :( I tried exactly the same steps
> with each browser.

Even with Firefox from WinXP, you were able to reproduce the problem?

I just had someone hit my AOLserver 4.1.0a (w/ nsopenssl 3 beta HEAD) server running on Linux from their MacOS X machine running Mozilla 1.8, and wasn't able to reproduce the problem. What I was able to elicit in the logs was this:

[22/Aug/2004:23:28:16][24459.1088261040][-nsopenssl:reader-] Debug: SSLOp(15-0): SSL_ERROR_SSL: bytes = 199; total = 0; rc = -1
[22/Aug/2004:23:28:16][24459.1088261040][-nsopenssl:reader-] Error: nsopenssl (server1): SSL error on reading data

But, no CPU utilization spike at all. I had the person request this simple ADP page:

<%
ns_log notice "connected from [ns_conn peeraddr]"
ns_sleep 10
%>
test

Instructed them to access the URL to the page, hit "stop" in their browser, then reload to fetch it again. Saw two log entries, and that error shown above in between ... but again, I'm running the AOLserver from Linux.

Perhaps this is a MacOS X-specific issue? What version of OpenSSL are you running? And, what version of nsopenssl 3 -- what's the file revision on sslcontext.c (latest is 1.8)? Are you testing with AOLserver 4.0.x or 4.1.x?

Ah, interesting -- I repeated the test with 4.0.8a and this is the error in the log:

[22/Aug/2004:23:37:44][27971.1088318384][-conn:server1::2] Debug: SSLOp(15-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[22/Aug/2004:23:37:44][27971.1088318384][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data

Slightly different: on 4.1.0a, bytes=199. On 4.0.8a, bytes=16000.

What's also interesting is after this error, while my CPU isn't going to 100%, the server's refusing to answer new connections from other browsers. Strangely though, from the machine itself, I can connect using openssl from command-line just fine ...

If I can reproduce this issue on my win32 or linux dev. environments, that'll be good. Otherwise, I'll have to dig for a macosx box I can tinker with.

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors continued
Hello again,

On Aug 23, 2004, at 02:10, Dossy Shiobara wrote:

What browser are you using to test that you're able to reproduce this problem with?

I've tried with:

(from Mac OS X)
Safari 1.2.3 (v125.9)
Firefox 0.9.3
Mozilla 1.7: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7) Gecko/2004051

(From a Windows XP box)
IE 6.0.2800.1106.xpsp2
Firefox 0.9.2

The strangest thing is that I couldn't reproduce the error with IE but I could with all the other browsers! :( I tried exactly the same steps with each browser.

I am not sure if this matters but I am using AOLServer + OpenACS ... I tried this with a standard AOLServer without OpenACS but I can't click fast enough to cancel a request when serving static pages ... I will try to create a .tcl file and does some stuff (like a loop) before returning now.

Thanks, got it. Reviewed it, but nothing too interesting in there. The fact that while nsd is at 100% CPU, you're not getting a constant stream of output in ktrace ... we need to figure out why.

I tried "ktrace -idt cnisw ..." and still no additional output to the trace file :(

The problem here is that if there's some tight loop somewhere in AOLserver code, ktrace won't show it as it really only traces I/O and syscalls and such. To really get to the heart of the issue, I'll probably need to get my hands on a 10.3.5 box and reproduce the issue while running gdb ...

I tried with "DDD" but I am not experienced enough to make it run and debug what's going on ...

Cheers /B

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors continued
On 2004.08.23, Bruno Mattarollo <[EMAIL PROTECTED]> wrote:
> >OK, so you're running on Mac OS X. What version?
>
> Latest, 10.3.5.

What browser are you using to test that you're able to reproduce this problem with?

> It's 70 MB Just for the start and then making it go crazy immediately
> after it's up. Removing all up to the start leaves around 490K. I am
> sending you the file compressed with BZIP2 on another message.

Thanks, got it. Reviewed it, but nothing too interesting in there. The fact that while nsd is at 100% CPU, you're not getting a constant stream of output in ktrace ... we need to figure out why.

> Well, I started "ktrace -d /usr/local/aolserver" and according to
> the ktrace man page:
>
> -d Descendants; perform the operation for all current
> children of
>
> I have also tried:
>
> ktrace -id /usr/local/...
>
> And I can't see the ktrace dump growing after getting "nsd" to take
> 100% of the CPU.

According to the ktrace man page:

http://developer.apple.com/documentation/Darwin/Reference/ManPages/html/ktrace.1.html

Try this:

ktrace -idt cnisw /usr/local/...

The problem here is that if there's some tight loop somewhere in AOLserver code, ktrace won't show it as it really only traces I/O and syscalls and such. To really get to the heart of the issue, I'll probably need to get my hands on a 10.3.5 box and reproduce the issue while running gdb ...

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors continued
Hello Dossy,

On Aug 22, 2004, at 21:37, Dossy Shiobara wrote:

OK, so you're running on Mac OS X. What version?

Latest, 10.3.5.

If a thread is spinning out of control, it may not process the shutdown notification right away ... in which case you *could* kill -9 the nsd which isn't very friendly, or you could wait ~30 seconds for it to hopefully timeout the threads and exit.

I tried but maybe I was too impatient but I reckon it was more than 30 seconds. Trying again to see what happens.

How large is the ktrace output? Can you put it up on a web site somewhere so I can download it and look at it?

It's 70 MB Just for the start and then making it go crazy immediately after it's up. Removing all up to the start leaves around 490K. I am sending you the file compressed with BZIP2 on another message.

If the process is eating 100% CPU, that ktrace ought to be HUGE with whatever is happening that's eating all that CPU. If not, perhaps you're missing some cmdline args to ktrace to tell it to trace all child threads ...

Well, I started "ktrace -d /usr/local/aolserver" and according to the ktrace man page:

-d Descendants; perform the operation for all current children of

I have also tried:

ktrace -id /usr/local/...

And I can't see the ktrace dump growing after getting "nsd" to take 100% of the CPU.

I just tried again and after I kill the AOLServer process from the console, it doesn't actually come back, the last lines from my console are:

[23/Aug/2004:00:20:50][12431.2684396012][-main-] Notice: nsmain: AOLserver/4.1.0a stopping
[23/Aug/2004:00:20:50][12431.2684396012][-main-] Notice: driver: stopping: nsopenssl
[23/Aug/2004:00:20:50][12431.2684396012][-main-] Notice: driver: stopping: nssock
[23/Aug/2004:00:20:50][12431.25187328][-nsopenssl:reader-] Notice: exiting
[23/Aug/2004:00:20:50][12431.25186304][-nssock:driver-] Notice: exiting
[23/Aug/2004:00:21:10][12431.2684396012][-main-] Warning: timeout waiting for connection thread exit
[23/Aug/2004:00:21:10][12431.2684396012][-main-] Notice: sched: shutdown pending
[23/Aug/2004:00:21:10][12431.2684396012][-main-] Warning: sched: timeout waiting for sched exit
[23/Aug/2004:00:21:10][12431.2684396012][-main-] Notice: driver: stopped: nsopenssl
[23/Aug/2004:00:21:10][12431.25184256][-sched-] Notice: sched: shutdown started
[23/Aug/2004:00:21:10][12431.25184256][-sched-] Notice: sched: waiting for event threads...
[23/Aug/2004:00:21:10][12431.25169920][-sched:idle0-] Notice: exiting
[23/Aug/2004:00:21:10][12431.25184256][-sched-] Notice: sched: shutdown complete

But I don't get the prompt back, the "nsd" is taking 100% of cpu, the ktrace dump is not growing, even attaching a new ktrace doesn't create any output and the last lines from the ktrace dump are:

12431 nsd RET write 92/0x5c
12431 nsd CALL write(0x2,0x337c8ec,0x46)
12431 nsd GIO fd 2 wrote 70 bytes
    "[23/Aug/2004:00:21:10][12431.25169920][-sched:idle0-] Notice: exiting "
12431 nsd RET write 70/0x46
12431 nsd CALL #331(0x1)
12431 nsd RET #331 0
12431 nsd CALL fcntl(0x2,0x3,0)
12431 nsd RET fcntl 2
12431 nsd CALL fcntl(0x2,0x4,0x2)
12431 nsd RET fcntl 0
12431 nsd CALL fcntl(0x2,0x3,0x2)
12431 nsd RET fcntl 2
12431 nsd CALL fcntl(0x1,0x3,0)
12431 nsd RET fcntl 2
12431 nsd CALL fcntl(0x1,0x4,0x2)
12431 nsd RET fcntl 0
12431 nsd CALL fcntl(0x1,0x3,0x2)
12431 nsd RET fcntl 2
12431 nsd CALL fcntl(0,0x3,0)
12431 nsd RET fcntl 0
12431 nsd CALL fcntl(0,0x4,0)
12431 nsd RET fcntl -1 errno 19 Operation not supported by device
12431 nsd CALL write(0x2,0x337c8ec,0)
12431 nsd GIO fd 2 wrote 0 bytes
    ""
12431 nsd RET write 0
12431 nsd CALL write(0x2,0x582ec,0x51)
12431 nsd GIO fd 2 wrote 81 bytes
    "[23/Aug/2004:00:21:10][12431.25184256][-sched-] Notice: sched: shutdown complete "
12431 nsd RET write 81/0x51
12431 nsd CALL #331(0x1)
12431 nsd RET #331 0
12431 nsd CALL write(0x2,0x582ec,0)
12431 nsd GIO fd 2 wrote 0 bytes
    ""
12431 nsd RET write 0

I will send you the ktrace dump as mentioned above (all from the time the server starts listening).

Puzzled, /B

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors continued
On 2004.08.22, Bruno Mattarollo <[EMAIL PROTECTED]> wrote:
>
> OK, I have started already twice the server with "ktrace" (a utility
> similar to "strace" but for Mac OS X)

OK, so you're running on Mac OS X. What version?

> and, before I even mention
> anything about what I see on the dump file, the strangest problem is
> that I need to actually do a "kill -9 NSD_PID" to shut it down as the
> "nsd" process is still taking 100% of the CPU after stopping AOLServer
> (I start it on the foreground and stop it with CTRL+C).

If a thread is spinning out of control, it may not process the shutdown notification right away ... in which case you *could* kill -9 the nsd which isn't very friendly, or you could wait ~30 seconds for it to hopefully timeout the threads and exit.

> From the "ktrace" dump, when I look for the nsopenssl error (after
> canceling a request), this is what I see:
>
>"[22/Aug/2004:19:59:12][12261.25187328][-nsopenssl:reader-]
> Warning: nsopenssl (MYSERVER): SSL interrupted\
> , perhaps by client
>"
> 12261 nsd RET write 132/0x84
> 12261 nsd CALL sendto(0xd,0x925d8,0x1,0,0,0)
> 12261 nsd GIO fd 13 wrote 1 byte
>"\0"
> 12261 nsd RET sendto 1
> 12261 nsd RET select 2
> 12261 nsd CALL recvfrom(0xc,0xf0282950,0x400,0,0,0)
> 12261 nsd GIO fd 12 wrote 1 byte
>"\0"
> 12261 nsd RET recvfrom 1
> 12261 nsd CALL shutdown(0x11,0x1)
> 12261 nsd RET shutdown -1 errno 22 Invalid argument
> 12261 nsd CALL close(0x11)
>
> Isn't it possible that the "shutdown -1 errno 22 Invalid argument" is
> the problem?

Unlikely. The shutdown() requests a graceful close, and if that fails (i.e., because the remote peer has already disconnected), then we just close() the socket and move on.

One thing that I'm noticing now is that we execute shutdown() with SHUT_WR, and not SHUT_RDWR. Wonder why ...

> I can't see any other calls in the ktrace dump that would seem to
> indicate syscalls going insane ... maybe some loop somewhere ... I
> don't know so much about C or the core of AOLServer to go any further
> really :(

How large is the ktrace output? Can you put it up on a web site somewhere so I can download it and look at it?

If the process is eating 100% CPU, that ktrace ought to be HUGE with whatever is happening that's eating all that CPU. If not, perhaps you're missing some cmdline args to ktrace to tell it to trace all child threads ...

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors
On 2004.08.22, Bruno Mattarollo <[EMAIL PROTECTED]> wrote:
>
> I finally got AOLServer, nsopenssl both from cvs HEAD, applied your
> patch and tried to reproduce the error mentioned before and this time I
> get this:
>
> [22/Aug/2004:19:15:15][11703.25202688][-conn:3-] Warning: nsopenssl
> (MYSERVER): SSL interrupted, perhaps by client
>
> instead of nsopenssl looping like crazy... will work on this instance
> and report if I find other errors.

This is GREAT news! Yes, this is exactly what I was expecting to hear: the "SSL interrupted" is what nsopenssl logs when the socket has disconnected before the request is finished processing.

If you can confirm that AOLserver/nsopenssl "behaves correctly" with the patch, then I will commit it to CVS.

Thanks! I appreciate you testing it out for me, since I wasn't really able to reproduce the issue here ...

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors
Uh ... no, small correction ... the errors that I saw previously on the error log don't show up but the "nsd" process takes 100% of the cpu (according to "top") ... :-(

Is there a way that I could check what's happening with nsd? I will try starting it with "ktrace" and will report if I can find out something really noteworthy.

Cheers /B

On Aug 22, 2004, at 19:19, Bruno Mattarollo wrote:

Hello Dossy,

I finally got AOLServer, nsopenssl both from cvs HEAD, applied your patch and tried to reproduce the error mentioned before and this time I get this:

[22/Aug/2004:19:15:15][11703.25202688][-conn:3-] Warning: nsopenssl (MYSERVER): SSL interrupted, perhaps by client

instead of nsopenssl looping like crazy... will work on this instance and report if I find other errors.

Thanks a lot! /B

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors
Hello Dossy,

I finally got AOLServer, nsopenssl both from cvs HEAD, applied your patch and tried to reproduce the error mentioned before and this time I get this:

[22/Aug/2004:19:15:15][11703.25202688][-conn:3-] Warning: nsopenssl (MYSERVER): SSL interrupted, perhaps by client

instead of nsopenssl looping like crazy... will work on this instance and report if I find other errors.

Thanks a lot! /B

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors
Hello again,

I just changed the values of SSLv2 on my configuration yesterday but haven't yet used the newest AOLServer (with your patch) and I got the error again (as detailed in my previous messages).

What I did, that triggered the error was click on a link and immediately click on another link without giving the server time to actually return the page, so I guess what's happening is that there is no socket for nsopenssl to send the results to ... right? (I am no expert in these matters, so it's just a conjecture). It should just ignore that and cleanup, if I understand this correctly. Is this related to the bug you found?

I will try now to get the latest HEAD version for AOLServer, nsopenssl and apply your patch to AOLServer and we will see...

Cheers /B

On Aug 21, 2004, at 07:38, Dossy Shiobara wrote:

Bruno and Janine,

Have you had a chance to test nsopenssl again? Are you still seeing the same problems you were before?

I believe I've identified an issue in AOLserver that may be causing some problems with nsopenssl. See SourceForge bug #1012892: http://aolserver.com/sf/bug/1012892

I haven't committed the fixes yet because I'd like folks who have experienced problems to test them first. There are patches against both HEAD and the current tip of the aolserver_v40_bp branch aka 4.0.8a.

If you need help checking out the code and applying the patches, let me know. I'd really like to get these fixes tested and committed, and hopefully resolve everyone's nsopenssl-related issues so folks can start migrating to AOLserver 4.0.x and nsopenssl 3.0.

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors
Hello Dossy,

That's great news ... I haven't seen the problem again since I added the "SSLv2" but I will remove it and also remove the "+SSLv2" from the CipherSuite param. The server I am working with is not very much used (it's a development server at the moment) but I will get the latest AOLServer and apply the patch early next week and let you know if I can see errors again or not.

Cheers and thanks! /B

On Aug 21, 2004, at 07:38, Dossy Shiobara wrote:

Bruno and Janine,

Have you had a chance to test nsopenssl again? Are you still seeing the same problems you were before?

I believe I've identified an issue in AOLserver that may be causing some problems with nsopenssl. See SourceForge bug #1012892: http://aolserver.com/sf/bug/1012892

I haven't committed the fixes yet because I'd like folks who have experienced problems to test them first. There are patches against both HEAD and the current tip of the aolserver_v40_bp branch aka 4.0.8a.

If you need help checking out the code and applying the patches, let me know. I'd really like to get these fixes tested and committed, and hopefully resolve everyone's nsopenssl-related issues so folks can start migrating to AOLserver 4.0.x and nsopenssl 3.0.

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

-- Bruno Mattarollo <[EMAIL PROTECTED]> Currently in: Sydney, Australia [ http://pokies.typepad.com/virtual_possum/ ]
Re: [AOLSERVER] nsopenssl errors
Great news, Dossy!

I've been working on figuring out our hang problems with 3.3, but I'll see about getting one of the problem sites moved back to nsd 4 early next week. It has to be done when I'm able to keep a close eye on it just in case it goes haywire on us again.

Thanks! janine

On Aug 20, 2004, at 5:38 PM, Dossy Shiobara wrote:

Bruno and Janine,

Have you had a chance to test nsopenssl again? Are you still seeing the same problems you were before?

I believe I've identified an issue in AOLserver that may be causing some problems with nsopenssl. See SourceForge bug #1012892: http://aolserver.com/sf/bug/1012892

I haven't committed the fixes yet because I'd like folks who have experienced problems to test them first. There are patches against both HEAD and the current tip of the aolserver_v40_bp branch aka 4.0.8a.

If you need help checking out the code and applying the patches, let me know. I'd really like to get these fixes tested and committed, and hopefully resolve everyone's nsopenssl-related issues so folks can start migrating to AOLserver 4.0.x and nsopenssl 3.0.

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors
Bruno and Janine,

Have you had a chance to test nsopenssl again? Are you still seeing the same problems you were before?

I believe I've identified an issue in AOLserver that may be causing some problems with nsopenssl. See SourceForge bug #1012892: http://aolserver.com/sf/bug/1012892

I haven't committed the fixes yet because I'd like folks who have experienced problems to test them first. There are patches against both HEAD and the current tip of the aolserver_v40_bp branch aka 4.0.8a.

If you need help checking out the code and applying the patches, let me know. I'd really like to get these fixes tested and committed, and hopefully resolve everyone's nsopenssl-related issues so folks can start migrating to AOLserver 4.0.x and nsopenssl 3.0.

-- Dossy

-- Dossy Shiobara mail: [EMAIL PROTECTED] Panoptic Computer Network web: http://www.panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] nsopenssl errors
On 2004.08.19, Rob Crittenden <[EMAIL PROTECTED]> wrote:
> If you don't need AOLserver to act as a client then simply don't
> register a client context. As far as I recall it isn't required.
>
> As for SSL2, I wouldn't trust it for e-commerce myself. I do agree that
> if only for clarity that SSL2 should be enabled/disabled in both places.
> It is very possible that openSSL isn't doing the "right" thing here.

I also confirmed that you can safely remove "SSLv2" from the "protocols" param if you also remove "+SSLv2" from the "ciphersuite" param.

-- Dossy

--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

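The Protocols/CipherSuite mismatch discussed in this thread can be checked mechanically before a restart. The Python linter below is an added example, not part of any message here and not nsopenssl code; it reads ns_section/ns_param lines as plain text (an assumption: it does not evaluate Tcl or OpenSSL cipher-list semantics), and the sample config, the handling of "All" and the WEAK labels are constructed for illustration.

```python
import re
import shlex

# Constructed sample modelled on the config quoted in the thread (not a real site's file).
SAMPLE_CONFIG = r'''
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role        server
ns_param Protocols   "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify  false

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role        client
ns_param Protocols   "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

#ns_section "ns/server/${server}/module/nsopenssl/sslcontext/admins"
#ns_param Protocols   "All"
'''

CONTEXT_RE = re.compile(r"/module/nsopenssl/sslcontext/([^/]+)$")


def parse_contexts(text):
    """Return {context_name: {param_lower: value}} for nsopenssl sslcontext sections."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out settings are ignored
        words = shlex.split(line)
        if words[0] == "ns_section" and len(words) >= 2:
            m = CONTEXT_RE.search(words[1])
            current = contexts.setdefault(m.group(1), {}) if m else None
        elif words[0] == "ns_param" and current is not None and len(words) >= 3:
            # Parameter names are compared case-insensitively by this linter.
            current[words[1].lower()] = " ".join(words[2:])
    return contexts


def protocols_of(params):
    """Protocol names from the comma-separated Protocols value, lowercased."""
    return {p.strip().lower() for p in params.get("protocols", "").split(",") if p.strip()}


def cipher_mentions(params, keyword):
    """True if the CipherSuite string names `keyword` in a non-negated element."""
    for element in params.get("ciphersuite", "").split(":"):
        if element.startswith(("!", "-")):
            continue
        parts = element.lstrip("+").split("+")
        if keyword.lower() in (p.lower() for p in parts):
            return True
    return False


def lint(text):
    """Return a list of (context, kind, message) findings."""
    findings = []
    for name, params in sorted(parse_contexts(text).items()):
        protos = protocols_of(params)
        # Assumption: "All" (seen commented out in the thread) would include SSLv2.
        v2_proto = "sslv2" in protos or "all" in protos
        v2_cipher = cipher_mentions(params, "SSLv2")
        if v2_cipher and not v2_proto:
            findings.append((name, "MISMATCH", "CipherSuite names SSLv2 but Protocols does not"))
        if v2_proto and not v2_cipher:
            findings.append((name, "MISMATCH", "Protocols enables SSLv2 but CipherSuite does not name it"))
        if v2_proto:
            findings.append((name, "WEAK", "SSLv2 enabled in Protocols"))
        for kw in ("EXP", "LOW"):
            if cipher_mentions(params, kw):
                findings.append((name, "WEAK", f"CipherSuite includes {kw} ciphers"))
    return findings


if __name__ == "__main__":
    for ctx, kind, message in lint(SAMPLE_CONFIG):
        print(f"{kind:8} {ctx}: {message}")
```

Removing "SSLv2" from Protocols and "+SSLv2" from CipherSuite together, the combination confirmed in the message above, clears the MISMATCH findings without enabling SSLv2.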
Re: [AOLSERVER] nsopenssl errors
If you don't need AOLserver to act as a client then simply don't register a client context. As far as I recall it isn't required.

As for SSL2, I wouldn't trust it for e-commerce myself. I do agree that if only for clarity that SSL2 should be enabled/disabled in both places. It is very possible that openSSL isn't doing the "right" thing here.

rob

Dossy Shiobara wrote:

On 2004.08.18, Janine Sisk <[EMAIL PROTECTED]> wrote:

To add a bit more data to the fire, here is the config section I was using for nsopenssl with AOLserver 4. It is basically straight out of the latest version of the OpenACS suggested config file.

The *.pem files do exist; I believe I changed the client cert section to point to the same files as the server cert because it got rid of some errors.

I vaguely recall some issues where you cannot use the same certificate as both the server and client cert, but I can't find it in the archives so maybe I'm just making this up.

This config has SSLv2 in the Protocols for the client but not for the server. I don't really understand how this all works, so I don't know if that's ok or not?

The client config is used when you initiate outbound SSL connections from AOLserver. The server cert is used for serving inbound connections from web browsers/SSL clients.

You definitely need to add "SSLv2" to the "protocols" list for the "server" config! Ahh ...

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
ns_param Protocols "SSLv3, TLSv1"

Yes, this is the problem, for sure. Need to add "SSLv2" there.

ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false

I wonder if the reason we're seeing this problem is the default setting for "ciphersuite" includes "+SSLv2" but "protocols" doesn't. If you want to refuse to use SSLv2, maybe "+SSLv2" should come out of the "ciphersuite" param. I don't see any good reason to refuse SSLv2 connections, so I'd rather just add it into the "protocols" param.

If you can, make the change and give it a test ... let us know if that solves the mystery for you. :-)

-- Dossy

--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

Re: [AOLSERVER] nsopenssl errors
On 2004.08.18, Janine Sisk <[EMAIL PROTECTED]> wrote:
> To add a bit more data to the fire, here is the config section I was
> using for nsopenssl with AOLserver 4. It is basically straight out of
> the latest version of the OpenACS suggested config file.
>
> The *.pem files do exist; I believe I changed the client cert section
> to point to the same files as the server cert because it got rid of
> some errors.

I vaguely recall some issues where you cannot use the same certificate as both the server and client cert, but I can't find it in the archives so maybe I'm just making this up.

> This config has SSLv2 in the Protocols for the client but not for the
> server. I don't really understand how this all works, so I don't know
> if that's ok or not?

The client config is used when you initiate outbound SSL connections from AOLserver. The server cert is used for serving inbound connections from web browsers/SSL clients.

You definitely need to add "SSLv2" to the "protocols" list for the "server" config! Ahh ...

> ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
> ns_param Role server
> ns_param ModuleDir ${homedir}/${server}/etc/certs
> ns_param CertFile certfile.pem
> ns_param KeyFile keyfile.pem
> ns_param CADir /usr/share/ssl
> ns_param CAFile /usr/share/ssl/cert.pem
> ns_param Protocols "SSLv3, TLSv1"

Yes, this is the problem, for sure. Need to add "SSLv2" there.

> ns_param CipherSuite
> "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false

I wonder if the reason we're seeing this problem is the default setting for "ciphersuite" includes "+SSLv2" but "protocols" doesn't. If you want to refuse to use SSLv2, maybe "+SSLv2" should come out of the "ciphersuite" param. I don't see any good reason to refuse SSLv2 connections, so I'd rather just add it into the "protocols" param.

If you can, make the change and give it a test ... let us know if that solves the mystery for you. :-)

-- Dossy

--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

Re: [AOLSERVER] nsopenssl errors
Hello Dossy,

On Aug 18, 2004, at 20:56, Dossy Shiobara wrote:

ns_param CertFile server/server.crt
ns_param KeyFile server/server.pem

Do these two certificate files exist? In the server log at start-up, does it say it was able to load these okay? If it can't load them, the server will still start-up, so just because it started doesn't necessarily mean it's okay.

Yes, they indeed exist. This is from my error log at startup time:

[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): loading SSL context 'vs1_users_ctx'
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): 'vs1_users_ctx' ciphers loaded successfully
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): 'vs1_users_ctx' using SSLv3 protocol
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): 'vs1_users_ctx' using TLSv1 protocol
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): 'vs1_users_ctx' key loaded successfully
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): 'vs1_users_ctx' certificate loaded successfully
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): 'vs1_users_ctx' CA file loaded successfully
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): default SSL context for server is vs1_users_ctx
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: default server SSL context: vs1_users_ctx
[18/Aug/2004:17:08:50][892.2684396012][-main-] Notice: nsopenssl (greenpeace-fund): loading 'vs1_users_drv' SSL driver

So I assume that it has loaded the certificates successfully and there are no errors on that side.

Yes, definitely add "SSLv2" to the "protocols" list. I wonder if the "All" keyword is still supported for that parameter ...

I have added that now.

If after adding the "SSLv2" and checking the server log to ensure your server.crt and server.pem files are being loaded okay by the server, you're still able to reproduce the problem ... then I suggest you upgrade to the nsopenssl CVS HEAD and AOLserver 4.0.7, and see if it's still reproducible. If it is, please let me know. I'll want to gather more information to see if I can reproduce it -- what browser/version are you using to connect and test with?

OK, I will see what happens in the next few days and will upgrade if needed. I am using Firefox 0.9.3 and Safari 1.2.3 (v125.9). I have a suspicion of a scenario where I can probably reproduce this but I will try it first before jumping to conclusions.

Thanks again for the reply,

/B

--
Bruno Mattarollo <[EMAIL PROTECTED]>
Currently in: Sydney, Australia
[ http://pokies.typepad.com/virtual_possum/ ]

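Because the server starts even when a key, certificate or CA file failed to load, the startup log is the place to confirm each SSL context. This added Python example (not from the thread's authors or from AOLserver) audits log lines shaped like the ones quoted on this page; the sample log is constructed, and treating key, certificate and CA file as all required is an assumption.

```python
import re

# Constructed startup log: message shapes copied from lines quoted in the thread,
# server/context names and the CA path are placeholders.
SAMPLE_LOG = """\
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): loading SSL context 'users'
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'users' ciphers loaded successfully
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'users' using SSLv3 protocol
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'users' using TLSv1 protocol
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'users' key loaded successfully
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'users' certificate loaded successfully
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'users' CA file loaded successfully
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): loading SSL context 'admins'
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'admins' using TLSv1 protocol
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'admins' certificate and key loaded successfully
[18/Aug/2004:17:08:50][892.1][-main-] Notice: nsopenssl (server1): 'admins' failed to load CA certificate file '/placeholder/ca-client.crt'
[18/Aug/2004:17:08:50][892.1][-main-] Error: nsopenssl (server1): 'admins' CA certificate file is not readable or does not exist
"""

# [timestamp][pid.tid][thread] Severity: nsopenssl (server): message
LINE_RE = re.compile(r"^\[[^\]]+\]\[[^\]]+\]\[[^\]]+\] (\w+): nsopenssl \(([^)]+)\): (.*)$")
CTX_RE = re.compile(r"^'([^']+)' (.*)$")
# Assumption: every context is expected to load all three (the thread's configs set them).
REQUIRED = ("key", "certificate", "CA")


def new_entry():
    return {"protocols": [], "loaded": set(), "problems": []}


def audit_startup(log_text):
    """Summarise, per SSL context, what nsopenssl reported at startup."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        severity, _server, msg = m.groups()
        declared = re.match(r"loading SSL context '([^']+)'", msg)
        if declared:
            report.setdefault(declared.group(1), new_entry())
            continue
        c = CTX_RE.match(msg)
        if not c:
            continue  # e.g. driver or default-context lines
        entry = report.setdefault(c.group(1), new_entry())
        detail = c.group(2)
        proto = re.match(r"using (\S+) protocol$", detail)
        if proto:
            entry["protocols"].append(proto.group(1))
        elif severity == "Error" or "failed" in detail:
            # A failure can be logged at Notice level, so match on text too.
            entry["problems"].append(detail)
        elif detail.endswith("loaded successfully"):
            # "certificate and key loaded successfully" counts for both items.
            for item in REQUIRED:
                if re.search(rf"\b{item}\b", detail):
                    entry["loaded"].add(item)
    for entry in report.values():
        entry["missing"] = [i for i in REQUIRED if i not in entry["loaded"]]
        entry["ok"] = not entry["problems"] and not entry["missing"]
    return report


if __name__ == "__main__":
    for ctx, e in audit_startup(SAMPLE_LOG).items():
        status = "OK" if e["ok"] else "CHECK"
        print(f"{status:5} {ctx}: protocols={e['protocols']} "
              f"missing={e['missing']} problems={e['problems']}")
```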
Re: [AOLSERVER] nsopenssl errors
To add a bit more data to the fire, here is the config section I was using for nsopenssl with AOLserver 4. It is basically straight out of the latest version of the OpenACS suggested config file.

The *.pem files do exist; I believe I changed the client cert section to point to the same files as the server cert because it got rid of some errors.

This config has SSLv2 in the Protocols for the client but not for the server. I don't really understand how this all works, so I don't know if that's ok or not?

With this config section I saw no errors in the log on startup, but of course I did have other, more serious problems.

janine

# -
# this is used by acs-tcl/tcl/security-procs.tcl to get the
# https port.
# -
ns_param ServerPort $httpsport

ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
#ns_param admins "SSL context used for administrator access"
ns_param client "SSL context used for outgoing script socket connections"

ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
ns_param Protocols "SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false

#ns_section "ns/server/${server}/module/nsopenssl/sslcontext/admins"
#ns_param Role server
#ns_param ModuleDir /path/to/dir
#ns_param CertFile server/server.crt
#ns_param KeyFile server/server.key
#ns_param CADir ca-client/dir
#ns_param CAFile ca-client/ca-client.crt
#ns_param Protocols "All"
#ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#ns_param PeerVerify false
#ns_param PeerVerifyDepth 3
#ns_param Trace false

ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param ModuleDir ${homedir}/${server}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param CADir /usr/share/ssl
ns_param CAFile /usr/share/ssl/cert.pem
ns_param Protocols "SSLv2, SSLv3, TLSv1"
ns_param CipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false

# SSL drivers. Each driver defines a port to listen on and an explicitly named
# SSL context to associate with it. Note that you can now have multiple driver
# connections within a single virtual server, which can be tied to different
# SSL contexts. Isn't that cool?

ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param users "Driver for regular user access"
#ns_param admins "Driver for administrator access"

ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
ns_param sslcontext users
# ns_param port $httpsport_users
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address

ns_section "ns/server/${server}/module/nsopenssl/ssldriver/admins"
ns_param sslcontext admins
# ns_param port $httpsport_admins
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address

Re: [AOLSERVER] nsopenssl errors
On 2004.08.18, Bruno Mattarollo <[EMAIL PROTECTED]> wrote:
>
> I have been following quite closely the discussion about nsopenssl 3.0
> beta and AOLServer 4 and after several weeks of working with nsopenssl
> 3.0 beta 18, AOLServer 4.0.5, OpenSSL 0.9.7d I saw this in the error
> logs (when I put debug to "true" in my nsd.tcl)
>
> [18/Aug/2004:16:57:38][805.25187328][-conn:myserver::2] Debug:
> Send(15): SSL_ERROR_SYSCALL (towrite = 0; total = 3607; rc =
> -1)
...
>
> I am running Mac OS X 10.3.5.
>
> My nsd.tcl section for nsopenssl looks like:
...
> ns_param CertFile server/server.crt
> ns_param KeyFile server/server.pem

Do these two certificate files exist? In the server log at start-up, does it say it was able to load these okay? If it can't load them, the server will still start-up, so just because it started doesn't necessarily mean it's okay.

I found this out the hard way: my certificate files were named "certificate.pem" and "key.pem" and not the names used in the config -- server started fine, but I'd get errors in the log when actually connecting a client. After some head-scratching, I discovered that the server wasn't loading my cert files due to naming difference, but it would happily start up.

> ns_param CADir ca-client/dir
> ns_param CAFile ca-client/ca-client.crt
> ns_param Protocols "SSLv3, TLSv1"
> ns_param CipherSuite
> "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
> ns_param PeerVerify false
> ns_param PeerVerifyDepth 3
> ns_param Trace false

Yes, definitely add "SSLv2" to the "protocols" list. I wonder if the "All" keyword is still supported for that parameter ...

> I will add the "SSLv2" as directed by Dossy in one of his previous
> emails and will report back. Has anyone seen these particular errors
> before? Is this possibly what needs to be looked into? Or should I just
> shut up, upgrade to the latest nsopenssl beta and keep on working?

If after adding the "SSLv2" and checking the server log to ensure your server.crt and server.pem files are being loaded okay by the server, you're still able to reproduce the problem ... then I suggest you upgrade to the nsopenssl CVS HEAD and AOLserver 4.0.7, and see if it's still reproducible. If it is, please let me know. I'll want to gather more information to see if I can reproduce it -- what browser/version are you using to connect and test with?

-- Dossy

--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
After reordering the ns_sections in nsd.tcl to jive with http://aolserver.com/docs/admin/config-detailed.html as Torben recommends the new order goes like this:

ns_section "ns/parameters"
ns_section "ns/threads"
ns_section "ns/mimetypes"
ns_section "ns/encodings"
ns_section "ns/servers"
ns_section "ns/server/${servername}"
ns_section "ns/server/${servername}/tcl"
ns_section "ns/server/${servername}/adp"
ns_section "ns/server/${servername}/module/nssock"
ns_section "ns/server/module/nsopenssl"
ns_section "ns/server/${servername}/module/nsopenssl/sslcontexts"
ns_section "ns/server/${servername}/module/nsopenssl/defaults"
ns_section "ns/server/${servername}/module/nsopenssl/sslcontext/users"
ns_section "ns/server/${servername}/module/nsopenssl/ssldrivers"
ns_section "ns/server/${servername}/module/nsopenssl/ssldriver/users_drv"
ns_section "ns/server/${servername}/module/nscp"
ns_section "ns/server/${servername}/module/nscp/users"
ns_section "ns/server/${servername}/module/nslog"
ns_section "ns/server/${servername}/module/nscgi"
ns_section "ns/server/${servername}/modules/nsperm"
ns_section "ns/module/nsjk2"
ns_section "ns/server/${servername}/module/nsjk2"
ns_section "ns/db/drivers"
ns_section "ns/db/pools"
ns_section "ns/db/pool/mypool"
ns_section "ns/server/server1/db"
ns_section "ns/server/${servername}/modules"

Is this voodoo or does the order really matter?

The server still crashes every minute or less. I have yet to reproduce this error in a non-production environment.

Any suggestions?

Nate

On Tue, 10 Aug 2004 21:20:37 -0400, Scott Goodwin <[EMAIL PROTECTED]> wrote:
> I appreciate you and others pointing these issues out so I can track
> them down and fix them. Hopefully my "low-end" boxes will help in
> identifying these problems sooner. One box will be running Gentoo
> Linux, the other might be some form of *BSD.
>
> /s.
>
> On Aug 10, 2004, at 7:05 PM, Janine Sisk wrote:
>
> > No problem, Scott, glad to hear you're still at it. I hope I didn't
> > sound like I was complaining; I was just wanting to figure out who, if
> > anyone, was maintaining the module.
> >
> > If I can help you sort this out, just let me know.
> >
> > janine
> >
> > On Aug 10, 2004, at 5:28 PM, Scott Goodwin wrote:

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
I appreciate you and others pointing these issues out so I can track them down and fix them. Hopefully my "low-end" boxes will help in identifying these problems sooner. One box will be running Gentoo Linux, the other might be some form of *BSD.

/s.

On Aug 10, 2004, at 7:05 PM, Janine Sisk wrote:

No problem, Scott, glad to hear you're still at it. I hope I didn't sound like I was complaining; I was just wanting to figure out who, if anyone, was maintaining the module.

If I can help you sort this out, just let me know.

janine

On Aug 10, 2004, at 5:28 PM, Scott Goodwin wrote:

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
I guess low-end does sound a bit odd in the same sentence with 200 GB disk drives, but they're going into 500MHz and 800MHz Dell OptiPlexes, which can only fit one drive. I can certainly give you the 5GB and 10GB excess disks I'm pulling out of them if you pay postage :)

/s.

On Aug 10, 2004, at 5:40 PM, Cathy Sarisky wrote:

On Tue, 10 Aug 2004, Scott Goodwin wrote:

purchased two low-end intel boxes to set up a test network and run load tests across ethernet; just waiting for two 200GB drives to arrive so I...

LOL. I like your definition of low-end. Should you find yourself with an excess of low-end boxen, you can send 'em my way. ;)

Cathy

p.s. Yeah, sorry, OT, but I couldn't resist...

thanks,
/s.

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
No problem, Scott, glad to hear you're still at it. I hope I didn't sound like I was complaining; I was just wanting to figure out who, if anyone, was maintaining the module.

If I can help you sort this out, just let me know.

janine

On Aug 10, 2004, at 5:28 PM, Scott Goodwin wrote:

My apologies for not being more responsive; I've been very busy at NASA these past six months. I'm getting ready to use nsopenssl for the sites we're building here so I'll be fixing any problems you're seeing in the next few weeks. I suspect I'm not seeing many of the errors when my tests are being run on the same machine as the web server, so I've purchased two low-end intel boxes to set up a test network and run load tests across ethernet; just waiting for two 200GB drives to arrive so I can install OSs. I did get the SSL error pointed out in this thread and had an image or two not load when I tested last night on my powerbook; under a much heavier load I should be able to track down the problem.

thanks,
/s.

On Aug 10, 2004, at 2:59 PM, Janine Sisk wrote:

That's really interesting... all I can think of is a permissions problem, but then it wouldn't work at all.

FWIW, I've had this running since about 1 pm on Friday, so four days now. In that time we've had 8 unexplained crashes, or an average of 2 per day. Although four of them were yesterday so you might expect it to be load related, but there have been none so far today. During that same time there have been 67 SSL_ERRORs reported. Although it's obviously too many, it's not the level of spewing I was getting with the beta17 version nor what Nate is experiencing.

Anyone have any ideas? I guess Scott isn't working on the module anymore? I'm not really qualified to try to fix this, unfortunately, or I would have tried already.

janine

On Aug 10, 2004, at 11:56 AM, Nathaniel Haggard wrote:

Binding to port 8443 using the same setup that I mentioned in my first email fixes the problems I was having with too many log entries of this nature:

07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1

Why would port number matter?

Nate

On Mon, 9 Aug 2004 16:56:06 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:

nsopenssl is using openssl 0.9.6b, is that a problem?

openssl3.0beta21 with aolserver4.0.7 gives similar results. The server actually crashed even more frequently but that might be due to traffic.

Nate

On Mon, 9 Aug 2004 10:21:01 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:

aolserver is binding to the ssl port. It is prebinding to port 443 (-b 0.0.0.0:80,0.0.0.0:443)

[07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
[07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
[07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist

The server crashed (and restarted because it's running from inittab) 4 times in the 20 minutes I had it running. Like Janine reported there was no explanation for the crash in the error.log; it just crashed.

Nate

On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten <[EMAIL PROTECTED]> wrote:

Nate,

Is aolserver binding to the ssl port? I get an identical error when something is prebound to the ssl port and so aolserver fails to bind to it. A "failed to listen on.. address already in use" error shows up in the logfile just after server reports "listening on" same port, ie. during server startup.

Torben

ps. this is my 3rd attempt at posting this message. Hopefully this time there are no glitches. Sorry if this is a duplicate message.

Nathaniel Haggard wrote:

AOLserver 4.0.7 with nsopenssl from cvs has problems. The following messages are from the server.log while we tested the site. We didn't have any problems on the client side and all the pages come up as usual.

[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data

The server crashes every few minutes as well. Most of the entries in the server.log, which is growing at a rapid rate, are errors or warning related to nsopenssl. This looks like the problem you guys discussed earlier with nsopenssl3.0beta.

Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
On Tue, 10 Aug 2004, Scott Goodwin wrote:
> purchased two low-end intel boxes to set up a test network and run load tests across ethernet; just waiting for two 200GB drives to arrive so I...

LOL. I like your definition of low-end. Should you find yourself with an excess of low-end boxen, you can send 'em my way. ;)

Cathy

p.s. Yeah, sorry, OT, but I couldn't resist...

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
My apologies for not being more responsive; I've been very busy at NASA these past six months. I'm getting ready to use nsopenssl for the sites we're building here so I'll be fixing any problems you're seeing in the next few weeks. I suspect I'm not seeing many of the errors when my tests are being run on the same machine as the web server, so I've purchased two low-end intel boxes to set up a test network and run load tests across ethernet; just waiting for two 200GB drives to arrive so I can install OSs. I did get the SSL error pointed out in this thread and had an image or two not load when I tested last night on my powerbook; under a much heavier load I should be able to track down the problem.

thanks,
/s.

On Aug 10, 2004, at 2:59 PM, Janine Sisk wrote:

That's really interesting... all I can think of is a permissions problem, but then it wouldn't work at all.

FWIW, I've had this running since about 1 pm on Friday, so four days now. In that time we've had 8 unexplained crashes, or an average of 2 per day. Although four of them were yesterday so you might expect it to be load related, but there have been none so far today. During that same time there have been 67 SSL_ERRORs reported. Although it's obviously too many, it's not the level of spewing I was getting with the beta17 version nor what Nate is experiencing.

Anyone have any ideas? I guess Scott isn't working on the module anymore? I'm not really qualified to try to fix this, unfortunately, or I would have tried already.

janine

On Aug 10, 2004, at 11:56 AM, Nathaniel Haggard wrote:

Binding to port 8443 using the same setup that I mentioned in my first email fixes the problems I was having with too many log entries of this nature:

07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1

Why would port number matter?

Nate

On Mon, 9 Aug 2004 16:56:06 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:

nsopenssl is using openssl 0.9.6b, is that a problem?

openssl3.0beta21 with aolserver4.0.7 gives similar results. The server actually crashed even more frequently but that might be due to traffic.

Nate

On Mon, 9 Aug 2004 10:21:01 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:

aolserver is binding to the ssl port. It is prebinding to port 443 (-b 0.0.0.0:80,0.0.0.0:443)

[07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
[07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
[07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist

The server crashed (and restarted because it's running from inittab) 4 times in the 20 minutes I had it running. Like Janine reported there was no explanation for the crash in the error.log; it just crashed.

Nate

On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten <[EMAIL PROTECTED]> wrote:

Nate,

Is aolserver binding to the ssl port? I get an identical error when something is prebound to the ssl port and so aolserver fails to bind to it. A "failed to listen on.. address already in use" error shows up in the logfile just after server reports "listening on" same port, ie. during server startup.

Torben

ps. this is my 3rd attempt at posting this message. Hopefully this time there are no glitches. Sorry if this is a duplicate message.

Nathaniel Haggard wrote:

AOLserver 4.0.7 with nsopenssl from cvs has problems. The following messages are from the server.log while we tested the site. We didn't have any problems on the client side and all the pages come up as usual.

[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data

The server crashes every few minutes as well. Most of the entries in the server.log, which is growing at a rapid rate, are errors or warning related to nsopenssl. This looks like the problem you guys discussed earlier with nsopenssl3.0beta.

Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
On Tue, Aug 10, 2004 at 04:23:25PM -0400, Janine Sisk wrote:
> There haven't been any core files, and, well, I've never learned how to
> use gdb so I wouldn't know what to look at anyway

Using gdb to show the stack trace of a core file is easy. I generally do it from inside Emacs:

In Emacs, do "M-x gdb-with-core", tell it the program and core file, then once gdb starts up, do something like this:

  dir /web/aol4-src/aolserver
  dir /web/aol4-src/aolserver/nsd
  dir /web/aol4-src/nsopenssl
  set height 0
  bt

The "bt" command is what displays the backtrace, the rest is just stuff to (hopefully) make the backtrace more informative, tell you the actual line of code, etc.

More gdb info: http://sources.redhat.com/gdb/onlinedocs/gdb.html

However, you probably have Linux configured to turn off core file generation, which makes debugging this sort of thing MUCH harder. You need to first enable core files, but offhand I don't remember how. Googling will probably find it.

Ah, I do have these old notes though, for Solaris:

Getting core files from /etc/inittab:

At least on Solaris, when you run AOLserver from /etc/inittab with the -u and -g switches to change the unix user and group, when AOLserver segfaults it will not leave a core file. This is because, according to 'man core':

  A process with an effective user ID different from the real user ID will not produce a core image. This is also true for a process with an effective group ID different from the real group ID.

You can't just drop the -u option and leave AOLserver running as root, because it refuses to run as root. But as long as you want to listen on a non-privileged port (like 8000, rather than 80), you can run AOLserver as a non-root user from the very beginning.

So e.g., in /etc/inittab instead of:

  foo:234:respawn:/web/aol3/bin/nsd-oracle -i -t /web/mysite/nsbbapi/nsd.tcl -u nsadmin -g web

to get a core file use:

  foo:234:respawn:/bin/su nsadmin -c "/web/aol3/bin/nsd-oracle -i -t /web/mysite/nsd.tcl"

--
Andrew Piskorski <[EMAIL PROTECTED]>
http://www.piskorski.com/

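The two reasons given in the message above for a missing core file (core generation switched off, and the 'man core' rule about a process whose IDs changed) can be checked for a running server from /proc on Linux. This is an added example, not part of the original message: the function names and sample values are constructed, and the fs.suid_dumpable test is the Linux counterpart of the quoted Solaris rule, assumed here for a Linux host.

```python
"""Why would a crashed nsd leave no core file? Checks over Linux /proc text."""

LIMIT_ZERO = "core size limit is 0"
UID_MISMATCH = "effective UID differs from real UID"
GID_MISMATCH = "effective GID differs from real GID"
IDS_SWITCHED = "nsd switches IDs after start (-u/-g) and fs.suid_dumpable is 0"

# Constructed samples in the layout of /proc/<pid>/status and /proc/<pid>/limits.
STATUS_NSADMIN = "Name:\tnsd-oracle\nUid:\t501\t501\t501\t501\nGid:\t502\t502\t502\t502\n"
LIMITS_HEADER = "Limit                     Soft Limit           Hard Limit           Units\n"
LIMITS_ZERO = LIMITS_HEADER + "Max core file size        0                    unlimited            bytes\n"
LIMITS_UNLIMITED = LIMITS_HEADER + "Max core file size        unlimited            unlimited            bytes\n"

# The two inittab command lines from the message, as /proc/<pid>/cmdline stores them.
INITTAB_CMDLINE = b"/web/aol3/bin/nsd-oracle\0-i\0-t\0/web/mysite/nsbbapi/nsd.tcl\0-u\0nsadmin\0-g\0web\0"
SU_CMDLINE = b"/web/aol3/bin/nsd-oracle\0-i\0-t\0/web/mysite/nsd.tcl\0"


def parse_ids(status_text, field):
    """Return (real, effective) from the 'Uid:' or 'Gid:' line of a status file."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            parts = line.split()[1:]
            return int(parts[0]), int(parts[1])
    raise ValueError(f"no {field} line in status text")


def parse_core_soft_limit(limits_text):
    """Return the soft 'Max core file size' in bytes, or None for unlimited."""
    label = "Max core file size"
    for line in limits_text.splitlines():
        if line.startswith(label):
            soft = line[len(label):].split()[0]
            return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max core file size' line in limits text")


def switches_ids(cmdline):
    """True if the NUL-separated command line passes nsd's -u or -g switch."""
    args = cmdline.rstrip(b"\0").split(b"\0")
    return any(arg in (b"-u", b"-g") for arg in args)


def core_dump_blockers(status_text, limits_text, cmdline, suid_dumpable):
    """List the reasons a crash of this process would leave no core file."""
    reasons = []
    if parse_core_soft_limit(limits_text) == 0:
        reasons.append(LIMIT_ZERO)
    ruid, euid = parse_ids(status_text, "Uid")
    rgid, egid = parse_ids(status_text, "Gid")
    if ruid != euid:
        reasons.append(UID_MISMATCH)
    if rgid != egid:
        reasons.append(GID_MISMATCH)
    # After a switch from root, real and effective IDs match again, so the
    # command line is the only visible sign that the IDs were changed.
    if switches_ids(cmdline) and suid_dumpable == 0:
        reasons.append(IDS_SWITCHED)
    return reasons


def blockers_for_pid(pid):
    """Run the same checks against a live process on a Linux host."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open(f"/proc/{pid}/limits") as f:
        limits = f.read()
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        cmdline = f.read()
    with open("/proc/sys/fs/suid_dumpable") as f:
        suid_dumpable = int(f.read())
    return core_dump_blockers(status, limits, cmdline, suid_dumpable)


if __name__ == "__main__":
    print("inittab with -u/-g:", core_dump_blockers(STATUS_NSADMIN, LIMITS_ZERO, INITTAB_CMDLINE, 0))
    print("su nsadmin -c ...: ", core_dump_blockers(STATUS_NSADMIN, LIMITS_UNLIMITED, SU_CMDLINE, 0))
```
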
Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
There haven't been any core files, and, well, I've never learned how to use gdb so I wouldn't know what to look at anyway

janine

On Aug 10, 2004, at 3:52 PM, Andrew Piskorski wrote:

> On Tue, Aug 10, 2004 at 02:59:31PM -0400, Janine Sisk wrote:
> > FWIW, I've had this running since about 1 pm on Friday, so four days
> > now. In that time we've had 8 unexplained crashes, or an average of 2
> > per day. Although four of them were yesterday so you might expect it
>
> Did you look at the core files with gdb? What did the backtrace say
> AOLserver was doing at the time of the crash?
>
> --
> Andrew Piskorski <[EMAIL PROTECTED]>
> http://www.piskorski.com/

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
On Tue, Aug 10, 2004 at 02:59:31PM -0400, Janine Sisk wrote:
> FWIW, I've had this running since about 1 pm on Friday, so four days
> now. In that time we've had 8 unexplained crashes, or an average of 2
> per day. Although four of them were yesterday so you might expect it

Did you look at the core files with gdb? What did the backtrace say AOLserver was doing at the time of the crash?

--
Andrew Piskorski <[EMAIL PROTECTED]>
http://www.piskorski.com/

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
I don't know, Nate, but I made these errors go away by changing the order of the ns_section definitions to the order described at:

http://aolserver.com/docs/admin/config-detailed.html

hth

Torben

Nathaniel Haggard wrote:

> Binding to port 8443 using the same setup that I mentioned in my first
> email fixes the problems I was having with too many log entries of
> this nature:
>
> 07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
>
> Why would port number matter?
>
> Nate
>
> On Mon, 9 Aug 2004 16:56:06 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:
> > nsopenssl is using openssl 0.9.6b, is that a problem?
> >
> > openssl3.0beta21 with aolserver4.0.7 gives similar results. The
> > server actually crashed even more frequently but that might be due to
> > traffic.
> >
> > Nate
> >
> > On Mon, 9 Aug 2004 10:21:01 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:
> > > aolserver is binding to the ssl port. It is prebinding to port 443
> > > (-b 0.0.0.0:80,0.0.0.0:443)
> > >
> > > [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
> > > [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
> > > [07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist
> > >
> > > The server crashed (and restarted because it's running from inittab) 4
> > > times in the 20 minutes I had it running. Like Janine reported there
> > > was no explanation for the crash in the error.log; it just crashed.
> > >
> > > Nate
> > >
> > > On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten <[EMAIL PROTECTED]> wrote:
> > > > Nate,
> > > >
> > > > Is aolserver binding to the ssl port?
> > > >
> > > > I get an identical error when something is prebound to the ssl port and
> > > > so aolserver fails to bind to it.
> > > >
> > > > A "failed to listen on.. address already in use" error shows up in the
> > > > logfile just after server reports "listening on" same port, ie. during
> > > > server startup.
> > > >
> > > > Torben
> > > > ps. this is my 3rd attempt at posting this message. Hopefully this time
> > > > there are no glitches. Sorry if this is a duplicate message.
> > > >
> > > > Nathaniel Haggard wrote:
> > > > > AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> > > > > messages are from the server.log while we tested the site. We didn't
> > > > > have any problems on the client side and all the pages come up as
> > > > > usual.
> > > > >
> > > > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
> > > > >
> > > > > The server crashes every few minutes as well. Most of the entries in
> > > > > the server.log, which is growing at a rapid rate, are errors or
> > > > > warning related to nsopenssl.
> > > > >
> > > > > This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
> > > > >
> > > > > Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
That's really interesting... all I can think of is a permissions problem, but then it wouldn't work at all.

FWIW, I've had this running since about 1 pm on Friday, so four days now. In that time we've had 8 unexplained crashes, or an average of 2 per day. Although four of them were yesterday so you might expect it to be load related, but there have been none so far today. During that same time there have been 67 SSL_ERRORs reported. Although it's obviously too many, it's not the level of spewing I was getting with the beta17 version nor what Nate is experiencing.

Anyone have any ideas? I guess Scott isn't working on the module anymore? I'm not really qualified to try to fix this, unfortunately, or I would have tried already.

janine

On Aug 10, 2004, at 11:56 AM, Nathaniel Haggard wrote:

> Binding to port 8443 using the same setup that I mentioned in my first
> email fixes the problems I was having with too many log entries of
> this nature:
>
> 07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
>
> Why would port number matter?
>
> Nate
>
> On Mon, 9 Aug 2004 16:56:06 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:
> > nsopenssl is using openssl 0.9.6b, is that a problem?
> >
> > openssl3.0beta21 with aolserver4.0.7 gives similar results. The
> > server actually crashed even more frequently but that might be due to
> > traffic.
> >
> > Nate
> >
> > On Mon, 9 Aug 2004 10:21:01 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:
> > > aolserver is binding to the ssl port. It is prebinding to port 443
> > > (-b 0.0.0.0:80,0.0.0.0:443)
> > >
> > > [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
> > > [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
> > > [07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist
> > >
> > > The server crashed (and restarted because it's running from inittab) 4
> > > times in the 20 minutes I had it running. Like Janine reported there
> > > was no explanation for the crash in the error.log; it just crashed.
> > >
> > > Nate
> > >
> > > On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten <[EMAIL PROTECTED]> wrote:
> > > > Nate,
> > > >
> > > > Is aolserver binding to the ssl port?
> > > >
> > > > I get an identical error when something is prebound to the ssl port and
> > > > so aolserver fails to bind to it.
> > > >
> > > > A "failed to listen on.. address already in use" error shows up in the
> > > > logfile just after server reports "listening on" same port, ie. during
> > > > server startup.
> > > >
> > > > Torben
> > > > ps. this is my 3rd attempt at posting this message. Hopefully this time
> > > > there are no glitches. Sorry if this is a duplicate message.
> > > >
> > > > Nathaniel Haggard wrote:
> > > > > AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> > > > > messages are from the server.log while we tested the site. We didn't
> > > > > have any problems on the client side and all the pages come up as
> > > > > usual.
> > > > >
> > > > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
> > > > >
> > > > > The server crashes every few minutes as well. Most of the entries in
> > > > > the server.log, which is growing at a rapid rate, are errors or
> > > > > warning related to nsopenssl.
> > > > >
> > > > > This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
> > > > >
> > > > > Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
Binding to port 8443 using the same setup that I mentioned in my first email fixes the problems I was having with too many log entries of this nature:

> > > > 07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1

Why would port number matter?

Nate

On Mon, 9 Aug 2004 16:56:06 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:
> nsopenssl is using openssl 0.9.6b, is that a problem?
>
> openssl3.0beta21 with aolserver4.0.7 gives similar results. The
> server actually crashed even more frequently but that might be due to
> traffic.
>
> Nate
>
> On Mon, 9 Aug 2004 10:21:01 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:
> > aolserver is binding to the ssl port. It is prebinding to port 443
> > (-b 0.0.0.0:80,0.0.0.0:443)
> >
> > [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
> > [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
> > [07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist
> >
> > The server crashed (and restarted because it's running from inittab) 4
> > times in the 20 minutes I had it running. Like Janine reported there
> > was no explanation for the crash in the error.log; it just crashed.
> >
> > Nate
> >
> > On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten <[EMAIL PROTECTED]> wrote:
> > > Nate,
> > >
> > > Is aolserver binding to the ssl port?
> > >
> > > I get an identical error when something is prebound to the ssl port and
> > > so aolserver fails to bind to it.
> > >
> > > A "failed to listen on.. address already in use" error shows up in the
> > > logfile just after server reports "listening on" same port, ie. during
> > > server startup.
> > >
> > > Torben
> > > ps. this is my 3rd attempt at posting this message. Hopefully this time
> > > there are no glitches. Sorry if this is a duplicate message.
> > >
> > > Nathaniel Haggard wrote:
> > >
> > > > AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> > > > messages are from the server.log while we tested the site. We didn't
> > > > have any problems on the client side and all the pages come up as
> > > > usual.
> > > >
> > > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
> > > >
> > > > The server crashes every few minutes as well. Most of the entries in
> > > > the server.log, which is growing at a rapid rate, are errors or
> > > > warning related to nsopenssl.
> > > >
> > > > This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
> > > >
> > > > Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
nsopenssl is using openssl 0.9.6b, is that a problem?

openssl3.0beta21 with aolserver4.0.7 gives similar results. The server actually crashed even more frequently but that might be due to traffic.

Nate

On Mon, 9 Aug 2004 10:21:01 -0600, Nathaniel Haggard <[EMAIL PROTECTED]> wrote:
> aolserver is binding to the ssl port. It is prebinding to port 443
> (-b 0.0.0.0:80,0.0.0.0:443)
>
> [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
> [07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
> [07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist
>
> The server crashed (and restarted because it's running from inittab) 4
> times in the 20 minutes I had it running. Like Janine reported there
> was no explanation for the crash in the error.log; it just crashed.
>
> Nate
>
> On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten <[EMAIL PROTECTED]> wrote:
> > Nate,
> >
> > Is aolserver binding to the ssl port?
> >
> > I get an identical error when something is prebound to the ssl port and
> > so aolserver fails to bind to it.
> >
> > A "failed to listen on.. address already in use" error shows up in the
> > logfile just after server reports "listening on" same port, ie. during
> > server startup.
> >
> > Torben
> > ps. this is my 3rd attempt at posting this message. Hopefully this time
> > there are no glitches. Sorry if this is a duplicate message.
> >
> > Nathaniel Haggard wrote:
> >
> > > AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> > > messages are from the server.log while we tested the site. We didn't
> > > have any problems on the client side and all the pages come up as
> > > usual.
> > >
> > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
> > >
> > > The server crashes every few minutes as well. Most of the entries in
> > > the server.log, which is growing at a rapid rate, are errors or
> > > warning related to nsopenssl.
> > >
> > > This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
> > >
> > > Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
aolserver is binding to the ssl port. It is prebinding to port 443 (-b 0.0.0.0:80,0.0.0.0:443)

[07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
[07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' failed to load CA certificate file '/sm/aolserver/servers/server1/modules/nsopenssl/ca-client/ca-client.crt'
[07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist

The server crashed (and restarted because it's running from inittab) 4 times in the 20 minutes I had it running. Like Janine reported there was no explanation for the crash in the error.log; it just crashed.

Nate

On Sat, 7 Aug 2004 21:56:27 -0700, Torben Brosten <[EMAIL PROTECTED]> wrote:
> Nate,
>
> Is aolserver binding to the ssl port?
>
> I get an identical error when something is prebound to the ssl port and
> so aolserver fails to bind to it.
>
> A "failed to listen on.. address already in use" error shows up in the
> logfile just after server reports "listening on" same port, ie. during
> server startup.
>
> Torben
> ps. this is my 3rd attempt at posting this message. Hopefully this time
> there are no glitches. Sorry if this is a duplicate message.
>
> Nathaniel Haggard wrote:
>
> > AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> > messages are from the server.log while we tested the site. We didn't
> > have any problems on the client side and all the pages come up as
> > usual.
> >
> > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
> >
> > The server crashes every few minutes as well. Most of the entries in
> > the server.log, which is growing at a rapid rate, are errors or
> > warning related to nsopenssl.
> >
> > This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
> >
> > Nate

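The crashes reported in the message above leave no entry of their own in the log, but the quoted server.log lines do show the process ID changing between entries. This is an added example, not part of the original messages: it reads the log lines quoted in this thread, lists each PID change and counts the SSL errors by direction. It assumes the second bracketed field is `pid.thread-id`, and the function and variable names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# server.log lines quoted in this thread for server1 (7 Aug 2004).
SERVER1_LOG = """\
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:13:28:37][28040.1024][-main-] Notice: nsopenssl (server1): 'users' certificate and key loaded successfully
[07/Aug/2004:13:28:37][28040.1024][-main-] Error: nsopenssl (server1): 'users' CA certificate file is not readable or does not exist
"""

# Lines quoted in this thread for the live-nybooks server.
NYBOOKS_LOG = """\
[07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Warning: nsopenssl (live-nybooks): SSL interrupted, perhaps by client
[07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Debug: SSLOp(170-1): SSL_ERROR_SSL: bytes = 2103; total = 0; rc = -1
[07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Error: nsopenssl (live-nybooks): SSL error on writing data
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\.(?P<tid>\d+)\]\[(?P<thread>[^\]]+)\] "
    r"(?P<severity>\w+): (?P<msg>.*)$"
)
SSLOP_RE = re.compile(r"SSL_ERROR_SSL: bytes = (\d+); total = (\d+); rc = (-?\d+)")
DIRECTION_RE = re.compile(r"SSL error on (reading|writing) data")


def summarize(lines):
    """Summarise one server's log: PID changes and nsopenssl SSL errors."""
    pids = []            # distinct PIDs in order of first appearance
    restarts = []        # (timestamp of first line from new PID, old PID, new PID)
    ssl_errors = Counter()
    no_progress_ops = 0  # SSL operations that failed with total = 0 and rc = -1
    skipped = 0          # lines that do not match the expected layout
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        pid = int(m["pid"])
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        if not pids:
            pids.append(pid)
        elif pid != pids[-1]:
            # A new PID means the server process was replaced (crash or restart).
            restarts.append((when, pids[-1], pid))
            pids.append(pid)
        op = SSLOP_RE.search(m["msg"])
        if op and int(op.group(2)) == 0 and int(op.group(3)) == -1:
            no_progress_ops += 1
        direction = DIRECTION_RE.search(m["msg"])
        if m["severity"] == "Error" and direction:
            ssl_errors[direction.group(1)] += 1
    return {
        "pids": pids,
        "restarts": restarts,
        "ssl_errors": dict(ssl_errors),
        "no_progress_ops": no_progress_ops,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for name, text in (("server1", SERVER1_LOG), ("live-nybooks", NYBOOKS_LOG)):
        report = summarize(text.splitlines())
        print(name, report["ssl_errors"], "failed ops:", report["no_progress_ops"])
        for when, old, new in report["restarts"]:
            print(f"  PID {old} replaced by {new}, first seen {when.isoformat()}")
```
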
Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
Nate,

Is aolserver binding to the ssl port?

I get an identical error when something is prebound to the ssl port and so aolserver fails to bind to it.

A "failed to listen on.. address already in use" error shows up in the logfile just after server reports "listening on" same port, ie. during server startup.

Torben
ps. this is my 3rd attempt at posting this message. Hopefully this time there are no glitches. Sorry if this is a duplicate message.

Nathaniel Haggard wrote:

> AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> messages are from the server.log while we tested the site. We didn't
> have any problems on the client side and all the pages come up as
> usual.
>
> [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
>
> The server crashes every few minutes as well. Most of the entries in
> the server.log, which is growing at a rapid rate, are errors or
> warning related to nsopenssl.
>
> This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
>
> Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
An update - the site did crash tonight, but there was no sign of it being SSL related in the error logs. It appears to have just *stopped*. No errors whatsoever. Hmph.

janine

On Aug 7, 2004, at 3:07 PM, Nathaniel Haggard wrote:

> AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> messages are from the server.log while we tested the site. We didn't
> have any problems on the client side and all the pages come up as
> usual.
>
> [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
>
> The server crashes every few minutes as well. Most of the entries in
> the server.log, which is growing at a rapid rate, are errors or
> warning related to nsopenssl.
>
> This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
>
> Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
Nate,

Is aolserver binding to the ssl port?

I get a similar error when something is prebound to the port and so cannot bind to the port.

A "failed to listen on.. address already in use" error shows up in the logfile just after server reports "listening on" same port, ie. during server startup.

Torben

Nathaniel Haggard wrote:

> AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> messages are from the server.log while we tested the site. We didn't
> have any problems on the client side and all the pages come up as
> usual.
>
> [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
>
> The server crashes every few minutes as well. Most of the entries in
> the server.log, which is growing at a rapid rate, are errors or
> warning related to nsopenssl.
>
> This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
>
> Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
Not a huge amount; there have been 28 orders placed in the last 24 hours, with each order going through somewhere in the neighborhood of 4 secure pages, plus all the admin pages but there probably hasn't been much of that going on today.

But I was the one who had all the trouble with beta17, so we had enough traffic for it to wreak havoc and this one seems to be doing better. Not perfect, but better. It obviously still needs to be fixed.

janine

On Aug 7, 2004, at 5:14 PM, Nathaniel Haggard wrote:

> How much SSL traffic do you have in a 24 hour period?
>
> Nate
>
> On Sat, 7 Aug 2004 15:26:27 -0400, Janine Sisk <[EMAIL PROTECTED]> wrote:
> > As it happens, I switched to using nsd 4.0.7 with the latest nsopenssl
> > from CVS about 24 hours ago. I am seeing a similar error:
> >
> > [07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Warning: nsopenssl (live-nybooks): SSL interrupted, perhaps by client
> > [07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Debug: SSLOp(170-1): SSL_ERROR_SSL: bytes = 2103; total = 0; rc = -1
> > [07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Error: nsopenssl (live-nybooks): SSL error on writing data
> >
> > But it has only happened 6 times in the last 24 hours, and no crashes.
> > No users have reported problems, so as far as I can tell whatever is
> > going on is not affecting them.
> >
> > Dossy, if you plan to look into this let me know; I'll help as much as
> > possible. I do plan to leave this in production unless users start
> > having trouble.
> >
> > janine
> >
> > On Aug 7, 2004, at 3:07 PM, Nathaniel Haggard wrote:
> > > AOLserver 4.0.7 with nsopenssl from cvs has problems. The following
> > > messages are from the server.log while we tested the site. We didn't
> > > have any problems on the client side and all the pages come up as
> > > usual.
> > >
> > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
> > >
> > > The server crashes every few minutes as well. Most of the entries in
> > > the server.log, which is growing at a rapid rate, are errors or
> > > warning related to nsopenssl.
> > >
> > > This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
> > >
> > > Nate

Re: [AOLSERVER] nsopenssl latest from CVS SSL error on reading data
How much SSL traffic do you have in a 24 hour period?

Nate

On Sat, 7 Aug 2004 15:26:27 -0400, Janine Sisk <[EMAIL PROTECTED]> wrote:

> As it happens, I switched to using nsd 4.0.7 with the latest nsopenssl from CVS about 24 hours ago. I am seeing a similar error:
>
> [07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Warning: nsopenssl (live-nybooks): SSL interrupted, perhaps by client
> [07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Debug: SSLOp(170-1): SSL_ERROR_SSL: bytes = 2103; total = 0; rc = -1
> [07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Error: nsopenssl (live-nybooks): SSL error on writing data
>
> But it has only happened 6 times in the last 24 hours, and no crashes. No users have reported problems, so as far as I can tell whatever is going on is not affecting them.
>
> Dossy, if you plan to look into this let me know; I'll help as much as possible. I do plan to leave this in production unless users start having trouble.
>
> janine
>
> On Aug 7, 2004, at 3:07 PM, Nathaniel Haggard wrote:
>
> > AOLserver 4.0.7 with nsopenssl from cvs has problems. The following messages are from the server.log while we tested the site. We didn't have any problems on the client side and all the pages come up as usual.
> >
> > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > [07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > [07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
> > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
> > [07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
> >
> > The server crashes every few minutes as well. Most of the entries in the server.log, which is growing at a rapid rate, are errors or warning related to nsopenssl.
> >
> > This looks like the problem you guys discussed earlier with nsopenssl3.0beta.
> >
> > Nate
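The server.log excerpts quoted in this thread pair each "SSL error on reading/writing data" entry with a Debug SSLOp entry, and sometimes an "SSL interrupted, perhaps by client" warning, on the same connection thread. As an added example (not part of the thread and not nsopenssl code), the Python script below joins those entries and counts failures per server and direction, which answers the "how often, and on read or write?" question raised above. It assumes one entry per physical line in server.log and treats the tag inside SSLOp(...) as opaque; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the server.log entries quoted in this thread, unwrapped to
# one entry per line (the e-mails wrapped them); they come from two servers.
SAMPLE = """\
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Debug: SSLOp(27-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:00][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Debug: SSLOp(55-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:12:56:08][27466.7176][-conn:server1::2] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 16000; total = 0; rc = -1
[07/Aug/2004:13:00:29][27627.5126][-conn:server1::0] Error: nsopenssl (server1): SSL error on reading data
[07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Warning: nsopenssl (live-nybooks): SSL interrupted, perhaps by client
[07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Debug: SSLOp(170-1): SSL_ERROR_SSL: bytes = 2103; total = 0; rc = -1
[07/Aug/2004:14:56:39][30511.5126][-conn:live-nybooks::2] Error: nsopenssl (live-nybooks): SSL error on writing data
"""

# [timestamp][ids][thread name] Severity: message
ENTRY = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]\[([^\]]+)\] (\w+): (.*)$")
SSLOP = re.compile(r"SSLOp\(([^)]+)\): (SSL_ERROR_\w+): bytes = (\d+); "
                   r"total = (\d+); rc = (-?\d+)")
FAILED = re.compile(r"nsopenssl \(([^)]+)\): SSL error on (reading|writing) data")

def ssl_failures(log_text):
    """Join each 'SSL error on ... data' entry with the context logged before it."""
    pending = {}    # (ids, thread name) -> Warning/Debug details seen so far
    failures = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue    # not a log entry (blank or continuation line)
        stamp, ids, thread, severity, message = m.groups()
        key = (ids, thread)
        if severity == "Warning" and "SSL interrupted" in message:
            pending.setdefault(key, {})["interrupted"] = True
        elif severity == "Debug" and (op := SSLOP.search(message)):
            pending.setdefault(key, {}).update(
                op=op[1], error=op[2], bytes=int(op[3]), total=int(op[4]), rc=int(op[5]))
        elif severity == "Error" and (bad := FAILED.search(message)):
            ctx = pending.pop(key, {})    # empty if no Debug entry preceded it
            failures.append({"time": stamp, "server": bad[1], "direction": bad[2],
                             "interrupted": ctx.pop("interrupted", False), **ctx})
    return failures

def tally(failures):
    """Count failures per (server, direction, interrupted-by-client flag)."""
    return Counter((f["server"], f["direction"], f["interrupted"]) for f in failures)

if __name__ == "__main__":
    print(tally(ssl_failures(SAMPLE)))
```

Separating failures that follow an "SSL interrupted, perhaps by client" warning from those that do not keeps ordinary client disconnects apart from the read errors reported alongside the crashes.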