Re: Apache::ASP, SSL problems ... must be LWP ...

["Demetrios C. Christopher" <dc...@darwinmail.net>]

Hey guys, thanks for nothing ... this is the second reply
to my own email :(

Anyway, I contacted the site with which we were having problems
and they went through their logs only to discover that the only
difference between LWP https calls that were successful and those
that failed was the return code!!!

When I ran the local web script (that contacted the remote https
web server) under https then the request would come back 403.5.
When I ran it under http then it would come back 200.  It appears,
although LWP knows it's doing a https call and it successfully
connects, the SSL cipher it used was not 128-bit or was corrupted.
Now think, why would the mode of the server on which the process
is running bear an effect on the outcome of the connection miles
away?  I'm guessing there's a conflict of interest ... Stronghold
is tapping the SSL library (I can find out which one if people are
interested in helping, ah-hem) and when LWP is trying to form a
128-bit cipher it's getting some junk or errors.  Go figure.

Ok guys, I did most of the investigation work, anyone out there
who has seen this before?  Is Joshua out sick or something ;)

Thanks,
Demetrios

My original message follows, useful now that I also cross-posted
to libwww.  Please note that my problem described above has
temporarily subsided after installing Apache::ASP 2.09 (from 2.03).
Given though that the problem appeared all of the sudden without
any "cause", I am not so sure this is going to fly either.  Perhaps
resetting the server cleared some junk.


Hello all,
I am running A::A 2.03 on a Solaris 2.6 box with Stronghold 2.4.2, whatever.
The truth is I doubt the rest matters ... I am running a pretty cool web app
where fields are collected, validated and then appropriate action is taken,
one of which is to make an HTTP call (LWP) to a third-party site and
exchange
some info, register, blah-blah-blah.

To the point: when I use http for everything, the session variables work
fine
and everything works perfectly, as it's coded to do.  The moment I try to
take everything under https (since some of the information is personal and
of
financial nature) things work intermittently.  I have it down to a script of
what things you can do and what you cannot.  There is no logic behind having
to enter everything the first time around (the script is self-posting,
self-validating) in order to get the proper outcome.  At some point I
started
to dump the Session variables to see what's in them and found data from
_OTHER_ sessions!  Argh!  No, this has nothing to do with perl's closure
issue ... all functions come from .pm's and there is no problem with
function
calls.

I am at wits end ... I just went through all this in the last couple of days
and just bothered to check for a newer version of Apache::ASP.  I will try
to
upgrade soon to see if that does anything but I was hoping someone might
have seen this problem before where SSL session information did not work
as well as it should.

Did I mention this?: under https, calls to some remote server would
intermit.
fail and give back a 403 - Access Forbidden ... what the heck?  This
function
merely took data from the session and passed it as parameters ... what sort
of influence would which port the server was running on have on the HTTP
req.
being made and/or on the remote server's ability to process the
request?!?!?!

Oh well, hope someone out there can help out.  Thanks in advance.

Demetrios

Re: Apache::ASP, SSL problems ... must be LWP ...

[Joshua Chamas <jo...@chamas.com>]

"Demetrios C. Christopher" wrote:
> 
> Hey guys, thanks for nothing ... this is the second reply
> to my own email :(
> 
> Anyway, I contacted the site with which we were having problems
> and they went through their logs only to discover that the only
> difference between LWP https calls that were successful and those
> that failed was the return code!!!
> 

Give me your URL that you are contacting, I'll see how it works
with my LWP.  You might try upgrading the Crypt::SSLeay https LWP 
library to the latest should you have an old one.  The latest 
Crypt::SSLeay supports SSLv3 and all that.

> Now think, why would the mode of the server on which the process
> is running bear an effect on the outcome of the connection miles
> away?  I'm guessing there's a conflict of interest ... Stronghold
> is tapping the SSL library (I can find out which one if people are
> interested in helping, ah-hem) and when LWP is trying to form a
> 128-bit cipher it's getting some junk or errors.  Go figure.
> 

I feel that this problem might be that the stronghold server was
insisting on its 128 bit SSLv3, and LWP might have been going 
for a SSLv2 or SSLv23 with 56bit, thus a funky 403. error, but
only time will tell!  It seems to clean an error to be some king
of corruption.

> Ok guys, I did most of the investigation work, anyone out there
> who has seen this before?  Is Joshua out sick or something ;)
> 

Like Ged said...

--Josh

_________________________________________________________________
Joshua Chamas			        Chamas Enterprises Inc.
NodeWorks >> free web link monitoring	Huntington Beach, CA  USA 
http://www.nodeworks.com                1-714-625-4051

Re: Apache::ASP, SSL problems ... must be LWP ...

["G.W. Haywood" <ge...@www.jubileegroup.co.uk>]

Hi Demetrios C.,

On Fri, 16 Feb 2001, Demetrios C. Christopher wrote:

> Is Joshua out sick or something ;)
 
No, but I happen to know that he's very, very busy...

73,
Ged.