Re: shmcb access violation with openssl 0.9.6i
() The error in log_error_core is: [Mon Mar 03 12:43:04 2003] [warn] (OS 6)The handle is invalid. : Failed to acquire global mutex lock. Is this a known issue? Is there something that I'm missing? Other than changing from DBM to SHMCB, I have stock conf files. Thanks in Advance, Edward Wong Connectivity Software Engineer Hewlett-Packard Company __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] _ The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
shm support for Itanium
Hello All, While trying to run apache in Windows on an Itanium (in compatibility mode no less), I ran into the following error: === SSLSessionCache: Invalid argument: size has to be = 8192 bytes === However, the directives in question are: === SSLSessionCacheshmcb:logs/ssl_scache(512000) SSLSessionCacheTimeout 300 === Is there something that I'm missing? Is shm suppored on Itanium? I get the same results when using any other shared memory scheme (shm, shmht). I've combed the web and mailing lists for details, but have turned up very little. For Unix/Linux, loading MM libraries seems to fix the issue. Is there a similar solution for windows? Or should I just use dbm for the Windows/Itanium case? Thanks in Advance, Edward Wong _ Get a speedy connection with MSN Broadband. Join now! http://resourcecenter.msn.com/access/plans/freeactivation.asp __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Corrupt Jar and Cab files
is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers.
Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable nokeepalive for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables downgrade-1.0 and
# force-response-1.0 for this.
SetEnvIf User-Agent .*MSIE.* \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \%r\ %b
/VirtualHost
Any and all help is greatly appreciated.
--Edward Wong
_
Send and receive Hotmail on your mobile device: http://mobile.msn.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: Corrupt Jar and Cab files
Thanks Cliff. It looks like that's the answer! --Ed From: Cliff Woolley [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: Edward Wong [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: Corrupt Jar and Cab files Date: Tue, 20 Aug 2002 21:07:07 -0400 (EDT) MIME-Version: 1.0 Received: from mc2-f23.law16.hotmail.com ([65.54.237.30]) by mc2-s11.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Tue, 20 Aug 2002 18:28:20 -0700 Received: from mmx.engelschall.com ([195.27.130.252]) by mc2-f23.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.4905); Tue, 20 Aug 2002 18:12:51 -0700 Received: by mmx.engelschall.com (Postfix)id 631D3195A4; Wed, 21 Aug 2002 03:12:12 +0200 (CEST) Received: from opensource.ee.ethz.ch (opensource-01.ee.ethz.ch [129.132.7.153])by mmx.engelschall.com (Postfix) with ESMTP id 2DF11194DEfor [EMAIL PROTECTED]; Wed, 21 Aug 2002 03:12:12 +0200 (CEST) Received: by en5.engelschall.com (Sendmail 8.9.2) for modssl-users-Lid DAA27428; Wed, 21 Aug 2002 03:11:09 +0200 (MET DST) Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for [EMAIL PROTECTED]from deepthought.cs.virginia.edu id DAA27424; Wed, 21 Aug 2002 03:10:41 +0200 (MET DST) Received: from localhost (root@localhost)by deepthought.cs.virginia.edu (8.12.4/8.11.4) with ESMTP id g7L177VL005848;Tue, 20 Aug 2002 21:07:08 -0400 X-X-Sender: [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] Precedence: bulk X-Sender: Cliff Woolley [EMAIL PROTECTED] X-List-Manager: Majordomo [version 1.94.4] X-List-Name: modssl-users Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 21 Aug 2002 01:12:54.0126 (UTC) FILETIME=[E06928E0:01C248AF] On Tue, 20 Aug 2002, Edward Wong wrote: I'm seeing strange behavior when running apache 2.0.39 on Windows XP, where First of all, it is critical that you upgrade to 2.0.40, as you are currently wide open to attack with the Win32-related vulnerabilities in 2.0.39. jar and cab files are truncated after after only 16K or so (my jar/cab files are actually around 100K). This seems to happen with just about any browser, regardless of the JVM. Also, this issue only occurs on Windows XP. Win2k, WinNT, and Linux all work properly. I'm guessing you have not looked at the following: http://www.apache.org/dist/httpd/binaries/win32/#xpbug This is a bug in XP for which a hotfix exists. --Cliff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] _ Join the worlds largest e-mail service with MSN Hotmail. http://www.hotmail.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: SSL cache issue
