Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2008/02/11 16:35:03 UTC
SNI test case
Does any one (but me :) feel a need to have something like below
living in test/* -- over the past couple
of days I found it very useful to get folks with embryonic SNI
installations going.
Thanks,
Dw
PS: SNI Rocks !
#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This script will populate a directory 'sni' with 3 sites, httpd.conf
# and certificates as to facilitate testing of TLS server name
# indication support (RFC 4366) or SNI.
#
# $Id$
#
OPENSSL=${OPENSSL:-openssl}
DOMAIN=${DOMAIN:-`hostname | sed -e 's/^[^\.]*\.//g'`}
if [ $# = 1 -a "x$1" != "x-f" -o $# -gt 1 ]; then
    echo "Syntax: $0 [-f]"
    exit 1
fi
if test -d sni -a "x$1" != "x-f"; then
    echo "Aborted - already an $PWD/sni directory. Use the -f flag to overwrite."
    exit 1
fi
mkdir -p sni || exit 1
cd sni || exit 1
mkdir -p ssl htdocs logs || exit 1
# Use the binary selected through $OPENSSL for every call
if ! $OPENSSL version | grep -q OpenSSL; then
    echo "Aborted - your openssl is very old or misconfigured."
    exit 1
fi
set `$OPENSSL version`
if test "0$2" \< "00.9"; then
    echo "Aborted - version of openssl too old, 0.9 or up required."
    exit 1
fi
# Create a 'CA'
serial=1
$OPENSSL req -new -nodes -batch \
    -x509 \
    -days 10 -subj '/CN=Da Root/O=SNI testing/' -set_serial $serial \
    -keyout root.key -out root.pem \
    || exit 2
echo '# To append to your hosts file' > hosts
cat > httpd-sni.conf << EOM
# To append to your httpd.conf file
Listen 127.0.0.1:443
NameVirtualHost 127.0.0.1:443
LoadModule ssl_module modules/mod_ssl.so
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
LogLevel debug
TransferLog $PWD/logs/access_log
ErrorLog $PWD/logs/error_log
SSLSessionCache none
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>
<Directory "$PWD/htdocs">
allow from all
Require all granted
</Directory>
# The first entry is also the default for non SNI
# supporting clients.
EOM
for n in ape nut jane
do
    FQDN=$n.$DOMAIN
    serial=`expr $serial + 1`
    # Key and signing request for this host
    $OPENSSL req -new -nodes -batch \
        -days 9 -subj "/CN=$FQDN/O=SNI Testing/" \
        -keyout $n.key -out $n.req -batch \
        || exit 3
    # Sign the request with the test CA
    $OPENSSL x509 -text -req \
        -CA root.pem -CAkey root.key \
        -set_serial $serial -in $n.req -out $n.pem \
        || exit 4
    cat $n.pem $n.key > ssl/$n.crt
    rm $n.req $n.key $n.pem
    LST="$LST
https://$FQDN/index.html"
    echo "127.0.0.1 $FQDN $n" >> hosts
    mkdir -p htdocs/$n
    echo We are $FQDN > htdocs/$n/index.html
    cat >> httpd-sni.conf << EOM
<VirtualHost 127.0.0.1:443>
SSLEngine On
ServerName $FQDN:443
DocumentRoot $PWD/htdocs/$n
SSLCertificateChainFile $PWD/root.pem
SSLCertificateFile $PWD/ssl/$n.crt
TransferLog $PWD/logs/$n
</VirtualHost>
EOM
done
cat << EOM
SNI Files generated
===================
The directory $PWD has been populated with the following
- root.key|pem  Certificate authority root and key
- hosts         /etc/hosts file with fake entries for the hosts
- htdocs        directory with one docroot for each domain,
                each with a small sample file.
- ssl           directory with an ssl cert (signed by root)
                for each of the domains.
- logs          logfiles, one for each domain and an
                access_log for any misses.
SNI Test
========
A directory $PWD has been created. Run an apache
server against it with
    .../httpd -f $PWD/httpd-sni.conf
and keep an eye on $PWD/logs/... Note that you will see entries
like
Feb 11 16:12:26 2008] [debug] Init:
SSL server IP/port overlap: ape.*:443 (httpd-sni.conf:24) vs.
jane.*:443 (httpd-sni.conf:42)
and a concluding warning
[Mon Feb 11 16:12:26 2008] [warn] Init:
Name-based SSL virtual hosts only work for clients with TLS
server name indication support (RFC 4366)
If you see an entry like
[Mon Feb 11 15:41:41 2008] [warn] Init:
You should not use name-based virtual hosts in conjunction
with SSL!!
then you are either using an OpenSSL which is too old, or you need to
ensure that the TLS Extensions are compiled into openssl with the
'enable-tlsext' flag.
Meanwhile add 'hosts' to your c:\windows\system32\drivers\etc\hosts
or /etc/hosts file as to point the various URLs to your server:
$LST
and verify that each returns its own name (and an entry in its
own $PWD/logs file).
EOM
exit 0
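Added example, not part of the posted script or of the httpd tree: a checker for the last step the script prints ("verify that each returns its own name"). It sends each name as SNI with openssl s_client and compares it with the CN of the certificate the server presents; the function names and the example.org host names are assumptions made for illustration, and the subject lines in selftest are constructed.

```shell
#!/bin/sh
# Added example: confirm each name-based SSL vhost serves its own certificate.
# Usage: sni-check.sh 127.0.0.1:443 ape.example.org nut.example.org ...
OPENSSL=${OPENSSL:-openssl}

# Print the CN found in an `openssl x509 -noout -subject` line. Accepts the
# older "subject= /CN=host/O=..." and the newer "subject=CN = host, O = ..."
subject_cn() {
    printf '%s\n' "$1" | sed -n -e 's/^subject= *//' \
        -e 's/^.*CN *= *\([^,/]*\).*$/\1/p'
}

# $1 = address:port, $2 = name sent in the TLS server_name extension.
# Prints the CN of the certificate the server answers with.
served_cn() {
    subj=$("$OPENSSL" s_client -connect "$1" -servername "$2" \
               </dev/null 2>/dev/null |
           "$OPENSSL" x509 -noout -subject 2>/dev/null) || return 1
    subject_cn "$subj"
}

# $1 = requested name, $2 = served CN (may be empty). The first vhost is the
# default for clients without SNI, so a mismatch usually shows its CN.
sni_verdict() {
    if [ -z "$2" ]; then
        echo "FAIL $1: no certificate"
    elif [ "$1" = "$2" ]; then
        echo "OK $1"
    else
        echo "MISMATCH $1: served $2 (default vhost?)"
    fi
}

# Check every name against one listener; non-zero status if any name fails.
check_all() {
    addr=$1; shift
    rc=0
    for name in "$@"; do
        line=$(sni_verdict "$name" "$(served_cn "$addr" "$name")")
        echo "$line"
        case $line in OK*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Offline self-check on constructed subject lines (no server needed).
selftest() {
    [ "$(subject_cn 'subject= /CN=ape.example.org/O=SNI Testing')" = ape.example.org ] &&
    [ "$(subject_cn 'subject=CN = nut.example.org, O = SNI Testing')" = nut.example.org ]
}

if [ $# -ge 2 ]; then check_all "$@"; else selftest && echo "selftest ok"; fi
```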
Re: Win32 httpd console doesnt accept CTRL-C anymore
Posted by Eric Covener <co...@gmail.com>.
On Sat, Mar 29, 2008 at 7:05 PM, Guenter Knauf <fu...@apache.org> wrote:
> Hi Eric,
>
> > On Sat, Mar 29, 2008 at 5:15 PM, Steffen <in...@apachelounge.com> wrote:
> >> When an unchanged Apache 2.2.8 is run from the command line (vs. run as
> >> a
> >> Windows Service), Apache will not stop when the Apache window is closed.
> >>
>
> > Do you have a pointer to the PR handy?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=43534
The comment in this resolved/fixed bug should probably be turned into
a PR of its own. Not likely anyone is revisiting this issue the way
it stands now.
--
Eric Covener
covener@gmail.com
Re: Win32 httpd console doesnt accept CTRL-C anymore
Posted by Guenter Knauf <fu...@apache.org>.
Hi Eric,
> On Sat, Mar 29, 2008 at 5:15 PM, Steffen <in...@apachelounge.com> wrote:
>> When an unchanged Apache 2.2.8 is run from the command line (vs. run as
>> a
>> Windows Service), Apache will not stop when the Apache window is closed.
>>
> Do you have a pointer to the PR handy?
https://issues.apache.org/bugzilla/show_bug.cgi?id=43534
Guenter.
Re: Win32 httpd console doesnt accept CTRL-C anymore
Posted by Guenter Knauf <fu...@apache.org>.
Hi,
> http://www.mail-archive.com/dev@httpd.apache.org/msg39402.html
thanks.
> was the post you were looking for (no need for a mailserver with so many
> searchable archives ;-)
yeah, but I lacked of an idea for what I should search.....
ok, right - the prob is only when I just double-click httpd.exe; when launched from DOS box then it works.
But this isn't really intuitive since we have a feather icon on httpd.exe + it worked all time before this way, so the users get confused about that new behaviour.
What about making a real windows app, and open an own GUI output console with a stop button when not started as service? Isn't that possible?
Just take this now as a question only since I'm not that familiar yet with the Win32 magic inside Apache 2.x...
Guenter.
Re: Win32 httpd console doesnt accept CTRL-C anymore
Posted by Eric Covener <co...@gmail.com>.
On Sat, Mar 29, 2008 at 5:15 PM, Steffen <in...@apachelounge.com> wrote:
> When an unchanged Apache 2.2.8 is run from the command line (vs. run as a
> Windows Service), Apache will not stop when the Apache window is closed.
>
Do you have a pointer to the PR handy?
--
Eric Covener
covener@gmail.com
Re: Win32 httpd console doesnt accept CTRL-C anymore
Posted by Steffen <in...@apachelounge.com>.
See the notes at http://www.apachelounge.com/forum/viewtopic.php?p=9870 :
When an unchanged Apache 2.2.8 is run from the command line (vs. run as a
Windows Service), Apache will not stop when the Apache window is closed.
It is fixed in the 2.2.8 download from the Apache Lounge.
Steffen
----- Original Message -----
From: "Guenter Knauf" <fu...@apache.org>
To: <de...@httpd.apache.org>
Sent: Saturday, 29 March, 2008 22:06
Subject: Win32 httpd console doesnt accept CTRL-C anymore
> Hi,
> I know we discussed in the past a lot about the Win32 console behaviour,
> but I cant currently find the related posts due to a mailserver prob these
> days;
> can someone please tell me if this is now intended behaviour with 2.2.8
> that
> I cant any longer stop an Apache2 console with CTRL-C ? Up to 2.2.6 this
> worked
> fine...
>
> Guenter.
>
>
>
Re: Win32 httpd console doesnt accept CTRL-C anymore
Posted by Eric Covener <co...@gmail.com>.
On Sat, Mar 29, 2008 at 6:52 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:
>
> Guenter Knauf wrote:
> > Hi,
> > I know we discussed in the past a lot about the Win32 console behaviour,
> > but I cant currently find the related posts due to a mailserver prob these days;
> > can someone please tell me if this is now intended behaviour with 2.2.8 that
> > I cant any longer stop an Apache2 console with CTRL-C ? Up to 2.2.6 this worked
> > fine...
>
> When started in a console, you can. But not using 'start' "detached"
> since then you aren't actually running in a console (duh).
Thanks, the additional commentary helped. The previous writeup had me
scratching my head, as I've used a 2.2.8-based httpd and interrupted
it in the console as normal.
--
Eric Covener
covener@gmail.com
Re: Win32 httpd console doesnt accept CTRL-C anymore
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guenter Knauf wrote:
> Hi,
> I know we discussed in the past a lot about the Win32 console behaviour,
> but I cant currently find the related posts due to a mailserver prob these days;
> can someone please tell me if this is now intended behaviour with 2.2.8 that
> I cant any longer stop an Apache2 console with CTRL-C ? Up to 2.2.6 this worked
> fine...
When started in a console, you can. But not using 'start' "detached"
since then you aren't actually running in a console (duh).
http://www.mail-archive.com/dev@httpd.apache.org/msg39402.html
was the post you were looking for (no need for a mailserver with so many
searchable archives ;-)
Bill
Win32 httpd console doesnt accept CTRL-C anymore
Posted by Guenter Knauf <fu...@apache.org>.
Hi,
I know we discussed in the past a lot about the Win32 console behaviour,
but I cant currently find the related posts due to a mailserver prob these days;
can someone please tell me if this is now intended behaviour with 2.2.8 that
I cant any longer stop an Apache2 console with CTRL-C ? Up to 2.2.6 this worked
fine...
Guenter.
Re: apxs on Win32?
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guenter Knauf wrote:
> if the one we have in ./support works already with 3rd-party modules (other than mod_perl) on Win32 then we can just use that; otherwise I'm +1 to add yours.
It does not, its crafted from libtool-junk last time I looked, and
requires apr similarly provisioned (apr-config script et al).
Better that we recraft Randy's work into an apr bit, and apu bit (and
submit those over to apr), and either "fix" the libtool-specific crap
in apxs.in, or use Randy's httpd bits as well.
Bill
Re: apxs on Win32?
Posted by Guenter Knauf <fu...@apache.org>.
Hi Randy,
> There's a perl script that emulates apxs on Win32 available
> in apxs_win32.tar.gz at
> http://perl.apache.org/dist/win32-bin/
perfect answer since the one who asked me did that for mod_perl!
> Right now this is installed assuming an already-installed
> Apache; if there's interest, I could look at incorporating
> this into the build of Apache itself.
lets see what Bill says - if the one we have in ./support works already with 3rd-party modules (other than mod_perl) on Win32 then we can just use that; otherwise I'm +1 to add yours.
thanks, Guenter.
Re: apxs on Win32?
Posted by Issac Goldstand <ma...@beamartyr.net>.
Randy Kobes wrote:
> On Thu, 21 Feb 2008, Guenter Knauf wrote:
>
>> Hi (Bill?),
>> another dev just asked me privately about apxs for Win32....
>> does this meanwhile work on Win32?
>> And if so can we perhaps ship it with future distros?
>> I think that would make sense since the include and lib dir is already
>> included....
>>
>> Guenter.
>
> There's a perl script that emulates apxs on Win32 available
> in apxs_win32.tar.gz at
> http://perl.apache.org/dist/win32-bin/
> Right now this is installed assuming an already-installed
> Apache; if there's interest, I could look at incorporating
> this into the build of Apache itself.
>
+1
Re: apxs on Win32?
Posted by Randy Kobes <ra...@theoryx5.uwinnipeg.ca>.
On Thu, 21 Feb 2008, Guenter Knauf wrote:
> Hi (Bill?),
> another dev just asked me privately about apxs for Win32....
> does this meanwhile work on Win32?
> And if so can we perhaps ship it with future distros?
> I think that would make sense since the include and lib dir is already included....
>
> Guenter.
There's a perl script that emulates apxs on Win32 available
in apxs_win32.tar.gz at
http://perl.apache.org/dist/win32-bin/
Right now this is installed assuming an already-installed
Apache; if there's interest, I could look at incorporating
this into the build of Apache itself.
--
best regards,
Randy Kobes
Re: apxs on Win32?
Posted by Randy Kobes <ra...@theoryx5.uwinnipeg.ca>.
On Thu, 21 Feb 2008, William A. Rowe, Jr. wrote:
> Guenter Knauf wrote:
>> Hi (Bill?),
>> another dev just asked me privately about apxs for Win32....
>> does this meanwhile work on Win32?
>> And if so can we perhaps ship it with future distros?
>> I think that would make sense since the include and lib dir is already
>> included....
>
> Dunno if Randy's package has been updated for trunk, 2.2 etc, but
> it's been mentioned several times that this should be incorporated
> back into httpd. (It was dropped with 2.0, after I solved it for 1.3,
> given the additional complexity behind the autocrap/libfool stuff we
> introduced into httpd 2.0).
>
> So maybe it's time to get cracking ;-)
>
> Bill
The apxs win32 package does work for 2.2. I'm not sure the
best way to incorporate this into the httpd build; as a
first step, I've placed at
http://people.apache.org/~randyk/
an install_win32_apxs.zip which can be used as
nmake -f install_win32_apxs.mak INSTDIR=C:\Path\to\Apache2.x
to install apxs, apr-config, and apu-config. This assumes
a point in the installation when Apache has been installed
(eg, towards the end of httpd's Makefile.win). Compared to
the apxs utility at
http://perl.apache.org/dist/win32-bin/
this version is more minimalistic (no user prompts, etc.);
the modules used are included with modern versions of
Perl.
One thing it does assume is that Perl is in the PATH; I'm
not sure how to check for this in the Makefile.
--
best regards,
Randy
Re: apxs on Win32?
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guenter Knauf wrote:
> Hi (Bill?),
> another dev just asked me privately about apxs for Win32....
> does this meanwhile work on Win32?
> And if so can we perhaps ship it with future distros?
> I think that would make sense since the include and lib dir is already included....
Dunno if Randy's package has been updated for trunk, 2.2 etc, but
it's been mentioned several times that this should be incorporated
back into httpd. (It was dropped with 2.0, after I solved it for 1.3,
given the additional complexity behind the autocrap/libfool stuff we
introduced into httpd 2.0).
So maybe it's time to get cracking ;-)
Bill
apxs on Win32?
Posted by Guenter Knauf <fu...@apache.org>.
Hi (Bill?),
another dev just asked me privately about apxs for Win32....
does this meanwhile work on Win32?
And if so can we perhaps ship it with future distros?
I think that would make sense since the include and lib dir is already included....
Guenter.
Re: SNI test case
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On Feb 11, 2008, at 9:05 PM, Ruediger Pluem wrote:
>
>
> On 02/11/2008 06:11 PM, Mads Toftum wrote:
>> On Mon, Feb 11, 2008 at 04:35:03PM +0100, Dirk-Willem van Gulik
>> wrote:
>>> Does any one (but me :) feel a need to have something like below
>>> living in test/* -- over the past couple
>>> of days I found it very useful to get folks with embryonic SNI
>>> installations going.
>>>
>> Very useful. Might also make sense in a "perlified" version as part
>> of
>> the test code.
>
> +1
Ok - I'll clean it up a bit and add it. Feel free to perlify it and/or
move it to a more proper place.
Dw.
Re: SNI test case
Posted by Ruediger Pluem <rp...@apache.org>.
On 02/11/2008 06:11 PM, Mads Toftum wrote:
> On Mon, Feb 11, 2008 at 04:35:03PM +0100, Dirk-Willem van Gulik wrote:
>> Does any one (but me :) feel a need to have something like below living in
>> test/* -- over the past couple
>> of days I found it very useful to get folks with embryonic SNI
>> installations going.
>>
> Very useful. Might also make sense in a "perlified" version as part of
> the test code.
+1
Regards
Rüdiger
Re: SNI test case
Posted by Dan Poirier <po...@pobox.com>.
Guenter Knauf <fu...@apache.org> writes:
>> Very useful. Might also make sense in a "perlified" version as part of
>> the test code.
> here's a first "perlified" version; not finished yet;
> needs some cleanup, and not checked yet the results;
> but before someone else starts on it and doubles work I thought I post what I have so far...
> http://svwe10.itex.at/downloads/httpd-sni/make_sni.pl
Has this ever made it into subversion? I looked in test but
didn't see it.
--
Dan Poirier <po...@pobox.com>
Re: SNI test case
Posted by Guenter Knauf <fu...@apache.org>.
Hi,
> Very useful. Might also make sense in a "perlified" version as part of
> the test code.
here's a first "perlified" version; not finished yet;
needs some cleanup, and not checked yet the results;
but before someone else starts on it and doubles work I thought I post what I have so far...
http://svwe10.itex.at/downloads/httpd-sni/make_sni.pl
Guenter.
Re: SNI test case
Posted by Mads Toftum <ma...@toftum.dk>.
On Mon, Feb 11, 2008 at 04:35:03PM +0100, Dirk-Willem van Gulik wrote:
> Does any one (but me :) feel a need to have something like below living in
> test/* -- over the past couple
> of days I found it very useful to get folks with embryonic SNI
> installations going.
>
Very useful. Might also make sense in a "perlified" version as part of
the test code.
vh
Mads Toftum
--
http://soulfood.dk