nghttp2 1.3.0 Build failure on GNUC macro now fixed

2015-09-10 Thread NormW

FYI,
the GNUC-specific macro behind the nghttp2 1.3.0 build failure has been
replaced by more generic C in the nghttp2 source, and the fix should be
available in the next release.

Cheers,
N.


Re: PR 54626 - ldaps not working with microsoft ldapsdk

2015-09-10 Thread Andy Wang



On 09/10/2015 02:51 PM, Eric Covener wrote:
> On Thu, Sep 10, 2015 at 3:44 PM, Andy Wang  wrote:
> > yup, 2.2.31 works perfectly fine for me as well without any additional
> > patches.  I posted a comment on the bugzilla report as well as an updated
> > patch against 2.4.16.  I don't have trunk sucked down in svn yet, so I
> > didn't generate a patch directly against the trunk version.
> >
> > Best I can tell, having it fail and setting ssl_supported doesn't seem to
> > actually cause a problem.
>
> net effect of updated patch is to block attempts at the cert config
> and suppress the INFO level message?



Correct.
Basically all I did was move the #ifdef #else #endif chunks from the 
wrong functions to the right functions.


I think the issue is, a lot of these functions have basically identical 
signatures and identical setup/teardown routines at the beginning and 
end of the functions, so when patch was run against the 2.2.25 diff, the 
line numbers were off and it matched the wrong chunks just right :).


Andy


Re: PR 54626 - ldaps not working with microsoft ldapsdk

2015-09-10 Thread Eric Covener
On Thu, Sep 10, 2015 at 3:44 PM, Andy Wang  wrote:
> yup, 2.2.31 works perfectly fine for me as well without any additional
> patches.  I posted a comment on the bugzilla report as well as an updated
> patch against 2.4.16.  I don't have trunk sucked down in svn yet, so I
> didn't generate a patch directly against the trunk version.
>
> Best I can tell, having it fail and setting ssl_supported doesn't seem to
> actually cause a problem.


net effect of updated patch is to block attempts at the cert config
and suppress the INFO level message?

-- 
Eric Covener
cove...@gmail.com


Re: PR 54626 - ldaps not working with microsoft ldapsdk

2015-09-10 Thread Andy Wang



On 09/10/2015 01:50 PM, Andy Wang wrote:
> I'm going to try 2.2.31 now to see if I see different behavior.  But
> other than to correct the incorrect message about SSL being unavailable,
> in 2.4.x the fixed version of the patch doesn't appear to functionally
> change anything.


yup, 2.2.31 works perfectly fine for me as well without any additional 
patches.  I posted a comment on the bugzilla report as well as an 
updated patch against 2.4.16.  I don't have trunk sucked down in svn 
yet, so I didn't generate a patch directly against the trunk version.


Best I can tell, having it fail and setting ssl_supported doesn't seem 
to actually cause a problem.


Andy



Re: PR 54626 - ldaps not working with microsoft ldapsdk

2015-09-10 Thread Andy Wang

The patch in trunk is broken.
It looks like it was applied with the 2.2.25-generated diff and patch 
applied it heuristically.


On 09/08/2015 09:38 PM, Eric Covener wrote:
> No reason at all as far as I can tell, just overlooked.  I always
> build with an alternate SDK on Windows -- a confirmation that the
> trunk patch works would help. I am surprised that ldaps:// has
> apparently just never worked but it's only been reported by three
> people.



That's what I assume, and we have customers complaining that they cannot 
get it to work, but in my case, I simply add the ldap cert (i have a 
self signed ldaps server) to the trusted root certificates and it works 
with or without the patch.


Without the patch I do see this:
[Thu Sep 10 12:02:18.858401 2015] [ldap:info] [pid 4204:tid 128] 
AH01320: LDAP: SSL support unavailable: LDAP: CA certificates cannot be 
set using this method, as they are stored in the registry instead.


But that doesn't seem to negatively affect this.  As I look more closely 
through the apache source (grepping for the ssl_supported usage), I 
don't actually see that ssl_supported is used by anything meaningful.


There is a problem with the patch as it is in trunk though.  It looks 
like jfclere probably just applied the 2.2.25 diff, and patch 
heuristically screwed it up:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ldap/util_ldap.c?view=markup&pathrev=1526436

The #if APR_HAS_MICROSOFT_LDAPSDK on line 2511 belongs on line 2433 and 
the #endif @ 2561 belongs at the end of this function:

static const char *util_ldap_set_trusted_client_cert(cmd_parms *cmd,

As it is now, the patch won't even build on Windows as it ifdef's out
static const char *util_ldap_set_verify_srv_cert(cmd_parms *cmd,

I'm going to try 2.2.31 now to see if I see different behavior.  But 
other than to correct the incorrect message about SSL being unavailable, 
in 2.4.x the fixed version of the patch doesn't appear to functionally 
change anything.


Andy


Re: patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds

2015-09-10 Thread Stuart Henderson
On 2015/09/10 13:40, Stefan Sperling wrote:
> On Thu, Sep 10, 2015 at 10:37:44AM +, Stuart Henderson wrote:
> > I've opened a ticket for this already (bz 58349) but it was suggested
> > that I send mail here as well.
> > 
> > Currently httpd builds fail with libressl as SSLv3 has been disabled
> > (OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method()
> > functions.
> > 
> > ab.c fails at build time, mod_ssl is slightly nastier as this isn't
> > picked up until trying to start a server with ssl enabled.
> > 
> > Thanks,
> > Stuart
> 
> Does OpenSSL use the name OPENSSL_NO_SSL3 too?
> Or is this macro defined by LibreSSL only?

With OpenSSL this is defined when it's built with the no-ssl3 option; it
works the same as building with no-rc5, no-ssl2, etc. This patch is
similar to previous patches which were added to various projects when
various OSes (e.g. Debian, OpenBSD) disabled ssl2 in their standard builds
of OpenSSL.

For LibreSSL the functions have just been removed completely; it's no
longer a build option, but the effect is exactly the same as an OpenSSL
build with no-ssl3.
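The two ways the thread's patch handles a compiled-out SSLv3 can be compared side by side. This is an added example, not code from the httpd patch or the project: it defines OPENSSL_NO_SSL3 itself to simulate a no-ssl3 or LibreSSL build instead of including OpenSSL headers, and the enum and the assumed SSLv23 default stand in for ab's real SSL_METHOD handling.

```c
#include <strings.h>   /* strncasecmp(), as in ab's -f option parsing */
/* OpenSSL's opensslconf.h defines this when built with no-ssl3; LibreSSL
 * removed the SSLv3 functions outright. Defined here only so the example
 * compiles without OpenSSL headers and exercises the compiled-out case. */
#ifndef OPENSSL_NO_SSL3
#define OPENSSL_NO_SSL3 1
#endif

/* Stand-in for the SSL_METHOD* a real client would select. */
typedef enum {
    METH_SSL23, METH_SSL3, METH_TLS1, METH_TLS1_2,
    METH_UNAVAILABLE          /* requested protocol was compiled out */
} method_id;

/* Same shape as the patched ab.c: the whole SSL3 branch is compiled out,
 * so "SSL3" matches nothing and the caller keeps its default (assumed here
 * to be the SSLv23 negotiating method ab sets before parsing -f). */
method_id select_method_patch_style(const char *opt_arg)
{
    method_id meth = METH_SSL23;
    if (strncasecmp(opt_arg, "ALL", 3) == 0) {
        meth = METH_SSL23;
#ifndef OPENSSL_NO_SSL3
    } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
        meth = METH_SSL3;
#endif
    } else if (strncasecmp(opt_arg, "TLS1.2", 6) == 0) {
        meth = METH_TLS1_2;
    } else if (strncasecmp(opt_arg, "TLS1", 4) == 0) {
        meth = METH_TLS1;
    }
    return meth;
}

/* Keep the name test unconditional and report a compiled-out protocol,
 * as the mod_ssl hunk does with ap_log_error() + ssl_die(), instead of
 * letting the request degrade to a different protocol unnoticed. */
method_id select_method_checked(const char *opt_arg)
{
    if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
#ifdef OPENSSL_NO_SSL3
        return METH_UNAVAILABLE;
#else
        return METH_SSL3;
#endif
    }
    return select_method_patch_style(opt_arg);
}
```

With the macro defined, asking for SSL3 yields the silent SSLv23 default in the first function and an explicit METH_UNAVAILABLE in the second; a caller can then fail loudly rather than continuing with a protocol the user did not ask for.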



Re: patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds

2015-09-10 Thread Stefan Sperling
On Thu, Sep 10, 2015 at 10:37:44AM +, Stuart Henderson wrote:
> I've opened a ticket for this already (bz 58349) but it was suggested
> that I send mail here as well.
> 
> Currently httpd builds fail with libressl as SSLv3 has been disabled
> (OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method()
> functions.
> 
> ab.c fails at build time, mod_ssl is slightly nastier as this isn't
> picked up until trying to start a server with ssl enabled.
> 
> Thanks,
> Stuart

Does OpenSSL use the name OPENSSL_NO_SSL3 too?
Or is this macro defined by LibreSSL only?

> --- support/ab.c.orig Fri Jul 17 22:55:57 2015
> +++ support/ab.c  Fri Jul 17 22:56:13 2015
> @@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[])
>  } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
>  meth = SSLv2_client_method();
>  #endif
> +#ifndef OPENSSL_NO_SSL3
>  } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
>  meth = SSLv3_client_method();
> +#endif
>  #ifdef HAVE_TLSV1_X
>  } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
>  meth = TLSv1_1_client_method();
> 
> --- modules/ssl/ssl_engine_init.c.origSun Sep  6 15:23:52 2015
> +++ modules/ssl/ssl_engine_init.c Sun Sep  6 15:57:35 2015
> @@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
>   "Creating new SSL context (protocols: %s)", cp);
>  
>  if (protocol == SSL_PROTOCOL_SSLV3) {
> +#ifndef OPENSSL_NO_SSL3
>  method = mctx->pkp ?
>  SSLv3_client_method() : /* proxy */
>  SSLv3_server_method();  /* server */
> +#else
> +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
> +"SSLv3 protocol not available");
> +return ssl_die(s);
> +#endif
>  }
>  else if (protocol == SSL_PROTOCOL_TLSV1) {
>  method = mctx->pkp ?
> 


patch (mod_ssl/ab) to support OPENSSL_NO_SSL3 builds

2015-09-10 Thread Stuart Henderson
I've opened a ticket for this already (bz 58349) but it was suggested
that I send mail here as well.

Currently httpd builds fail with libressl as SSLv3 has been disabled
(OPENSSL_NO_SSL3); ab.c and mod_ssl unconditionally use SSLv3_method()
functions.

ab.c fails at build time, mod_ssl is slightly nastier as this isn't
picked up until trying to start a server with ssl enabled.

Thanks,
Stuart

--- support/ab.c.orig   Fri Jul 17 22:55:57 2015
+++ support/ab.cFri Jul 17 22:56:13 2015
@@ -2314,8 +2314,10 @@ int main(int argc, const char * const argv[])
 } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
 meth = SSLv2_client_method();
 #endif
+#ifndef OPENSSL_NO_SSL3
 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
 meth = SSLv3_client_method();
+#endif
 #ifdef HAVE_TLSV1_X
 } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
 meth = TLSv1_1_client_method();
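Review bot: with OPENSSL_NO_SSL3 defined, the `#ifndef`/`#endif` pair removes the whole `strncasecmp(opt_arg, "SSL3", 4)` branch, so `-f SSL3` matches nothing and silently falls through to the remaining branches and whatever `meth` already held; the user gets a different protocol with no indication. This mirrors the existing SSL2 guard, but consider keeping the name test outside the guard and adding an `#else` that reports SSLv3 as unavailable and exits, the way the mod_ssl hunk does with `ap_log_error()` and `ssl_die()`.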

--- modules/ssl/ssl_engine_init.c.orig  Sun Sep  6 15:23:52 2015
+++ modules/ssl/ssl_engine_init.c   Sun Sep  6 15:57:35 2015
@@ -484,9 +484,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *
  "Creating new SSL context (protocols: %s)", cp);
 
 if (protocol == SSL_PROTOCOL_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
 method = mctx->pkp ?
 SSLv3_client_method() : /* proxy */
 SSLv3_server_method();  /* server */
+#else
+ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+"SSLv3 protocol not available");
+return ssl_die(s);
+#endif
 }
 else if (protocol == SSL_PROTOCOL_TLSV1) {
 method = mctx->pkp ?
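Review bot: the new `ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "SSLv3 protocol not available")` carries no `APLOGNO()` tag, unlike httpd's other log messages (compare the AH01320 message quoted earlier in this thread), so it cannot be looked up by its AH number; consider also naming the directive that selected SSLv3 only so the admin knows what to change. Failing hard with `return ssl_die(s)` rather than quietly substituting another method is the right behaviour here.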