This is related, and might be work noting: With modSSL 3.x in apache 2.x land, I have found that it cannot renegotiate during a POST. However, hitting the refresh button seems to do the handshake and then to the POST correctly. --Ed From: Shiraz Esat [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: SSL cache issue Date: Tue, 2 Apr 2002 10:10:15 +0100 Terry, If anyone passes you a solution, can you please pass it on to me as well, as I have the same problem :( [Only difference, though, is that I'm using PHP generated pages] Thanks in advance Shiraz -Original Message- From: Terry Ziemniak [SMTP:[EMAIL PROTECTED]] Sent: Friday, March 29, 2002 9:31 PM To:'[EMAIL PROTECTED]' Subject: SSL cache issue I am getting 'page not found errors' the first time I access certain JSP pages (though there are others that always work). If I refresh the page displays correctly. Notes: 1. This only happens over HTTPS, never over HTTP 2. Netscape (v 4.2) displayed the error Data Missing. This document resulted from a POST operation and has expired from the cache. If you wish you can repost the form data to create the document by pressing the reload button. 3. Apache's access.log seems to validate point 2. The last line before an error is a POST. The retry shows a POST followed shortly by anther GET and POST of the same JSP. 4. I have not yet been able to exactly describe 'First time'. General rule of them, if I repeat the process within 15 minutes it seems OK. If I wait an hour it should fail. Though quantifying that has not been my highest priority. 5. I am running Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32 and Resin 1.2.8. Any help would be appreciated. Terry Ziemniak File: ATT2.htm __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] _ Chat with friends online, try MSN Messenger: http://messenger.msn.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Changing Certificates Dynamically
Hey All, This subject has probably already been broached, but is it possible to change certificates dynamically? I'm having problems getting apache to present the new certificate during renegotiation. For example, I start apache with a pre-existing self-signed certificate. Then I upload a new certificate to the server, and want to swtich to that certificate dynamically without restarting the server. Is this possible? When I do a full renegotiation as in ssl_engine_kernel.c, it doesn't actually DO anything with the new certificate--although it will change ciphers on subsequent connections (with old certificate). Any and all help is appreciated, Edward Wong _ Send and receive Hotmail on your mobile device: http://mobile.msn.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Changing Certificates Dynamically
I believe you are correct on this matter. However, I've noticed something interesting: when I reload the certificate and private key files dynamically (the new ones), subsequent connections use the new certificate. I suppose I could go through and update ALL other existing server records in the same matter, but that idea seems to reek of insecure handling. Do you think this idea will work, or if it's just a nice-but-kludge idea? Ed From: Mads Toftum [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Changing Certificates Dynamically Date: Thu, 21 Mar 2002 23:28:37 +0100 On Thu, Mar 21, 2002 at 02:10:33PM -0800, Edward Wong wrote: Hey All, This subject has probably already been broached, but is it possible to change certificates dynamically? I'm having problems getting apache to present the new certificate during renegotiation. For example, I start apache with a pre-existing self-signed certificate. Then I upload a new certificate to the server, and want to swtich to that certificate dynamically without restarting the server. Is this possible? No. You need a restart (I'm not even sure that a graceful restart is enough - I think you need the full stop/start) vh Mads Toftum -- With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] _ Send and receive Hotmail on your mobile device: http://mobile.msn.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: modssl/apache2 compile problems
