Posted to dev@httpd.apache.org by Greg Ames <gr...@remulak.net> on 2005/06/27 16:49:26 UTC

event MPM works with mod_ssl

my biggest hurdle in getting the event MPM to work with mod_ssl was learning how 
to create a self-signed server cert with openssl. 
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ownca is very good but refers 
to a sign.sh script that I couldn't find in httpd-2.x.  I assume sign.sh was 
part of the 1.3 mod_ssl distro when it was separate from httpd.

once I got past that, it just worked.  my tests were fairly simple.  I had 
pipelining enabled in mozilla and also created a script that did HTTP/1.1 
pipelining.  if anyone can think of other scenarios I should test with mod_ssl 
please let me know.

here is a server-status: 
http://people.apache.org/~gregames/server-status.event-ssl.html

we do have PR 34040 open which says event is broken on Solaris 10.  does anyone 
have a Solaris 10 box where I can get an ID for testing?

Greg


event MPM flaky with mod_ssl

Posted by Greg Ames <gr...@remulak.net>.
Paul Querna wrote:

>>once I got past that, it just worked.  my tests were fairly simple.  I
>>had pipelining enabled in mozilla and also created a script that did
>>HTTP/1.1 pipelining.  if anyone can think of other scenarios I should
>>test with mod_ssl please let me know.
>>
> 
> 
> Yes... I believe it will 'mostly' work, but the issue becomes tricky
> once you consider the SSL protocol.  The problem is we might have an
> entire pipe-lined request buffered inside the SSL Packets, and
> therefore, never trigger the socket to come out of the poll().  For
> simple test cases, it might work, but I am pretty sure a malicious
> attack would be easy to create.

yeah I see it.  there is no support for MODE_EATCRLF in mod_ssl so 
check_pipeline_flush is making bad decisions.  with the other mpms it means some 
network flows are suboptimal, but it's worse with event as you pointed out.

Greg


Re: event MPM works with mod_ssl

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 11:44 AM 6/27/2005, Greg Ames wrote:
>Paul Querna wrote:
>
>>Yes... I believe it will 'mostly' work, but the issue becomes tricky
>>once you consider the SSL protocol.  The problem is we might have an
>>entire pipe-lined request buffered inside the SSL Packets, and
>>therefore, never trigger the socket to come out of the poll().  For
>>simple test cases, it might work, but I am pretty sure a malicious
>>attack would be easy to create.
>
>hmmm...I assume the poll() on the listening socket works ok or worker would be busted too.  then as long as we call the input filters to read the request without poll()ing first to see if the new SSL socket is readable, we should be ok.  if we completely drain the input filters, we should be reading from the SSL input filters at the same time, so then it should be safe to poll().  or have I missed something?

Anyone trying to read from the input brigade better invoke a request
non-blocking first, so that any filter down the chain gets a chance
to answer.  If it's would-block, then perhaps you can poll(), but
that's still pretty dicey.

I solved this with my bucket_poll suggestion a couple years ago, but
it never did gain much traction.

In fact, I think poll buckets are required before we can move a lot
further with the event-style mpm.  Although you ***MIGHT*** be
blocking on the socket (usually you are), there's another possibility
that you are blocking on read from something else in an input filter.
The poll meta-bucket was meant to be stackable, so that multiple poll
events could percolate up.  That way, external_filter sources, etc
could all be added to the poll() event.  Each filter could keep/drop
the previous filters' poll bucket list, depending on if the filter
believes there could be side-effects from more data above it.

E.g. if the Z filter knows it has enough buffered to be called again,
it would drop the poll bucket.  When called again, it might finally
percolate the poll bucket when it knows it can't return any more data
without more input.

Bill



Re: event MPM works with mod_ssl

Posted by Greg Ames <gr...@remulak.net>.
Paul Querna wrote:

> Yes... I believe it will 'mostly' work, but the issue becomes tricky
> once you consider the SSL protocol.  The problem is we might have an
> entire pipe-lined request buffered inside the SSL Packets, and
> therefore, never trigger the socket to come out of the poll().  For
> simple test cases, it might work, but I am pretty sure a malicious
> attack would be easy to create.

hmmm...I assume the poll() on the listening socket works ok or worker would be 
busted too.  then as long as we call the input filters to read the request 
without poll()ing first to see if the new SSL socket is readable, we should be 
ok.  if we completely drain the input filters, we should be reading from the SSL 
input filters at the same time, so then it should be safe to poll().  or have I 
missed something?

>>we do have PR 34040 open which says event is broken on Solaris 10.  does
>>anyone have a Solaris 10 box where I can get an ID for testing?
> 
> 
> The ASF has Helios, a quad opteron running solaris 10.  httpd has
> requested a Zone on there, but one has not been created yet...

could you let me/us know when this is set up?  I unsubscribed from 
infrastructure@ due to the high volume of "my id is broken" posts.

thanks,
Greg


Re: event MPM works with mod_ssl

Posted by Mads Toftum <ma...@toftum.dk>.
On Mon, Jun 27, 2005 at 08:05:27AM -0700, Paul Querna wrote:
> The ASF has Helios, a quad opteron running solaris 10.  httpd has
> requested a Zone on there, but one has not been created yet...
> 
Unless I hear any complaints, I'll create a zone later today or
tomorrow. 

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall


Re: event MPM works with mod_ssl

Posted by Paul Querna <ch...@force-elite.com>.
Greg Ames wrote:
> my biggest hurdle in getting the event MPM to work with mod_ssl was
> learning how to create a self-signed server cert with openssl.
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ownca is very good but
> refers to a sign.sh script that I couldn't find in httpd-2.x.  I assume
> sign.sh was part of the 1.3 mod_ssl distro when it was separate from httpd.
> 
> once I got past that, it just worked.  my tests were fairly simple.  I
> had pipelining enabled in mozilla and also created a script that did
> HTTP/1.1 pipelining.  if anyone can think of other scenarios I should
> test with mod_ssl please let me know.
> 

Yes... I believe it will 'mostly' work, but the issue becomes tricky
once you consider the SSL protocol.  The problem is we might have an
entire pipe-lined request buffered inside the SSL Packets, and
therefore, never trigger the socket to come out of the poll().  For
simple test cases, it might work, but I am pretty sure a malicious
attack would be easy to create.

> here is a server-status:
> http://people.apache.org/~gregames/server-status.event-ssl.html
> 
> we do have PR 34040 open which says event is broken on Solaris 10.  does
> anyone have a Solaris 10 box where I can get an ID for testing?

The ASF has Helios, a quad opteron running solaris 10.  httpd has
requested a Zone on there, but one has not been created yet...


-paul
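Paul's concern above (a complete pipelined request can sit decrypted inside the SSL layer where a poll() on the raw socket never sees it) and Greg's proposed answer (drain the input filters before polling) can be shown with a small simulation. What follows is an added example, not code from httpd, mod_ssl or OpenSSL: it uses a constructed length-prefixed record layer standing in for SSL_read()/SSL_pending(), a constructed client that packs two pipelined requests into one record, and an event-style loop run once without and once with the pending check. Names such as ToyRecordLayer, serve and demo are the example's own.

```python
import select
import socket
import struct

# NOTE: this is a constructed stand-in for a TLS record layer, added for
# illustration; it is not httpd or OpenSSL code.  It omits encryption and
# keeps only the property that matters here: a whole record is pulled off
# the socket at once, and the caller is handed bytes from a private buffer.


def recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def send_record(sock, payload):
    """Frame payload as one length-prefixed record (constructed format)."""
    sock.sendall(struct.pack("!H", len(payload)) + payload)


class ToyRecordLayer:
    """Models SSL_read()/SSL_pending() on top of a plain socket."""

    def __init__(self, sock):
        self.sock = sock
        self.plaintext = b""  # decoded bytes not yet handed to the caller

    def pending(self):
        """Like SSL_pending(): buffered plaintext that poll() cannot see."""
        return len(self.plaintext)

    def read(self, n):
        """Like SSL_read(): hand back up to n bytes, pulling a whole record
        from the socket only when the private buffer is empty."""
        if not self.plaintext:
            hdr = recv_exact(self.sock, 2)
            if len(hdr) < 2:
                return b""  # peer closed
            (length,) = struct.unpack("!H", hdr)
            self.plaintext = recv_exact(self.sock, length)
        out, self.plaintext = self.plaintext[:n], self.plaintext[n:]
        return out


def read_request(layer):
    """Read one request (up to the blank line) and return its request line."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        chunk = layer.read(1)
        if not chunk:
            return None  # connection closed mid-request
        buf += chunk
    return buf.split(b"\r\n", 1)[0].decode("ascii")


def serve(conn, check_pending, idle_timeout=0.2):
    """Serve pipelined requests on conn the way an event-style loop would:
    park the connection in poll() between requests.  With check_pending=False
    the loop polls the raw socket even when the record layer already holds
    the next request, which is exactly the stall discussed in the thread."""
    layer = ToyRecordLayer(conn)
    handled = []
    while True:
        if not (check_pending and layer.pending()):
            readable, _, _ = select.select([conn], [], [], idle_timeout)
            if not readable:
                # Poller saw nothing: the connection would now sit idle.
                return {"handled": handled, "leftover": layer.pending()}
        line = read_request(layer)
        if line is None:
            return {"handled": handled, "leftover": layer.pending()}
        handled.append(line)


def demo(check_pending):
    """Constructed client: two pipelined requests packed into ONE record,
    then it keeps the connection open waiting for both responses."""
    server_side, client_side = socket.socketpair()
    try:
        send_record(client_side, b"GET /one HTTP/1.1\r\nHost: test\r\n\r\n"
                                 b"GET /two HTTP/1.1\r\nHost: test\r\n\r\n")
        return serve(server_side, check_pending)
    finally:
        client_side.close()
        server_side.close()


if __name__ == "__main__":
    print("poll() only:        ", demo(check_pending=False))
    print("SSL_pending() first:", demo(check_pending=True))
```

Run directly, the first line shows one request handled with the second request stranded in the record buffer: the connection stays parked in the poller while the client waits for a response that never comes, holding the connection slot until the keepalive timeout. The second line shows both requests served. In httpd terms the pending check corresponds to asking the SSL input filter for buffered data (the non-blocking read Bill describes above) before handing the socket back to the event loop; SSL_pending() is the OpenSSL call that exposes the same information.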


Re: event MPM works with mod_ssl

Posted by Greg Ames <gr...@remulak.net>.
Joe Orton wrote:

> You can create a self-signed cert for mod_ssl testing with just one 
> command: "openssl req -x509 -nodes -new -out foo.cert -keyout foo.key" 
> the docs are a bit too helpful there really.

thanks Joe! this looks like a time saver.

Greg


Re: event MPM works with mod_ssl

Posted by Joe Orton <jo...@redhat.com>.
On Mon, Jun 27, 2005 at 10:49:26AM -0400, Greg Ames wrote:
> my biggest hurdle in getting the event MPM to work with mod_ssl was 
> learning how to create a self-signed server cert with openssl. 
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ownca is very good but 
> refers to a sign.sh script that I couldn't find in httpd-2.x.  I assume 
> sign.sh was part of the 1.3 mod_ssl distro when it was separate from httpd.

You can create a self-signed cert for mod_ssl testing with just one 
command: "openssl req -x509 -nodes -new -out foo.cert -keyout foo.key" 
the docs are a bit too helpful there really.

joe

Re: event MPM works with mod_ssl

Posted by Cliff Woolley <jw...@virginia.edu>.
On Mon, 27 Jun 2005, Greg Ames wrote:

> my biggest hurdle in getting the event MPM to work with mod_ssl was learning how
> to create a self-signed server cert with openssl.
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ownca is very good but refers
> to a sign.sh script that I couldn't find in httpd-2.x.  I assume sign.sh was
> part of the 1.3 mod_ssl distro when it was separate from httpd.

That is correct.  It was removed intentionally (I think it was someone
trying to discourage self-signed certificates?) but the docs were never
updated to tell you how to do what it does, which is kind of a bummer.

Personally I always just do a google search for sign.sh and use the old
one anyway.

--Cliff