Bug#925150: libapache2-mod-xsendfile: large files trigger browser network errors when mod_http2 is enabled

2019-03-20 Thread Philippe Metzger
Package: libapache2-mod-xsendfile
Version: 0.12-2
Severity: normal

Dear Maintainer,

Using libapache2-mod-xsendfile while mod_http2 and mpm_event are enabled leads to
network errors in browsers (Firefox 65.0.1 and Chromium 73.0.3683.75) when
large files (> 50 Mb) are used for the X-Sendfile header in a PHP file.

There are no logs at all on the server side (Apache2 or system), but the browser
failed (Chromium triggers a 'network error').
There is no exact size limit that triggers the issue. It's not even constant over
time for a given browser, but I never managed to make it work for file sizes
> 100 Mb.

The problem disappears as soon as mod_http2 is disabled.

I know that mod_xsendfile has not been maintained for years and is not an
official Apache module, but it seems that it is unsafe to use it with HTTP/2
enabled.

Best regards



-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-xsendfile depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.25-3+deb9u6
ii  libc6   2.24-11+deb9u4

libapache2-mod-xsendfile recommends no packages.

libapache2-mod-xsendfile suggests no packages.

-- no debconf information



Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2018-07-09 Thread Philippe Metzger

On Thu, 26 Oct 2017 09:57:06 +0200 Raphael Hertzog wrote:
> Hello Kurt,
>
> On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> > I have to admit that I didn't consider derivatives that take a
> > snapshot of testing, and we also seem to have a large amount of
> > people that do use testing. My intention was to target the more
> > advanced users, and having it in testing might be affecting more
> > people than I thought.
> >
> > So I am considering to only disable it in unstable and not in
> > testing.
>
> Any progress on this?
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/
>

For now it seems that OpenSSL 1.1.0f-3+deb9u2, available in
stretch/security, forces TLS 1.2 only for HTTPS when using Apache (whatever
the SSLProtocol directive specifies).


Is there any way to allow TLS 1 and TLS 1.1 with Apache in stable?

Thanks a lot

--

*Philippe Metzger*
+33 6 12 90 60 97 / +33 1 82 28 56 95