Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/05/21 14:20:51 UTC

[Bug 54998] New: Apache 2.4 terminates all SSL connections using an abortive shutdown

https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

            Bug ID: 54998
           Summary: Apache 2.4 terminates all SSL connections using an
                    abortive shutdown
           Product: Apache httpd-2
           Version: 2.4.4
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: mik4@gmx.ch
    Classification: Unclassified

Apache 2.4.4 always terminates SSL connections using an abortive/unclean
shutdown instead of a standard/clean shutdown. This is probably a bug that has
been introduced in Apache 2.4.x, because it works using Apache 2.2.x.

This can be seen in Wireshark, but it can also be tested using the "openssl
s_client" utility. Please refer to the attached file for more information.

I have tested this with the Apache versions 2.4.4 and 2.2.24 (with OpenSSL
version 1.0.1e). Both Apache versions log that they will terminate the SSL
connection using a standard shutdown. Apache 2.2.24 performs a standard
shutdown, but Apache 2.4.4 performs an unclean shutdown.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
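
The difference the report describes seeing in Wireshark can be checked on the server-to-client byte stream: in TLS 1.2 and earlier, a clean shutdown ends with an alert record (content type 21, the closure alert), while an abortive one ends with the TCP close directly after application data. The Python below is an added example, not part of the bug report or of httpd; the sample streams are constructed placeholders, and the check does not apply to TLS 1.3, where alerts travel in records with outer type 23.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(stream: bytes):
    """Split a server-to-client TLS byte stream into (type, length) records.

    Returns (records, leftover); leftover is the number of trailing bytes
    that do not form a complete record (a record cut off by the TCP close).
    """
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"offset {pos}: unknown content type {ctype}")
        if pos + 5 + length > len(stream):
            break  # header promises more bytes than were received
        records.append((CONTENT_TYPES[ctype], length))
        pos += 5 + length
    return records, len(stream) - pos


def classify_shutdown(stream: bytes) -> str:
    """Classify how the server ended the connection, from its bytes alone."""
    records, leftover = parse_records(stream)
    if leftover:
        return "abortive: stream ends inside a record"
    # After the handshake the alert body is encrypted, so close_notify cannot
    # be told apart from another alert here; only its presence is checked.
    if records and records[-1][0] == "alert":
        return "clean: final record is an alert"
    return "abortive: no alert before TCP close"


def record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.2 record (version bytes 3,3) around a payload."""
    return struct.pack("!BBBH", ctype, 3, 3, len(payload)) + payload


# Constructed sample streams: payloads are placeholders, not real ciphertext.
HANDSHAKE = record(22, b"\x00" * 80) + record(20, b"\x01") + record(22, b"\x00" * 40)
RESPONSE = record(23, b"\x00" * 300)
CLEAN = HANDSHAKE + RESPONSE + record(21, b"\x00" * 26)  # alert sent last
ABORTIVE = HANDSHAKE + RESPONSE                          # close right after data

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("abortive", ABORTIVE),
                       ("truncated", CLEAN[:-3])):
        print(f"{name:10s} -> {classify_shutdown(data)}")
```

To run it on real traffic, feed it the server-side bytes of one reassembled TCP stream, for example as exported from Wireshark's "Follow TCP Stream" in raw form.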


[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #8 from Michael Kaufmann <mi...@gmx.ch> ---
With your patch:
- it works using the worker MPM
- but it does not work using the event MPM.

Without your patch, it does not work (the MPM does not matter).

So I think that the patch is OK and should be applied to trunk. But I also
think that another patch for the event MPM is needed.

I have tested like this:

(echo -e -n "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"; sleep 100) |
gnutls-cli --insecure -p 443 127.0.0.1



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #6 from nada <ap...@valgronda.com> ---
With HTTP/1.1 keep-alive is the expected default behavior, hence you don't have
to specify a "Connection: keep-alive" header.

http://tools.ietf.org/html/rfc2616#section-8.1.2



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #12 from Yann Ylavic <yl...@gmail.com> ---
(In reply to Mike Rumph from comment #11)
> In the following excerpt from the patch to server/connection.c, 
> what is the point in casting the result of the ap_shutdown_conn function to
> void?

I usually do this to signify/remind (at least myself) somehow that a result is
lost. It serves no other interest here.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #3 from Tim Kosse <ti...@filezilla-project.org> ---
Created attachment 31593
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31593&action=edit
Proposed patch that fixes this bug.

I figured out what seems to be the problem: The closure alert is being
generated, but is stuck in some buffers without ever making it to the wire, let
alone the peer. Flushing the output BIO seems to solve the problem.

The attached patch fixes the bug for me. The patch has been created against the
2.4.x branch.

Current trunk (rev 1592635) is also affected by this bug. I've tested that this
patch also applies to trunk and fixes the problem there.



As testcase I used the following command:
(echo -e "GET / HTTP/1.0\n\n"; sleep 1) | gnutls-cli --insecure -p 443 127.0.0.1 --crlf

If the bug occurs, gnutls-cli will at the end display a fatal error:
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

Tim Kosse <ti...@filezilla-project.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #31697|0                           |1
        is obsolete|                            |

--- Comment #17 from Tim Kosse <ti...@filezilla-project.org> ---
Created attachment 31718
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31718&action=edit
Proposed 2.4.x backport with additional fix for compile error

Unfortunately the latest patch did not compile, as ssl->wbio is not directly
accessible, as the type of ssl is incomplete.
I've updated the patch to instead use SSH_get_wbio(ssl)

With the compile error fixed, the patched version works fine for me.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #10 from Yann Ylavic <yl...@gmail.com> ---
Created attachment 31650
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31650&action=edit
Shutdown connection with EOC when keepalive expires

Michael, can you try with the attached patch, on top of Tim's?



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #16 from Yann Ylavic <yl...@gmail.com> ---
Created attachment 31697
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31697&action=edit
Send and flush the SSL close notify (proposed 2.4.x backport)

Please note that r1601184 is a slightly different version than Tim's patch.
The flush is done by SSL_smart_shutdown() instead of ssl_filter_io_shutdown()
so to flush the close notify before waiting for the client's one should
"ssl-accurate-shutdown" be set.

I did some testing but obviously the more testers the better.
Attached is the proposed backport (modulo CHANGES/MMN).



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #9 from Tim Kosse <ti...@filezilla-project.org> ---
For me it works with the event MPM. httpd -V shows that the Server MPM is
event.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #7 from Tim Kosse <ti...@filezilla-project.org> ---
Thanks nada, my mistake.

I've just tried my patch with keep-alive enabled and could not spot anything
unusual, the client did receive the closure alert after expiration of the
keep-alive interval.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

nada <ap...@valgronda.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |apache_bugzilla@valgronda.c
                   |                            |om



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #15 from Yann Ylavic <yl...@gmail.com> ---
Committed in r1601184 and r1601185.
I will propose 2.4.x backport once reviewed.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #13 from Yann Ylavic <yl...@gmail.com> ---
(In reply to Yann Ylavic from comment #12)
> I usually do this to signify/remind (at least myself) somehow that a result
> is lost. It serves no other interest here.

More exactly it means I chose to lose the result on purpose (in this particular
situation, I had no -ABI compatible- choice).

I use casts to force things (when needed), and make implicit ones explicit only
when to notify an intended (but still noteworthy) behaviour: truncation,
expansion, lost result, could do better but works...

Whether that one is noteworthy is disputable though, probably more for the
review than the commit (if any).
As soon as things become more serious, I usually add a comment ;)



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #14 from Michael Kaufmann <mi...@gmx.ch> ---
With both patches together, it works :-) Thank you very much, Tim & Yann!

Would it be possible to include these patches in a future version of Apache 2.4?



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #5 from Tim Kosse <ti...@filezilla-project.org> ---
Strange, you're not even requesting keep-alive using the Connection: keep-alive
request header.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

Tim Kosse <ti...@filezilla-project.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #19 from Yann Ylavic <yl...@gmail.com> ---
(In reply to Tim Kosse from comment #17)
> Unfortunately the latest patch did not compile, as ssl->wbio is not directly
> accessible, as the type of ssl is incomplete.
> I've updated the patch to instead use SSH_get_wbio(ssl)

Yes, fixed by r1601274 but I forgot to update this PR, sorry for that.

> 
> With the compile error fixed, the patched version works fine for me.

Thanks for testing anyway, the 2.4.x backport is proposed in r1601697, waiting
for votes. I'll update here if/when done.



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #1 from mik4@gmx.ch ---
Created attachment 30305
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=30305&action=edit
Additional information about this issue



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #11 from Mike Rumph <mi...@oracle.com> ---
Hello Yann,

I have a question on your patch "Shutdown connection ...":

In the following excerpt from the patch to server/connection.c, 
what is the point in casting the result of the ap_shutdown_conn function to
void?


    AP_CORE_DECLARE(void) ap_flush_conn(conn_rec *c)
    {
        (void)ap_shutdown_conn(c, 1);
    }


I can see that it doesn't hurt anything.
But does it serve some purpose?

Thanks,

Mike Rumph



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #4 from Michael Kaufmann <mi...@gmx.ch> ---
Thank you for the patch, but unfortunately it does not work for HTTP 1.1
connections with keep-alive. To test this, send a HTTP 1.1 request and then
wait until Apache closes the connection:

(echo -e "GET / HTTP/1.1\nHost: localhost\n\n"; sleep 100) | gnutls-cli --insecure -p 443 127.0.0.1 --crlf



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

Tim Kosse <ti...@filezilla-project.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tim.kosse@filezilla-project
                   |                            |.org



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #18 from Tim Kosse <ti...@filezilla-project.org> ---
> SSH_get_wbio(ssl)
Oops, typo. Of course the patch uses SSL_get_wbio(ssl)



[Bug 54998] Apache 2.4 terminates all SSL connections using an abortive shutdown

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54998

--- Comment #2 from Tim Kosse <ti...@filezilla-project.org> ---
I confirm that this bug exists in Apache 2.4.9 as shipped in Debian Jessie as
of today.

The workaround for me is to use mod_gnutls, it does not suffer from this
problem.
