Re: [Modules] mod_gnutls

2010-12-06 Thread Nikos Mavrogiannopoulos
That would be nice (If needed I could help with gnutls-related issues).

best regards,
Nikos

On 12/05/2010 05:19 PM, Paul Querna wrote:
> I was the original author, and am somewhat interested in taking up the
> task again.  If someone else has more time, that would be better, but
> otherwise I'm willing to take a few stabs at things to keep the module
> alive.
> 
> On Sun, Dec 5, 2010 at 7:57 AM, Nikos Mavrogiannopoulos  
> wrote:
>> It seems I have no longer the time to keep up working with mod_gnutls.
>> Unless someone else steps up as maintainer please consider this module
>> as unmaintained.
>>
>> regards,
>> Nikos
>> ___
>> Modules mailing list
>> Modules@lists.outoforder.cc
>> http://lists.outoforder.cc/mailman/listinfo/modules
>>



[Modules] mod_gnutls

2010-12-05 Thread Nikos Mavrogiannopoulos
It seems I have no longer the time to keep up working with mod_gnutls.
Unless someone else steps up as maintainer please consider this module
as unmaintained.

regards,
Nikos


Re: [Modules] Fwd: mod_gnutls

2010-11-23 Thread Nikos Mavrogiannopoulos
On Mon, Nov 22, 2010 at 8:35 PM, Max13  wrote:

> 34) Base64 decoding error. This certificate file is ok under normal mod_ssl.
> Can you give me some advice so that I can resolve this problem? Part of my
> apache conf:
>   LoadModule gnutls_module modules/mod_gnutls.so
>   #GnuTLSCache None "cbg.163.com xyq.cbg.163.com"
>   #GnuTLSCacheTimeout 500
>   NameVirtualHost
> Hello !
> Did you find a solution ?
> I have a similar problem:
> GnuTLS: Failed to Import Certificate '/etc/apache2/ssl/ispcp.crt': (-207)
> Base64 unexpected header error.

Use the latest gnutls 2.10.x or remove the stray spaces from the PEM headers.

regards,
Nikos
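The advice above is to strip stray spaces from the PEM armour lines, which older gnutls rejects with the -207 "Base64 unexpected header" error. The following is an added example, not code from mod_gnutls or gnutls: `pem_count_bad_headers` flags BEGIN/END lines with leading, trailing or pre-dash blanks, and `pem_normalize` rewrites them; the input fragment in the usage is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Returns 1 if the text at p starts a PEM armour line. */
static int is_armour(const char *p)
{
    return strncmp(p, "-----BEGIN ", 11) == 0 || strncmp(p, "-----END ", 9) == 0;
}

/* Count armour lines ("-----BEGIN ..." / "-----END ...") carrying stray
 * whitespace: leading blanks, blanks before the line break, or blanks between
 * the label and the closing dashes. Returns -1 when no armour line exists. */
int pem_count_bad_headers(const char *pem)
{
    int bad = 0, seen = 0;
    const char *line = pem;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *p = line, *end = line + len;
        int lead = 0, trail = 0, dashes_ok;

        while (p < end && (*p == ' ' || *p == '\t')) { p++; lead = 1; }
        if (is_armour(p)) {
            seen = 1;
            /* a CR from a DOS line ending is tolerated, blanks are not */
            while (end > p && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r')) {
                if (end[-1] != '\r') trail = 1;
                end--;
            }
            dashes_ok = end - p >= 6 && strncmp(end - 5, "-----", 5) == 0
                        && end[-6] != ' ' && end[-6] != '\t';
            if (lead || trail || !dashes_ok) bad++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return seen ? bad : -1;
}

/* Copy `in` to `out`, rewriting every armour line as "-----BEGIN LABEL-----"
 * or "-----END LABEL-----" with the blanks removed; body lines are copied
 * unchanged. Returns the bytes written (without the NUL), or -1 if `out`
 * is too small. */
long pem_normalize(const char *in, char *out, size_t outsz)
{
    size_t w = 0;
    const char *line = in;

    if (outsz == 0) return -1;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *p = line, *end = line + len, *src = line;
        size_t srclen = len;
        char buf[256];

        while (p < end && (*p == ' ' || *p == '\t')) p++;
        if (is_armour(p)) {
            const char *lab = p + (p[5] == 'B' ? 11 : 9);      /* first label char */
            const char *labend = lab;
            while (labend < end && *labend != '-') labend++;   /* label ends at dashes */
            while (labend > lab && (labend[-1] == ' ' || labend[-1] == '\t')) labend--;
            srclen = (size_t)(labend - p);
            if (srclen + 5 >= sizeof buf) return -1;
            memcpy(buf, p, srclen);
            memcpy(buf + srclen, "-----", 5);
            srclen += 5;
            src = buf;
        }
        if (w + srclen + 2 > outsz) return -1;
        memcpy(out + w, src, srclen);
        w += srclen;
        out[w++] = '\n';
        if (!eol) break;
        line = eol + 1;
    }
    out[w] = '\0';
    return (long)w;
}
```

Run the normalizer over a certificate file before handing it to mod_gnutls when upgrading gnutls is not an option; a count of 0 afterwards means the armour lines are clean.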


Re: [Modules] mod_gnutls: does gnutls_allocate_* the counterpart gnutls_free_*

2010-11-22 Thread Nikos Mavrogiannopoulos
On Sun, Nov 21, 2010 at 5:24 PM, Hardy Griech  wrote:
> Hi Nikos,
>
> I've added code to mod_gnutls where gnutls_init() and gnutls_deinit()
> are called.  The result is that gnutls_deinit() is called only in some rare
> cases.
[...]
> I'm wondering which hook is actually called on termination of a connection?

I'll try to check it soon.

regards,
Nikos


Re: [Modules] mod_gnutls: does gnutls_allocate_* the counterpart gnutls_free_*

2010-11-19 Thread Nikos Mavrogiannopoulos
On Fri, Nov 19, 2010 at 12:41 AM, George J. Walsh  wrote:

> After resolving the permissions problem experienced with gnutls_cache, I
> started testing more thoroughly this morning. All was quiet until the
> first time the browser was addressed to https. The correct page was
> displayed but cpu utilization climbed to 100%. Surprisingly, at least to
> me, when the httpd service was stopped, cpu usage fell, but only to 50%.

Which process was having 50% load?

> This test failed in the same way across 4 different users. Normal usage

What do you mean by that?

> Kind of more a flood than a leak???
> Anything I can do to help you resolve this?

It looks unrelated to the other issue. Try to find out which configuration
option causes this problem (and whether it is apache that has the
high load). Is it the cache option that caused the CPU load to climb?
Just try to make it reproducible and tell me how to reproduce it.

regards,
Nikos


Re: [Modules] mod_gnutls: does gnutls_allocate_* the counterpart gnutls_free_*

2010-11-18 Thread Nikos Mavrogiannopoulos
On 11/18/2010 10:20 PM, Hardy Griech wrote:
> On 18.11.2010 10:45, Nikos Mavrogiannopoulos wrote:
> :
>> Can you use valgrind to trace the leak?
> valgrind shows as the main leak:
> 
> ==23601== 19,733,881 (2,399,856 direct, 17,334,025 indirect) bytes in 
> 692 blocks are definitely lost in loss record 1,743 of 1,743
> ==23601==at 0x482328F: calloc (vg_replace_malloc.c:467)
> ==23601==by 0x4F1D13D: gnutls_init (in /usr/lib/libgnutls.so.26.16.10)
> ==23601==by 0x4ED44A0: mgs_hook_pre_connection (gnutls_hooks.c:711)
> ==23601==by 0x148E3F: ap_run_pre_connection (in 
> /usr/lib/apache2/mpm-prefork/apache2)
> ==23601==by 0x148E93: ap_process_connection (in 
> /usr/lib/apache2/mpm-prefork/apache2)
> ==23601==by 0x159189: ??? (in /usr/lib/apache2/mpm-prefork/apache2)
> ==23601==by 0x1594C0: ??? (in /usr/lib/apache2/mpm-prefork/apache2)
> ==23601==by 0x159C4E: ap_mpm_run (in 
> /usr/lib/apache2/mpm-prefork/apache2)
> ==23601==by 0x12AFA1: main (in /usr/lib/apache2/mpm-prefork/apache2)
> Does that help?

Pretty strange... It does mean that gnutls_deinit isn't called. Are you
sure it is the reason for the leak? I mean, do you really see it
being leaked as many times as the connections you have?

regards,
Nikos


Re: [Modules] mod_gnutls: does gnutls_allocate_* the counterpart gnutls_free_*

2010-11-18 Thread Nikos Mavrogiannopoulos
On Wed, Nov 17, 2010 at 8:47 PM, Hardy Griech  wrote:
> Hi (Nikos),
> after extending mod_gnutls to allow TLS-PSK and some testing, I'm
> wondering if all the gnutls_allocate_* need a gnutls_free_* to avoid
> memory leaks.

They do, but I think that the _allocate_ functions are in a global state,
and thus require freeing when apache exits.

> Actually there must be a leak in mod_gnutls, because my test client
> which continuously connects / transfers / disconnects makes my server
> (with mod_gnutls) consume more and more memory.

Can you use valgrind to trace the leak?

regards,
Nikos


Re: [Modules] mod_gnutls: any chance for TLS-PSK (previous msg was wrong!)

2010-11-17 Thread Nikos Mavrogiannopoulos
On Wed, Nov 17, 2010 at 11:12 AM, Hardy Griech  wrote:

> I admit, I'm confused...
> I've tested two mod_gnutls setups:  one with RSA key exchange, the other
> with PSK.  Test client for both cases is gnutls-cli.  Command lines are
> gnutls-cli --x509cafile ~/ssl/demoCA/cacert.pem --x509keyfile
> ~/ssl/client_key.pem --x509certfile ~/ssl/client_cert.pem --port 443
> --insecure qnap110.fritz.box --debug 11
[...]
> Both connections return the expected http, and _both_ end with a fatal
> error:
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Server has terminated the connection abnormally.

Ah ok, the fatal error you see is because apache terminates the
connection without exchanging the TLS closure alerts. I don't think
this is possible to fix. It's not that serious.

regards,
Nikos


Re: [Modules] mod_gnutls

2010-11-16 Thread Nikos Mavrogiannopoulos
On 11/16/2010 01:39 AM, George J. Walsh wrote:
> We are in the process of adding gnutls functions to our apache httpd
> server.
> 
> The server is running Mandriva cooker (2011.0) with kernel
> 2.6.36-server.
> 
> Apache is at rev 2.2.17
> mod_gnutls is at rev 0.5.9
> 
> We have encountered a problem with the config file for mod_gnutls.
> It includes the statement: 
> 'GnuTLSCache dbm conf/mod_gnutls/gnutls_cache'.
> When httpd service is started, it fails with the following logged error:
> [Mon Nov 08 15:52:17 2010] [error] (20019)DSO load failed: GnuTLS:
> Cannot
> create DBM Cache at `/etc/httpd/conf/mod_gnutls/gnutls_cache'
> (20019)DSO load failed: GnuTLS: Post Config for GnuTLSCache Failed.
> Shutting

That's pretty strange. Is /etc/httpd/conf/mod_gnutls/ a directory
writable by apache?

> I gave some thought to changing dbm to memcached in the interim, but
> GnuTLSCache still wants a path. Then I attempted to turn things off (ie:
> none) but again it wants a second argument???

I'll see to fixing the issue with "none", but to disable it you can just
comment it out. Why doesn't memcached work for you? (It requires
mod_gnutls to be built with memcached support.)

If caching is an issue, due to space, you can also disable server-side
caching and enable GnuTLSSessionTickets to use the client as a "caching"
place.

regards,
Nikos



Re: [Modules] mod_gnutls: any chance for TLS-PSK

2010-11-13 Thread Nikos Mavrogiannopoulos
On 11/13/2010 10:00 PM, Hardy Griech wrote:
> Hi (Nikos),
> 
> any chance that TLS-PSK will be implemented?  If not, what is the 
> estimated effort for implementing it?

It's not in my plans, but it's pretty easy to add. If you want password
authentication, mod_gnutls has the SRP ciphersuites as well. Or is there
another use-case that requires PSK?

regards,
Nikos


Re: [Modules] mod_gnutls incorrect cert issued by server

2010-10-25 Thread Nikos Mavrogiannopoulos
On 10/25/2010 08:40 PM, Wayne Connolly wrote:
> Hi Nico,
> 
> Thanks for the reply.
> I am using the version in the 9.10 apt-repository which is
> libapache2-mod-gnutls 0.5.5-1 install ok installed
> I can't compile the latest no matter what I try.
> (checking for apxs... /usr/local/apache2/bin/apxs
> checking for Apache 2.0 version >= 2.0.40... *** Could not run Apache test
> program, checking why...
> *** The test program failed to compile or link. Check config.log
> no
> configure: error: *** Apache version 2.0.40 not found!
> )
> 
> ### That is wrong as I have told it where apxs is via
> ./configure --prefix=/usr --with-apxs=/usr/local/apache2/bin/apxs
> --with-libgnutls=/usr

Try:
./configure --with-apxs=/usr/bin/apxs2


regards,
Nikos


Re: [Modules] mod_gnutls incorrect cert issued by server

2010-10-25 Thread Nikos Mavrogiannopoulos
On Mon, Oct 25, 2010 at 9:22 AM, Wayne Connolly
 wrote:

> I just tried out mod-gnutls in apache 2.2.12 ubuntu 9.10 because mod-ssl is
> not an option (no TLS compiled into our version and no way to get it...)
> All went perfect with the exception that one of the https sites always shows
> up the wrong cert.
> Each 443 vhost is in its very own vhost file because having 'ServerAlias' in
> the 443 section failed to recognise the ServerAlias correctly. This is good
> practice anyway.
[...]
> Before you ask - all cert/docroots/domains have been triple checked by
> others and are correct. Why would the order change do this? Any tips?

I suppose you use the latest mod_gnutls. Could you try enabling
debugging in mod_gnutls? (Set MOD_GNUTLS_DEBUG to 1 in mod_gnutls.h
before compiling.) The output will be placed in your /tmp.

regards,
Nikos


Re: [Modules] mod_gnutls serving only 1 certificate?

2010-10-07 Thread Nikos Mavrogiannopoulos
On 10/05/2010 06:00 PM, Jonathan Richard wrote:
> Hi
> 
> I am trying to configure apache2 with gnutls so I can have 2 SSL secured
> virtual hosts (domains) using only 1 IP address.
[...]
> Everything seems to work fine, the domain maps to the proper web sites but
> for some reason only one certificate is used, i.e. if I hit
> test1.dyndns.org in firefox and display certificate information, the
> provided certificate is the one configured in test2.dnsdns.info. In short,
> it seems like apache2 serves only 1 certificate no matter which domain name
> is served.

In order for multiple domain names to work you need to have a browser
that supports SNI. If you verified that this is the case, then check
the configuration examples in the site.

regards,
Nikos


Re: [Modules] mod_gnutls 0.5.9

2010-09-27 Thread Nikos Mavrogiannopoulos
On Mon, Sep 27, 2010 at 6:18 AM, Hardy Griech  wrote:
>> Many thanks to Hardy Griech for his investigation on the issues.
> many thanks to Nikos Mavrogiannopoulos for his responsiveness and
> mod_gnutls at all.
> BTW: what is missing for mod_gnutls 1.0.0?

Hi,
 I want first to close all open issues with the current releases (I'm
quite close to that). Another reason is that I'm expecting the release
of gnutls 2.12.0 which will have quite some performance difference
compared to 2.10.x due to the move to libnettle as a crypto backend.
You can sneak preview it using the development releases such as 2.11.3,
although I wouldn't recommend it on production servers.

best regards,
Nikos


[Modules] mod_gnutls 0.5.9

2010-09-24 Thread Nikos Mavrogiannopoulos
Hello,
 I've just released version 0.5.9 of mod_gnutls. It is a bugfix release
and is available from http://www.outoforder.cc/projects/apache/mod_gnutls/

Many thanks to Hardy Griech for his investigation on the issues.

regards,
Nikos


** Version 0.5.9 (2010-09-24)
- Corrected behavior in Keep-Alive connections (do not
  terminate the connection prematurely)

- The GnuTLSCache variable now can be given the specific
  option "gdbm" instead of "dbm". "dbm" will use the berkeley
  db type of libapr while gdbm will force gdbm to be used.
  sdbm is no longer being used due to serious limitations.


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-23 Thread Nikos Mavrogiannopoulos
On Thu, Sep 23, 2010 at 1:42 PM, Hardy Griech  wrote:
>> "too long" is in this case 1008 (for the sake of perl apr_sdbm_t
>> compatibility).  In my case len(key+val) is 1116...
> Setup of PAIRMAX to 1008 is approx. 9 years old.  So I guess you have a
> custom built apr-util, a very old apr-util or your certificate
> information stored in the DB is short (I'm using RSA1024/SHA1/AES128).

Probably I was just lucky and my data fitted there. Indeed 1008 (why
1008?) is too short, and inappropriate for mod_gnutls.

regards,
Nikos


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-23 Thread Nikos Mavrogiannopoulos
On 09/23/2010 11:22 AM, Hardy Griech wrote:
> On 22.09.2010 22:48, Nikos Mavrogiannopoulos wrote:
>> On 09/22/2010 10:13 PM, Hardy Griech wrote:
> :
>>> Both "DB" and "DEFAULT" generate a file with '/tmp-ram/gnutls: Berkeley
>>> DB (Hash, version 9, native byte-order)'
>>
>> Does the DB have problems with many connections (e.g. when using siege
>> on the webserver)?. I had issues with that and that's why I made sdbm
>> the default.
> :
> 
> Ouch, it seems that - even without GnuTLSCache configured - siege has 
> or generates errors:
> [Thu Sep 23 11:07:56 2010] [error] [client 127.0.0.1] GnuTLS: Handshake 
> Failed (-9) 'A TLS packet with unexpected length was received.'
> And that's with '-c1'!  With '-c2' it is looking worse:

Don't worry about those errors. Siege interrupts the handshake
abnormally and that's why mod_gnutls is complaining. I should lower the
level of those errors. The errors I was seeing were about the (berkeley)
DB not being able to store more sessions. Anyway I've made it
configurable to select either the default (with the dbm option) or sdbm if
sdbm is specified instead in the GnuTLSCache directive.

> Do you know about any other https stresser?
Not really.

>> I have libapr 1.3.8 and this could be the issue. Maybe something was
>> introduced in libapr that causes that issue in apr_dbm. It seems I
>> should allow flexibility on using the various DBs.
> The apr_dbm is in apr-util.  My libaprutil1 is at 1.3.9, so not so far 
> away from yours.

I have the same version of aprutil...


regards,
Nikos


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-22 Thread Nikos Mavrogiannopoulos
On 09/22/2010 10:13 PM, Hardy Griech wrote:

>> error you get is quite strange since the database is created and can be
>> opened but apr_dbm cannot write to it. I cannot reproduce this
>> problem so any help from you is welcome. Do other database types such as
>> "db", "gdbm" or "default" work better in your system? (just replace SDBM
>> with those in the ODB define).
> 
> - "DB" works
> - "GDBM" says
>[Wed Sep 22 21:56:28 2010] [error] (20019)DSO load failed: GnuTLS: 
> Cannot create DBM Cache at `/tmp-ram/gnutls'
>(20019)DSO load failed: GnuTLS: Post Config for GnuTLSCache Failed. 
> Shutting Down.
>and stops apache
> - "DEFAULT" works
> 
> Both "DB" and "DEFAULT" generate a file with '/tmp-ram/gnutls: Berkeley 
> DB (Hash, version 9, native byte-order)'

Does the DB have problems with many connections (e.g. when using siege
on the webserver)? I had issues with that and that's why I made sdbm
the default.

> Anything else I could do?

I have libapr 1.3.8 and this could be the issue. Maybe something was
introduced in libapr that causes that issue in apr_dbm. It seems I
should allow flexibility on using the various DBs.

regards,
Nikos


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-22 Thread Nikos Mavrogiannopoulos
On 09/22/2010 08:16 PM, Hardy Griech wrote:

> Output is now as follows:
> 
> [Wed Sep 22 20:06:00 2010] [notice] Apache/2.2.16 (Debian) DAV/2 
> mod_gnutls/0.5.8 configured -- resuming normal operations
> [Wed Sep 22 20:06:00 2010] [info] Server built: Aug 29 2010 14:59:54
> [Wed Sep 22 20:06:00 2010] [debug] worker.c(1757): AcceptMutex: sysvsem 
> (default: sysvsem)
> [Wed Sep 22 20:06:13 2010] [debug] gnutls_cache.c(355): [gnutls_cache] 
> Cleaned up cache '/tmp-ram/gnutls'. Deleted 0 and left 0
> [Wed Sep 22 20:06:13 2010] [debug] gnutls_cache.c(465): (22)Invalid 
> argument: [gnutls_cache] error storing in cache '/tmp-ram/gnutls': 
> Invalid argument

Which version of apache and libapr do you use? Is it a custom build? The
error you get is quite strange since the database is created and can be
opened but apr_dbm cannot write to it. I cannot reproduce this
problem so any help from you is welcome. Do other database types such as
"db", "gdbm" or "default" work better in your system? (Just replace SDBM
with those in the ODB define.)


> PS: "GnuTLSCache none" does not work either:
[...]
> Ah, I see in gnutls_config.c: only dbm and memcache are allowed.  Is
> this a documentation flaw?

Thanks, not really, so I've fixed it. Anyway, to disable the cache you can
leave this line out completely.


regards,
Nikos


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-22 Thread Nikos Mavrogiannopoulos
On 09/22/2010 09:11 AM, Hardy Griech wrote:
> On 22.09.2010 08:56, Nikos Mavrogiannopoulos wrote:
> :
>>> GnuTLSCache is pointing to a file in a writable directory
>>> (/tmp-ram/gnutls), but: there are only gnutls.dir and gnutls.pag
>>> contained in that directory, no gnutls without extension.
>>
>> This sounds normal. The db backend does use those files. Could you try
>> deleting them and restarting? Do you get the same error? Which version
>> of mod_gnutls do you use?
[...]
> [Wed Sep 22 09:08:12 2010] [debug] gnutls_cache.c(355): [gnutls_cache] 
> Cleaned up cache '/tmp-ram/gnutls'. Deleted 0 and left 0
> [Wed Sep 22 09:08:12 2010] [debug] gnutls_cache.c(461): (22)Invalid 
> argument: [gnutls_cache] error storing in cache '/tmp-ram/gnutls'

That's strange. What is the output with the patch (prints the DB
internal error as well)?


regards,
Nikos



diff --git a/configure.ac b/configure.ac
index 90f4ab6..6b81ded 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 dnl 
-AC_INIT(mod_gnutls, 0.5.8)
+AC_INIT(mod_gnutls, 0.5.9)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
 AC_PREREQ(2.53)
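Review bot: the version bump to 0.5.9 in configure.ac is unrelated to the cache diagnostic in the next hunk; keeping release-number changes in their own commit would let the diagnostic be applied on its own to the 0.5.8 installation being debugged in this thread.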
diff --git a/src/gnutls_cache.c b/src/gnutls_cache.c
index 3ca8cb5..2653b4e 100644
--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -456,12 +456,15 @@ static int dbm_cache_store(void* baton, gnutls_datum_t 
key,
 }
 
 rv = apr_dbm_store(dbm, dbmkey, dbmval);
-
 if (rv != APR_SUCCESS) {
+char err[128], *p;
+
+p = apr_dbm_geterror(dbm, NULL, err, sizeof(err));
+
 ap_log_error(APLOG_MARK, APLOG_DEBUG, rv,
  ctxt->c->base_server,
- "[gnutls_cache] error storing in cache '%s'",
- ctxt->sc->cache_config);
+ "[gnutls_cache] error storing in cache '%s': %s",
+ ctxt->sc->cache_config, p!=NULL?p:"unknown error");
 apr_dbm_close(dbm);
 apr_pool_destroy(spool);
 return -1;
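Review bot: the enriched message is still logged at APLOG_DEBUG, so with a default LogLevel a store failure that silently disables session resumption stays invisible; this branch deserves APLOG_WARNING or higher now that it explains itself. If `apr_dbm_geterror` returns the `err` buffer it is handed (which is what passing `err, sizeof(err)` suggests), the `p!=NULL` test never trips; the case worth guarding is an empty message, e.g. `p[0] != '\0' ? p : "unknown error"`, otherwise the log line ends in a bare `': `. Spacing around `!=` and `?:` also differs from the surrounding code.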


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-21 Thread Nikos Mavrogiannopoulos
On 09/22/2010 08:49 AM, Hardy Griech wrote:

>>> [Wed Sep 22 07:13:59 2010] [debug] gnutls_cache.c(461): (22)Invalid
>>> argument: [gnutls_cache] error storing in cache
>>> '/var/cache/apache2/gnutls_cache'
>>
>> This isn't really relevant. Is the argument a directory? It should be a
>> file in a writable directory.
> 
> GnuTLSCache is pointing to a file in a writable directory 
> (/tmp-ram/gnutls), but: there are only gnutls.dir and gnutls.pag 
> contained in that directory, no gnutls without extension.

This sounds normal. The db backend does use those files. Could you try
deleting them and restarting? Do you get the same error? Which version
of mod_gnutls do you use?

>> Could you check the attached patch? Does it fix your issue?
> Great, now the keep-alive seems to work!  The client makes three 
> successful http requests, gets the responses and the last request 
> (Connection: close) closes the connection as intended.

Thanks. It seems a 0.5.9 release is imminent.

regards,
Nikos


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-21 Thread Nikos Mavrogiannopoulos
On 09/22/2010 07:15 AM, Hardy Griech wrote:

> :
>> Why wouldn't it be? Did you notice any issues? mod_gnutls only offers
>> the secure layer. The HTTP is still handled by apache thus anything that
>> worked without mod_gnutls should work with it.
> :
> 
> Perhaps this is the problem (from error.log):
> 
> [Wed Sep 22 07:13:59 2010] [debug] gnutls_cache.c(461): (22)Invalid 
> argument: [gnutls_cache] error storing in cache 
> '/var/cache/apache2/gnutls_cache'

This isn't really relevant. Is the argument a directory? It should be a
file in a writable directory.

> What is wrong there?

Could you check the attached patch? Does it fix your issue?

regards,
Nikos
diff --git a/src/gnutls_io.c b/src/gnutls_io.c
index ba03fce..6db2b28 100644
--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -555,15 +555,7 @@ apr_status_t mgs_filter_output(ap_filter_t * f,
 while (!APR_BRIGADE_EMPTY(bb)) {
 apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
 
-if (AP_BUCKET_IS_EOC(bucket) || APR_BUCKET_IS_EOS(bucket)) {
-apr_bucket_brigade * tmpb;
-
-if (APR_BUCKET_IS_EOS(bucket)) {
-tmpb = bb;
-} else {
-tmpb = ctxt->output_bb;
-}
-
+if (AP_BUCKET_IS_EOC(bucket)) {
 if (ctxt->session != NULL) {
 do {
 ret = gnutls_bye( ctxt->session, GNUTLS_SHUT_WR);
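Review bot: the new condition silently drops EOS from the close path without saying why; add a comment at the `if (AP_BUCKET_IS_EOC(bucket))` line stating that an EOS bucket only ends one HTTP response and that `gnutls_bye` (close_notify) has to wait for the EOC bucket, otherwise the next reader may restore the EOS case and break keep-alive again.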
@@ -573,7 +565,7 @@ apr_status_t mgs_filter_output(ap_filter_t * f,
 apr_bucket_copy(bucket, &e);
 APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, e);
  
-if ((status = ap_pass_brigade(f->next, tmpb)) != APR_SUCCESS) {
+if ((status = ap_pass_brigade(f->next, ctxt->output_bb)) != 
APR_SUCCESS) {
 apr_brigade_cleanup(ctxt->output_bb);
 return status;
 }
@@ -584,7 +576,7 @@ apr_status_t mgs_filter_output(ap_filter_t * f,
 ctxt->session = NULL;
 }
 continue;
-} else if (APR_BUCKET_IS_FLUSH(bucket)) {
+} else if (APR_BUCKET_IS_FLUSH(bucket) || APR_BUCKET_IS_EOS(bucket)) {
 
 apr_bucket_copy(bucket, &e);
 APR_BRIGADE_INSERT_TAIL(ctxt->output_bb, e);


Re: [Modules] [mod_gnutls] Keep-Alive possible?

2010-09-21 Thread Nikos Mavrogiannopoulos
On 09/21/2010 08:55 PM, Hardy Griech wrote:
> Hi,
> 
> I'm trying to configure mod_gnutls/apache to allow keep-alive 
> connections, i.e. allow multiple http requests through a single connection.
> 
> Is this actually possible with mod_gnutls?

Why wouldn't it be? Did you notice any issues? mod_gnutls only offers
the secure layer. The HTTP is still handled by apache thus anything that
worked without mod_gnutls should work with it.

regards,
Nikos


Re: [Modules] About mod_gnutls on 64-bits AIX 5.3 or 6.1

2010-09-12 Thread Nikos Mavrogiannopoulos
Could you use the gdb on gnutls-cli program? By the way which version of
mod_gnutls do you use? Is it the latest?

regards,
Nikos


On 09/11/2010 03:54 PM, 俞黎敏 wrote:

> GNU gdb 6.8
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "powerpc-ibm-aix5.1.0.0".
> (gdb) file /usr/local/apache2/bin/httpd
> Reading symbols from /usr/local/apache2/bin/httpd...done.
> (gdb) run
> Starting program: /usr/local/apache2/bin/httpd
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0xd3386fe8 in ap_hook_pre_connection () at connection.c:44
> 44  AP_IMPLEMENT_HOOK_RUN_ALL(int,pre_connection,(conn_rec *c,
> void *csd),(c, csd),OK,DECLINED)
> (gdb) run
> The program being debugged has been started already.
> Start it from the beginning? (y or n) y
> Starting program: /usr/local/apache2/bin/httpd
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0xd3386fe8 in ap_hook_pre_connection () at connection.c:44
> 44  AP_IMPLEMENT_HOOK_RUN_ALL(int,pre_connection,(conn_rec *c,
> void *csd),(c, csd),OK,DECLINED)
> (gdb) break 44
> Breakpoint 1 at 0x10033684: file connection.c, line 44. (3 locations)
> (gdb) run
> The program being debugged has been started already.
> Start it from the beginning? (y or n) y
> Starting program: /usr/local/apache2/bin/httpd
> 
> Breakpoint 1, ap_hook_pre_connection (p...@0x20017e60: 0x20015e50,
> aszPre=0x20015ed0, aszSucc=0x20002190, nOrder=268864752) at
> connection.c:44
> 44  AP_IMPLEMENT_HOOK_RUN_ALL(int,pre_connection,(conn_rec *c,
> void *csd),(c, csd),OK,DECLINED)
> (gdb) step
> apr_array_make (p=0x200053b8, nelts=1, elt_size=20) at apr_tables.c:82
> 82  apr_tables.c: No such file or directory.
> in apr_tables.c
> 
> I am not familiar with gdb, here is some debug info, I will do some
> homework on gdb first.
> 
> Any suggestions are welcomed.
> 
> On 11 September 2010 at 1:12 PM, Nikos Mavrogiannopoulos wrote:
>> On 09/11/2010 05:33 AM, 俞黎敏 wrote:
>>> [r...@p520a:/ibm/YuLimin/Tools/gnutls-2.10.1]# echo $LDFLAGS
>>> -lgcrypt -lz
>>>
>>> then ./configure, at the end of it, I found static is no: Library
>>> types:Shared=yes, Static=no
>>
>> Something is wrong there. You might want to use gdb to see why it is
>> crashing, or valgrind.
>>



Re: [Modules] About mod_gnutls on 64-bits AIX 5.3 or 6.1

2010-09-10 Thread Nikos Mavrogiannopoulos
On 09/11/2010 05:33 AM, 俞黎敏 wrote:
> [r...@p520a:/ibm/YuLimin/Tools/gnutls-2.10.1]# echo $LDFLAGS
> -lgcrypt -lz
> 
> then ./configure, at the end of it, I found static is no: Library
> types:Shared=yes, Static=no

Something is wrong there. You might want to use gdb to see why it is
crashing, or valgrind.


Re: [Modules] About mod_gnutls on 64-bits AIX 5.3 or 6.1

2010-09-10 Thread Nikos Mavrogiannopoulos
On 09/10/2010 05:25 PM, 俞黎敏 wrote:
> and make check of gnutls-2.10.1 causes errors like these

Add -lz to LDFLAGS. It seems only static libraries are available on AIX?

regards,
Nikos


Re: [Modules] About mod_gnutls on 64-bits AIX 5.3 or 6.1

2010-09-10 Thread Nikos Mavrogiannopoulos
On 09/10/2010 03:54 PM, 俞黎敏 wrote:
> I got many errors like this message when I run make check under libgcrypt:
> exec(): 0509-036 Cannot load program

I don't know about the checks of libgcrypt, they might not operate
correctly. What about the checks in gnutls?

regards,
Nikos


Re: [Modules] Wrong Certificate is chosen

2010-08-19 Thread Nikos Mavrogiannopoulos
Depends on the versions you used. However if the browsers support SNI
and you still have the issue then there must be a problem in your
configuration.
Check the documentation and examples for more information:
http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#example

regards,
Nikos

On Thu, Aug 19, 2010 at 1:41 PM,   wrote:
> Hi,
>
> I think Chrome and Firefox should support SNI?
>
> I tested it with these two browsers.
>
> greets
>
>
>  Original message 
>> Date: Thu, 19 Aug 2010 03:23:49 +0200
>> From: Nikos Mavrogiannopoulos 
>> To: Top44 
>> CC: modules@lists.outoforder.cc
>> Subject: Re: [Modules] Wrong Certificate is chosen
>
>> On 08/18/2010 09:18 PM, Top44 wrote:
>> > Hi guys,
>> >
>> > I noticed on my test setup that the second virtualhost chooses the
>> > certificate file from the first virtualhost.
>> > Has any of you had a problem that sounds like this, and does someone have
>> > a fix for it?
>>
>> You have to use a browser that supports SNI. Most modern browsers do.
>>
>> regards,
>> Nikos
>
> --
> Kind regards
>
> Top44
>
>


Re: [Modules] Wrong Certificate is chosen

2010-08-18 Thread Nikos Mavrogiannopoulos
On 08/18/2010 09:18 PM, Top44 wrote:
> Hi guys,
> 
> I noticed on my test setup that the second virtualhost chooses the 
> certificate file from the first virtualhost.
> Has any of you had a problem that sounds like this, and does someone have 
> a fix for it?

You have to use a browser that supports SNI. Most modern browsers do.

regards,
Nikos
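This thread and the "serving only 1 certificate" thread above both come down to whether the client actually sends SNI, which is what the replies ask the reporters to verify. The following added example (not mod_gnutls or gnutls code) parses a captured TLS ClientHello record and returns the host_name from its server_name extension, so an SNI-less browser can be told apart from a vhost misconfiguration; `clienthello_sni` and the constructed hello produced by `build_clienthello` are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Parse one TLS record holding a ClientHello and copy the host_name of its
 * server_name extension (RFC 6066) into `out`. Returns the name length,
 * 0 when the hello carries no SNI (the SNI-less browser case), or -1 when
 * the bytes are not a well-formed ClientHello. Assumes the whole
 * ClientHello fits in a single record. */
int clienthello_sni(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    size_t pos, hs_len, ext_end;

    if (len < 5 || buf[0] != 0x16) return -1;          /* record type: handshake */
    if (be16(buf + 3) + 5 > len) return -1;
    len = be16(buf + 3) + 5;
    pos = 5;
    if (pos + 4 > len || buf[pos] != 0x01) return -1;  /* handshake type: client_hello */
    hs_len = ((size_t)buf[pos + 1] << 16) | be16(buf + pos + 2);
    pos += 4;
    if (pos + hs_len > len) return -1;
    len = pos + hs_len;

    if (pos + 34 > len) return -1;                     /* client_version + random */
    pos += 34;
    if (pos + 1 > len) return -1;                      /* session_id<0..32> */
    pos += 1 + buf[pos];
    if (pos + 2 > len) return -1;                      /* cipher_suites<2..2^16-2> */
    pos += 2 + be16(buf + pos);
    if (pos + 1 > len) return -1;                      /* compression_methods<1..2^8-1> */
    pos += 1 + buf[pos];

    if (pos == len) return 0;                          /* no extensions block at all */
    if (pos + 2 > len) return -1;
    ext_end = pos + 2 + be16(buf + pos);
    pos += 2;
    if (ext_end > len) return -1;

    while (pos + 4 <= ext_end) {
        size_t type = be16(buf + pos), elen = be16(buf + pos + 2), p, end;
        pos += 4;
        if (pos + elen > ext_end) return -1;
        if (type != 0x0000) { pos += elen; continue; }  /* not server_name */

        end = pos + elen;
        p = pos;
        if (p + 2 > end || p + 2 + be16(buf + p) > end) return -1;
        p += 2;                                        /* ServerNameList length */
        while (p + 3 <= end) {
            uint8_t ntype = buf[p];
            size_t nlen = be16(buf + p + 1);
            p += 3;
            if (p + nlen > end) return -1;
            if (ntype == 0) {                          /* NameType host_name */
                if (nlen + 1 > outsz) return -1;
                memcpy(out, buf + p, nlen);
                out[nlen] = '\0';
                return (int)nlen;
            }
            p += nlen;
        }
        return 0;                                      /* extension present, no host_name */
    }
    return 0;
}

/* Build a minimal, constructed TLS 1.0 ClientHello (not a capture) offering
 * one cipher suite and carrying `host` as SNI, or no extension block when
 * host is NULL. Returns the bytes written, or 0 if buf is too small. */
size_t build_clienthello(const char *host, uint8_t *buf, size_t bufsz)
{
    size_t hlen = host ? strlen(host) : 0;
    size_t ext = host ? 9 + hlen : 0;                  /* ext hdr(4) + list len(2) + name hdr(3) + name */
    size_t body = 41 + (host ? 2 + ext : 0);           /* version, random, sid, suites, compression */
    uint8_t *p = buf;

    if (5 + 4 + body > bufsz) return 0;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;             /* record: handshake, TLS 1.0 */
    *p++ = (uint8_t)((body + 4) >> 8); *p++ = (uint8_t)(body + 4);
    *p++ = 0x01; *p++ = 0; *p++ = (uint8_t)(body >> 8); *p++ = (uint8_t)body;
    *p++ = 0x03; *p++ = 0x01;                          /* client_version */
    memset(p, 0x42, 32); p += 32;                      /* random (constructed, fixed bytes) */
    *p++ = 0;                                          /* empty session_id */
    *p++ = 0; *p++ = 2; *p++ = 0x00; *p++ = 0x2f;      /* TLS_RSA_WITH_AES_128_CBC_SHA */
    *p++ = 1; *p++ = 0;                                /* compression: null only */
    if (host) {
        *p++ = (uint8_t)(ext >> 8); *p++ = (uint8_t)ext;
        *p++ = 0; *p++ = 0;                            /* extension type server_name */
        *p++ = (uint8_t)((hlen + 5) >> 8); *p++ = (uint8_t)(hlen + 5);
        *p++ = (uint8_t)((hlen + 3) >> 8); *p++ = (uint8_t)(hlen + 3);
        *p++ = 0;                                      /* NameType host_name */
        *p++ = (uint8_t)(hlen >> 8); *p++ = (uint8_t)hlen;
        memcpy(p, host, hlen); p += hlen;
    }
    return (size_t)(p - buf);
}
```

Feed the first record of a captured client connection to `clienthello_sni`: a 0 result means the browser never named the host, so the server can only answer with its default certificate, exactly the symptom in both threads.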


[Modules] mod gnutls 0.5.8

2010-08-18 Thread Nikos Mavrogiannopoulos
Hello,
 I've just released mod_gnutls 0.5.8. The changes since 0.5.7 are:

- Session tickets are enabled by default.

- Fixes some segmentation faults noticed in some
  configurations.


regards,
Nikos


Re: [Modules] Segmentation Fault with mod_gnutls

2010-08-17 Thread Nikos Mavrogiannopoulos
On 08/11/2010 06:27 AM, Jeff Williams wrote:
> Current Setup:
> FreeBSD 6.2 release
> Apache 2.2.16
> gnutls 2.10.1
> mod_gnutls 0.5.7
> 
> Configuration/Installation is just fine however whenever a user accesses a 
> page via https (443), all child processes for apache seg fault.

Hi,
 Could you check the patch in
http://issues.outoforder.cc/file_download.php?file_id=54&type=bug .

It might be similar to:
http://issues.outoforder.cc/view.php?id=106

regards,
Nikos


Re: [Modules] mod_gnutls and domains without its settings

2010-08-05 Thread Nikos Mavrogiannopoulos
If I understand correctly you want to redirect https requests to http
if the virtual host doesn't exist. You cannot do that, or more
precisely you cannot do that before the user is presented with a
certificate. Once the server knows that a virtual host doesn't exist
the TLS connection has started, and thus will be completed using the
default first certificate. The best thing you could do is to reject
those clients completely (by having a default site that doesn't support
any ciphersuites), or by redirecting after the handshake has been
completed and the client has been presented with the default
certificate.

regards,
Nikos

On Thu, Aug 5, 2010 at 2:53 PM, Davide Mirtillo  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 04/08/2010 12:20, Nikos Mavrogiannopoulos wrote:
>> On Wed, Aug 4, 2010 at 11:29 AM, Davide Mirtillo  wrote:
>>
>>> Replacing _default_ with the network ip seems to work, but with both
>>> your rewrite rule and mine i am now getting this error from the browser:
>>> ssl_error_rx_record_too_long
>>
>> Most probably you didn't enable TLS for this host. You can verify that
>> by connecting with normal HTTP url.
>
> That's correct, i did not add any virtual host for port 443, but that
> was kind of the issue i am having, meaning that i'm trying to create a
> default config to be used whenever the websites have no SSL virtual host
> defined, ie redirect them to plain http.
>
> That configuration which was giving me the error above (the one that
> uses IP:443 as VirtualHost) is also breaking the virtual hosts of the
> sites i put the correct certificates in.
>
> - --
> Davide Mirtillo
> EV Network, Via Emilio Salgari 14/e
> 31056 Roncade (TV), Italy
> Phone/Fax +390422798184 VAT IT02443090267
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkxatDkACgkQKhoNWaTioeayBgCgn+02V03jEb45i4uEDYn2Ao9Z
> ya8AnA77r54EYfu/tbzQc+HOq84ntrbI
> =+Anf
> -END PGP SIGNATURE-
>


Re: [Modules] mod_gnutls and domains without its settings

2010-08-04 Thread Nikos Mavrogiannopoulos
On Wed, Aug 4, 2010 at 11:29 AM, Davide Mirtillo  wrote:

> Replacing _default_ with the network ip seems to work, but with both
> your rewrite rule and mine i am now getting this error from the browser:
> ssl_error_rx_record_too_long

Most probably you didn't enable TLS for this host. You can verify that
by connecting with normal HTTP url.

regards,
Nikos


[Modules] mod_gnutls 0.5.7

2010-06-30 Thread Nikos Mavrogiannopoulos
Hello,
 I've just released mod_gnutls 0.5.7. The changes since 0.5.6 are:

** Version 0.5.7 (2010-07-01)
- Force usage of SDBM. For some reason the default in
  my system had issues after reaching a limit of entries.
  SDBM seems stable so force it.

- Optimizations in session caching.

- Added support for session tickets. This allows a
  server to avoid using a session cache and still support
  session resumption. This is at the cost of transporting
  session data during handshake. New option
  GnuTLSSessionTickets [on|off]

- Depend on gnutls 2.10.0 to force support for safe
  renegotiation.


[Modules] mod_gnutls 0.5.6

2010-03-24 Thread Nikos Mavrogiannopoulos
Just released mod_gnutls 0.5.6. The changes from the previous
release are:

- Corrected issue with firefox and long POST data (by
  handling EINTR and EAGAIN errors in read).

- Added support for chained client certificates

- Corrected more issues related to double frees
http://issues.outoforder.cc/view.php?id=102


regards,
Nikos


Re: [Modules] Using OpenPGP for server and client authentication?

2010-02-15 Thread Nikos Mavrogiannopoulos
Daniel Clark wrote:
> Issue 096: mod_gnutls does not accept client OpenPGP certificates
> which have no expiration  - http://issues.outoforder.cc/view.php?id=96
> - seems to suggest that there is some way either converting OpenPGP
> keys into pkcs12 (.p12) for import into web browsers or a web browser
> plugin similar to the one used by http://www.gpgauth.com that would
> allow one to log in to a web site using the private key located on the
> computer a user owns (in conjunction with apache + mod_gnutls or
> another web server using gnutls running on the server); but I've been
> unable to find any other documentation on that, or even indication
> that it is possible.
> Is there some way of doing this someone could expound upon?

No it cannot be done. The popular Web clients do not support openpgp
authentication, nor openpgp keys.


regards,
Nikos


Re: [Modules] Announcement: Fedora + EL packages now available

2009-10-02 Thread Nikos Mavrogiannopoulos
On Fri, Oct 2, 2009 at 4:49 AM, Erick Calder  wrote:
> Hello everyone,
>
> mod_gnutls is a great solution and should be available as a standard
> part of the various distributions out there.  I've taken the trouble
> to walk the module through the Fedora submission process - it is now
> available in distributions F10, F11, F12 and Rawhide, for the all
> platforms, x86, PPC, 32 and 64 bit.

Great, thank you!

> additionally, as Fedora does not support SRP, the module had to be
> compiled with --disable-srp.  Please make sure to document its
> availability wherever possible.

Do you happen to know if there are plans to include SRP support in Fedora?


Re: [Modules] mod_gnutls "missing a Certificate file!"

2009-09-13 Thread Nikos Mavrogiannopoulos
Julian Blake Kongslie wrote:
> I'm trying to setup an apache 2 server that offers SSL using anonymous
> DH, and does not offer any certificate at all. Presently, my virtual
> host configuration is as follows:
> 
>   
> ServerName testbed
> GnuTLSEnable on
> GnuTLSPriorities NORMAL:+ANON-DH
> DocumentRoot /web
>   
> 
> Unfortunately, apache 2 refuses to start, with the error:
>   [GnuTLS] - Host 'testbed:0' is missing a Certificate File!
> 
> But that, of course, is exactly what I want.
> 
> If I provide a X.509 certificate to satisfy mod_gnutls, it is delivered
> to clients, even if I add "-CTYPE-X.509" to the priorities. I can get
> approximately the right thing by providing an OpenPGP certificate
> instead - it, too, is sent to clients, but nothing in the world
> understands it, so it is simply ignored and the connection falls back to
> ANON-DH mode as I desire.
> Please tell me there's a better way?

Don't really think so. I've never considered anon to be the only option
in mod_gnutls. If you provide a dummy certificate and set -CTYPE-X509
and -CTYPE-OPENPGP does it do what you expect?


regards,
Nikos


Re: [Modules] packaging for Fedora Core 11

2009-09-13 Thread Nikos Mavrogiannopoulos
Erick Calder wrote:

Hello Erick,

> 2. SRP seemed to fail when the module tried to load, complaining about a
> missing function gnutls_srp_server_get_username.  is there something
> else I need to have installed or is it a bug? I've compiled with
> --disable-srp for now but would like to figure out whether there is a
> hard dependency I should respect

Fedora for their reasons decided to disable SRP from gnutls in their
distribution, thus mod_gnutls cannot support it as well.

> 3.  the document below indicates that without the dhfile or rsafile, the
> module will never work.  however, after making those files don't get
> created... are they no longer needed or is something wrong with my setup?
> 
> http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

This was the case on older mod_gnutls versions. Now default values will
be used at least for DH file. The rsa file is only needed when you use
the RSA-EXPORT ciphersuites.

> 5. I've placed the following assertives in one of my virtual hosts:
> 
> GnuTLSEnable on
> GnuTLSCertificateFile /path/to/my/crt
> GnuTLSKeyFile /path/to/my/key
> 
> but when I visit the virtual host, the following shows up on the logs:
> 
> [Fri Sep 11 20:09:49 2009] [error] GnuTLS: Hanshake Alert (42)
> 'Certificate is bad'.
> [Fri Sep 11 20:09:49 2009] [error] [client 98.149.115.77] GnuTLS:
> Handshake Failed (-12) 'A TLS fatal alert has been received.'
> 
> the domain is one of two that I'm using to test.  one of them works, the
> other doesn't.  the certificates were generated in the same way and
> signed by the same CA.  what could be the matter here?

It seems that the client (firefox or so) sends an alert that it doesn't
like the certificate of that site. Does the browser support virtual TLS
hosts? (Check with Firefox 3+, which supports them for sure.)

> 6. By turning off GnuTLS on the domain that works ok, I get the message
> below from the second domain:
> 
> SSL received a record that exceeded the maximum permissible length.
> (Error code: ssl_error_rx_record_too_long)

I don't understand what you describe here. Who is getting this error? It
doesn't look like an error from gnutls.

regards,
Nikos



Re: [Modules] [mod_gnutls] [PATCH] Fix building with Apache 2.4

2009-06-30 Thread Nikos Mavrogiannopoulos
Arfrever Frehtes Taifersar Arahesis wrote:
> I'm attaching the patch which fixes building mod_gnutls with Apache 2.4 
> (trunk).

Applied. Thank you!



[Modules] mod_gnutls 0.5.5

2009-06-13 Thread Nikos Mavrogiannopoulos
Hello,
 I've just released mod_gnutls 0.5.5. I have also renamed the stable
branch as old-stable and the development branch as stable. The changes
since last release are:

- Removed limits on CA certificate loading. Reported by
  Sander Marechal and Jack Bates.

- Do not allow sending empty TLS packets even when instructed to.
  This had the side effect of clients closing connection (noticed by
  Tobias Gruetzmacher using SVN webdav module and mod_gnutls)


regards,
Nikos


Re: [Modules] GnuTls: Base64 unexpected header error

2009-05-21 Thread Nikos Mavrogiannopoulos
g...@itchybit.org wrote:
> Hello,
> 
> dpkg shows me this:
> 
> ii  gnutls-bin2.6.6-1the GNU
> TLS library - commandline utilities
> ii  gnutls-doc2.6.6-1the GNU
> TLS library - documentation and exam
> ii  libgnutls13   2.0.4-4the GNU
> TLS library - runtime library
> ii  libgnutls26   2.6.6-1the GNU
> TLS library - runtime library

Sorry, it seems that mod_gnutls doesn't use the gnutls functions that do
the autodetection. The next release will support it.

regards,
Nikos


Re: [Modules] GnuTls: Base64 unexpected header error

2009-05-21 Thread Nikos Mavrogiannopoulos
g...@itchybit.org wrote:
> Hello,
> 
> dpkg shows me this:
> 
> ii  gnutls-bin2.6.6-1the GNU
> TLS library - commandline utilities
> ii  gnutls-doc2.6.6-1the GNU
> TLS library - documentation and exam
> ii  libgnutls13   2.0.4-4the GNU
> TLS library - runtime library
> ii  libgnutls26   2.6.6-1the GNU
> TLS library - runtime library

could it be that mod_gnutls is using libgnutls13? Could you check the
output of ldd path/to/mod_gnutls.so?

regards,
Nikos


Re: [Modules] GnuTls: Base64 unexpected header error

2009-05-21 Thread Nikos Mavrogiannopoulos
It is gnutls (not mod_gnutls) that does the auto-detection. Thus
please specify the version you have in your system.

regards,
Nikos

On Thu, May 21, 2009 at 10:56 AM,   wrote:
> Hello,
>
>> That command generates a new key, it does not convert your existing key.
>> So signature failures is expected.  Try:
>>
>> certtool -k < oldkey.pem > newkey.pem
>
> ^^ this helped, thank you very much for advices. I have another question -
> the version of mod_gnutls which i provided in former email - should it or
> should it not autodetect the key type ?
>
> kind regards,
>
> gnd/
>
>


Re: [Modules] GnuTls: Base64 unexpected header error

2009-05-20 Thread Nikos Mavrogiannopoulos
On Wed, May 20, 2009 at 5:51 PM,   wrote:
> hello,
>
> I investigated further on the private key. Its obtained from the provider
> 1&1 via some free SSL certificate giveaway that is a deal with Geotrust ..
>
> So the problem with the key is that its not generated by us, but its
> generated by either 1&1 or Geotrust - which provides the certificate to
> it.
> Another thing is that the key length is different from the keys that we
> generated by ourselves. Our private keys are 1024 bit RSA with the size of
> 887 bytes, whilst the key from 1&1 has a size of 912 bytes. Also its
> starting with "-BEGIN PRIVATE KEY-" instead of "-BEGIN RSA
> PRIVATE KEY-".

It seems it is a PKCS #8 key. You can convert it to a format that
mod_gnutls should be able to read using certtool -k. However which
version of gnutls do you use? Newer versions seem to autodetect the
private key file.

regards,
Nikos
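The two messages above (the `certtool -k < oldkey.pem > newkey.pem` conversion and the PKCS #8 diagnosis from the "BEGIN PRIVATE KEY" header) boil down to reading the PEM armour label before feeding the file to the server. The following is an added example, not code from mod_gnutls or gnutls: it classifies a private-key file by its label, flags the non-PKCS #1 formats the thread says to convert with `certtool -k` (whether a particular gnutls version autodetects them is not something the code can know), and validates the base64 body, which is what a "Base64 decoding error" on import usually points at. Every PEM text in `SAMPLES` is constructed with a dummy body; none is a real key.

```python
"""Inspect a PEM private-key file the way the thread above diagnoses it.

Added example, not part of mod_gnutls or gnutls. Label meanings:
"RSA PRIVATE KEY" is PKCS #1, "PRIVATE KEY" is PKCS #8 (the 1&1/Geotrust
key in the thread), "ENCRYPTED PRIVATE KEY" is passphrase-protected PKCS #8.
All PEM texts in SAMPLES are constructed with dummy bodies, not real keys.
"""
import base64
import binascii
import re

KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS #1 RSA private key",
    "PRIVATE KEY": "PKCS #8 private key",
    "ENCRYPTED PRIVATE KEY": "PKCS #8 private key",
    "EC PRIVATE KEY": "SEC 1 EC private key",
    "DSA PRIVATE KEY": "OpenSSL DSA private key",
}

# One armoured block: the label, then everything up to the matching END line.
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body) pairs for every armoured block, in file order."""
    return [(m.group(1), m.group(2)) for m in _BLOCK.finditer(text)]


def inspect_key(text):
    """Classify the first private-key block in `text`.

    Returns a dict with keys 'kind', 'encrypted', 'needs_conversion' and
    'problem' (None when the block decodes cleanly).
    """
    blocks = [b for b in pem_blocks(text) if b[0] in KEY_LABELS]
    if not blocks:
        return {"kind": None, "encrypted": False, "needs_conversion": False,
                "problem": "no PEM private-key block found (DER file, "
                           "certificate instead of key, or damaged armour)"}
    label, body = blocks[0]
    # Traditional OpenSSL encryption shows up as header lines inside the block.
    encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
    result = {"kind": KEY_LABELS[label], "encrypted": encrypted,
              "needs_conversion": label != "RSA PRIVATE KEY", "problem": None}
    # Drop header lines ("Proc-Type: ...", "DEK-Info: ...") and whitespace;
    # the base64 alphabet never contains a colon.
    b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        result["problem"] = "base64 decoding error: %s" % exc
        return result
    # An unencrypted key body is DER, which always starts with a SEQUENCE tag.
    if not encrypted and (not raw or raw[0] != 0x30):
        result["problem"] = "body decodes but is not a DER SEQUENCE"
    return result


# Constructed sample files (dummy bodies, not real key material).
SAMPLES = {
    "pkcs1": "-----BEGIN RSA PRIVATE KEY-----\nMIIBAA==\n-----END RSA PRIVATE KEY-----\n",
    "pkcs8": "-----BEGIN PRIVATE KEY-----\nMIIBAA==\n-----END PRIVATE KEY-----\n",
    "pkcs1_encrypted": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n" + "A" * 22 + "==\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "truncated": "-----BEGIN PRIVATE KEY-----\nMIIBA\n-----END PRIVATE KEY-----\n",
    "certificate_only": "-----BEGIN CERTIFICATE-----\nMIIBAA==\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, inspect_key(text))
```

A key that comes back with `needs_conversion` set is the case the thread resolves with `certtool -k`; one with `encrypted` set needs its passphrase removed first, since the thread notes that neither gnutls nor mod_gnutls can read passphrase-protected keys unattended.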


Re: [Modules] mod_gnutls CertificateChainFile / CertificateCAFile

2009-01-27 Thread Nikos Mavrogiannopoulos
In your certificate file just include the Intermediate CA certificate
after your certificate.

On Mon, Jan 26, 2009 at 1:15 AM, amine  wrote:
> i used mod_gnutls for its sni support with many certificates signed by
> Verisign CA and everything worked fine
>
> for a new project , i use startcom ssl certificate , but they have a
> chained CA
> StartCom (trusted by gecko/webkit family browsers) -> StartCom Class 1
> Primary Intermediate Server CA (unknown to the browser)-> My server
> certificate
>
> With mod-ssl i used SSLCertificateChainFile directive that helps the
> browser to get access to the intermediate certificate (StartCom Class
> 1...) and it does not ask me to add an exception
> Is there any comparable directive in mod_gnutls .. i tried
> GnuTLSCertificateChainFile but with no success :)
>
> thanks for your help
> am...@jeeko.org
>
>
>
>


Re: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.

2009-01-24 Thread Nikos Mavrogiannopoulos
Jack Bates wrote:
> Sander Marechal reports that he cannot use the CA certificates
> distributed in the Debian ca-certificates package with mod_gnutls:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573
> 
> I confirmed that this behaviour is the same in mod_gnutls trunk revision
> 403:

Hello,
 I believe the attached patch fixes the issue. It will be included in
the next release.

regards,
Nikos
Index: include/mod_gnutls.h.in
===
--- include/mod_gnutls.h.in	(revision 402)
+++ include/mod_gnutls.h.in	(working copy)
@@ -79,10 +79,6 @@
 } mgs_dirconf_rec;
 
 
-/* The maximum number of client CA certificates allowed.
- */
-#define MAX_CA_CRTS 128
-
 /* The maximum number of certificates to send in a chain
  */
 #define MAX_CHAIN_SIZE 8
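Review bot: removing `MAX_CA_CRTS` from the public header is an API change for any other source file or third-party code that included mod_gnutls.h.in and used the macro; only the struct field in the next hunk is updated here, so confirm there are no remaining references before applying. The comment block removed with it described the limit; a short note next to `MAX_CHAIN_SIZE` that the client CA list is no longer bounded would keep the header self-explanatory.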
@@ -111,7 +107,7 @@
 const char* cache_config;
 const char* srp_tpasswd_file;
 const char* srp_tpasswd_conf_file;
-gnutls_x509_crt_t ca_list[MAX_CA_CRTS];
+gnutls_x509_crt_t *ca_list;
 gnutls_openpgp_keyring_t pgp_list;
 unsigned int ca_list_size;
 int client_verify_mode;
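Review bot: `ca_list` becomes a bare pointer but nothing in this hunk says who allocates it, who frees it, or how `ca_list_size` relates to it; document on the field that it is heap-allocated by the client CA file directive handler and holds `ca_list_size` entries. Any config-merge code that copies this server record field by field now shares one heap buffer between records where it previously copied an inline array, so that code needs checking too.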
Index: src/gnutls_config.c
===
--- src/gnutls_config.c	(revision 402)
+++ src/gnutls_config.c	(working copy)
@@ -398,6 +398,7 @@
 return NULL;
 }
 
+#define INIT_CA_SIZE 128
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
    const char *arg)
 {
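Review bot: `#define INIT_CA_SIZE 128` is dropped directly above the function with no comment; state that it is the initial capacity of the client CA list, grown when gnutls reports the file holds more entries, and either move it next to the other size constants in include/mod_gnutls.h.in or keep it file-local with a comment saying so.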
@@ -419,16 +420,37 @@
 			"Client CA File '%s'", file);
 }
 
-sc->ca_list_size = MAX_CA_CRTS;
+sc->ca_list_size = INIT_CA_SIZE;
+sc->ca_list = malloc(sc->ca_list_size * sizeof(*sc->ca_list));
+if (sc->ca_list == NULL) {
+		return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
+}
+
 rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
- &data, GNUTLS_X509_FMT_PEM,
- GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
-if (rv < 0) {
-	return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+ &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+			return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
 			"Client CA File '%s': (%d) %s", file, rv,
 			gnutls_strerror(rv));
 }
+
+if (INIT_CA_SIZE < sc->ca_list_size) {
+		sc->ca_list = realloc(sc->ca_list, sc->ca_list_size*sizeof(*sc->ca_list));
+		if (sc->ca_list == NULL) {
+return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error");
+		}
 
+		/* re-read */
+		rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size,
+ &data, GNUTLS_X509_FMT_PEM, 0);
+
+		if (rv < 0) {
+	return apr_psprintf(parms->pool, "GnuTLS: Failed to load "
+	"Client CA File '%s': (%d) %s", file, rv,
+	gnutls_strerror(rv));
+		}
+}
+
 apr_pool_destroy(spool);
 return NULL;
 }
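Review bot: the `sc->ca_list = realloc(sc->ca_list, ...)` line overwrites the only pointer to the buffer, so if `realloc` fails the original allocation leaks; assign to a temporary, and on NULL free `sc->ca_list` before returning. The early `return apr_psprintf(parms->pool, ...)` paths after the `malloc` likewise return without freeing the buffer (and, as before the patch, without `apr_pool_destroy(spool)`). Everything else in this handler lives in APR pools, so allocating `ca_list` from the server configuration pool instead of `malloc` would tie its lifetime to the config and remove those leak paths. The `/* re-read */` branch relies on gnutls having updated `sc->ca_list_size` to the required count when it returned `GNUTLS_E_SHORT_MEMORY_BUFFER`; a one-line comment saying so would make the `INIT_CA_SIZE < sc->ca_list_size` test readable. The added lines also mix tab and space indentation; match the surrounding code.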
Index: NEWS
===
--- NEWS	(revision 402)
+++ NEWS	(working copy)
@@ -1,5 +1,10 @@
-** Verison 0.5.4 (2009-01-04)
+** Version 0.5.5 (unreleased)
 
+- Removed limits on CA certificate loading. Reported by
+  Sander Marechal and Jack Bates.
+
+** Version 0.5.4 (2009-01-04)
+
 - mod_gnutls.h: modified definition to extern to avoid compilation
   errors in darwin.
 


Re: [Modules] Cannot get client certificate verification to work

2009-01-19 Thread Nikos Mavrogiannopoulos
Sander Marechal wrote:
> Nikos Mavrogiannopoulos wrote:
>> Sander Marechal wrote:
>>
>>> When I connect to the root I do not get asked for a client certificate,
>>> as expected. But when I go to /xmlrpc or to /users/certificate then I do
>>> not get asked for a client certificate. Instead it simply shows the page
>>> as if verification succeeded.
>> What is the session ID of the latter connections? Is it because they are
>> being resumed?
> 
> How do I check (I'm using Firefox 3)? And if that is the case, how do I
> start a new session when someone hits one of the  paths that
> require client certificates?

You can check the environment variables for the certificate information
and print them (server side).

regards,
Nikos
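The advice above, to check the exported certificate variables on the server side rather than trust that the per-location verification ran, is the right reflex when a resumed session is suspected. The following is an added example, not mod_gnutls code. It assumes the module exports the mod_ssl-compatible request variables `SSL_CLIENT_VERIFY` (value `SUCCESS` when the client certificate chained to a configured CA) and `SSL_CLIENT_S_DN` (the client's subject DN); both names are assumptions to verify against your mod_gnutls version. The `environ` dicts in `SAMPLES` are constructed, not captured from a server.

```python
"""Fail-closed server-side gate for client-certificate authentication.

Added example, not part of mod_gnutls. Variable names SSL_CLIENT_VERIFY and
SSL_CLIENT_S_DN are assumed (mod_ssl-compatible). SAMPLES are constructed.
"""


def parse_dn(dn):
    """Split an RFC 4514-style DN ("CN=alice,O=Example") into a dict.

    Backslash escapes are honoured, so a comma inside a value does not split
    the string. A later duplicate of an attribute type wins.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().upper()] = v.strip()
    return attrs


def client_cert_status(environ):
    """Return (verified, detail). A missing variable counts as NOT verified."""
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify is None:
        # Nothing exported at all: TLS is not active for this request, or the
        # session was resumed and the per-location verification never ran.
        return False, "no client-certificate result exported by the TLS module"
    if verify != "SUCCESS":
        return False, "client certificate not verified: " + verify
    dn = environ.get("SSL_CLIENT_S_DN", "")
    if not dn:
        return False, "verify flag set but no subject DN exported"
    return True, dn


def authorize(environ, allowed_cns):
    """Decide whether to serve a protected path. Returns (status, reason)."""
    ok, detail = client_cert_status(environ)
    if not ok:
        return 403, detail
    cn = parse_dn(detail).get("CN")
    if cn is None or cn not in allowed_cns:
        return 403, "subject not in allow-list: " + detail
    return 200, cn


# Constructed request environments (not captured from a real server).
SAMPLES = {
    "verified": {"SSL_CLIENT_VERIFY": "SUCCESS",
                 "SSL_CLIENT_S_DN": "CN=alice,O=Example\\, Inc."},
    "unknown_user": {"SSL_CLIENT_VERIFY": "SUCCESS",
                     "SSL_CLIENT_S_DN": "CN=mallory,O=Example"},
    "failed": {"SSL_CLIENT_VERIFY": "FAILED:self signed certificate",
               "SSL_CLIENT_S_DN": "CN=alice"},
    "resumed_no_verify": {"HTTPS": "on"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, authorize(env, {"alice"}))
```

The `resumed_no_verify` case is the one the thread is circling: when the variables are simply absent, the handler refuses the request instead of serving the page "as if verification succeeded".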


Re: [Modules] Cannot get client certificate verification to work

2009-01-18 Thread Nikos Mavrogiannopoulos
Sander Marechal wrote:

> When I connect to the root I do not get asked for a client certificate,
> as expected. But when I go to /xmlrpc or to /users/certificate then I do
> not get asked for a client certificate. Instead it simply shows the page
> as if verification succeeded.

What is the session ID of the latter connections? Is it because they are
being resumed?

regards,
Nikos


Re: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.

2009-01-13 Thread Nikos Mavrogiannopoulos
Jack Bates wrote:
> Sander Marechal reports that he cannot use the CA certificates
> distributed in the Debian ca-certificates package with mod_gnutls:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573
> 
> I confirmed that this behaviour is the same in mod_gnutls trunk revision
> 403:

Thanks for the report. I'll try to fix it soon. However note that if
you want to set all the list of ca-certificates.crt as the trusted list
then probably you are doing something wrong. mod_gnutls uses this list
to authenticate clients that should have access to this website, thus a
list of 1-2 ca certificates should be the typical use.

regards,
Nikos


Re: [Modules] Name-based virtual hosts not supported?

2009-01-13 Thread Nikos Mavrogiannopoulos
Sander Marechal wrote:
> I have done some more digging with regards to the Client Certificate
> issue I described in my previous e-mail. It looks like name-based
> virtual hosting isn't working at all on my setup. I discovered that
> after I changed the self-signed certificate from one of the virtual
> hosts for a certificate signed by CACert.

Indeed. Your certificate has:
 Subject's DN: CN=*.jejik.com

and you cannot use it for different virtual hosts (the name of the
certificate must match the name of the virtual host).

regards,
Nikos
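The rule stated above (the certificate's name must match the virtual host's name) is what a browser applies to the name it sent in SNI, and it is also why the two earlier reports of "the second vhost shows the first vhost's certificate" end in a name-mismatch warning. The following is an added example, not mod_gnutls code, that applies those matching rules to a set of virtual hosts: subjectAltName dNSName entries take precedence over the CN, comparison is case-insensitive, and a wildcard is accepted only as the whole leftmost label and matches exactly one label, so `*.jejik.com` covers `www.jejik.com` but neither `jejik.com` nor `a.b.jejik.com`. The certificate dicts and host names are constructed, starting from the thread's `CN=*.jejik.com`.

```python
"""Check that a certificate's names cover the virtual hosts it is served for.

Added example, not mod_gnutls code. Certificates are represented as plain
dicts ({"cn": ..., "san": [...]}) rather than parsed X.509; all names here
are constructed.
"""


def _labels(name):
    """Normalise a DNS name into lower-case labels, dropping a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(pattern, host):
    """True if certificate name `pattern` covers `host`."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False
    if "*" not in pattern:
        return p == h
    # Wildcard only as the entire leftmost label, nowhere else, and with at
    # least two further labels so that *.com cannot match every second-level name.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return p[1:] == h[1:]


def cert_names(cert):
    """Names a client matches against: SAN dNSNames if present, else the CN."""
    san = cert.get("san") or []
    if san:
        return list(san)
    return [cert["cn"]] if cert.get("cn") else []


def check_vhosts(cert, vhosts):
    """Map each virtual host name to the certificate name covering it, or None.

    A None entry is a host whose visitors will get a name-mismatch warning,
    the symptom described in the thread.
    """
    names = cert_names(cert)
    return {host: next((n for n in names if name_matches(n, host)), None)
            for host in vhosts}


# Constructed certificates and host lists.
WILDCARD_CERT = {"cn": "*.jejik.com", "san": []}
SAN_CERT = {"cn": "fallback.example", "san": ["svn.example.org", "app.example.org"]}

if __name__ == "__main__":
    print(check_vhosts(WILDCARD_CERT, ["www.jejik.com", "jejik.com", "a.b.jejik.com"]))
    print(check_vhosts(SAN_CERT, ["svn.example.org", "fallback.example"]))
```

Running this over each `VirtualHost` and its `GnuTLSCertificateFile` before reloading Apache catches the mismatch at configuration time instead of in a user's browser.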


Re: [Modules] Cannot get client certificate verification to work

2009-01-13 Thread Nikos Mavrogiannopoulos
Sander Marechal wrote:
> I have done some more digging and it's weird. It looks like
> mod_gnutls does not take the VirtualHost directive into account.
> 
> Below is again the configuration of my two virtual hosts. The Subversion
> server only has a server certificate. The CakePHP virtual host has a
> server certificate (in fact, the same one as the subversion server) and
> requires client-side certification.
> 
> If the Subversion server is loaded first then neither virtual host will
> ask for a client certificate. If the CakePHP host is loaded first then
> *both* virtual hosts will ask for client-side certificates.
> 
> So, it looks like GnuTLSClientVerify does not take the virtual host into
> account in the below configuration.
> 
> Bug? Or is something wrong with my configuration?

Does http://test[123].gnutls.org work for your browser? In those only
test2 asks for certificate.

regards,
Nikos


Re: [Modules] Session Cache is not configured - hint SSLSessionCache

2009-01-08 Thread Nikos Mavrogiannopoulos
I don't think you can mix mod_ssl with mod_gnutls. The issue here
was that gnutls dbm was started on a server where gnutls wasn't
enabled.

regards,
Nikos

On Wed, Jan 7, 2009 at 11:02 PM,   wrote:
>
>>> NameVirtualHost *:80
>>
>> If you remove this line does it have any effect?
>
> I'm afraid not. It's just the same as before.
>
> Maybe interesting:
> If I comment out "LoadModule ssl_module libexec/apache22/mod_ssl.so"
> there is no error message at all. Apache doesn't start, no crash, no
> comment, nothing.
>
> - Alexander
>
>


Re: [Modules] Session Cache is not configured - hint SSLSessionCache

2009-01-07 Thread Nikos Mavrogiannopoulos
m...@alexg.org wrote:
> Hallo,
> 
> I am currently trying to install mod_gnutls on FreeBSD 6.3 within a Jail.
> - Apache 2.2.10 (also tried 2.2.8)
> - mod_gnutls 0.5.3 (also 0.4.3, svn)
> 
> Everytime I try to start apache I'll get an error-log entry as follows:
> 
> "[Thu Jan 01 20:05:12 2009] [warn] Init: Session Cache is not configured
> [hint: SSLSessionCache]"

> NameVirtualHost *:80

If you remove this line does it have any effect?

regards,
Nikos


[Modules] mod gnutls 0.5.4

2009-01-07 Thread Nikos Mavrogiannopoulos
Hello,
 I'm glad to announce mod_gnutls 0.5.4. This release fixes the long
standing bug with mod_proxy. The full list of changes is below:

- mod_gnutls.h: modified definition to extern to avoid compilation
  errors in darwin.
- Added patch to fix issue with mod_proxy. Investigation and patch by
  Alain Knaff.
- libgnutls detection uses pkg-config.

regards,
Nikos


Re: [Modules] Difficulty with Server Name Indication and ServerAlias

2008-12-05 Thread Nikos Mavrogiannopoulos
Stephane Bortzmeyer wrote:

> I'm pretty sure that ServerAlias worked before and I wonder what could
> have broken recently? New version of mod_gnutls? Stupid configuration
> error from my side?

Could you find out on which version of mod_gnutls this broke? What was
your previous version?




[Modules] Fwd: mod_gnutls

2008-11-11 Thread Nikos Mavrogiannopoulos
> From: Web Response <[EMAIL PROTECTED]>
> Date: November 6, 2008 10:41:18 PM GMT-05:00
> To: Edward Rudd <[EMAIL PROTECTED]>
> Subject: mod_gnutls
> Reply-To: Brad <[EMAIL PROTECTED]>
>
>
> Message:
>
> I've setup everything exactly as specified...however, I am running
> two vhosts in apache 2.0.63
> For some reason though when you access the second vhost via the web
> browser, it comes up with a security warning using the first vhosts  
> certificate. So XXX.com is the first vhost and YYY.com is the second.
> The first works fine but when accessing YYY you get a prompt saying
> the cert belongs to XXX.
> The permissions and everything is exact same for both of them.
> Any idea why this is? I'm using the latest stable version  of gnutls
> and mod_gnutls.
>
> Thanks!




Re: [Modules] Fwd: mod_gnutls

2008-10-28 Thread Nikos Mavrogiannopoulos
Edward Rudd wrote:

>> Message:
>>
>> Hi, I could compile mod_gnutls 0.5.3 successfully but it makes httpd
>> crash immediately on start, there is nothing written into error_log.
>> I'm on Fedora 9, Apache 2.2.10, gnutls 2.6.0, mod_ssl disabled. I
>> removed fedora gnutls and recompiled the one from gnu.org. The rest is
>> distro default. I have indicated the correct path to apxs and
>> libgnutls while configure.
>>
>> Silly question, I saw on your site "A SSL/TLS Encryption Module
>> for Apache 2.1." So I suppose it's not compatible with Apache 2.2?

Hello,
 It is compatible with apache 2.2. Could you try running apache with gdb
or valgrind and check where the crash is? Also increase the logging
level just in case the error wasn't shown.

regards,
Nikos


Re: [Modules] Fwd: mod_gnutls

2008-10-28 Thread Nikos Mavrogiannopoulos
Edward Rudd wrote:

>> Hello, Edward Rudd:
>>I am interested in the "mod_gnutls" module, but now i
>> want to know if this module will support the TLS-PSK cipher suite?
>> or support it in the road map?
>>
>> Whuige

Hello,
 No TLS-PSK is not on the roadmap. TLS-PSK is not for web
authentication. If you are interested for password authentication check
TLS-SRP which is supported already by mod_gnutls.

regards,
Nikos


Re: [Modules] Dynamically loading certificates.

2008-10-17 Thread Nikos Mavrogiannopoulos
On Fri, Oct 17, 2008 at 12:51 PM, Adam Hasselbalch Hansen <[EMAIL PROTECTED]> 
wrote:
> Adam Hasselbalch Hansen wrote:
>
>> Ok, so, here's the deal.
>>
>> One (1) virtual host is defined in the Apache configuration. A separate
>> module directs requests to the right docroot, based on the hostname from
>> request_req. This needs to be replicated by mod_gnutls for this to work
>> with HTTPS.
>>
>> Right now, I am hooking in just after the SNI-stuff in gnutls_hooks.c,
>> basically repeating the stuff from mgs_set_key_file and
>> mgs_set_cert_file, to overwrite whatever cert is in the server conf.
>> Also, I set the cert_cn, so subsequent requests for the same domain do
>> not reread the certificate/key files.
>> This seems to work, with negligible overhead.
>>
>> One thing, though, is concurrency. If many requests to different domains
>> enter at once, I run the risk of some other request to overwrite the
>> cert before the previous request was completed, which results in the
>> wrong cert being sent.

You could avoid it by some kind of locking.

>>
>> Also, I can't seem to actually save the cert_cn with the
>> mgs_servconf_rec, just with the server_rec. But that's minor, as I can
>> easily grab that instead.
>>
>> The cache seems to not care about this, and stores and fetches like
>> there's no tomorrow.
>>
>> Any thoughts?
>
> No thoughts at all?

Hello Adam,
 I see no problem in your plan. However due to engagements I haven't
really had time to seriously think about it.

regards,
Nikos


[Modules] mod_gnutls 0.5.3

2008-10-16 Thread Nikos Mavrogiannopoulos
Hello,
 I've just released gnutls 0.5.3. This release includes a fix to
allow an OpenPGP-only website to be operated, as well as an increase to
the number of iterations allowed in gnutls_handshake().

The latter should affect mod_proxy configurations, thus I'd appreciate
any reports from people who use it. My main priority for the 0.5.x
branch is to close the open incompatibility with mod_proxy.

Suggestions and bug reports are welcome.


regards,
Nikos


Re: [Modules] PATCH: mod_gnutls README

2008-10-01 Thread Nikos Mavrogiannopoulos
I have committed your patch plus a fix for your issue in the svn repository.

regards,
Nikos

On Tue, Sep 30, 2008 at 8:53 PM, Jack Bates <[EMAIL PROTECTED]> wrote:
> On Mon, 2008-09-29 at 10:44 +0300, Nikos Mavrogiannopoulos wrote:
>> Jack Bates wrote:
>> > - but when I start Apache, it complains:
>> >
>> > ket% /usr/sbin/apache2 -f httpd.conf
>> > Syntax error on line 16 of httpd.conf-gpg:
>> > GnuTLS: Failed to Import PGP Private Key '/home/jablko/trash/key.asc':
>> > (-59) GnuTLS internal error.
>> > ket%
>>
>> Hello,
>>  gnutls and mod_gnutls cannot read encrypted openpgp keys. That is your
>> gpg key must not be protected with a passphrase.
>
> Doh - thank you Nikos : )
>
> I created a key without a passphrase and got a bit further. I also found
> some documentation in the GnuTLS manual on creating OpenPGP server
> credentials:
> http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
>
> I created this patch for the mod_gnutls README, to add instructions for
> creating OpenPGP server credentials:
> http://cgi.sfu.ca/~jdbates/tmp/mod-gnutls/200809300/patch
>
> Would you consider applying it?
>
> Unfortunately, I am still stuck. As per the instructions in the GnuTLS
> manual, I created a gpg key using my server name. I tried "localhost"
> and added "ServerName localhost" to my httpd.conf. However, when I try
> to start Apache, the error log complains:
>
> [Tue Sep 30 10:33:37 2008] [emerg] [GnuTLS] - Host 'localhost:0' is
> missing a Certificate File!
>
> I also tried creating a gpg key using "localhost:0" - with the same
> result.
>
> Here is my httpd.conf:
> http://cgi.sfu.ca/~jdbates/tmp/mod-gnutls/200809300/httpd.conf
>
> - and a screenlog of how I generated the OpenPGP server credentials:
> http://cgi.sfu.ca/~jdbates/tmp/mod-gnutls/200809300/screenlog
>


Re: [Modules] PATCH: mod_gnutls README

2008-10-01 Thread Nikos Mavrogiannopoulos
Jack Bates wrote:

> Doh - thank you Nikos : )
> 
> I created a key without a passphrase and got a bit further. I also found
> some documentation in the GnuTLS manual on creating OpenPGP server
> credentials:
> http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
> 
> I created this patch for the mod_gnutls README, to add instructions for
> creating OpenPGP server credentials:
> http://cgi.sfu.ca/~jdbates/tmp/mod-gnutls/200809300/patch
> 
> Would you consider applying it?
> 
> Unfortunately, I am still stuck. As per the instructions in the GnuTLS
> manual, I created a gpg key using my server name. I tried "localhost"
> and added "ServerName localhost" to my httpd.conf. However, when I try
> to start Apache, the error log complains:
> 
> [Tue Sep 30 10:33:37 2008] [emerg] [GnuTLS] - Host 'localhost:0' is
> missing a Certificate File!

Hello Jack,
 It seems there is a check that looks at whether a site has an X.509 certificate
and prints that error if it doesn't. I'll need to update it to account
for openpgp-only certificate sites as well. (Currently you have to have
a site that handles both X.509 and openpgp for it to work.)

regards,
Nikos
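
The per-vhost credential check Nikos describes, as an added example in C that is not mod_gnutls's own code: one function models the behaviour reported in the thread (an X.509 certificate is mandatory, so an OpenPGP-only host is refused as "missing a Certificate File"), the other accepts either credential type while still rejecting a certificate whose private key was never configured. The `vhost_creds` struct and its field names are assumptions made for the example; only the `GnuTLSCertificateFile` and `GnuTLSKeyFile` directive names come from this thread.

```c
/* Added example (not mod_gnutls code): a per-vhost credential check that
 * only knows about X.509, beside a form that also accepts OpenPGP-only sites. */
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-vhost configuration; the struct and field names are
 * assumptions for this example, not mod_gnutls's own. NULL = directive unset. */
typedef struct {
    const char *x509_cert;   /* GnuTLSCertificateFile */
    const char *x509_key;    /* GnuTLSKeyFile */
    const char *pgp_cert;    /* OpenPGP certificate file */
    const char *pgp_key;     /* OpenPGP private key file (must be unencrypted) */
} vhost_creds;

/* Behaviour reported in the thread: without an X.509 pair the host is
 * rejected, even when a complete OpenPGP pair is configured. */
int creds_ok_x509_only(const vhost_creds *c)
{
    return c->x509_cert != NULL && c->x509_key != NULL;
}

/* Corrected form: a host is usable with an X.509 pair, an OpenPGP pair, or
 * both. A certificate without its key (or a key without its certificate)
 * is still a configuration error rather than something to start up with. */
int creds_ok_either(const vhost_creds *c)
{
    int any_x509 = c->x509_cert != NULL || c->x509_key != NULL;
    int any_pgp  = c->pgp_cert  != NULL || c->pgp_key  != NULL;

    if (any_x509 && (c->x509_cert == NULL || c->x509_key == NULL))
        return 0;                       /* half an X.509 pair */
    if (any_pgp && (c->pgp_cert == NULL || c->pgp_key == NULL))
        return 0;                       /* half an OpenPGP pair */
    return any_x509 || any_pgp;         /* at least one complete pair */
}

int main(void)
{
    /* Placeholder paths, constructed for the example. */
    vhost_creds pgp_only = { NULL, NULL, "/etc/apache2/tls/host.pgp", "/etc/apache2/tls/host.pgpkey" };
    printf("pgp-only host: x509-only check=%d, either check=%d\n",
           creds_ok_x509_only(&pgp_only), creds_ok_either(&pgp_only));
    return 0;
}
```

The second check is the one a module should run at configuration time: it reports the half-configured cases before the first handshake instead of failing in front of a client.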


Re: [Modules] mod_gnutls pgp key and certificate

2008-09-29 Thread Nikos Mavrogiannopoulos
Jack Bates wrote:
> - but when I start Apache, it complains:
> 
> ket% /usr/sbin/apache2 -f httpd.conf
> Syntax error on line 16 of httpd.conf-gpg:
> GnuTLS: Failed to Import PGP Private Key '/home/jablko/trash/key.asc':
> (-59) GnuTLS internal error.
> ket% 

Hello,
 gnutls and mod_gnutls cannot read encrypted openpgp keys. That is, your
gpg key must not be protected with a passphrase.

regards,
Nikos



Re: [Modules] GnuTLSClientVerify segmentation fault

2008-09-24 Thread Nikos Mavrogiannopoulos
Indeed it seems svn cannot handle rehandshakes. mod_gnutls uses a
rehandshake to upgrade the connection from server authenticated to
client and server authenticated (requests a client certificate).

regards,
Nikos

On Wed, Sep 24, 2008 at 7:45 PM, Jack Bates <[EMAIL PROTECTED]> wrote:
> On Tue, 2008-09-16 at 11:28 +0300, Nikos Mavrogiannopoulos wrote:
>> Hello Jack,
>>  Could you check if gnutls 2.4.2 fixes your issue?
>
> Thank you very much Nikos, GnuTLS 2.4.2 seems to fix the issue : )
>
> Now I am having trouble getting Subversion to do client certificate
> authentication with mod_gnutls - but I think that this is an issue with
> Subversion:
>
> ket% svn co https://localhost:8080/test
> svn: OPTIONS of 'https://localhost:8080/test': Could not read status line: 
> SSL error: Rehandshake was requested by the peer. (https://localhost:8080)
> ket%
>


Re: [Modules] mod_gnutls/SNI breaks under load

2008-09-19 Thread Nikos Mavrogiannopoulos
Most probably this is a problem of the client you use. mod_gnutls has
the same behaviour whether on reload or not. If you believe this is a
problem of mod_gnutls please use tcpdump (or wireshark) and verify
that this is indeed a mod_gnutls issue.

regards,
Nikos

On Fri, Sep 19, 2008 at 12:32 PM, Adam Hasselbalch Hansen <[EMAIL PROTECTED]> 
wrote:
> Hi.
>
> I have a server configured with three virtual hosts, each with its own
> certificate (using SNI).
>
> Simply pressing 'reload' in a browser multiple times fast (or holding it
> down), breaks this, and the server reverts to serving the default
> certificate (in this case, the one defined in the first vhost).
>
> Apache says:
>
> GnuTLS: Handshake Failed (-9) 'A TLS packet with unexpected length was
> received.'
>
> What gives?
>
> All other settings (cache, etc.) are default.
>
> --
> Adam Hasselbalch Hansen
> UNIX Systems Developer, CPH
> e: [EMAIL PROTECTED], w: www.one.com
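
The check Nikos asks for is to look at the capture and confirm which host name each ClientHello actually carries, since a name-based server can only serve its default certificate when the client sends no server_name. The following is an added example in C, not mod_gnutls code, that extracts the server_name (SNI) host from a raw TLS ClientHello record as exported from tcpdump or wireshark. It follows the TLS record, handshake and server_name extension layouts (RFC 5246 and RFC 6066); the sample ClientHello bytes are constructed for the example and are not from the thread.

```c
/* Added example (not mod_gnutls code): pull the server_name (SNI) host out
 * of a raw TLS ClientHello record, the check one would run on a tcpdump
 * or wireshark capture to confirm what name the client actually asked for. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t left; } cur_t;

/* Bounds-checked cursor helpers: every read fails cleanly on short input. */
static int take(cur_t *c, size_t n, const uint8_t **out)
{
    if (c->left < n) return 0;
    if (out) *out = c->p;
    c->p += n; c->left -= n;
    return 1;
}
static int u8(cur_t *c, size_t *v)  { const uint8_t *b; if (!take(c, 1, &b)) return 0; *v = b[0]; return 1; }
static int u16(cur_t *c, size_t *v) { const uint8_t *b; if (!take(c, 2, &b)) return 0; *v = ((size_t)b[0] << 8) | b[1]; return 1; }
static int u24(cur_t *c, size_t *v) { const uint8_t *b; if (!take(c, 3, &b)) return 0; *v = ((size_t)b[0] << 16) | ((size_t)b[1] << 8) | b[2]; return 1; }

/* Returns the host name length (copied NUL-terminated into out), 0 when the
 * ClientHello carries no host_name entry, -1 on malformed or truncated input. */
int tls_client_hello_sni(const uint8_t *rec, size_t len, char *out, size_t outlen)
{
    cur_t c = { rec, len };
    size_t v, n;
    const uint8_t *b;

    if (!u8(&c, &v) || v != 0x16) return -1;           /* record type: handshake */
    if (!take(&c, 2, NULL)) return -1;                  /* record-layer version */
    if (!u16(&c, &v) || v > c.left) return -1;          /* record length */
    c.left = v;
    if (!u8(&c, &v) || v != 0x01) return -1;            /* handshake type: ClientHello */
    if (!u24(&c, &v) || v > c.left) return -1;          /* handshake length */
    c.left = v;
    if (!take(&c, 2 + 32, NULL)) return -1;             /* client_version + random */
    if (!u8(&c, &n) || !take(&c, n, NULL)) return -1;   /* session_id */
    if (!u16(&c, &n) || !take(&c, n, NULL)) return -1;  /* cipher_suites */
    if (!u8(&c, &n) || !take(&c, n, NULL)) return -1;   /* compression_methods */
    if (c.left == 0) return 0;                          /* legacy hello, no extensions */
    if (!u16(&c, &n) || n > c.left) return -1;          /* extensions length */
    c.left = n;

    while (c.left > 0) {
        size_t type, elen, list_len;
        if (!u16(&c, &type) || !u16(&c, &elen) || !take(&c, elen, &b)) return -1;
        if (type != 0) continue;                        /* 0 = server_name (RFC 6066) */
        cur_t e = { b, elen };
        if (!u16(&e, &list_len) || list_len > e.left) return -1;
        e.left = list_len;
        while (e.left > 0) {
            size_t ntype, nlen; const uint8_t *name;
            if (!u8(&e, &ntype) || !u16(&e, &nlen) || !take(&e, nlen, &name)) return -1;
            if (ntype != 0) continue;                   /* only host_name (0) is defined */
            if (nlen + 1 > outlen) return -1;
            memcpy(out, name, nlen);
            out[nlen] = '\0';
            return (int)nlen;
        }
        return 0;                                       /* extension present but empty */
    }
    return 0;
}

/* Constructed sample (not from the thread): a minimal ClientHello naming
 * www.example.org, laid out exactly as it would appear on the wire. */
static const uint8_t sample_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x47,                   /* handshake record, 71 bytes */
    0x01, 0x00, 0x00, 0x43,                         /* ClientHello, 67 bytes */
    0x03, 0x03,                                     /* client_version TLS 1.2 */
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 32-byte random (dummy) */
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    0x00,                                           /* session_id: empty */
    0x00, 0x02, 0xc0, 0x2f,                         /* one cipher suite */
    0x01, 0x00,                                     /* compression: null */
    0x00, 0x18,                                     /* extensions: 24 bytes */
    0x00, 0x00, 0x00, 0x14,                         /* server_name ext, 20 bytes */
    0x00, 0x12,                                     /* server_name_list: 18 bytes */
    0x00, 0x00, 0x0f,                               /* host_name, 15 bytes */
    'w','w','w','.','e','x','a','m','p','l','e','.','o','r','g'
};

int main(void)
{
    char host[256];
    int n = tls_client_hello_sni(sample_hello, sizeof sample_hello, host, sizeof host);
    if (n > 0) printf("SNI: %s\n", host);
    else       printf("no usable SNI (%d)\n", n);
    return 0;
}
```

Run it over the ClientHello bytes of each connection in the capture (the first record the client sends after the TCP handshake): a hello that yields 0 explains a default-certificate response without any fault in the server, while a hello that names the vhost and still gets the wrong certificate points at the server side.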


Re: [Modules] [error] GnuTLS: Hanshake Alert (48) 'CA is unknown'.

2008-09-18 Thread Nikos Mavrogiannopoulos
Ling-hua Tseng wrote:
> Here is my environment:
>FreeBSD 7.1-PRERELEASE
>apache-worker-2.2.9_5
>mod_ssl/2.2.9 (bundled with apache2 in FreeBSD's package/ports system)
>OpenSSL/0.9.8e (OS bundled library)
>gnutls-2.4.1_1
>mod_gnutls-0.4.3 (0.5.2 is also tested)
> 
> There are 7 name-based SSL virtual hosts configured in my web server.
> The following 2 lines appear in the error log of my default SSL
> site whenever anyone accesses any of the SSL sites:
> [error] GnuTLS: Hanshake Alert (48) 'CA is unknown'.
> [error] [client 220.133.199.45] GnuTLS: Handshake Failed (-12) 'A TLS
> fatal alert has been received.'

Some browsers that visited your sites do not like the certificates and
send this alert.

regards,
Nikos



Re: [Modules] mod_gnutls 0.5.1 crashes Apache 2.0.58

2008-09-18 Thread Nikos Mavrogiannopoulos
Verify with ldd that mod_gnutls.so is indeed linked with the gnutls
version you compiled. Try also to use valgrind with the same options.

regards,
Nikos

On Thu, Sep 18, 2008 at 5:19 PM, David Schueler
<[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote on 18.09.2008 16:00:21:
>> [EMAIL PROTECTED] wrote on 18.09.2008 15:21:17:
>>
>> > Does this occur with gnutls 2.4.2? Otherwise could you send the output
>> > of gdb with apache -X?
>> > (or even valgrind).
>>
>> I hope it helps a bit. Otherwise please tell me what to do with gdb.
>>
>> Thanks.
>>
>> David
>
> Ok, I did a second try and compiled mod_gnutls with CFLAGS="-g" and started
> apache in gdb again and did a backtrace, but all I got is this:
> ---8<---
> Program received signal SIGSEGV, Segmentation fault.
> 0xa8876a9c in ?? ()
> (gdb) bt
> #0  0xa8876a9c in ?? ()
> #1  0x11984ec0 in ?? ()
> #2  0x11b2e1d0 in ?? ()
> #3  0x in ?? ()
> (gdb)
> ---8<---
>
> Not very helpful :-(
> But how to get this to spit out more useful information?
>
> David


Re: [Modules] mod_gnutls 0.5.1 crashes Apache 2.0.58

2008-09-18 Thread Nikos Mavrogiannopoulos
Does this occur with gnutls 2.4.2? Otherwise could you send the output
of gdb with apache -X?
(or even valgrind).

On Thu, Sep 18, 2008 at 3:34 PM, David Schueler
<[EMAIL PROTECTED]> wrote:
> Hello all out there on this list.
>
> I have a problem with mod_gnutls 0.5.1 and apache 2.0.58.
> I used normal SSL on my apache before and now I want to set a different
> certificate on every vhost. So I installed mod_gnutls on my hardened
> Gentoo system using the normal "emerge" way. All compiled fine with
> gcc-3.4.6-hardened, but if I enable GNUTLS the apache crashes every time
> with a segfault when a user tries to access my website, regardless of whether
> it's an HTTP or HTTPS request. Without loading the mod_gnutls module everything
> is working well.
>
> Here is the error log from apache:
> ---8<---
> [Thu Sep 18 13:58:21 2008] [notice] suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec2)
> [Thu Sep 18 13:58:21 2008] [notice] Digest: generating secret for digest
> authentication ...
> [Thu Sep 18 13:58:21 2008] [notice] Digest: done
> [Thu Sep 18 13:58:21 2008] [notice] Apache configured -- resuming normal
> operations
> [Thu Sep 18 13:58:30 2008] [notice] child pid 13381 exit signal
> Segmentation fault (11)
> [Thu Sep 18 13:58:30 2008] [notice] child pid 13382 exit signal
> Segmentation fault (11)
> [Thu Sep 18 13:58:31 2008] [notice] child pid 13383 exit signal
> Segmentation fault (11)
> [Thu Sep 18 13:58:31 2008] [notice] child pid 13384 exit signal
> Segmentation fault (11)
> [Thu Sep 18 13:58:31 2008] [notice] child pid 13385 exit signal
> Segmentation fault (11)
> [Thu Sep 18 13:59:16 2008] [notice] child pid 13402 exit signal
> Segmentation fault (11)
> [Thu Sep 18 14:00:17 2008] [notice] child pid 13407 exit signal
> Segmentation fault (11)
> [Thu Sep 18 14:00:57 2008] [notice] caught SIGTERM, shutting down
> ---8<---
>
> Now my apache mod_gnutls.conf follows:
> ---8<---
> 
> LoadModule gnutls_module  modules/mod_gnutls.so
> Listen *:443
> GnuTLSCache dbm /var/cache/mod_gnutls/gnutls_cache
> 
> ---8<---
>
> and my vhost config looks like this:
> ---8<---
> # SSL/TLS Configvor vhost
> 
> ServerName www.wapk.de
> DocumentRoot /srv/www/www.wapk.de/html
> ScriptAlias /cgi-bin/ /srv/www/www.wapk.de/html/cgi-bin/
> php_admin_value open_basedir /srv/www/www.wapk.de/:/usr/share/php
> GnuTLSEnable on
> GnuTLSCertificateFile /etc/apache2/ssl/www.wapk.de.crt
> GnuTLSKeyFile /etc/apache2/ssl/server.key
> GnuTLSPriorities NORMAL
> 
> ---8<---
>
> Does someone have an idea why the apache crashes and how to solve this?
>
> Many thanks in advance!
>
> David