On Tuesday 09:01 PM 7/21/2009, Mark Aufflick wrote:
You say that "This bug ONLY occurs with an AOLserver client (any
version) running against an AOLserver 4 / nsopenssl 3.0beta26 server"
- so you're saying this issue doesn't occur when using httpsget
against, say, Apache?
Yes, that's correct. As I mention in the bug report, we were unable to
reproduce the bug in any of these scenarios:
- AOLserver client talking to an Apache server
- AOLserver client talking to a Java server
- wget client talking to an AOLserver server
- Firefox/IE client talking to an AOLserver server
And, crucially, it also doesn't happen with an AOLserver client (any
version) running against an AOLserver 3/nsopenssl 2.1a server. For the
bug to occur, the server *must* be AOLserver 4 with nsopenssl 3.0beta26.
It seems very odd that it would be server specific - that would fall
in that painful bug category of "If I wanted that behaviour I have no
idea how I would code it"!
Actually, I think you're going on the assumption that it's a client bug,
but it appears to me that it's a server bug (since an AOLserver
4/nsopenssl 3.0beta26 server is the consistent feature of the failing
scenarios). The odd part to me is that only an AOLserver client triggers
the bug.
By the way, this isn't a theoretical problem; we ran into this bug because
Arena's web application comprises multiple services which sometimes make
client calls to one another via SSL. When we tried to migrate from
AOLserver 3/nsopenssl 2.1a to AOLserver 4/nsopenssl 3.0beta26, we saw
occasional and seemingly random failures on various pages--and after a lot
of investigation we managed to narrow it down to this bug. This is
actually just one of several SSL-related issues that have prevented us
from migrating to AOLserver 4 (but we haven't investigated all of them as
deeply as this one, and so we're hoping this is the root cause of all of
them).
- John
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to
<lists...@listserv.aol.com> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject:
field of your email blank.
