Re: Win32: Apache-1.1.3 + mod_ssl 2.1b8 + mod_jserv
On Fri, Nov 06, 1998, Trung Tran-Duc wrote:

> On Fri, 06 Nov 1998 15:59:30 GMT, Ralf S. Engelschall [EMAIL PROTECTED] wrote:
> [...]
> > > Also apache crashes on NT when I try to restart it (apache.exe -k
> > > restart). It's inside ssleay. I'm going to debug it...
> [...]
> It's run in the master process. I don't know how restart is done on
> UNIX, init_module is run in each restart. The master process is the
> same. We must be very careful to init everything, especially we cannot
> rely on global vars being init'ed to zero and such. On Windoze there is
> no fork(), no detach, etc. (We've run into this before, do you remember?)
> ssl_ModConfig->nInitCount can be million. We must init ssleay each time.

Correct, because the DLL is _reloaded_. I've now recognized that we have
exactly the same problem under the Unix/DSO situation.

> + #ifndef WIN32 if (ssl_ModConfig-nInitCount == 1) { ssl_init_SSLeay(s); ssl_pphrase_Handle(s, p); return; } if (ssl_ModConfig-nInitCount == 2) { ssl_init_SSLeay(s); } + #else /* WIN32 */ + ssl_init_SSLeay(s); + ssl_pphrase_Handle(s, p); + #endif /* !WIN32 */

Ok, but here the Pass Phrase handling is done on every restart on Win32.
That's not intended this way. Because we have the same problem under
Unix/DSO I've now replaced this piece of code with the following:

| #ifdef SHARED_MODULE
|     ssl_init_SSLeay(s);
| #else
|     if (mc->nInitCount <= 2) {
|         ssl_init_SSLeay(s);
|     }
| #endif
|     if (mc->nInitCount == 1) {
|         ssl_pphrase_Handle(s, p);
| #ifndef WIN32
|         return;
| #endif
|     }

This way we init SSLeay on every init under the DSO/DLL situation but not
under Unix/non-DSO. And the pass phrase handling is done only on the
first init.

Can you verify that this code variant works under Win32, too?

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Win32: Apache-1.1.3 + mod_ssl 2.1b8 + mod_jserv
On Mon, 09 Nov 1998 10:03:23 GMT, Ralf S. Engelschall [EMAIL PROTECTED] wrote:
[...]
> This way we init SSLeay on every init under the DSO/DLL situation but not
> under Unix/non-DSO. And the pass phrase handling is done only on the
> first init.

Rhetorical question: what would happen if I change the mod_ssl config, the
new private key file is encrypted with a _different_ pass phrase and I
restart Apache? Of course Apache cannot regain the terminal to ask for the
pass phrase. Is it correct? In this case, will it fail or hang in reading
from an invisible terminal?

> Can you verify that this code variant works under Win32, too?

Yes.

-trung
Re: Win32: Apache-1.1.3 + mod_ssl 2.1b8 + mod_jserv
On Mon, Nov 09, 1998, Trung Tran-Duc wrote:

> On Mon, 09 Nov 1998 10:03:23 GMT, Ralf S. Engelschall [EMAIL PROTECTED] wrote:
> [...]
> > This way we init SSLeay on every init under the DSO/DLL situation but
> > not under Unix/non-DSO. And the pass phrase handling is done only on
> > the first init.
>
> Rhetorical question: what would happen if I change the mod_ssl config,
> the new private key file is encrypted with a _different_ pass phrase and
> I restart Apache? Of course Apache cannot regain the terminal to ask for
> the pass phrase. Is it correct? In this case, will it fail or hang in
> reading from an invisible terminal?

No, it'll not hang because we don't cache the pass phrase. We cache the
private key itself. So on restarts the private key (and certificate file)
is _NOT_ reloaded from disk. It's provided to SSLeay again, yes - but from
the cache. Because as we discussed some time ago, caching the pass phrase
is more a security problem than directly caching the private key (because
SSLeay caches the private key itself, too). So we should not have any pass
phrase handling problems here.

> > Can you verify that this code variant works under Win32, too?
>
> Yes.

Fine.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
Re: Win32: Apache-1.1.3 + mod_ssl 2.1b8 + mod_jserv
On Mon, Nov 09, 1998, Trung Tran-Duc wrote:

> On Mon, 09 Nov 1998 10:03:23 GMT, Ralf S. Engelschall [EMAIL PROTECTED] wrote:
> [...]
> > > This way we init SSLeay on every init under the DSO/DLL situation but
> > > not under Unix/non-DSO. And the pass phrase handling is done only on
> > > the first init.
> >
> > Rhetorical question: what would happen if I change the mod_ssl config,
> > the new private key file is encrypted with a _different_ pass phrase
> > and I restart Apache? Of course Apache cannot regain the terminal to
> > ask for the pass phrase. Is it correct? In this case, will it fail or
> > hang in reading from an invisible terminal?
>
> No, it'll not hang because we don't cache the pass phrase. We cache the
> private key itself. So on restarts the private key (and certificate
> file) is _NOT_ reloaded from disk. It's provided to SSLeay again, yes -
> but from the cache. Because as we discussed some time ago, caching the
> pass phrase is more a security problem than directly caching the private
> key (because SSLeay caches the private key itself, too). So we should
> not have any pass phrase handling problems here.
>
> It means that if I want to change the private key, I have to shut down
> the server and start it again; it does not suffice to send a restart
> signal. Right?

Right, both on restarts and graceful restarts mod_ssl reinitializes SSLeay
with the already known cert/key pairs.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
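As an added illustration that is not part of this thread or of mod_ssl itself: a small C model of the init-count and key-cache behaviour Ralf describes (the names ssl_init_Module, ssl_init_SSLeay, ssl_pphrase_Handle, mc and nInitCount are assumptions modelled on the ones quoted in the thread). It shows that a restart re-initialises the library (always for the DSO/DLL build, only on the first two passes for a static build) but feeds it the cached key, so the pass phrase is asked for exactly once and a key file swapped on disk is not picked up until a full stop and start.

```c
#include <string.h>

/* Constructed model of the restart-time logic discussed in this thread, not
 * mod_ssl source. Like mod_ssl's ssl_ModConfig / mc, the struct below lives
 * in the master process and survives every restart. */
static struct {
    int  nInitCount;        /* bumped on every ap_init_modules() pass       */
    int  key_cached;        /* a decrypted key (NOT a pass phrase) is held  */
    char key[32];           /* the cached private key material              */
} mc;

static int g_ssleay_inits;      /* how often ssl_init_SSLeay() ran          */
static int g_pphrase_prompts;   /* how often the terminal was asked         */
static const char *g_disk_key;  /* what server.key decrypts to right now    */

static void ssl_init_SSLeay(void) { g_ssleay_inits++; }

/* First init only: prompt on the terminal, decrypt, cache the key itself. */
static void ssl_pphrase_Handle(void)
{
    g_pphrase_prompts++;
    strncpy(mc.key, g_disk_key, sizeof mc.key - 1);   /* last byte stays 0 */
    mc.key_cached = 1;
}

/* One mod_ssl init pass; shared != 0 models the DSO/DLL build.
 * Returns the key material handed to SSLeay on this pass. */
static const char *ssl_init_Module(int shared)
{
    mc.nInitCount++;
    if (shared)                    /* library reloaded: always re-init      */
        ssl_init_SSLeay();
    else if (mc.nInitCount <= 2)   /* static build: first two passes only   */
        ssl_init_SSLeay();
    if (mc.nInitCount == 1)
        ssl_pphrase_Handle();
    /* Restarts never touch the disk: SSLeay is fed the cached key again.  */
    return mc.key_cached ? mc.key : NULL;
}

/* Start once, let the admin swap the key file on disk, restart n times.
 * Returns the key SSLeay ends up using after the last restart. */
const char *run_restarts(int shared, int restarts, const char *new_disk_key)
{
    memset(&mc, 0, sizeof mc);
    g_ssleay_inits = g_pphrase_prompts = 0;
    g_disk_key = "KEY-A";                      /* constructed sample key    */
    const char *key = ssl_init_Module(shared);
    g_disk_key = new_disk_key;                 /* new key installed on disk */
    for (int i = 0; i < restarts; i++)
        key = ssl_init_Module(shared);
    return key;
}
int ssleay_inits(void)    { return g_ssleay_inits; }
int pphrase_prompts(void) { return g_pphrase_prompts; }
```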
Re: Win32: Apache-1.1.3 + mod_ssl 2.1b8 + mod_jserv
On Fri, Nov 06, 1998, [EMAIL PROTECTED] wrote:

> A short and sweet message: It works ;-)

*grin* Fine.

> I'll try later to upload my binary archive to the contrib area.

I've moved it to the mod_ssl Contrib area now.

> BTW: the default build (perl configure.bat make) gives me the following
> server String:
> Apache/1.3.3 (Win32) mod_ssl/mod_ssl/2.1b8 SSLeay/0.9.0b mod_jserv/1.0b

BTW, just as a hint: you don't have to use "perl configure.bat". That's
why we call it configure.bat: it's a DOS batch script which automatically
re-runs itself with the Perl interpreter. So you can directly run
"configure.bat" from the shell, of course.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
Re: Win32: Apache-1.1.3 + mod_ssl 2.1b8 + mod_jserv
On Fri, Nov 06, 1998, Trung Tran-Duc wrote:

> [...]
> > server String:
> > Apache/1.3.3 (Win32) mod_ssl/mod_ssl/2.1b8 SSLeay/0.9.0b mod_jserv/1.0b
>
> What? mod_ssl twice? This is a minor error in configure.bat.

Oops, correct. I've recently added the mod_ssl/ prefix (for consistency
with the product string which can be added under Unix) and totally forgot
the NT side. Thanks for discovering and fixing this, Trung.

> Also apache crashes on NT when I try to restart it (apache.exe -k
> restart). It's inside ssleay. I'm going to debug it...

Perhaps we have to actually shut down SSLeay in some way (at the restart)
before we can re-init it (at the new startup)? Perhaps Tim Hudson has some
hints for us. Tim? From the Apache side it's easy: We can do this inside
Apache with a callback function configured via ap_register_cleanup(). Or
inside the new remove_module hook of the Extended API. We just have to
know what SSLeay functions we have to call at server restart time.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
Re: Win32: Apache-1.1.3 + mod_ssl 2.1b8 + mod_jserv
On Fri, 06 Nov 1998 15:59:30 GMT, Ralf S. Engelschall [EMAIL PROTECTED] wrote:
[...]
> > Also apache crashes on NT when I try to restart it (apache.exe -k
> > restart). It's inside ssleay. I'm going to debug it...
>
> Perhaps we have to actually shut down SSLeay in some way (at the restart)
> before we can re-init it (at the new startup)? Perhaps Tim Hudson has
> some hints for us. Tim? From the Apache side it's easy: We can do this
> inside Apache with a callback function configured via
> ap_register_cleanup(). Or inside the new remove_module hook of the
> Extended API. We just have to know what SSLeay functions we have to call
> at server restart time.

No, it's something else. I've solved it. From src/main/http_main.c:

--8<--
5568:    do {            /* restart-pending */
             [cut]
             ap_init_modules(pconf, server_conf);
             [cut]
             ++generation;
5693:    } while (restart_pending);
--8<--

It's run in the master process. I don't know how restart is done on UNIX,
init_module is run in each restart. The master process is the same. We
must be very careful to init everything, especially we cannot rely on
global vars being init'ed to zero and such. On Windoze there is no fork(),
no detach, etc. (We've run into this before, do you remember?)
ssl_ModConfig->nInitCount can be million. We must init ssleay each time.

-trung

P.S. I'm going to print Apache source to have some reading over the
weekend :-(

Here is the diff:

*** ssl_engine_init.c~ Wed Nov 04 13:03:10 1998 --- ssl_engine_init.c Fri Nov 06 17:21:53 1998 *** *** 137,152 * Ok, now try to solve this totally ugly situation... */ if (ssl_ModConfig-nInitCount == 1) { ssl_init_SSLeay(s); ssl_pphrase_Handle(s, p); - #ifndef WIN32 return; - #endif } if (ssl_ModConfig-nInitCount == 2) { ssl_init_SSLeay(s); } /* * Warn the user that he should use the session cache. --- 137,155 * Ok, now try to solve this totally ugly situation...
*/ + #ifndef WIN32 if (ssl_ModConfig-nInitCount == 1) { ssl_init_SSLeay(s); ssl_pphrase_Handle(s, p); return; } if (ssl_ModConfig-nInitCount == 2) { ssl_init_SSLeay(s); } + #else /* WIN32 */ + ssl_init_SSLeay(s); + ssl_pphrase_Handle(s, p); + #endif /* !WIN32 */ /* * Warn the user that he should use the session cache.
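Review bot: in the new `#else /* WIN32 */` branch of the 137,155 hunk, `ssl_pphrase_Handle(s, p);` is called unconditionally, so every pass through the restart loop (every `apache.exe -k restart`) repeats the pass phrase handling in a master process that no longer has a terminal to read from; only `ssl_init_SSLeay(s);` needs to run on every pass for the reloaded DLL. Suggest keeping the pass phrase call under the existing `nInitCount == 1` test on both platforms and making only the SSLeay init unconditional for the shared-library case, which also removes the duplicated `nInitCount == 1` / `== 2` block inside the `#ifndef WIN32` half.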