Re: Failed uploading file to Appache HTTP Server after using SSL
FYI. I have tried to test upload with Firefox. But it turns out that it fails too. Then, it might not be only a MSIE issue. On 4/22/06, Ken Chen <[EMAIL PROTECTED]> wrote: > Hi, > > My colleague has helped to deploy the patch and the ssl vhost has been > configured as follow: > > DocumentRoot "/home/server/webpage" > ServerName 192.168.2.130:443 > LogLevel debug > ErrorLog logs/ssl-error_log > CustomLog logs/ssl-access_log common > > BrowserMatch ".*MSIE.*" \ > nokeepalive ssl-unclean-shutdown \ > downgrade-1.0 force-response-1.0 > > ProxyPass /eservices http://localhost:8855/eservices > ProxyPassReverse /eservices http://localhost:8855/eservices > > Alias /eservices-webpage/ /home/server/webpage/ > > SSLEngine on > SSLCipherSuite > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL > SSLCertificateFile someCrt.crt > SSLCertificateKeyFile someKey.key > > > But seems the problem remains: Page can't be displayed. I found no > error in log (maybe I was not able to found). Here attached the log > when I press upload to upload file. > > > Ken > > > On 4/21/06, Ken Chen <[EMAIL PROTECTED]> wrote: > > Joe, > > > > Do you mind telling me how to apply the patch? Type command as follow? > > patch -s < .patch > > > > Do I need to stop the httpd server? or recompile or anything else? > > > > Thanks. > > > > > > On 4/21/06, Ken Chen <[EMAIL PROTECTED]> wrote: > > > ic. Thanks so much. I will apply that patch and see what is going on > > > later. > > > > > > > > > On 4/21/06, Joe Orton <[EMAIL PROTECTED]> wrote: > > > > On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: > > > > > Hi Joe, > > > > > > > > > > We are using 2.0.55 already. Is it already include that patch? > > > > > > > > No, it will be in 2.0.56 and later. But note this only applies if you > > > > are using a reverse proxy, and it only affects the application of the > > > > BrowserMatch statement - if you don't have the BrowserMatch, it has no > > > > effect. > > > > > > > > joe > > > > __ > > > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > > > User Support Mailing List modssl-users@modssl.org > > > > Automated List Manager[EMAIL PROTECTED] > > > > > > > > > > > > > -- > > > -- > > > Ken Chen > > > > > > > > > -- > > -- > > Ken Chen > > > > > -- > -- > Ken Chen > > > -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
RE: CRL Checking Uses Excessive Memory
Hi Rob, I also work for the DoD and am using the same CRLs as you (downloaded and converted on a daily basis). We're running a Linux webserver with a single 1.8Ghz Celeron, 512MB of RAM, and 1GB of swap. I haven't noticed any memory issues when checking CRLs. My Apache server starts multiple child servers. It looks like the child servers hit around 60MB of memory usage (max) when processing CRL checks; 500KB to 1MB seems to be the average child server's memory usage when idle. top says my current load average is about 0.03, 0.01, 0.00. When checking CRLs, top says my load average zooms up to around 0.20, 0.05, 0.01. Of course, my userbase is very small and we aren't doing a ton of CRL checks. OCSP should resolve your issue with plowing through the CRLs, however, I have yet to find a viable OCSP solution. There was a patch for mod_ssl, but I haven't heard anything about it since it was last released in 2004. Maybe someone else on this list knows? Rob, why don't you email me offline. I'm in the DISA GAL, if you can get to that. Dwight... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Walls Rob W Contr 75 CS/SCBS Sent: Friday, April 21, 2006 10:47 AM To: 'modssl-users@modssl.org' Subject: CRL Checking Uses Excessive Memory I work for the DoD. We have about a dozen CA's with their own CRL files. Some of these are over 20M in size. When CRL checking is enabled in Apache (for Linux or Windows), memory use is excessive and httpd processes are killed by the OS (Linux) due to out of memory conditions and all the memory swapping activity sends the proc utilization way up there and makes the server unresponsive. On Windows the CPU use just pegs at 100% (I have no idea what else is going on in there). CRL's are downloaded every day and openssl is used to make hash'd file names (ssl.conf is using SSLCARevocationPath). I don't currently restart apache after retrieving the new CRL files. The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works great, but as soon as CRLs are checked, apache starts to go south! I have a 2Gb swap partition and have added another 2Gb swap file to at least keep things running, but it becomes so slow it might as well crash. Each httpd process goes from using about 14Mb of memory when not CRL checking to 250Mb when CRL checking is enabled! BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that machine. Any ideas on how to use large CRL's in Apache? Do I just need more memory? If Apache can't use many large CRL files, would an OSCP solution side-step these problems? Any good ones out there? __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
