RE: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]

2014-03-13 Thread Plüm, Rüdiger, Vodafone Group


> -Original Message-
> From: Jim Jagielski
> Sent: Thursday, 13 March 2014 13:59
> To: dev@httpd.apache.org
> Subject: Re: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]
> 
> This is done...
> 
> Want to reboot that conversation? We can fix in trunk and
> then backport for 2.4.10.

I guess this makes sense, as I guess we do have 2.4.x users with older pcre 
system libraries.

Regards

Rüdiger



Re: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]

2014-03-13 Thread Jim Jagielski
This is done...

Want to reboot that conversation? We can fix in trunk and
then backport for 2.4.10.

On Mar 13, 2014, at 8:50 AM, Jim Jagielski  wrote:

> Ahh. This needs to be added to CHANGES.
> 
> On Mar 13, 2014, at 7:59 AM, Plüm, Rüdiger, Vodafone Group 
>  wrote:
> 
>> 
>> 
>>> -Original Message-
>>> From: Jim Jagielski 
>>> Sent: Thursday, 13 March 2014 12:21
>>> To: dev@httpd.apache.org
>>> Subject: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]
>>> 
>>> Due to the SSL issue, the vote for release has been revoked.
>>> 
>>> Instead, I will T&R 2.4.9 today once we get one more vote
>>> for http://svn.apache.org/r1576741 and I can fold that
>>> fix in.
>> 
>> Voted. Please note that 2.4.x currently does not compile on RHEL 5 with 
>> default pcre installed from RHEL 5.
>> On trunk this is fixed by r1564439 (http://svn.apache.org/r1564439), but 
>> there was an open discussion
>> whether this is the correct / sufficient fix and if it needs additional 
>> stuff in the docs. Hence it was not proposed
>> for backport, but somehow this discussion has died.
>> http://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3C52D592F0.1010503%40apache.org%3E
>> http://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3CFD95E1EB-705D-4B57-91E5-A7D8C05DF421%40sharp.fm%3E
>> 
>> 
>> Regards
>> 
>> Rüdiger
>> 
> 



Re: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]

2014-03-13 Thread Jim Jagielski
Ahh. This needs to be added to CHANGES.

On Mar 13, 2014, at 7:59 AM, Plüm, Rüdiger, Vodafone Group 
 wrote:

> 
> 
>> -Original Message-
>> From: Jim Jagielski 
>> Sent: Thursday, 13 March 2014 12:21
>> To: dev@httpd.apache.org
>> Subject: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]
>> 
>> Due to the SSL issue, the vote for release has been revoked.
>> 
>> Instead, I will T&R 2.4.9 today once we get one more vote
>> for http://svn.apache.org/r1576741 and I can fold that
>> fix in.
> 
> Voted. Please note that 2.4.x currently does not compile on RHEL 5 with 
> default pcre installed from RHEL 5.
> On trunk this is fixed by r1564439 (http://svn.apache.org/r1564439), but 
> there was an open discussion
> whether this is the correct / sufficient fix and if it needs additional stuff 
> in the docs. Hence it was not proposed
> for backport, but somehow this discussion has died.
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3C52D592F0.1010503%40apache.org%3E
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3CFD95E1EB-705D-4B57-91E5-A7D8C05DF421%40sharp.fm%3E
> 
> 
> Regards
> 
> Rüdiger
> 



RE: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]

2014-03-13 Thread Plüm, Rüdiger, Vodafone Group


> -Original Message-
> From: Jim Jagielski 
> Sent: Thursday, 13 March 2014 12:21
> To: dev@httpd.apache.org
> Subject: REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]
> 
> Due to the SSL issue, the vote for release has been revoked.
> 
> Instead, I will T&R 2.4.9 today once we get one more vote
> for http://svn.apache.org/r1576741 and I can fold that
> fix in.

Voted. Please note that 2.4.x currently does not compile on RHEL 5 with default 
pcre installed from RHEL 5.
On trunk this is fixed by r1564439 (http://svn.apache.org/r1564439), but there 
was an open discussion
whether this is the correct / sufficient fix and if it needs additional stuff 
in the docs. Hence it was not proposed
for backport, but somehow this discussion has died.
http://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3C52D592F0.1010503%40apache.org%3E
http://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3CFD95E1EB-705D-4B57-91E5-A7D8C05DF421%40sharp.fm%3E


Regards

Rüdiger



REVOKED [Re: [VOTE] Release Apache httpd 2.4.8 as GA]

2014-03-13 Thread Jim Jagielski
Due to the SSL issue, the vote for release has been revoked.

Instead, I will T&R 2.4.9 today once we get one more vote
for http://svn.apache.org/r1576741 and I can fold that
fix in.

2.4.9 will be 2.4.8 with ONLY the following changes:

  * http://svn.apache.org/r1576741
  * STATUS typo fix
  * Will add an entry to CHANGES

On Mar 11, 2014, at 12:34 PM, Jim Jagielski  wrote:

> The pre-release test tarballs for Apache httpd 2.4.8 can be found
> at the usual place:
> 
>   http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience.
> 



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Dr Stephen Henson
On 12/03/2014 17:39, William A. Rowe Jr. wrote:
>>
>> The fix was applied on Feb 11 2013. That would mean that official
>> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
>> official release should include the fix but we weren't planning to
>> make any more 0.9.8 official releases though a 0.9.8 snapshot should
>> include the fix.
> 
> Perhaps a typo above?  Or are we looking at several bugs?  Rainer had
> specifically mentioned 1.0.1e as faulting.
> 

Yes sorry. It's all the same single bug. Checking through the versions:

For 0.9.8 branches: 0.9.8y affected, only fixed in 0.9.8 snapshots.
For 1.0.0 branches: 1.0.0k affected fixed in 1.0.0l
For 1.0.1 branches: 1.0.1d, 1.0.1e affected fixed in 1.0.0f

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
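
The per-branch list above (0.9.8y affected with no fixed release; 1.0.0k fixed in 1.0.0l; 1.0.1d and 1.0.1e fixed in 1.0.1f) is what an operator wants to screen a fleet against before rolling out a 2.4.8 test build. The following is an added example, not code from OpenSSL, from httpd or from anyone in this thread: it parses the banner that `openssl version` prints (the same string SSLeay_version() returns) and checks it against those ranges, honouring OpenSSL's pre-1.1 letter-suffix ordering. The sample banners are constructed in that format for the example. Henson's caveat stands: vendor builds may carry the upstream fix under an unchanged version string, so a match here means "inspect the build", not "affected".

```python
import re

# Affected ranges per branch, as stated in the thread (March 2014):
# branch -> (first affected letter, first fixed letter or None).
# None means no fixed release existed on that branch at the time
# (0.9.8: fix only in snapshots); re-check if a later 0.9.8 release appears.
AFFECTED_RANGES = {
    "0.9.8": ("y", None),
    "1.0.0": ("k", "l"),
    "1.0.1": ("d", "f"),
}

# Matches "OpenSSL 1.0.1e 11 Feb 2013"; the date part is ignored.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_banner(banner):
    """Return (branch, letter_suffix), e.g. ('1.0.1', 'e')."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return m.group(1), m.group(2)


def letter_key(suffix):
    """Order pre-1.1 patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)


def is_affected(banner):
    """True when the banner falls inside an affected range from the thread."""
    branch, suffix = parse_openssl_banner(banner)
    if branch not in AFFECTED_RANGES:
        return False
    first_bad, first_fixed = AFFECTED_RANGES[branch]
    if letter_key(suffix) < letter_key(first_bad):
        return False
    if first_fixed is not None and letter_key(suffix) >= letter_key(first_fixed):
        return False
    return True


def triage(banners):
    """Map each banner to 'affected' or 'clear'; unparseable banners raise."""
    return {b: ("affected" if is_affected(b) else "clear") for b in banners}


# Constructed sample banners in the format `openssl version` prints.
SAMPLE_BANNERS = [
    "OpenSSL 0.9.8x 10 May 2012",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.0k 5 Feb 2013",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.0.1c 10 May 2012",
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1f 6 Jan 2014",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print("%-30s %s" % (banner, verdict))
```

On a live host the input is the output of `openssl version` or, for a statically linked httpd, the library string from `httpd -V` / the mod_ssl startup line in error_log.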


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 18:39, William A. Rowe Jr. wrote:
> On Wed, 12 Mar 2014 00:30:57 +
> Dr Stephen Henson  wrote:
> 
>> On 11/03/2014 21:46, Gregg Smith wrote:
>>> On 3/11/2014 1:29 PM, Rainer Jung wrote:
>>>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>>>> at the usual place:
>>>>>
>>>>> http://httpd.apache.org/dev/dist/
>>>>>
>>>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>>>
>>>>> [ ] +1: Good to go
>>>>> [ ] +0: meh
>>>>> [ ] -1: Danger Will Robinson. And why.
>>>>>
>>>>> Vote will last the normal 72 hrs.
>>>>>
>>>>> NOTE: The *-deps are only there for convenience.
>>>> I get a segfault during startup init on www.apache.org when using
>>>> SSL. This didn't happen for r1570851. Candidate is r1573360.
>>>
>>> I'm seeing this with OpenSSL 0.9.8y on Windows.
>>>
>>
>> Here are some more details of the bug in OpenSSL I *think* triggers
>> this.
>>
>> The function SSL_get_certificate was modified in some versions of
>> OpenSSL to return the certificate the server used instead of the
>> current certificate it had done previously. This was to make OCSP
>> stapling work with multiple configured certificates. Unfortunately a
>> bug in the change meant it would crash if it was called before the
>> server sent the certificate. Later versions of OpenSSL restored the
>> original behaviour unless SSL_get_certificate was called inside the
>> OCSP callback when it would return the certificate actually sent.
>>
>> The fix was applied on Feb 11 2013. That would mean that official
>> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
>> official release should include the fix but we weren't planning to
>> make any more 0.9.8 official releases though a 0.9.8 snapshot should
>> include the fix.
> 
> Perhaps a typo above?  Or are we looking at several bugs?  Rainer had
> specifically mentioned 1.0.1e as faulting.
> 
> I'm of the same mind as Jim - that a 2.4.9 with some workaround patch
> as described is probably a good idea, but now I'm not clear whether
> the proposed workaround fixes the case you mention with 1.0.1c or also
> the 1.0.1e fault?

I think the problematic code is in 0.9.8y, 1.0.0k, 1.0.1d and 1.0.1e. It
has been fixed in the latest 1.0.0 and 1.0.1 releases and the fix is in
HEAD for 0.9.8 but not released. The problem should not occur with
versions older than the cited ones.

Regards,

Rainer


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread William A. Rowe Jr.
On Wed, 12 Mar 2014 00:30:57 +
Dr Stephen Henson  wrote:

> On 11/03/2014 21:46, Gregg Smith wrote:
> > On 3/11/2014 1:29 PM, Rainer Jung wrote:
> >> On 11.03.2014 17:34, Jim Jagielski wrote:
> >>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
> >>> at the usual place:
> >>>
> >>> http://httpd.apache.org/dev/dist/
> >>>
> >>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
> >>>
> >>> [ ] +1: Good to go
> >>> [ ] +0: meh
> >>> [ ] -1: Danger Will Robinson. And why.
> >>>
> >>> Vote will last the normal 72 hrs.
> >>>
> >>> NOTE: The *-deps are only there for convenience.
> >> I get a segfault during startup init on www.apache.org when using
> >> SSL. This didn't happen for r1570851. Candidate is r1573360.
> > 
> > I'm seeing this with OpenSSL 0.9.8y on Windows.
> > 
> 
> Here are some more details of the bug in OpenSSL I *think* triggers
> this.
> 
> The function SSL_get_certificate was modified in some versions of
> OpenSSL to return the certificate the server used instead of the
> current certificate it had done previously. This was to make OCSP
> stapling work with multiple configured certificates. Unfortunately a
> bug in the change meant it would crash if it was called before the
> server sent the certificate. Later versions of OpenSSL restored the
> original behaviour unless SSL_get_certificate was called inside the
> OCSP callback when it would return the certificate actually sent.
> 
> The fix was applied on Feb 11 2013. That would mean that official
> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
> official release should include the fix but we weren't planning to
> make any more 0.9.8 official releases though a 0.9.8 snapshot should
> include the fix.

Perhaps a typo above?  Or are we looking at several bugs?  Rainer had
specifically mentioned 1.0.1e as faulting.

I'm of the same mind as Jim - that a 2.4.9 with some workaround patch
as described is probably a good idea, but now I'm not clear whether
the proposed workaround fixes the case you mention with 1.0.1c or also
the 1.0.1e fault?

--- Begin Message ---
On 11.03.2014 21:41, Dr Stephen Henson wrote:
> On 11/03/2014 20:29, Rainer Jung wrote:
>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>> at the usual place:
>>>
>>> http://httpd.apache.org/dev/dist/
>>>
>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>
>>> [ ] +1: Good to go
>>> [ ] +0: meh
>>> [ ] -1: Danger Will Robinson. And why.
>>>
>>> Vote will last the normal 72 hrs.
>>>
>>> NOTE: The *-deps are only there for convenience.
>>
>> I get a segfault during startup init on www.apache.org when using SSL.
>> This didn't happen for r1570851. Candidate is r1573360.
>>
>> That server currently uses OpenSSL 1.0.1e.
>>
>> GDB:
>>
>> Program terminated with signal 11, Segmentation fault.
>> #0  0x00010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> (gdb) bt full
>> #0  0x00010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> No symbol table info available.
>> #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
>> /usr/local/lib/libssl.so.8
> 
> Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.

Thanks Steve. Will try, actually was on my way to update when I noticed
there was not yet a BSD port for 1.0.1f. Will try nevertheless.

Regards,

Rainer

--- End Message ---


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Jim Jagielski
I have added this as a SHOWSTOPPER patch for 2.4.x...

I will try to find a system where the bug exists to
test.

On Mar 12, 2014, at 11:17 AM, Rainer Jung  wrote:

> On 12.03.2014 14:55, Dr Stephen Henson wrote:
>> On 12/03/2014 12:29, Rainer Jung wrote:
>>> On 12.03.2014 11:37, Jim Jagielski wrote:
>>>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>>>> cause this much pain. I will let the vote run a bit more to
>>>> gauge additional feedback, but my sense says that 2.4.8
>>>> will likely be revoked/dropped and 2.4.9 will be proposed
>>>> which either (1) removes r1573360 or (2) fixes this bug.
>>> 
>>> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
>>> an issue but since all Major versions seem to show the behavior and
>>> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
>>> should implement the workaround suggested by Steve.
>>> 
>> 
>> Applied to trunk as r1576741. I've tried to keep the changes to the absolute
>> minimum.
>> 
>> I've tested OpenSSL 0.9.8y without this change and can reproduce the crash. 
>> It
>> doesn't crash with this fix.
> 
> OK, saw that message too late, functionally equivalent with what I tried
> (and you proposed). So agreed, this fixes it.
> 
> Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 14:55, Dr Stephen Henson wrote:
> On 12/03/2014 12:29, Rainer Jung wrote:
>> On 12.03.2014 11:37, Jim Jagielski wrote:
>>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>>> cause this much pain. I will let the vote run a bit more to
>>> gauge additional feedback, but my sense says that 2.4.8
>>> will likely be revoked/dropped and 2.4.9 will be proposed
>>> which either (1) removes r1573360 or (2) fixes this bug.
>>
>> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
>> an issue but since all Major versions seem to show the behavior and
>> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
>> should implement the workaround suggested by Steve.
>>
> 
> Applied to trunk as r1576741. I've tried to keep the changes to the absolute
> minimum.
> 
> I've tested OpenSSL 0.9.8y without this change and can reproduce the crash. It
> doesn't crash with this fix.

OK, saw that message too late, functionally equivalent with what I tried
(and you proposed). So agreed, this fixes it.

Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 01:59, Dr Stephen Henson wrote:
> On 12/03/2014 00:30, Dr Stephen Henson wrote:
>>
>> The fix was applied on Feb 11 2013. That would mean that official releases
>> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release 
>> should
>> include the fix but we weren't planning to make any more 0.9.8 official 
>> releases
>> though a 0.9.8 snapshot should include the fix.
>>
>> OS specific versions of OpenSSL might not have included the fix. This is the
>> actual diff:
>>
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
>>
> 
> It looks like the only case this can happen is ssl_init_server_certs where an
> SSL structure is created, SSL_get_certificate called and then it is freed.
> 
> If so then calling SSL_set_connect_state before the SSL_get_certificate
> call is a potential workaround. This works because the faulty code isn't used 
> by
> SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
> among other things.
> 
> This is a bit of a hack because it's called on a server SSL structure. This
> would probably fail horribly if an attempt was made to use the SSL structure 
> but
> in this case we're freeing it up immediately so this should hopefully not 
> matter.

Following your advice I added the following patch:

http://people.apache.org/~rjung/patches/ssl-init-crash.patch

and switched back to using OpenSSL 1.0.1e. Indeed the crash during
startup didn't occur with that patch in place.

I will wait a bit and if I hear no complaints apply to trunk (if no one
beats me to it).

Regards,

Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Dr Stephen Henson
On 12/03/2014 12:29, Rainer Jung wrote:
> On 12.03.2014 11:37, Jim Jagielski wrote:
>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>> cause this much pain. I will let the vote run a bit more to
>> gauge additional feedback, but my sense says that 2.4.8
>> will likely be revoked/dropped and 2.4.9 will be proposed
>> which either (1) removes r1573360 or (2) fixes this bug.
> 
> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
> an issue but since all Major versions seem to show the behavior and
> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
> should implement the workaround suggested by Steve.
> 

Applied to trunk as r1576741. I've tried to keep the changes to the absolute
minimum.

I've tested OpenSSL 0.9.8y without this change and can reproduce the crash. It
doesn't crash with this fix.

Steve.


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Jim Jagielski

On Mar 12, 2014, at 8:29 AM, Rainer Jung  wrote:

> On 12.03.2014 11:37, Jim Jagielski wrote:
>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>> cause this much pain. I will let the vote run a bit more to
>> gauge additional feedback, but my sense says that 2.4.8
>> will likely be revoked/dropped and 2.4.9 will be proposed
>> which either (1) removes r1573360 or (2) fixes this bug.
> 
> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
> an issue but since all Major versions seem to show the behavior and
> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
> should implement the workaround suggested by Steve.
> 

We'll need to put that into trunk, check that it works w/o
causing a regression, first.

My personal opinion is to pull out the commit in 2.4.x to give it
more time in trunk to ferment and to release 2.4.9 w/o r1573360.



RE: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Plüm, Rüdiger, Vodafone Group


> -Original Message-
> From: Rainer Jung [mailto:rainer.j...@kippdata.de]
> Sent: Wednesday, 12 March 2014 13:30
> To: dev@httpd.apache.org
> Subject: Re: [VOTE] Release Apache httpd 2.4.8 as GA
> 
> On 12.03.2014 11:37, Jim Jagielski wrote:
> > At the very least, upgrading from 2.4.7 to 2.4.8 should not
> > cause this much pain. I will let the vote run a bit more to
> > gauge additional feedback, but my sense says that 2.4.8
> > will likely be revoked/dropped and 2.4.9 will be proposed
> > which either (1) removes r1573360 or (2) fixes this bug.
> 
> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
> an issue but since all Major versions seem to show the behavior and
> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
> should implement the workaround suggested by Steve.

+1

Regards

Rüdiger



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 11:37, Jim Jagielski wrote:
> At the very least, upgrading from 2.4.7 to 2.4.8 should not
> cause this much pain. I will let the vote run a bit more to
> gauge additional feedback, but my sense says that 2.4.8
> will likely be revoked/dropped and 2.4.9 will be proposed
> which either (1) removes r1573360 or (2) fixes this bug.

Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
an issue but since all Major versions seem to show the behavior and
there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
should implement the workaround suggested by Steve.

Regards,

Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Graham Leggett
On 12 Mar 2014, at 12:37 PM, Jim Jagielski  wrote:

> At the very least, upgrading from 2.4.7 to 2.4.8 should not
> cause this much pain. I will let the vote run a bit more to
> gauge additional feedback, but my sense says that 2.4.8
> will likely be revoked/dropped and 2.4.9 will be proposed
> which either (1) removes r1573360 or (2) fixes this bug.

+1.

Regards,
Graham
--



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Jim Jagielski
At the very least, upgrading from 2.4.7 to 2.4.8 should not
cause this much pain. I will let the vote run a bit more to
gauge additional feedback, but my sense says that 2.4.8
will likely be revoked/dropped and 2.4.9 will be proposed
which either (1) removes r1573360 or (2) fixes this bug.

On Mar 11, 2014, at 8:59 PM, Dr Stephen Henson  
wrote:

> On 12/03/2014 00:30, Dr Stephen Henson wrote:
>> 
>> The fix was applied on Feb 11 2013. That would mean that official releases
>> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release 
>> should
>> include the fix but we weren't planning to make any more 0.9.8 official 
>> releases
>> though a 0.9.8 snapshot should include the fix.
>> 
>> OS specific versions of OpenSSL might not have included the fix. This is the
>> actual diff:
>> 
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
>> 
> 
> It looks like the only case this can happen is ssl_init_server_certs where an
> SSL structure is created, SSL_get_certificate called and then it is freed.
> 
> If so then calling SSL_set_connect_state before the SSL_get_certificate
> call is a potential workaround. This works because the faulty code isn't used 
> by
> SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
> among other things.
> 
> This is a bit of a hack because it's called on a server SSL structure. This
> would probably fail horribly if an attempt was made to use the SSL structure 
> but
> in this case we're freeing it up immediately so this should hopefully not 
> matter.
> 
> Steve.
> 



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
On 11/03/2014 21:46, Gregg Smith wrote:
> On 3/11/2014 1:29 PM, Rainer Jung wrote:
>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>> at the usual place:
>>>
>>> http://httpd.apache.org/dev/dist/
>>>
>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>
>>> [ ] +1: Good to go
>>> [ ] +0: meh
>>> [ ] -1: Danger Will Robinson. And why.
>>>
>>> Vote will last the normal 72 hrs.
>>>
>>> NOTE: The *-deps are only there for convenience.
>> I get a segfault during startup init on www.apache.org when using SSL.
>> This didn't happen for r1570851. Candidate is r1573360.
> 
> I'm seeing this with OpenSSL 0.9.8y on Windows.
> 

Here are some more details of the bug in OpenSSL I *think* triggers this.

The function SSL_get_certificate was modified in some versions of OpenSSL to
return the certificate the server used instead of the current certificate it had
done previously. This was to make OCSP stapling work with multiple configured
certificates. Unfortunately a bug in the change meant it would crash if it was
called before the server sent the certificate. Later versions of OpenSSL
restored the original behaviour unless SSL_get_certificate was called inside the
OCSP callback when it would return the certificate actually sent.

The fix was applied on Feb 11 2013. That would mean that official releases
affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
include the fix but we weren't planning to make any more 0.9.8 official releases
though a 0.9.8 snapshot should include the fix.

OS specific versions of OpenSSL might not have included the fix. This is the
actual diff:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10

Steve.


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Noel Butler

On 12/03/2014 02:34, Jim Jagielski wrote: 

> The pre-release test tarballs for Apache httpd 2.4.8 can be found
> at the usual place:
> 
> http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience.

-1 

slackware 13.1 w/apr-1.50, apr-util-1.5.3, SSL 0.9.8y - segfaults 

a third party on IRC reports likewise on RHEL 5.5 

So it seems more than just openssl 1.0.1e affected 




Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Noel Butler

On 12/03/2014 09:17, Noel Butler wrote: 

> On 12/03/2014 02:34, Jim Jagielski wrote: 
> 
>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>> at the usual place:
>> 
>> http://httpd.apache.org/dev/dist/
>> 
>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>> 
>> [ ] +1: Good to go
>> [ ] +0: meh
>> [ ] -1: Danger Will Robinson. And why.
>> 
>> Vote will last the normal 72 hrs.
>> 
>> NOTE: The *-deps are only there for convenience.
> 
> -1 
> 
> slackware 13.1 w/apr-1.50, apr-util-1.5.3, SSL 0.9.8y - segfaults 
> 
> a third party on IRC reports likewise on RHEL 5.5 
> 
> So it seems more than just openssl 1.0.1e affected

Too early in morning, forgot to add slackware 14.0, 14.1 builds and
execution succeeds, but both use openssl 1.0.1f 




Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
On 12/03/2014 00:30, Dr Stephen Henson wrote:
> 
> The fix was applied on Feb 11 2013. That would mean that official releases
> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
> include the fix but we weren't planning to make any more 0.9.8 official 
> releases
> though a 0.9.8 snapshot should include the fix.
> 
> OS specific versions of OpenSSL might not have included the fix. This is the
> actual diff:
> 
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
> 

It looks like the only case this can happen is ssl_init_server_certs where an
SSL structure is created, SSL_get_certificate called and then it is freed.

If so then calling SSL_set_connect_state before the SSL_get_certificate
call is a potential workaround. This works because the faulty code isn't used by
SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
among other things.

This is a bit of a hack because it's called on a server SSL structure. This
would probably fail horribly if an attempt was made to use the SSL structure but
in this case we're freeing it up immediately so this should hopefully not 
matter.

Steve.


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Steffen


SSLCertificateFile already points to the certificate:

SSLCertificateFile conf/ssl.crt
SSLCertificateKeyFile conf/ssl.key

The doc says the directive can be used multiple times.
So I added :  SSLCertificateFile conf/sub.class2.server.ca.cer

But then Apache does not start:

[Tue Mar 11 23:03:56.812199 2014] [ssl:emerg] [pid 4356:tid 468] 
AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 
(key file D:/servers/apacheS/conf/sub.class2.server.ca.cer)
[Tue Mar 11 23:03:56.812199 2014] [ssl:emerg] [pid 4356:tid 468] 
AH02312: Fatal error initialising mod_ssl, exiting.
[Tue Mar 11 23:03:56.812199 2014] [ssl:emerg] [pid 4356:tid 468] 
AH02564: Failed to configure encrypted (?) private key 
www.land10web.com:443:1, check 
D:/servers/apacheS/conf/sub.class2.server.ca.cer
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D0680A8:asn1 encoding 
routines:ASN1_CHECK_TLEN:wrong tag
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D0680A8:asn1 encoding 
routines:ASN1_CHECK_TLEN:wrong tag
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D07803A:asn1 encoding 
routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib

...

So I leave it now with SSLCACertificateFile
conf/sub.class2.server.ca.cer, which looks to be working fine.

On Tuesday 11/03/2014 at 22:53, Falco Schwarz wrote:

> On 11 Mar 2014, at 22:43, Steffen wrote:
>
>> Builds fine on VC11 Win32, other flavors I try tomorrow
>>
>> Till now it runs fine, but get the following (run OpenSSL 1.0.1f):
>>
>> AH02559: The SSLCertificateChainFile directive
>> (D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated,
>> SSLCertificateFile should be used instead
>>
>> In the change log it is mentioned. By instruction of my certificate
>> Certification Authority in conf:
>>
>> SSLCertificateChainFile conf/sub.class2.server.ca.cer
>> SSLCACertificateFile conf/ca.cer
>>
>> Changed to:
>> SSLCACertificateFile conf/sub.class2.server.ca.cer
>>
>> and as expected the warning is gone.
>>
>> Not sure if it has any consequences ?
>
> Instead of using SSLCACertificateFile, try using only
> SSLCertificateFile, as described here:
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile


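The exchange above turns on how 2.4.8 expects the server chain to be supplied: SSLCertificateChainFile is deprecated, the intermediate certificates belong in the SSLCertificateFile PEM after the leaf, and handing a CA certificate to mod_ssl as a second SSLCertificateFile makes it look for a matching private key and fail (the AH02577/AH02564 lines above). The following is an added example, not code from httpd or from anyone in this thread: a stdlib-only Python check that a combined PEM bundle is ordered leaf to root, done by parsing the issuer and subject Name fields out of each DER certificate and confirming that each certificate's issuer is the next certificate's subject. The certificates it runs on are structurally valid but unsigned X.509 skeletons constructed inline for the example; the CN strings are invented.

```python
import base64
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_to_der(pem_text):
    """Split a PEM bundle into a list of DER-encoded certificates."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT_RE.findall(pem_text)]


def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _expect(buf, pos, tag):
    """Like _tlv but insist on a tag; return (value_start, value_end)."""
    got, start, end = _tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x at %d, got 0x%02x" % (tag, pos, got))
    return start, end


def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name blobs from an X.509 certificate."""
    tbs_start, _ = _expect(der, 0, 0x30)        # Certificate SEQUENCE
    pos, _ = _expect(der, tbs_start, 0x30)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                             # optional explicit [0] version
        pos = end
    _, pos = _expect(der, pos, 0x02)            # serialNumber
    _, pos = _expect(der, pos, 0x30)            # signature AlgorithmIdentifier
    _, end = _expect(der, pos, 0x30)            # issuer Name
    issuer, pos = der[pos:end], end
    _, pos = _expect(der, pos, 0x30)            # validity
    _, end = _expect(der, pos, 0x30)            # subject Name
    return issuer, der[pos:end]


def check_chain_order(pem_text):
    """Return a list of problems; empty means the bundle links leaf-to-root."""
    names = [issuer_and_subject(der) for der in pem_bundle_to_der(pem_text)]
    if not names:
        return ["no certificates found in bundle"]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:      # issuer(i) must equal subject(i+1)
            problems.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    return problems


# --- constructed sample input: unsigned X.509 skeletons, not real certs ------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name with one RDN: commonName (2.5.4.3) as UTF8String."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


_SHA256_RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
_RSA_KEY_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + b"\x05\x00")


def fake_cert(subject_cn, issuer_cn):
    """X.509 v3 structure with a placeholder key and an empty signature."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                     # version v3
               + _der(0x02, b"\x01")                                # serialNumber
               + _SHA256_RSA                                        # signature alg
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"140311000000Z") + _der(0x17, b"150311000000Z"))
               + _name(subject_cn)
               + _der(0x30, _RSA_KEY_ALG + _der(0x03, b"\x00")))    # SPKI placeholder
    cert = _der(0x30, tbs + _SHA256_RSA + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


LEAF = fake_cert("www.example.test", "Example Class 2 Server CA")
INTERMEDIATE = fake_cert("Example Class 2 Server CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")

GOOD_BUNDLE = LEAF + INTERMEDIATE        # what SSLCertificateFile should hold
SWAPPED_BUNDLE = INTERMEDIATE + LEAF     # CA cert first: served as the server cert
GAPPED_BUNDLE = LEAF + ROOT              # intermediate missing: chain does not link

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("swapped", SWAPPED_BUNDLE),
                          ("gapped", GAPPED_BUNDLE)):
        print(label, check_chain_order(bundle) or "ok")
```

Run it against the concatenated file before pointing SSLCertificateFile at it; it does not verify signatures or the key match, only the ordering that determines which certificate the server presents first and whether the handshake chain is contiguous.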
Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Reindl Harald


Am 11.03.2014 22:52, schrieb Falco Schwarz:
> On 11 Mar 2014, at 22:43, Steffen  > wrote:
>> Builds  fine on  VC11 Win32, other flavors I try tomorrow
>>
>> Till now it runs fine, but get the following (run OpenSSL 1.0.1f):
>>
>> AH02559: The SSLCertificateChainFile directive 
>> (D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated,
>> SSLCertificateFile should be used instead
>>
>> In the change log it is mentioned.  By instruction of my certificate 
>> Certification Authority in conf:
>>
>> SSLCertificateChainFile conf/sub.class2.server.ca.cer
>> SSLCACertificateFile conf/ca.cer
>>
>> Changed to:
>> SSLCACertificateFile conf/sub.class2.server.ca.cer
>>
>> and as expected the warning is gone.
>>
>> Not sure if it has any consequences ?
> 
> Instead of using SSLCACertificateFile, try using only
> SSLCertificateFile, as described here:
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

caution in context of "SSLUseStapling On"

maybe that works with 2.4.8 too, with 2.4.7 it does not in case
having cert/key/ca-chain combined in SSLCertificateFile

however, i build http://httpd.apache.org/dev/dist/httpd-2.4.8.tar.bz2
in a short on Fedora 20 x86_64 with openssl-1.0.1e and likely give
a vote tomorrow





Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Rainer Jung
On 11.03.2014 21:53, Rainer Jung wrote:
> On 11.03.2014 21:41, Dr Stephen Henson wrote:
>> On 11/03/2014 20:29, Rainer Jung wrote:
>>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>>> at the usual place:
>>>>
>>>>   http://httpd.apache.org/dev/dist/
>>>>
>>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>>
>>>> [ ] +1: Good to go
>>>> [ ] +0: meh
>>>> [ ] -1: Danger Will Robinson. And why.
>>>>
>>>> Vote will last the normal 72 hrs.
>>>>
>>>> NOTE: The *-deps are only there for convenience.
>>>
>>> I get a segfault during startup init on www.apache.org when using SSL.
>>> This didn't happen for r1570851. Candidate is r1573360.
>>>
>>> That server currently uses OpenSSL 1.0.1e.
>>>
>>> GDB:
>>>
>>> Program terminated with signal 11, Segmentation fault.
>>> #0  0x00010287a19a in ssl_set_cert_masks () from
>>> /usr/local/lib/libssl.so.8
>>> (gdb) bt full
>>> #0  0x00010287a19a in ssl_set_cert_masks () from
>>> /usr/local/lib/libssl.so.8
>>> No symbol table info available.
>>> #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
>>> /usr/local/lib/libssl.so.8
>>
>> Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.
> 
> Thanks Steve. Will try; actually I was on my way to update when I noticed
> there was not yet a BSD port for 1.0.1f. Will try nevertheless.

Updating to OpenSSL 1.0.1f fixed it.

Regards,

Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Falco Schwarz

> On 11 Mar 2014, at 22:43, Steffen wrote:
> 
> Builds fine on VC11 Win32; other flavors I'll try tomorrow.
> 
> Till now it runs fine, but I get the following (running OpenSSL 1.0.1f):
> 
> AH02559: The SSLCertificateChainFile directive
> (D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated,
> SSLCertificateFile should be used instead
> 
> In the change log it is mentioned. By instruction of my certificate's
> Certification Authority, in conf:
> 
> SSLCertificateChainFile conf/sub.class2.server.ca.cer
> SSLCACertificateFile conf/ca.cer
> 
> Changed to:
> SSLCACertificateFile conf/sub.class2.server.ca.cer
> 
> and as expected the warning is gone.
> 
> Not sure if it has any consequences?

Instead of using SSLCACertificateFile, try using only
SSLCertificateFile, as described here:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
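
The directive Falco points to takes, from 2.4.8 on, the server certificate followed by its intermediates in one file, and mod_ssl expects them sorted leaf to root. SSLCACertificateFile, by contrast, is the trust store used for client-certificate verification, so moving an intermediate there is not the same configuration. Below is an added example, not code from httpd or from anyone in this thread, that checks such a concatenated bundle for leaf-to-root order by walking the outer DER structure of each certificate and comparing each issuer Name to the subject Name of the certificate that follows. It uses only the Python standard library and does no signature, validity or key-match verification. The certificates it runs against are constructed dummy fixtures with the right ASN.1 layout, not real certificates, and the names in them are made up.

```python
"""Ordering check for a concatenated PEM bundle used as SSLCertificateFile
(httpd >= 2.4.8): server certificate first, then intermediates, leaf to root.
Added example, not httpd code. Compares raw DER Name encodings only; it does
NOT verify signatures, validity dates or that the key matches the leaf."""
import base64
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_bytes):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode(b"".join(body.split()))
            for body in PEM_CERT_RE.findall(pem_bytes)]


def _tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """(issuer, subject) as raw DER Name encodings of one certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }"""
    _, tbs_start, _ = _tlv(der, 0)         # outer Certificate SEQUENCE
    tag, pos, _ = _tlv(der, tbs_start)     # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # [0] EXPLICIT version is optional
        pos = end
    _, _, pos = _tlv(der, pos)             # serialNumber
    _, _, pos = _tlv(der, pos)             # signature AlgorithmIdentifier
    issuer_start = pos
    _, _, pos = _tlv(der, pos)             # issuer Name
    issuer = der[issuer_start:pos]
    _, _, pos = _tlv(der, pos)             # validity
    subject_start = pos
    _, _, pos = _tlv(der, pos)             # subject Name
    return issuer, der[subject_start:pos]


def check_chain_order(pem_bytes):
    """List of problems; empty means every cert is issued by the next one."""
    names = [issuer_and_subject(d) for d in pem_to_der_list(pem_bytes)]
    if not names:
        return ["no CERTIFICATE blocks found"]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate #{i} was not issued by certificate "
                            f"#{i + 1}: bundle is not sorted leaf to root")
    return problems


# --- constructed fixtures: dummy, unsigned, NOT real certificates -----------
def _der(tag, content):
    """One DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN (2.5.4.3)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Structurally valid but unsigned dummy certificate (test fixture only)."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))          # version v3
               + _der(0x02, b"\x01")                     # serialNumber
               + sha256_rsa                              # signature algorithm
               + _name(issuer_cn)                        # issuer
               + _der(0x30, _der(0x17, b"140311000000Z") + _der(0x17, b"150311000000Z"))
               + _name(subject_cn)                       # subject
               + _der(0x30, b""))                        # subjectPublicKeyInfo placeholder
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))  # empty signature BIT STRING
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


LEAF = fake_cert_pem("www.example.test", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
GOOD_BUNDLE = LEAF + INTERMEDIATE     # what SSLCertificateFile should contain
BAD_BUNDLE = INTERMEDIATE + LEAF      # common mistake: intermediate pasted first

if __name__ == "__main__":
    print("good bundle:", check_chain_order(GOOD_BUNDLE) or "leaf-to-root order OK")
    print("bad bundle: ", check_chain_order(BAD_BUNDLE))
```

Point check_chain_order at the bytes of the file you hand to SSLCertificateFile; an empty result means the order is the one mod_ssl expects. It says nothing about whether the chain is trusted by clients or whether the key file belongs to the first certificate; httpd itself reports the latter at startup.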


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Gregg Smith

On 3/11/2014 1:29 PM, Rainer Jung wrote:
> On 11.03.2014 17:34, Jim Jagielski wrote:
>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>> at the usual place:
>>
>> http://httpd.apache.org/dev/dist/
>>
>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>
>> [ ] +1: Good to go
>> [ ] +0: meh
>> [ ] -1: Danger Will Robinson. And why.
>>
>> Vote will last the normal 72 hrs.
>>
>> NOTE: The *-deps are only there for convenience.
>
> I get a segfault during startup init on www.apache.org when using SSL.
> This didn't happen for r1570851. Candidate is r1573360.

I'm seeing this with OpenSSL 0.9.8y on Windows.

> That server currently uses OpenSSL 1.0.1e.
>
> GDB:
>
> Program terminated with signal 11, Segmentation fault.
> #0  0x00010287a19a in ssl_set_cert_masks () from
> /usr/local/lib/libssl.so.8
> (gdb) bt full
> #0  0x00010287a19a in ssl_set_cert_masks () from
> /usr/local/lib/libssl.so.8
> No symbol table info available.
> #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
> /usr/local/lib/libssl.so.8
> No symbol table info available.
> #2  0x00010287a7a9 in ssl_get_server_send_cert () from
> /usr/local/lib/libssl.so.8
> No symbol table info available.
> #3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
> mctx=0x10227d938, ptemp=, p=, s=) at ssl_engine_init.c:959
> No locals.
> #4  ssl_init_server_ctx (pphrases=, sc=,
> ptemp=, p=, s=) at
> ssl_engine_init.c:1287
> No locals.
> #5  ssl_init_ConfigureServer (s=0x102277350, p=0x102023028,
> ptemp=0x102051028, sc=0x10227d7d8, pphrases=) at
> ssl_engine_init.c:1378
>  rv =
> #6  0x000102617cfc in ssl_init_Module (p=0x102023028,
> plog=, ptemp=0x102051028, base_server=0x10204dbe8) at
> ssl_engine_init.c:228
>  mc =
>  sc =
>  s = 0x102277350
>  rv = 0
>  pphrases = 0x10226ab58
> #7  0x0044965c in ap_run_post_config (pconf=0x102023028,
> plog=0x10204f028, ptemp=0x102051028, s=0x10204dbe8) at config.c:103
>  n = 4
>  rv =
> #8  0x0042afd7 in main (argc=9, argv=0x7fffd8c0) at main.c:696
>  c = 68 'D'
>  showcompile = 0
>  showdirectives = 0
>  confname = 0x7fffdbb7 "/.../conf/httpd.conf"
>  def_server_root = 0x4655c0 "/..."
>  temp_error_log = 0x0
>  error =
>  process = 0x102021118
>  pconf = 0x102023028
>  plog = 0x10204f028
>  ptemp = 0x102051028
>  pcommands = 0x102045028
>  opt = 0x102045118
>  rv =
>  opt_arg = 0x7fffdbfa "SSL"
>
> ...
>
> #3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
> mctx=0x10227d938, ptemp=, p=, s=) at ssl_engine_init.c:959
> 959 if (!(ssl = SSL_new(mctx->ssl_ctx)) ||
>
> (gdb) print *pphrases
> $1 = {pool = 0x102051028, elt_size = 8, nelts = 0, nalloc = 2, elts =
> 0x10226ab78 ""}
>
> (gdb) print *mctx
> $2 = {sc = 0x10227d7d8, ssl_ctx = 0x102185600, pks = 0x10227da20, pkp =
> 0x0, ticket_key = 0x10227dab0, protocol = 6, pphrase_dialog_type =
> SSL_PPTYPE_BUILTIN,
>    pphrase_dialog_path = 0x0, cert_chain = 0x1022784c0 "/crt",
> crl_path = 0x0, crl_file = 0x0,
>    crl_check_mode = SSL_CRLCHECK_UNSET, stapling_enabled = 0,
> stapling_resptime_skew = -1, stapling_resp_maxage = -1,
> stapling_cache_timeout = -1,
>    stapling_return_errors = 4294967295, stapling_fake_trylater =
> 4294967295, stapling_errcache_timeout = -1, stapling_responder_timeout =
> -1, stapling_force_url = 0x0,
>    srp_vfile = 0x0, srp_unknown_user_seed = 0x0, srp_vbase = 0x0, auth =
> {ca_cert_path = 0x0, ca_cert_file = 0x0,
>  cipher_suite = 0x102108d18 "...", verify_depth = 1, verify_mode =
> SSL_CVERIFY_NONE},
>    ocsp_enabled = 0, ocsp_force_default = 0, ocsp_responder = 0x0,
> ocsp_resptime_skew = -1, ocsp_resp_maxage = -1, ocsp_responder_timeout = -1}
>
> Config structure is roughly:
>
>
>  ServerName ...
>  DocumentRoot ...
>  SSLEngine on
>  SSLCACertificateFile pem
>  SSLCertificateFile crt
>  SSLCertificateKeyFile key
>  SSLCertificateChainFile pem
>
>
>
> SSLEngine on
> SSLCertificateFile crt
> SSLCertificateKeyFile key
> SSLCertificateChainFile crt
>
> DocumentRoot ...
> ServerName ...
> ServerAlias ...
> UseCanonicalName On
>
> non-ssl config items
>
>
>
> ServerName ...
> UseCanonicalName Off
> VirtualDocumentRoot ...
> VirtualScriptAlias ...
> ServerAlias ...
>
> SSLEngine on
> SSLCertificateFile crt
> SSLCertificateKeyFile key
> SSLCertificateChainFile crt
>
> non-ssl config items
>
>
> The certificates etc. in the three blocks are three different ones.
>
> I'll have a look what I can find out, just an early heads-up.
>
> Regards,
>
> Rainer




Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Steffen

Builds fine on VC11 Win32; other flavors I'll try tomorrow.

Till now it runs fine, but I get the following (running OpenSSL 1.0.1f):

AH02559: The SSLCertificateChainFile directive
(D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated,
SSLCertificateFile should be used instead

In the change log it is mentioned. By instruction of my certificate's
Certification Authority, in conf:

SSLCertificateChainFile conf/sub.class2.server.ca.cer
SSLCACertificateFile conf/ca.cer

Changed to:
SSLCACertificateFile conf/sub.class2.server.ca.cer

and as expected the warning is gone.

Not sure if it has any consequences?


Steffen



-Original Message- 
From: Jim Jagielski

Sent: Tuesday, March 11, 2014 5:34 PM
Newsgroups: gmane.comp.apache.devel
To: httpd
Subject: [VOTE] Release Apache httpd 2.4.8 as GA

The pre-release test tarballs for Apache httpd 2.4.8 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience. 



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Rainer Jung
On 11.03.2014 21:41, Dr Stephen Henson wrote:
> On 11/03/2014 20:29, Rainer Jung wrote:
>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>> at the usual place:
>>>
>>> http://httpd.apache.org/dev/dist/
>>>
>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>
>>> [ ] +1: Good to go
>>> [ ] +0: meh
>>> [ ] -1: Danger Will Robinson. And why.
>>>
>>> Vote will last the normal 72 hrs.
>>>
>>> NOTE: The *-deps are only there for convenience.
>>
>> I get a segfault during startup init on www.apache.org when using SSL.
>> This didn't happen for r1570851. Candidate is r1573360.
>>
>> That server currently uses OpenSSL 1.0.1e.
>>
>> GDB:
>>
>> Program terminated with signal 11, Segmentation fault.
>> #0  0x00010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> (gdb) bt full
>> #0  0x00010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> No symbol table info available.
>> #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
>> /usr/local/lib/libssl.so.8
> 
> Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.

Thanks Steve. Will try; actually I was on my way to update when I noticed
there was not yet a BSD port for 1.0.1f. Will try nevertheless.

Regards,

Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
On 11/03/2014 20:29, Rainer Jung wrote:
> On 11.03.2014 17:34, Jim Jagielski wrote:
>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>> at the usual place:
>>
>>  http://httpd.apache.org/dev/dist/
>>
>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>
>> [ ] +1: Good to go
>> [ ] +0: meh
>> [ ] -1: Danger Will Robinson. And why.
>>
>> Vote will last the normal 72 hrs.
>>
>> NOTE: The *-deps are only there for convenience.
> 
> I get a segfault during startup init on www.apache.org when using SSL.
> This didn't happen for r1570851. Candidate is r1573360.
> 
> That server currently uses OpenSSL 1.0.1e.
> 
> GDB:
> 
> Program terminated with signal 11, Segmentation fault.
> #0  0x00010287a19a in ssl_set_cert_masks () from
> /usr/local/lib/libssl.so.8
> (gdb) bt full
> #0  0x00010287a19a in ssl_set_cert_masks () from
> /usr/local/lib/libssl.so.8
> No symbol table info available.
> #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
> /usr/local/lib/libssl.so.8

Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Rainer Jung
On 11.03.2014 17:34, Jim Jagielski wrote:
> The pre-release test tarballs for Apache httpd 2.4.8 can be found
> at the usual place:
> 
>   http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience.

I get a segfault during startup init on www.apache.org when using SSL.
This didn't happen for r1570851. Candidate is r1573360.

That server currently uses OpenSSL 1.0.1e.

GDB:

Program terminated with signal 11, Segmentation fault.
#0  0x00010287a19a in ssl_set_cert_masks () from
/usr/local/lib/libssl.so.8
(gdb) bt full
#0  0x00010287a19a in ssl_set_cert_masks () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#1  0x00010287a6f6 in ssl_get_server_send_pkey () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#2  0x00010287a7a9 in ssl_get_server_send_cert () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
mctx=0x10227d938, ptemp=, p=, s=) at ssl_engine_init.c:959
No locals.
#4  ssl_init_server_ctx (pphrases=, sc=,
ptemp=, p=, s=) at
ssl_engine_init.c:1287
No locals.
#5  ssl_init_ConfigureServer (s=0x102277350, p=0x102023028,
ptemp=0x102051028, sc=0x10227d7d8, pphrases=) at
ssl_engine_init.c:1378
rv = 
#6  0x000102617cfc in ssl_init_Module (p=0x102023028,
plog=, ptemp=0x102051028, base_server=0x10204dbe8) at
ssl_engine_init.c:228
mc = 
sc = 
s = 0x102277350
rv = 0
pphrases = 0x10226ab58
#7  0x0044965c in ap_run_post_config (pconf=0x102023028,
plog=0x10204f028, ptemp=0x102051028, s=0x10204dbe8) at config.c:103
n = 4
rv = 
#8  0x0042afd7 in main (argc=9, argv=0x7fffd8c0) at main.c:696
c = 68 'D'
showcompile = 0
showdirectives = 0
confname = 0x7fffdbb7 "/.../conf/httpd.conf"
def_server_root = 0x4655c0 "/..."
temp_error_log = 0x0
error = 
process = 0x102021118
pconf = 0x102023028
plog = 0x10204f028
ptemp = 0x102051028
pcommands = 0x102045028
opt = 0x102045118
rv = 
opt_arg = 0x7fffdbfa "SSL"

...

#3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
mctx=0x10227d938, ptemp=, p=, s=) at ssl_engine_init.c:959
959 if (!(ssl = SSL_new(mctx->ssl_ctx)) ||

(gdb) print *pphrases
$1 = {pool = 0x102051028, elt_size = 8, nelts = 0, nalloc = 2, elts =
0x10226ab78 ""}

(gdb) print *mctx
$2 = {sc = 0x10227d7d8, ssl_ctx = 0x102185600, pks = 0x10227da20, pkp =
0x0, ticket_key = 0x10227dab0, protocol = 6, pphrase_dialog_type =
SSL_PPTYPE_BUILTIN,
  pphrase_dialog_path = 0x0, cert_chain = 0x1022784c0 "/crt",
crl_path = 0x0, crl_file = 0x0,
  crl_check_mode = SSL_CRLCHECK_UNSET, stapling_enabled = 0,
stapling_resptime_skew = -1, stapling_resp_maxage = -1,
stapling_cache_timeout = -1,
  stapling_return_errors = 4294967295, stapling_fake_trylater =
4294967295, stapling_errcache_timeout = -1, stapling_responder_timeout =
-1, stapling_force_url = 0x0,
  srp_vfile = 0x0, srp_unknown_user_seed = 0x0, srp_vbase = 0x0, auth =
{ca_cert_path = 0x0, ca_cert_file = 0x0,
cipher_suite = 0x102108d18 "...", verify_depth = 1, verify_mode =
SSL_CVERIFY_NONE},
  ocsp_enabled = 0, ocsp_force_default = 0, ocsp_responder = 0x0,
ocsp_resptime_skew = -1, ocsp_resp_maxage = -1, ocsp_responder_timeout = -1}

Config structure is roughly:


ServerName ...
DocumentRoot ...
SSLEngine on
SSLCACertificateFile pem
SSLCertificateFile crt
SSLCertificateKeyFile key
SSLCertificateChainFile pem



   SSLEngine on
   SSLCertificateFile crt
   SSLCertificateKeyFile key
   SSLCertificateChainFile crt

   DocumentRoot ...
   ServerName ...
   ServerAlias ...
   UseCanonicalName On

   non-ssl config items



   ServerName ...
   UseCanonicalName Off
   VirtualDocumentRoot ...
   VirtualScriptAlias ...
   ServerAlias ...

   SSLEngine on
   SSLCertificateFile crt
   SSLCertificateKeyFile key
   SSLCertificateChainFile crt

   non-ssl config items


The certificates etc. in the three blocks are three different ones.

I'll have a look what I can find out, just an early heads-up.

Regards,

Rainer