RE: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

2022-02-24 Thread Marc
> Since you don't have paid support from RedHat, there is absolutely no
> reason to not install your own version of httpd.

I agree. The days of relying on an LTS distribution are coming to an end. I have 
the impression that RedHat is not the place to be anymore. Moving packages from 
the LTS to SCL, now dropping CentOS etc. They seem not to be able to catch up 
with patching everything. I think the trend will be getting your crucial rpms 
directly from the source.


Re: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

2022-02-24 Thread Yehuda Katz
In terms of getting a RedHat engineer, it looks like you have done all you
can do. There are RedHat developers on this list and on the RedHat forums
and they also look at Bugzilla, so there probably isn't much more you can
do.

Since you don't have paid support from RedHat, there is absolutely no
reason to not install your own version of httpd.

- Y

On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx wrote:

> Hello Yehuda,
>
> First: sorry for my very late reply!
>
> > You mention in the bug report that you are running an old version of
> > HTTPD because you are using the version packaged by RedHat.
> > Your bug report asks RedHat to backport the specific fixes for your
> > issue.
>
> Yes, that's a really good summary of what I try to achieve!
>
> About the two options:
>
> 1. I have the 'Red Hat Developer Subscription for Individuals' and
>    thus I'm not entitled to get any official support.
> 2. Red Hat strongly discourages the installation of a different
>    version of Apache (https://access.redhat.com/solutions/445713).
>
> I asked the same question on Red Hat Community portal (
> https://access.redhat.com/discussions/6756211) but so far I didn't get
> any reaction.
>
> Does someone know where the Apache developers of Red Hat hang out?
>
> Jeroen Verhoeckx
>
>
> --- Original Message ---
> On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz wrote:
>
> I see two options for you going forward:
> 1. Contacting RedHat: You need a subscription to do this. Posting to the
> upstream HTTPD mailing list probably won't help.
>
> 2. Use a different package: There are newer rpms available if you don't
> want to build your own. You can look at rpmfind or build the rpm yourself (
> https://httpd.apache.org/docs/2.4/platform/rpm.html)
>
> - Y
>
> On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx wrote:
>
>> Hello Apache Administrators,
>>
>> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but
>> no one has responded since then.
>>
>> It's about this bug report:
>> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>>
>>
>> Does someone have an idea about what I could do next?
>> Does someone know a place where I can contact RHEL Apache
>> developers/administrators?
>> Or is there another friendly way to get attention for this bug report?
>>
>>
>> Yours sincerely,
>>
>> Jeroen Verhoeckx
>>


[users@httpd] Support for OpenSSL 3.0 providers and provider-based key loading

2022-02-24 Thread Ingo Franzki
Hi all,

now that OpenSSL 3.0 support is available, I would like to ask if there are any 
plans to support loading OpenSSL provider-based keys similar to loading 
Engine-based keys from a URI.

When using an OpenSSL PKCS#11 engine, one can specify a PKCS#11 URL with 
SSLCertificateKeyFile to have the engine load the server's private key. 

When looking at the code it seems that this only works with Engines. 
The code in ssl_init_server_certs() checks via modssl_is_engine_id() if the key 
is a URI starting with 'pkcs11:', and if so, it loads the key via 
modssl_load_engine_keypair() which loads the key via ENGINE_load_private_key() 
and friends. So this code is Engine-specific, and won't work with providers. 
The other code paths all expect the server private key to be in PEM format.

What I am looking for is a way to load the private key using a PKCS#11 URL, not 
using Engines, but a PKCS#11 provider (such a provider might not exist at the 
moment, but let's assume that one exists). That would require that mod_ssl loads 
the private key via OSSL_STORE_open() / OSSL_STORE_load() and friends, so that 
a PKCS#11 provider that was configured to be loaded is fetched for the 
'pkcs11'-type URI and can in turn load the PKCS#11 key. 

The ultimate goal is to allow httpd to use an HSM based private key via a 
PKCS#11 provider, so that the server's private key is never exposed in clear.
This is already possible when using the libp11 Engine from 
https://github.com/OpenSC/libp11, but given that Engines are deprecated and 
will go away at some point in time, I would like to be able to do the same with 
a (still to be implemented) PKCS#11 provider.

Are there any plans to implement such provider-based key loading in httpd? 

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany





Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-24 Thread Tom Browder
On Wed, Feb 23, 2022 at 16:04 Eric Covener wrote:
...

> It could be, the full unredacted error_log entries might have more details.
> I would test with curl/wget on the proxy and make sure the backend is
> reachable. If curl/wget don't work, the proxy server isn't going to
> work.


SOLVED

The reverse proxy setup was fine. My problem was my Raku listener program
on the backend was tied to localhost instead of the public IP address.
(Solved by Geoffrey Broadwell on IRC #cro.)

Now I need the reverse proxy to handle multiple virtual hosts on the same
IP using SNI.

I'll attempt that in another email.

Thank you very much, Eric.

Cheers!

-Tom