RE: CRL Checking Uses Excessive Memory
Hi Phil, As far as I know, nothing that Rob mentioned is classified...especially since he is not naming systems by name or address. The fact that the DoD uses certificates is no secret...there's been many writeups in the various trade magazines regarding the DoD's push to PKI. Dwight... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phil Ehrens Sent: Friday, April 21, 2006 11:11 AM To: modssl-users@modssl.org Subject: Re: CRL Checking Uses Excessive Memory I think the first thing you need to do is connect to this URL from someplace that doesn't have any certs related to you installed, like your local library: https://www.hill.af.mil/main/index.html I am not trying to be funny, I am just worried that either you are going to get yourself into trouble by exposing configuration info about .mil computers, or somebody else is going to get into trouble while trying to help you. Phil Walls Rob W Contr 75 CS/SCBS wrote: > I work for the DoD. We have about a dozen CA's with their own CRL files. > Some of these are over 20M in size. When CRL checking is enabled in Apache > (for Linux or Windows), memory use is excessive and httpd processes are > killed by the OS (Linux) due to out of memory conditions and all the memory > swapping activity sends the proc utilization way up there and makes the > server unresponsive. On Windows the CPU use just pegs at 100% (I have no > idea what else is going on in there). > CRL's are downloaded every day and openssl is used to make hash'd file names > (ssl.conf is using SSLCARevocationPath). I don't currently restart apache > after retrieving the new CRL files. > The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works > great, but as soon as CRLs are checked, apache starts to go south! I have a > 2Gb swap partition and have added another 2Gb swap file to at least keep > things running, but it becomes so slow it might as well crash. > Each httpd process goes from using about 14Mb of memory when not CRL > checking to 250Mb when CRL checking is enabled! > BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that > machine. > > Any ideas on how to use large CRL's in Apache? > > Do I just need more memory? > > If Apache can't use many large CRL files, would an OSCP solution side-step > these problems? Any good ones out there? > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@modssl.org > Automated List Manager[EMAIL PROTECTED] -- Phil Ehrens <[EMAIL PROTECTED]>| Fun stuff: The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org California Institute of Technology| http://www.yellow5.com 1200 East California Blvd.| http://www.tokyotosho.com Pasadena, CA 91125 USA| My gpg public key: Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: CRL Checking Uses Excessive Memory
I think the first thing you need to do is connect to this URL from someplace that doesn't have any certs related to you installed, like your local library: https://www.hill.af.mil/main/index.html I am not trying to be funny, I am just worried that either you are going to get yourself into trouble by exposing configuration info about .mil computers, or somebody else is going to get into trouble while trying to help you. Phil Walls Rob W Contr 75 CS/SCBS wrote: > I work for the DoD. We have about a dozen CA's with their own CRL files. > Some of these are over 20M in size. When CRL checking is enabled in Apache > (for Linux or Windows), memory use is excessive and httpd processes are > killed by the OS (Linux) due to out of memory conditions and all the memory > swapping activity sends the proc utilization way up there and makes the > server unresponsive. On Windows the CPU use just pegs at 100% (I have no > idea what else is going on in there). > CRL's are downloaded every day and openssl is used to make hash'd file names > (ssl.conf is using SSLCARevocationPath). I don't currently restart apache > after retrieving the new CRL files. > The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works > great, but as soon as CRLs are checked, apache starts to go south! I have a > 2Gb swap partition and have added another 2Gb swap file to at least keep > things running, but it becomes so slow it might as well crash. > Each httpd process goes from using about 14Mb of memory when not CRL > checking to 250Mb when CRL checking is enabled! > BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that > machine. > > Any ideas on how to use large CRL's in Apache? > > Do I just need more memory? > > If Apache can't use many large CRL files, would an OSCP solution side-step > these problems? Any good ones out there? > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@modssl.org > Automated List Manager[EMAIL PROTECTED] -- Phil Ehrens <[EMAIL PROTECTED]>| Fun stuff: The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org California Institute of Technology| http://www.yellow5.com 1200 East California Blvd.| http://www.tokyotosho.com Pasadena, CA 91125 USA| My gpg public key: Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
