Re: Crazy slowloris mitigation patch

2009-10-21 Thread Bojan Smojver
On Wed, 2009-10-21 at 09:43 +1100, Bojan Smojver wrote:
 Probably something to do with me
 closing wrong sockets - didn't have time to check in detail.

Actually, calling close() is the wrong thing to do. Calling shutdown()
is the go.

-- 
Bojan



Feature Request for balancer-manager

2009-10-21 Thread Mark Watts

I hope this is the right place to ask...

Would it be possible to add the (real) hostname of the server serving
a /balancer-manager URI?
Reason being, if you have a pair of load-balancers in HA fail-over, it
tells you which server you're looking at.

Cheers,

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg


signature.asc
Description: This is a digitally signed message part


Re: Feature Request for balancer-manager

2009-10-21 Thread Mark Watts
On Wed, 2009-10-21 at 09:49 +0100, Mark Watts wrote:
 I hope this is the right place to ask...
 
 Would it be possible to add the (real) hostname of the server serving
 a /balancer-manager URI?
 Reason being, if you have a pair of load-balancers in HA fail-over, it
 tells you which server you're looking at.
 
 Cheers,
 
 Mark.
 

I should clarify - can the hostname be added to the /balancer-manager
output page?

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg




Authentication Basic default format

2009-10-21 Thread José Miguel Holguín Aparicio
Hi,

I have a question about htpasswd when creating password hashes for
Basic Authentication. Why isn't there any warning message regarding
password truncation to 8 characters?

As you can see in your own documentation
(http://httpd.apache.org/docs/2.2/misc/password_encryptions.html),
OpenSSL already warns us about this issue.


In my opinion the htpasswd command must show a warning message like
OpenSSL does. Do you agree?

Thanks in advance.
Regards

-- 
José Miguel Holguín
Security Technical Consultant
Carnegie Mellon Certified (FIH)

http://www.pentester.es


Re: Crazy slowloris mitigation patch

2009-10-21 Thread Bojan Smojver
On Wed, 2009-10-21 at 19:17 +1100, Bojan Smojver wrote:
 Actually, calling close() is the wrong thing to do. Calling shutdown()
 is the go.

This is what I mean.

-- 
Bojan
--- httpd-2.2.14-v/server/mpm/prefork/prefork.c	2009-02-01 07:54:55.0 +1100
+++ httpd-2.2.14/server/mpm/prefork/prefork.c	2009-10-21 17:45:28.697322726 +1100
@@ -48,6 +48,7 @@
 #include ap_listen.h
 #include ap_mmn.h
 #include apr_poll.h
+#include apr_md5.h
 
 #ifdef HAVE_BSTRING_H
 #include bstring.h/* for IRIX, FD_SET calls bzero() */
@@ -336,6 +337,29 @@
 die_now = 1;
 }
 
+static int volatile client_socket = -1;
+
+#ifndef NO_USE_SIGACTION
+static void shutdown_socket(int sig, siginfo_t *info, void *context)
+#else
+static void shutdown_socket(int sig)
+#endif
+{
+#ifndef NO_USE_SIGACTION
+if (info-si_pid == getppid()) {
+#endif
+if (client_socket != -1) {
+shutdown(client_socket, SHUT_RDWR);
+client_socket = -1;
+}
+#ifndef NO_USE_SIGACTION
+}
+else {
+clean_child_exit(0);
+}
+#endif
+}
+
 /* volatile just in case */
 static int volatile shutdown_pending;
 static int volatile restart_pending;
@@ -659,8 +683,12 @@
 
 current_conn = ap_run_create_connection(ptrans, ap_server_conf, csd, my_child_num, sbh, bucket_alloc);
 if (current_conn) {
+apr_os_sock_get((apr_os_sock_t *)client_socket, csd);
+
 ap_process_connection(current_conn, csd);
 ap_lingering_close(current_conn);
+
+client_socket = -1;
 }
 
 /* Check the pod and the generation number after processing a
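Review bot: `apr_os_sock_get((apr_os_sock_t *)client_socket, csd)` as shown passes the value of `client_socket`, but the first argument must be a pointer to an apr_os_sock_t (`&client_socket`; the cast as written also discards `volatile`); if the `&` was lost in transit, disregard. Separately, `client_socket = -1` is only reset after ap_lingering_close() has closed the descriptor, so a SIGINT arriving in that window makes the handler call shutdown() on an already-closed fd; clearing it before the close, or blocking SIGINT across the close, removes the window.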
@@ -733,6 +761,10 @@
 }
 
 if (!pid) {
+#ifndef NO_USE_SIGACTION
+struct sigaction act;
+#endif
+
 #ifdef HAVE_BINDPROCESSOR
 /* by default AIX binds to a single processor
  * this bit unbinds children which will then bind to another cpu
@@ -755,6 +787,19 @@
  * The pod is used for signalling the graceful restart.
  */
 apr_signal(AP_SIG_GRACEFUL, stop_listening);
+
+/* If the parent sends SIGINT to the child, we shutdown the
+ * client socket, as we suspect that we are under a DoS attack.
+ */ 
+#ifndef NO_USE_SIGACTION
+memset(act, 0, sizeof(act));
+act.sa_flags = SA_SIGINFO;
+act.sa_sigaction = shutdown_socket;
+sigaction(SIGINT, act, NULL);
+#else
+apr_signal(SIGINT, shutdown_socket);
+#endif
+
 child_main(slot);
 }
 
@@ -803,6 +848,8 @@
 int free_slots[MAX_SPAWN_RATE];
 int last_non_dead;
 int total_non_dead;
+int status;
+static apr_time_t maxed_out = 0;
 
 /* initialize the free_list */
 free_length = 0;
@@ -813,8 +860,6 @@
 total_non_dead = 0;
 
 for (i = 0; i  ap_daemons_limit; ++i) {
-int status;
-
 if (i = ap_max_daemons_limit  free_length == idle_spawn_rate)
 break;
 ws = ap_scoreboard_image-servers[i][0];
@@ -856,12 +901,17 @@
  */
 ap_mpm_pod_signal(pod);
 idle_spawn_rate = 1;
+maxed_out = 0;
 }
 else if (idle_count  ap_daemons_min_free) {
 /* terminate the free list */
 if (free_length == 0) {
 /* only report this condition once */
 static int reported = 0;
+static unsigned char sb_digest[APR_MD5_DIGESTSIZE];
+apr_time_t now = apr_time_now();
+apr_md5_ctx_t ctx;
+pid_t pid;
 
 if (!reported) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
@@ -870,6 +920,118 @@
 reported = 1;
 }
 idle_spawn_rate = 1;
+
+/* If after one maintenace interval we still see the same
+ * situation on the scoreboard, shutdown all client sockets
+ * in read state and at least 10% of all client sockets.
+ * Crude, but seems to clear things out.
+ */
+if (maxed_out) {
+apr_time_t diff = now - maxed_out;
+
+if (diff = SCOREBOARD_MAINTENANCE_INTERVAL) {
+unsigned char cur_digest[APR_MD5_DIGESTSIZE];
+
+/* Current digest of the scoreboard.
+ */
+apr_md5_init(ctx);
+for (i = 0; i  ap_daemons_limit; ++i) {
+status = ap_scoreboard_image-servers[i][0].status;
+apr_md5_update(ctx, status, sizeof(status));
+
+pid = ap_scoreboard_image-parent[i].pid;
+apr_md5_update(ctx, pid, sizeof(pid));
+}
+apr_md5_final(cur_digest, ctx);
+
+/* If we haven't had a change for one maintenance
+ * interval, we need to make room.
+ */
+if (memcmp(sb_digest, cur_digest, APR_MD5_DIGESTSIZE)) {
+maxed_out = 0;
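Review bot: the digest comparison resets `maxed_out` whenever any slot's status or pid changed since the last interval (`if (memcmp(sb_digest, cur_digest, APR_MD5_DIGESTSIZE)) { maxed_out = 0;`), so an attacker who keeps every slot busy but lets a single connection drop and reconnect once per maintenance interval never reaches the shutdown path; a threshold on the number of changed slots, or a per-slot age, would be harder to game. MD5 over status+pid is also more than a change detector needs: keeping a copy of the two arrays and comparing with memcmp avoids pulling apr_md5 into the MPM. The hunk is cut off after `maxed_out = 0;`, so the branch that actually signals the children cannot be reviewed here.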
+   

Re: Feature Request for balancer-manager

2009-10-21 Thread Jeffrey E Burgoyne
I am not using the apache balancing, but using a network level load
balancer, but this concept may apply. We append an HTTP header on output
that tells you which machine you were on. As long as each machine has a
separate config file of some sort (in our setup it is http.conf unique per
machine, with a global config for all machines) you can do this. We use :

Header always append ContentServer strategis1

Which gives an HTTP header value in your output saying where it has gone.
Also, this works well with a reverse proxy setup if you balance front and
back ends as you can use this on both ends, and the data will appear in
one HTTP header (hence why we use append in the command).

This allows us to properly trace back exactly what machine handled the
request, which I assume is what you wish to do.




 On Wed, 2009-10-21 at 09:49 +0100, Mark Watts wrote:
 I hope this is the right place to ask...

 Would it be possible to add the (real) hostname of the server serving
 a /balancer-manager URI?
 Reason being, if you have a pair of load-balancers in HA fail-over, it
 tells you which server you're looking at.

 Cheers,

 Mark.


 I should clarify - can the hostname be added to the /balancer-manager
 output page?

 --
 Mark Watts BSc RHCE MBCS
 Senior Systems Engineer, Managed Services Manpower
 www.QinetiQ.com
 QinetiQ - Delivering customer-focused solutions
 GPG Key: http://www.linux-corner.info/mwatts.gpg



-- 
Jeffrey Burgoyne
Chief Technology Officer
KCSI Keenuh Consulting Services Inc
www.keenuh.com
burgo...@keenuh.com




Re: Feature Request for balancer-manager

2009-10-21 Thread Mark Watts
On Wed, 2009-10-21 at 06:32 -0400, Jeffrey E Burgoyne wrote:
 I am not using the apache balancing, but using a network level load
 balancer, but this concept may apply. We append an HTTP header on output
 that tells you which machine you were on. As long as each machine has a
 separate config file of some sort (in our setup it is http.conf unique per
 machine, with a global config for all machines) you can do this. We use :
 
 Header always append ContentServer strategis1
 
 Which gives an HTTP header value in your output saying where it has gone.
 Also, this works well with a reverse proxy setup if you balance front and
 back ends as you can use this on both ends, and the data will appear in
 one HTTP header (hence why we use append in the command).
 
 This allows us to properly trace back exactly what machine handled the
 request, which I assume is what you wish to do.
 

Nothing quite so complicated:
Eg: (** is my addition)

  Load Balancer Manager for 192.168.1.100

    Server Version: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 Apache

    ** Server Hostname: lb01.example.com **

    Server Built: Sep 17 2009 15:37:59
  __________________________________________

  LoadBalancer Status for balancer://static-web

    StickySession  Timeout  FailoverAttempts  Method
    -              0        1                 byrequests

    Worker URL     Route  RouteRedir  Factor  Set  Status  Elected  To   From
    http://web01                      1       0    Ok      29       15K  669K
    http://web02                      1       0    Ok      28       14K  258K


Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg



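Taking the two approaches in this thread together, here is an added configuration sketch (not from either post, and not project code; the host names, the X-Served-By header name and the 10.0.0.0/8 admin network are assumptions): the backend tier tags responses with an opaque worker label rather than its real host name, so a client cannot learn internal naming from the header, and the balancer-manager page, which already lists every backend URL, is limited to an admin network instead of being left open.

```apacheconf
# --- Backend (web01): opaque label instead of the real host name ---
# "always" covers error responses too; "append" adds to an existing
# header value rather than replacing it.
Header always append X-Served-By w1

# --- Front end (lb01): its own opaque label, the balancer, and the ---
# --- status page restricted to an admin network (2.2 access syntax) ---
Header always append X-Served-By lb1

<Proxy balancer://static-web>
    BalancerMember http://web01 route=w1
    BalancerMember http://web02 route=w2
</Proxy>
ProxyPass /static balancer://static-web lbmethod=byrequests

<Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Location>
```

The route labels double as the value the balancer uses for sticky sessions, so the same opaque names appear in the manager page's Route column and in the response header, without exposing host names to anyone outside the admin network.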

mod_fcgid creates 1 more process than allowed

2009-10-21 Thread Barry Scott
I have configured a limit of 16 processes but have 17 running, and the
logs claim 16 are running.


Barry

httpd.conf fcgid config lines:

FcgidCmdOptions /usr/local/onelan/html/dsmauthorizer.fcgi   MaxProcesses 
16 IOTimeout 200
FcgidCmdOptions /usr/local/onelan/html/dsm.fcgi MaxProcesses 
16 IOTimeout 200
FcgidCmdOptions /usr/local/onelan/html/dsmxml.fcgi  MaxProcesses 
16 IOTimeout 200


error_log has these messages repeating:

[Wed Oct 21 11:50:28 2009] [notice] mod_fcgid: too many 
/usr/local/onelan/html/dsmxml.fcgi processes (current:16, max:16), skip 
the spawn request
[Wed Oct 21 11:50:28 2009] [notice] mod_fcgid: too many 
/usr/local/onelan/html/dsmxml.fcgi processes (current:16, max:16), skip 
the spawn request


ps afx show that there are 17 dsmxml.fcgi processes:

17935 ?Ss 0:00 /usr/sbin/httpd.worker
17937 ?S  0:00  \_ 
/usr/local/onelan/dsm/bin/vpn_lookup_ip_address
17938 ?S  0:00  \_ 
/usr/local/onelan/dsm/bin/vpn_lookup_ip_address

17939 ?S  0:01  \_ /usr/sbin/httpd.worker
18043 ?Sl 1:55  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18052 ?Sl 0:03  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18053 ?Sl 0:37  |   \_ /usr/local/onelan/html/dsm.fcgi
18054 ?Sl 2:02  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18062 ?Sl 0:34  |   \_ /usr/local/onelan/html/dsm.fcgi
18075 ?S  0:00  |   \_ /usr/local/onelan/html/dsmauthorizer.fcgi
18076 ?S  0:00  |   \_ /usr/local/onelan/html/dsmauthorizer.fcgi
18077 ?S  0:00  |   \_ /usr/local/onelan/html/dsmauthorizer.fcgi
18084 ?Sl 1:00  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18085 ?Sl 0:53  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18090 ?Sl 1:04  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18091 ?Sl 1:07  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18096 ?Sl 1:07  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18098 ?Sl 0:57  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18099 ?Sl 1:05  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18153 ?Sl 0:31  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18156 ?Sl 0:32  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18170 ?Sl 0:25  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18178 ?Sl 0:22  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18186 ?Sl 0:19  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18187 ?Sl 0:20  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18192 ?Sl 0:18  |   \_ /usr/local/onelan/html/dsmxml.fcgi
17940 ?Sl 0:20  \_ /usr/sbin/httpd.worker

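As an added check (not from the post, and not mod_fcgid code) that makes the discrepancy reproducible: the FcgidCmdOptions lines and the `ps afx` output above are parsed and the per-program process count is compared with MaxProcesses. Fed the post's own output it reports dsmxml.fcgi at 17 against a limit of 16; the same functions can be pointed at a live `ps afx` capture.

```python
"""Count running FastCGI processes per program and compare with the
FcgidCmdOptions MaxProcesses limit.

Added example, not mod_fcgid code. HTTPD_CONF and PS_AFX are the
configuration and `ps afx` lines from the post above, re-joined onto
single lines where the mail wrapped them.
"""
import re
from collections import Counter

HTTPD_CONF = """
FcgidCmdOptions /usr/local/onelan/html/dsmauthorizer.fcgi MaxProcesses 16 IOTimeout 200
FcgidCmdOptions /usr/local/onelan/html/dsm.fcgi MaxProcesses 16 IOTimeout 200
FcgidCmdOptions /usr/local/onelan/html/dsmxml.fcgi MaxProcesses 16 IOTimeout 200
"""

PS_AFX = r"""
17935 ?  Ss  0:00 /usr/sbin/httpd.worker
17937 ?  S   0:00  \_ /usr/local/onelan/dsm/bin/vpn_lookup_ip_address
17938 ?  S   0:00  \_ /usr/local/onelan/dsm/bin/vpn_lookup_ip_address
17939 ?  S   0:01  \_ /usr/sbin/httpd.worker
18043 ?  Sl  1:55  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18052 ?  Sl  0:03  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18053 ?  Sl  0:37  |   \_ /usr/local/onelan/html/dsm.fcgi
18054 ?  Sl  2:02  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18062 ?  Sl  0:34  |   \_ /usr/local/onelan/html/dsm.fcgi
18075 ?  S   0:00  |   \_ /usr/local/onelan/html/dsmauthorizer.fcgi
18076 ?  S   0:00  |   \_ /usr/local/onelan/html/dsmauthorizer.fcgi
18077 ?  S   0:00  |   \_ /usr/local/onelan/html/dsmauthorizer.fcgi
18084 ?  Sl  1:00  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18085 ?  Sl  0:53  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18090 ?  Sl  1:04  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18091 ?  Sl  1:07  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18096 ?  Sl  1:07  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18098 ?  Sl  0:57  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18099 ?  Sl  1:05  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18153 ?  Sl  0:31  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18156 ?  Sl  0:32  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18170 ?  Sl  0:25  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18178 ?  Sl  0:22  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18186 ?  Sl  0:19  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18187 ?  Sl  0:20  |   \_ /usr/local/onelan/html/dsmxml.fcgi
18192 ?  Sl  0:18  |   \_ /usr/local/onelan/html/dsmxml.fcgi
17940 ?  Sl  0:20  \_ /usr/sbin/httpd.worker
"""

FCGI_CMD_RE = re.compile(r"^\s*FcgidCmdOptions\s+(\S+)\s+(.*)$")
FCGI_PROC_RE = re.compile(r"(/\S+\.fcgi)\s*$")


def parse_max_processes(conf: str) -> dict:
    """Map FastCGI program path -> MaxProcesses from FcgidCmdOptions lines."""
    limits = {}
    for line in conf.splitlines():
        m = FCGI_CMD_RE.match(line)
        if not m:
            continue
        path, options = m.groups()
        tokens = options.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok == "MaxProcesses":
                limits[path] = int(tokens[i + 1])
    return limits


def count_fcgi_processes(ps_output: str) -> Counter:
    """Count processes per *.fcgi program path in `ps afx` output."""
    counts = Counter()
    for line in ps_output.splitlines():
        m = FCGI_PROC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def find_overages(limits: dict, counts: Counter) -> dict:
    """Programs with more processes than configured: path -> (running, max)."""
    return {path: (counts[path], limit)
            for path, limit in limits.items() if counts[path] > limit}


if __name__ == "__main__":
    overages = find_overages(parse_max_processes(HTTPD_CONF),
                             count_fcgi_processes(PS_AFX))
    for path, (running, limit) in overages.items():
        print("%s: %d running, MaxProcesses %d" % (path, running, limit))
```

With live data, replace PS_AFX with the output of `ps afx` (or `ps -eo pid,args` if the forest view is not wanted) and HTTPD_CONF with the relevant part of httpd.conf; the count is of processes whose command ends in the program path, which is what the `too many ... processes (current:16, max:16)` notice is supposed to reflect.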


Re: fixing an httpd test which is confused about which modules are loaded in the test conf

2009-10-21 Thread Joe Orton
On Fri, Oct 16, 2009 at 03:32:04PM -0400, Jeff Trawick wrote:
..
 --- Apache-Test/lib/Apache/TestConfigParse.pm (revision 822728)
 +++ Apache-Test/lib/Apache/TestConfigParse.pm (working copy)
 @@ -224,15 +224,15 @@
 
  $name = $modname_alias{$name} if $modname_alias{$name};
 
 -# remember all found modules
 -$self-{modules}-{$name} = $file;
 -debug Found: $modname = $name;
 -
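Review bot: the hunk removes the "remember all found modules" bookkeeping at this point, but the lines that put it back (elided with "...") are not visible, so it cannot be checked here whether `$self->{modules}` still records modules that are found in the configuration but not loaded; the word "all" in the removed comment suggests the original placement was deliberate, and a comment at the new location stating exactly which modules it records would settle that for the next reader.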
...
 
 So is either of these a reasonable fix?  (It doesn't seem right that
 info.t has to worry about modules which were found in the
 configuration but not loaded, but I don't know what is expected of the
 configuration object.)

Either seems reasonable to me, though the use of the word all in the 
original comment above might imply the placement of that code is 
deliberate, so I'd probably go for the info.t patch.

Regards, Joe


Re: svn commit: r823703 - in /httpd/mod_fcgid/trunk/modules/fcgid/fcgid_proc_unix.c

2009-10-21 Thread Paul Howarth

--- httpd/mod_fcgid/trunk/modules/fcgid/fcgid_proc_unix.c   2009/10/08 
14:32:38 823190
+++ httpd/mod_fcgid/trunk/modules/fcgid/fcgid_proc_unix.c   2009/10/08 
14:35:13 823191
@@ -259,6 +259,17 @@
 return errno;
 }

+/* IPC directory permissions are safe, but avoid confusion */
+/* Not all flavors of unix use the current umask for AF_UNIX perms */
+
+rv = apr_file_perms_set(unix_addr.sun_path, 
APR_FPROT_UREAD|APR_FPROT_UWRITE|APR_FPROT_UEXECUTE);
+if (rv != APR_SUCCESS) {
+ap_log_error(APLOG_MARK, APLOG_CRIT, rv, main_server,
+ mod_fcgid: Couldn't set permissions on unix domain socket 
%s,
+ unix_addr.sun_path);
+return rv;
+}
+
 /* Listen the socket */
 if (listen(unix_socket, DEFAULT_FCGID_LISTENBACKLOG)  0) {
 ap_log_error(APLOG_MARK, APLOG_ERR, errno, main_server,
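Review bot: the order is right (apr_file_perms_set() runs after bind() and before listen(), so a peer that connects in the window before the chmod gets ECONNREFUSED rather than a socket still carrying umask-derived permissions), but the APR_FPROT_* names first appear in APR 1.0, so this hunk does not compile against APR 0.9 (httpd 2.0.x) without a compatibility shim or a stated minimum APR version. The comment would also read better if it said which case the explicit 0700 is for: the directory is what keeps the socket private, and the chmod only matters on the "flavors of unix" that ignore the umask for AF_UNIX sockets.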


This change breaks compatibility with old APR versions. Attached patch 
seems to fix it for me.


Paul.
Index: modules/fcgid/fcgid_proc_unix.c
===
--- modules/fcgid/fcgid_proc_unix.c	(revision 827986)
+++ modules/fcgid/fcgid_proc_unix.c	(working copy)
@@ -43,6 +43,17 @@
 #include fcgid_pm.h
 #include fcgid_spawn_ctl.h
 
+/* apr forward compatibility */
+#ifndef APR_FPROT_UWRITE
+#define APR_FPROT_UWRITEAPR_UWRITE
+#endif
+#ifndef APR_FPROT_UREAD
+#define APR_FPROT_UREAD APR_UREAD
+#endif
+#ifndef APR_FPROT_UEXECUTE
+#define APR_FPROT_UEXECUTE  APR_UEXECUTE
+#endif
+
 #if MODULE_MAGIC_NUMBER_MAJOR  20081201
 #define ap_unixd_config unixd_config
 // #define ap_unixd_setup_child unixd_setup_child
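Review bot: `#ifndef APR_FPROT_UWRITE` works but hides which APR generation the shim is for; `#if APR_MAJOR_VERSION < 1` (from apr_version.h) says it directly, and grouping the three defines under one test avoids a half-shimmed build if only some of the names are missing. The mapping itself is sound: APR 1.x keeps APR_UREAD/APR_UWRITE/APR_UEXECUTE as compatibility aliases of the APR_FPROT_* names, so the defines are only ever reached on APR 0.9.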


Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12

2009-10-21 Thread Kamesh Jayachandran

Hi All,

We have been observing a strange error that is exhibited in combination with
SVN (a bulk import of more than 20k files).


Original posting is at
http://subversion.tigris.org/ds/viewMessage.do?dsMessageId=2379671&dsForumId=462


The problem exists even in httpd-2.2.13 and httpd-2.2.14.

We get errors like the following

svn: PUT of 
'/svn/svntest/!svn/wrk/fca6bd35-b260-7942-8f52-bcf3dcdfd734/abc/trunk/publish/q/xyz.gz':
 SSL negotiation failed: SSL error:
 parse tlsext (https://hostname  https://cu097.cubit.maa.collab.net)




It happens only with a Windows client; the server can be Linux or Win32.

I managed to get a stack trace of the Apache child (in apache-2.2.13)
when this error occurs.



**


stack trace of apache 2.2.13 when we get this tlsext parse error
#0  ssl_filter_io_shutdown (filter_ctx=0xa07b910, c=0xa07b350, abortive=1)
at /home/kamesh/Download/httpd-2.2.13/modules/ssl/ssl_engine_io.c:976
#1  0x0038d5eb in ssl_io_filter_connect (filter_ctx=0xa07b910)
at /home/kamesh/Download/httpd-2.2.13/modules/ssl/ssl_engine_io.c:1146
#2  0x0038dc1d in ssl_io_filter_input (f=0xa08c898, bb=0xa0d2ac8, 
mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
at /home/kamesh/Download/httpd-2.2.13/modules/ssl/ssl_engine_io.c:1336
#3  0x08086af9 in ap_get_brigade (next=0xa08c898, bb=0xa0d2ac8, 
mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
at /home/kamesh/Download/httpd-2.2.13/server/util_filter.c:489
#4  0x0806b274 in ap_rgetline_core (s=0xa0d1c78, n=8192, read=0xbf837c14, 
r=0xa0d1c60, fold=0, bb=0xa0d2ac8)
at /home/kamesh/Download/httpd-2.2.13/server/protocol.c:231
#5  0x0806b943 in read_request_line (r=0xa0d1c60, bb=0xa0d2ac8) at 
/home/kamesh/Download/httpd-2.2.13/server/protocol.c:596
#6  0x0806c299 in ap_read_request (conn=0xa07b350) at 
/home/kamesh/Download/httpd-2.2.13/server/protocol.c:891
#7  0x0808726e in ap_process_http_connection (c=0xa07b350)
at /home/kamesh/Download/httpd-2.2.13/modules/http/http_core.c:183
#8  0x08082c73 in ap_run_process_connection (c=0xa07b350) at 
/home/kamesh/Download/httpd-2.2.13/server/connection.c:43
#9  0x08083053 in ap_process_connection (c=0xa07b350, csd=0xa07b1b8)
at /home/kamesh/Download/httpd-2.2.13/server/connection.c:178
#10 0x080901df in child_main (child_num_arg=0) at 
/home/kamesh/Download/httpd-2.2.13/server/mpm/prefork/prefork.c:662
#11 0x080903ca in make_child (s=0x9f70fa0, slot=0) at 
/home/kamesh/Download/httpd-2.2.13/server/mpm/prefork/prefork.c:758
#12 0x08090424 in startup_children (number_to_start=1)
at /home/kamesh/Download/httpd-2.2.13/server/mpm/prefork/prefork.c:776
#13 0x080908c8 in ap_mpm_run (_pconf=0x9f6f0a8, plog=0x9f9d160, s=0x9f70fa0)
at /home/kamesh/Download/httpd-2.2.13/server/mpm/prefork/prefork.c:997
#14 0x08064bb8 in main (argc=3, argv=0xbf837fe4) at 
/home/kamesh/Download/httpd-2.2.13/server/main.c:740
/snip




**


snip from error log while this error happened last week
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 
bytes from BIO#8494dd0 [mem: 835bb00] (BIO dump follows)
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1791): 
+-+
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1830): | : 15 03 01 00 
02   .|
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1836): 
+-+
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 2/2 
bytes from BIO#8494dd0 [mem: 835bb05] (BIO dump follows)
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1791): 
+-+
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1830): | : 02 32 
   .2   |
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_io.c(1836): 
+-+
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_kernel.c(1888): OpenSSL: Read: 
SSLv3 read client certificate A
[Sat Oct 10 20:41:18 2009] [debug] ssl_engine_kernel.c(1907): OpenSSL: Exit: 
failed in SSLv3 read client certificate A
[Sat Oct 10 20:41:18 2009] [info] [client IP] SSL library error 1 in handshake 
(server hostname:443)
[Sat Oct 10 20:41:18 2009] [info] SSL Library Error: 336151578 
error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error
[Sat Oct 10 20:41:18 2009] [info] [client IP] Connection closed to child 5 with 
abortive shutdown (server hostname:443)
/snip

  




I could not isolate this issue to particular OpenSSL versions, as it happens
with openssl-0.9.8k, openssl-0.9.8g and openssl-0.9.8b.


When I built the server against openssl-1.0.0-beta3, I could *not*
access svn at all using the svn client, while I could access the same via
a browser.


Any clues?

With regards

Kamesh Jayachandran
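As an added worked example (not from the original post, and not mod_ssl code): the seven bytes that OpenSSL logged in the two BIO dumps above form one complete TLS record, and decoding them gives the same diagnosis as the "tlsv1 alert decode error" line further down: the peer (the client, since this is the server-side log) sent a fatal alert with description 50, decode_error, on TLS 1.0 instead of the expected handshake message. The parser handles the plaintext record layer only; the alert-name table is the AlertDescription list from RFC 5246.

```python
"""Decode the TLS record bytes shown in the mod_ssl debug log above.

Added example, not part of the original post and not mod_ssl code: a
minimal parser for plaintext TLS records that decodes alert bodies.
The two BIO dumps in the log are OpenSSL reading a 5-byte record header
and then its 2-byte body, so the bytes are joined here in that order.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 section 7.2
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}


def parse_tls_records(data: bytes) -> list:
    """Split plaintext TLS records; decode alert bodies into (level, description)."""
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("record body truncated: want %d, have %d" % (length, len(body)))
        rec = {
            "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
            "length": length,
        }
        if ctype == 21:
            if length != 2:
                raise ValueError("alert body must be 2 bytes, got %d" % length)
            level, desc = body[0], body[1]
            rec["alert"] = (ALERT_LEVELS.get(level, "unknown(%d)" % level),
                            ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc))
        records.append(rec)
        off += 5 + length
    return records


def describe(record: dict) -> str:
    """One-line summary in the style of OpenSSL's 'tlsv1 alert decode error'."""
    if "alert" in record:
        level, desc = record["alert"]
        return "%s %s alert (%s)" % (level, desc, record["version"])
    return "%s record, %d bytes (%s)" % (record["type"], record["length"], record["version"])


# Bytes copied from the two "BIO dump" lines in the log above:
# header 15 03 01 00 02, then body 02 32.
LOGGED_BYTES = bytes.fromhex("1503010002") + bytes.fromhex("0232")

if __name__ == "__main__":
    for rec in parse_tls_records(LOGGED_BYTES):
        print(describe(rec))
```

The same decoder can be run over the hex from any `(BIO dump follows)` block in a mod_ssl debug log; a record of type 22 at that point would have been the expected handshake message, so seeing type 21 with a fatal level is what narrows this to the client rejecting something in the server's previous flight.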


Re: Feature Request for balancer-manager

2009-10-21 Thread Jim Jagielski


On Oct 21, 2009, at 4:51 AM, Mark Watts wrote:

 On Wed, 2009-10-21 at 09:49 +0100, Mark Watts wrote:
  I hope this is the right place to ask...

  Would it be possible to add the (real) hostname of the server serving
  a /balancer-manager URI?
  Reason being, if you have a pair of load-balancers in HA fail-over, it
  tells you which server you're looking at.

  Cheers,

  Mark.

 I should clarify - can the hostname be added to the /balancer-manager
 output page?



Should be trivially easy... will look when back from SpringOne
and hopefully before ACUS09


Re: svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

2009-10-21 Thread Jim Jagielski

Wouldn't this be Bad Mojo for anyone upgrading from 2.2 to 2.4?

On Oct 19, 2009, at 4:53 PM, s...@apache.org wrote:


Author: sf
Date: Mon Oct 19 20:53:04 2009
New Revision: 826805

URL: http://svn.apache.org/viewvc?rev=826805view=rev
Log:
Change the default algorithm for htpasswd to MD5 on all platforms. Crypt
with its 8 character limit is not useful anymore.





Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12

2009-10-21 Thread Guenter Knauf
Hi Kamesh,
nice to meet you here again!
Kamesh Jayachandran schrieb:
 I could not isolate this issue to openssl versions as it happens with
 openssl-0.9.8k, openssl-0.9.8g, openssl-0.9.8-b
 
 When I built the server against openssl-1.0.0-beta3, I could *not*
 access svn at all using svn client while I could access the same via
 browser.
 
 Any clues?
Sounds all strange. I would say that since we have had SNI support since
2.2.12, that is where the problem is, and from the bug report it seems that
the OP already used 2 SSL virtual hosts with the same IP before 2.2.12, which
was neither a supported feature nor working properly at all; so probably his
configuration is the problem?
On the other side, the needed support in OpenSSL started with 0.9.8j
IIRC, and with 0.9.8k it started to be enabled by default. So I would
assume that builds with 0.9.8g and 0.9.8b are not affected ...
Also, since you post that the problem is with the client - did you also
rebuild the client with the newer OpenSSL 0.8.8k, or even with 1.0.0.b3?

Günter.




Re: svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

2009-10-21 Thread William A. Rowe, Jr.
Why?  2.2 and 2.4 (and 1.3) all support MD5/SHA1/(local implementation of)crypt
except win32 which had no crypt.

The only advantage to MD5 (SHA1) is that pw's are never 8 chars truncated, and
they don't depend on the local crypt implementation, so they don't vary between
boxes.

Jim Jagielski wrote:
 Wouldn't this be Bad Mojo for anyone upgrading from 2.2 to 2.4?
 
 On Oct 19, 2009, at 4:53 PM, s...@apache.org wrote:
 
 Author: sf
 Date: Mon Oct 19 20:53:04 2009
 New Revision: 826805

 URL: http://svn.apache.org/viewvc?rev=826805view=rev
 Log:
 Change the default algorithm for htpasswd to MD5 on all platforms. Crypt
 with its 8 character limit is not useful anymore.

 
 
 

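As an added example serving both José's question earlier on this page about the 8-character crypt() limit and this thread's change of the htpasswd default (the code is mine, not htpasswd's or APR's): a verifier for the htpasswd formats under discussion. The $apr1$ routine reimplements the APR MD5-crypt variant that `htpasswd -m` writes (the md5crypt construction with the "$apr1$" magic, following apr_md5_encode() in apr_md5.c) and carries the example line from the password_encryptions page as a self-check; {SHA} is the unsalted base64 SHA-1 of `htpasswd -s`; traditional crypt entries are recognised by shape but deliberately not verified, because crypt(3) silently uses only the first 8 characters, which is exactly the property the warning request is about.

```python
"""Verify htpasswd entries: $apr1$ (htpasswd -m) and {SHA} (htpasswd -s),
with traditional crypt(3) entries recognised but refused.

Added example, not code from htpasswd or APR. The $apr1$ routine follows
apr_md5_encode() in APR's apr_md5.c and is checked against the example
line from http://httpd.apache.org/docs/2.2/misc/password_encryptions.html.
"""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"

# From the Apache docs page: `htpasswd -nbm myName myPassword`
DOC_VECTOR = ("myPassword", "$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/")


def _to64(value: int, count: int) -> str:
    """APR's to64(): `count` characters, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5_crypt(password: bytes, salt: str) -> str:
    """Return "$apr1$<salt>$<hash>"; the salt is cut at '$' and at 8 chars."""
    salt_b = salt.split("$")[0][:8].encode()
    ctx = hashlib.md5(password + APR1_MAGIC + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    remaining = len(password)
    while remaining > 0:               # alt digest, 16 bytes at a time, len(pw) bytes in all
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(password)
    while i:                           # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # stretching rounds with alternating inputs
        r = hashlib.md5()
        r.update(password if i & 1 else final)
        if i % 3:
            r.update(salt_b)
        if i % 7:
            r.update(password)
        r.update(final if i & 1 else password)
        final = r.digest()
    groups = [                         # APR's byte permutation before encoding
        ((final[0] << 16) | (final[6] << 8) | final[12], 4),
        ((final[1] << 16) | (final[7] << 8) | final[13], 4),
        ((final[2] << 16) | (final[8] << 8) | final[14], 4),
        ((final[3] << 16) | (final[9] << 8) | final[15], 4),
        ((final[4] << 16) | (final[10] << 8) | final[5], 4),
        (final[11], 2),
    ]
    return "$apr1$%s$%s" % (salt_b.decode(), "".join(_to64(v, n) for v, n in groups))


def sha1_htpasswd(password: bytes) -> str:
    """{SHA} format: base64 of one unsalted SHA-1 (htpasswd -s)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def classify(stored: str) -> str:
    if stored.startswith("$apr1$"):
        return "apr1"
    if stored.startswith("{SHA}"):
        return "sha1"
    if len(stored) == 13:              # 2 salt chars + 11: traditional DES crypt(3)
        return "crypt"
    return "unknown"


def verify(stored: str, password: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    kind = classify(stored)
    if kind == "apr1":
        salt = stored.split("$")[2]
        return hmac.compare_digest(apr1_md5_crypt(password, salt), stored)
    if kind == "sha1":
        return hmac.compare_digest(sha1_htpasswd(password), stored)
    # crypt(3) would only ever look at password[:8]; refuse rather than
    # silently accept every password that shares the first 8 characters.
    raise ValueError("refusing to verify %s entry (crypt(3) truncates to 8 chars)" % kind)


def self_check() -> bool:
    """True when the $apr1$ routine reproduces the documented example line."""
    password, stored = DOC_VECTOR
    return verify(stored, password.encode())
```

Running `self_check()` against the documented line is the quickest way to confirm a reimplementation; a password longer than 8 characters verifies only in full with $apr1$ and {SHA}, whereas a crypt() entry for the same password would have accepted any input sharing its first 8 characters, which is the behaviour the missing htpasswd warning would have pointed out.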


Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12

2009-10-21 Thread Kaspar Brand
Kamesh Jayachandran wrote:
 When I built the server against openssl-1.0.0-beta3, I could *not* 
 access svn at all using svn client while I could access the same via 
 browser.
 
 Any clues?

The TLS session ticket extension might be the culprit here (or more
precisely, OpenSSL's implementation of that extension). Can you try the
attached patch and see whether it makes a difference?

Kaspar
--- httpd-2.2.14/modules/ssl/ssl_engine_init.c.orig 2009-08-16 
17:53:12.0 +0200
+++ httpd-2.2.14/modules/ssl/ssl_engine_init.c  2009-10-21 18:49:05.0 
+0200
@@ -382,6 +382,8 @@ static void ssl_init_ctx_tls_extensions(
 ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
 ssl_die();
 }
+
+SSL_CTX_set_options(mctx-ssl_ctx, SSL_OP_NO_TICKET);
 }
 #endif
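Review bot: SSL_OP_NO_TICKET is set unconditionally on every SSL_CTX, which is fine for the diagnostic described in the reply but not as a fix: it disables RFC 5077 stateless session resumption for all clients, so resumption falls back to the SSLSessionCache. If the patch confirms the ticket extension as the trigger, gate the option on a directive or on the affected OpenSSL versions, and log that tickets are off, so operators can see why.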
 


RE: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12

2009-10-21 Thread Kamesh Jayachandran
Hi Gunter,

Nice to meet you after a long time.

 sounds all strange. I would say since we have SNI support since 2.2.12
 that there is the problem, and from the bug report it seems that the OP
 used already 2 SSL virtual hosts with same IP before 2.2.12 which was
 neither supported feature nor it was working properly at all; so
 probably his configuration is the problem?

My setup where this fails has only *one* SSL virtual host (_default_).

 On the other side the needed support in OpenSSL started with 0.9.8j
 IIRC, and with 0.9.8k it started to be enabled by default. So I would
 assume that builds with 0.9.8g and 0.9.8b are not affected ...

I need to double check it myself (one of the internal testers was saying that
this happens with openssl-0.9.8b).
I vaguely remember this happening with openssl-0.9.8g.

 Also since you post that the problem is with the client - did you also
 rebuild the client with newer OpenSSL 0.8.8k, or even with 1.0.0.b3?

Will experiment and get back.

With regards
Kamesh Jayachandran


RE: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12

2009-10-21 Thread Kamesh Jayachandran

Thanks Kaspar, will try that tomorrow(Right now away from my dev box) and let 
you know.

With regards
Kamesh Jayachandran

-Original Message-
From: Kaspar Brand [mailto:httpd-dev.2...@velox.ch]
Sent: Wed 10/21/2009 10:29 PM
To: dev@httpd.apache.org
Subject: Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12
 
Kamesh Jayachandran wrote:
 When I built the server against openssl-1.0.0-beta3, I could *not* 
 access svn at all using svn client while I could access the same via 
 browser.
 
 Any clues?

The TLS session ticket extension might be the culprit here (or more
precisely, OpenSSL's implementation of that extension). Can you try the
attached patch and see whether it makes a difference?

Kaspar



Re: svn commit: r823703 - in /httpd/mod_fcgid/trunk/modules/fcgid/fcgid_proc_unix.c

2009-10-21 Thread Jeff Trawick
On Wed, Oct 21, 2009 at 8:54 AM, Paul Howarth p...@city-fan.org wrote:
 --- httpd/mod_fcgid/trunk/modules/fcgid/fcgid_proc_unix.c       2009/10/08
 14:32:38     823190
 +++ httpd/mod_fcgid/trunk/modules/fcgid/fcgid_proc_unix.c       2009/10/08
 14:35:13     823191
 @@ -259,6 +259,17 @@
         return errno;
     }

 +    /* IPC directory permissions are safe, but avoid confusion */
 +    /* Not all flavors of unix use the current umask for AF_UNIX perms */
 +
 +    rv = apr_file_perms_set(unix_addr.sun_path,
 APR_FPROT_UREAD|APR_FPROT_UWRITE|APR_FPROT_UEXECUTE);
 +    if (rv != APR_SUCCESS) {
 +        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, main_server,
 +                     mod_fcgid: Couldn't set permissions on unix domain
 socket %s,
 +                     unix_addr.sun_path);
 +        return rv;
 +    }
 +
     /* Listen the socket */
     if (listen(unix_socket, DEFAULT_FCGID_LISTENBACKLOG)  0) {
         ap_log_error(APLOG_MARK, APLOG_ERR, errno, main_server,

 This change breaks compatibility with old APR versions. Attached patch seems
 to fix it for me.

Thanks.

I think I'll put the #defines inside #if (APR_MAJOR_VERSION < 1)
instead of using ifndef APR_FPROT_foo so that readers know instantly
what that is about.