Could you be a little more specific as to how I would skip the lex/flex portion in your workaround? Is it something I need to do in MSVC++, or somewhere else? --Ed From: Leo Baschy [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: modssl/apache2 compile problems Date: Sat, 02 Feb 2002 04:57:42 -0800 Sounds similar to my problem building that under Windows. Using cygwin. Using the Visual C++ dsw/dsp projects. Rest of Apache 2.0.28 builds fine. Have put in openssl etc. (Previously on same machine have successfully built 1.3.20 with mod_ssl, still do.) The problem is specific to lex, specifically flex, processing lex.ssl_expr_yy.c(1753) : error C2143: syntax error : missing ')' before 'constant' That seems to indicate there is a file ssl_expr_scan.l which is being used to generate ssl_expr_scan.c and that generation doesn't work right. The .c file fails to compile. A temporary workaround seems to be to skip lex/flex use the ssl_expr_scan.c file that comes with 2.0.28, but I have no idea whether that might actually be an (older) incorrect version then. Anyone willing to tinker with (or knowledgable about) versions of lex? Can ssl_expr_scan.l be fine tuned to make this work again? - Leo Baschy [EMAIL PROTECTED] At 06:02 PM 1/31/02 -0500, Ed Wong wrote: Generating Code... link.exe @C:\DOCUME~1\edwon\LOCALS~1\Temp\nmb02172. Creating library .\Debug\mod_ssl.lib and object .\Debug\mod_ssl.exp ssl_expr.obj : error LNK2001: unresolved external symbol _ssl_expr_yyparse ssl_expr_scan.obj : error LNK2001: unresolved external symbol _ssl_expr_yylval __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] _ Join the worlds largest e-mail service with MSN Hotmail. http://www.hotmail.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: modssl/apache2 compile problems
I fixed this problem. I wasn't linking the dll to libhttpd properly. everything compiles now, but when I run apache with ssl enables ( -DSSL ), apache no longer responds to requests. . . . Any suggestions? Ed From: Edward Wong [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: modssl/apache2 compile problems Date: Thu, 07 Feb 2002 14:17:45 -0800 I've managed to get apache to compile and install seperately from mod_ssl. If I compile mod_ssl seperately, it builds mod_ssl.so fine. However, when I try to load mod_ssl into apache(under win2k), it keeps on saying that it can't find the module /path_to_module/mod_ssl.so. What am I doing wrong? The error is: Cannot load C:/Apache2/modules/mod_ssl.so into the server. The specified module could not be found. Pertinent sectino of httpd.conf is: LoadModule ssl_module modules/mod_ssl.so Please help . . . . . --Ed From: Leo Baschy [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: modssl/apache2 compile problems Date: Sat, 02 Feb 2002 04:57:42 -0800 Sounds similar to my problem building that under Windows. Using cygwin. Using the Visual C++ dsw/dsp projects. Rest of Apache 2.0.28 builds fine. Have put in openssl etc. (Previously on same machine have successfully built 1.3.20 with mod_ssl, still do.) The problem is specific to lex, specifically flex, processing lex.ssl_expr_yy.c(1753) : error C2143: syntax error : missing ')' before 'constant' That seems to indicate there is a file ssl_expr_scan.l which is being used to generate ssl_expr_scan.c and that generation doesn't work right. The .c file fails to compile. A temporary workaround seems to be to skip lex/flex use the ssl_expr_scan.c file that comes with 2.0.28, but I have no idea whether that might actually be an (older) incorrect version then. Anyone willing to tinker with (or knowledgable about) versions of lex? Can ssl_expr_scan.l be fine tuned to make this work again? - Leo Baschy [EMAIL PROTECTED] At 06:02 PM 1/31/02 -0500, Ed Wong wrote: Generating Code... link.exe @C:\DOCUME~1\edwon\LOCALS~1\Temp\nmb02172. Creating library .\Debug\mod_ssl.lib and object .\Debug\mod_ssl.exp ssl_expr.obj : error LNK2001: unresolved external symbol _ssl_expr_yyparse ssl_expr_scan.obj : error LNK2001: unresolved external symbol _ssl_expr_yylval __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] _ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] _ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