CRL Checking Uses Excessive Memory
I work for the DoD. We have about a dozen CA's with their own CRL files. Some of these are over 20M in size. When CRL checking is enabled in Apache (for Linux or Windows), memory use is excessive and httpd processes are killed by the OS (Linux) due to out of memory conditions and all the memory swapping activity sends the proc utilization way up there and makes the server unresponsive. On Windows the CPU use just pegs at 100% (I have no idea what else is going on in there). CRL's are downloaded every day and openssl is used to make hash'd file names (ssl.conf is using SSLCARevocationPath). I don't currently restart apache after retrieving the new CRL files. The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works great, but as soon as CRLs are checked, apache starts to go south! I have a 2Gb swap partition and have added another 2Gb swap file to at least keep things running, but it becomes so slow it might as well crash. Each httpd process goes from using about 14Mb of memory when not CRL checking to 250Mb when CRL checking is enabled! BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that machine. Any ideas on how to use large CRL's in Apache? Do I just need more memory? If Apache can't use many large CRL files, would an OSCP solution side-step these problems? Any good ones out there? __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
Joe, Do you mind telling me how to apply the patch? Type command as follow? patch -s < .patch Do I need to stop the httpd server? or recompile or anything else? Thanks. On 4/21/06, Ken Chen <[EMAIL PROTECTED]> wrote: > ic. Thanks so much. I will apply that patch and see what is going on later. > > > On 4/21/06, Joe Orton <[EMAIL PROTECTED]> wrote: > > On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: > > > Hi Joe, > > > > > > We are using 2.0.55 already. Is it already include that patch? > > > > No, it will be in 2.0.56 and later. But note this only applies if you > > are using a reverse proxy, and it only affects the application of the > > BrowserMatch statement - if you don't have the BrowserMatch, it has no > > effect. > > > > joe > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List modssl-users@modssl.org > > Automated List Manager[EMAIL PROTECTED] > > > > > -- > -- > Ken Chen > -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
ic. Thanks so much. I will apply that patch and see what is going on later. On 4/21/06, Joe Orton <[EMAIL PROTECTED]> wrote: > On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: > > Hi Joe, > > > > We are using 2.0.55 already. Is it already include that patch? > > No, it will be in 2.0.56 and later. But note this only applies if you > are using a reverse proxy, and it only affects the application of the > BrowserMatch statement - if you don't have the BrowserMatch, it has no > effect. > > joe > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@modssl.org > Automated List Manager[EMAIL PROTECTED] > -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote: > Hi Joe, > > We are using 2.0.55 already. Is it already include that patch? No, it will be in 2.0.56 and later. But note this only applies if you are using a reverse proxy, and it only affects the application of the BrowserMatch statement - if you don't have the BrowserMatch, it has no effect. joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: Failed uploading file to Appache HTTP Server after using SSL
Hi Joe, We are using 2.0.55 already. Is it already include that patch? Ken On 4/21/06, Joe Orton <[EMAIL PROTECTED]> wrote: > On Fri, Apr 21, 2006 at 10:23:24AM +0800, Ken Chen wrote: > > Cliff, > > > > I have reset the timeout to 600, but the problem remains. I wonder > > whether it's the timeout problem because the problem appears > > immediately after presssing Upload! > > > > Sometimes the problem is "Page can't be displayed; sometimes it is > > what I mentioned at the very beginning that file can't been uploaded. > > There are a few things you need to check if you're having problems with > MSIE: > > 1) make sure you are using the shmcb session cache > > 2) make sure you have prevented use of persistent connections, with a > statement like: > > BrowserMatch ".*MSIE.*" \ > nokeepalive ssl-unclean-shutdown \ > downgrade-1.0 force-response-1.0 > > in the SSL vhost. > > 3) if you are using an SSL->HTTP reverse proxy, then (2) will not be > taking effect properly, and you'll need to apply this patch: > > http://people.apache.org/~jorton/httpd-2.0.54-ssltrans.patch > > joe > -- -- Ken Chen __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]