Upgrade 2.0.55 -> 2.0.59 hangs SSL server

[Henk Fictorie <he...@kpn.com>]

Hi,

We tried to upgrade our Apache server from 2.0.55 to 2.0.59. For HTTP
traffic this was successful. However for HTTPS the server would hang after a
couple of hours (serveral hundred thousands request). Our HTTP and HTTPS
servers are different unix processes.

Nothing is logged in the error logfiles, the server just stops to accept new
connections.
When I try to connect to the server with the openssl command, I get the
CONNECTED message, but the SSL handshake does not take place.

Environment: Sun V440 with Solaris 8. Webserver (2.0.55 and 2.0.59) compiled
with gcc 3.3. Both using openssl-0.9.8a. We use the worker MPM.

When looking at the Changelog for Apache the only notable mod_ssl fix is:
http://issues.apache.org/bugzilla/show_bug.cgi?id=34452
Correct issue where mod_ssl does not pick up the ssl-unclean-shutdown
setting when configured.

We have several cron jobs monitoring our server.
- every minute the /server-status is retrieved and logged
- every 5 minutes with the netstat command the number of connections on port
80/443 is logged.
- with prstat we log system usage

Nothing out of the ordinary is logged with these tools.

Changes from a 'stock' apache install:
- use mod_jk.1.2.15 for connecting to tomcat
- use mod_deflate
- use mod_rewrite
- use 3rd party module (Entrust/getAccess) for authenticating/authorisation

Differences between HTTP server and HTTPS server:
- mod_ssl (obvious)
- use 3rd party module (Entrust/getAccess) for authenticating/authorisation

I have attached our HTTPS config file. It has 3 virtual hosts. The second
one take 95% of the load.

Is anyone familiar with this problem? Does anyone sees an error in our
configuration file?

regards 

Henk Fictorie
http://www.nabble.com/user-files/235793/httpd.443.conf httpd.443.conf 
-- 
View this message in context: http://www.nabble.com/Upgrade-2.0.55--%3E-2.0.59-hangs-SSL-server-tf2178092.html#a6022543
Sent from the Apache HTTP Server - Dev forum at Nabble.com.

Re: upgrade apr(-util) 0.9.7 -> 0.9.12 hangs Apache 2.0.59 SSL server

[Henk Fictorie <he...@kpn.com>]

I just recompiled Apache 2.0.59, using the 0.9.7 apr(-util) which is the
version supplied with Apache 2.0.55.
This results in a working system. I can kill -9 an apache process and the
webserver will respond normally. The master process willl create a new
apache process.
I  conclude that somewhere in the changes towards apr(-util) 0.9.12 the
error is introlduced.
We will continue using apr(-util) 0.9.7

regards Henk Fictorie




Henk Fictorie wrote:
> 
> I did some more research on our test environment. We don't have that much
> traffic in there, but I was able to reproduce the problem with manual
> actions.
> 
> The culprit seems to be our setting
> 
> AcceptMutex pthread
> 
> With Apache 2.0.59:
> 
> If I kill -9 the listener process, no new listener process is created.
> This causes requests to hang, only a server restart will help.
> 
> If I disable the AcceptMutex setting (defaults to fcntl) and kill -9 the
> listener process, a new listener process is created. The webserver
> continues to function normally.
> 
> 
> With Apache 2.0.55
> Our current production webserver is 2.0.55. The webserver is started on
> August 14th. The listener process is dated August 21th. I conclude that
> with Apache 2.0.55 the listener process is restarted after it dies. 
> 
> We can probably change the AcceptMutex setting to fcntl. I don't know what
> kind of performance penalty this will have...
> 
> 
> 
> Joshua Slive-2 wrote:
>> 
>> On 8/28/06, Henk Fictorie <he...@kpn.com> wrote:
>>>
>>> Hi,
>>>
>>> We tried to upgrade our Apache server from 2.0.55 to 2.0.59. For HTTP
>>> traffic this was successful. However for HTTPS the server would hang
>>> after a
>>> couple of hours (serveral hundred thousands request). Our HTTP and HTTPS
>>> servers are different unix processes.
>>>
>>> Nothing is logged in the error logfiles, the server just stops to accept
>>> new
>>> connections.
>>> When I try to connect to the server with the openssl command, I get the
>>> CONNECTED message, but the SSL handshake does not take place.
>> 
>> Here's instructions on how to debug hung servers:
>> http://httpd.apache.org/dev/debugging.html#backtrace
>> 
>> Joshua.
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Upgrade-2.0.55--%3E-2.0.59-hangs-SSL-server-tf2178092.html#a6152526
Sent from the Apache HTTP Server - Dev forum at Nabble.com.

Re: Upgrade 2.0.55 -> 2.0.59 hangs SSL server

[Henk Fictorie <he...@kpn.com>]

I did some more research on our test environment. We don't have that much
traffic in there, but I was able to reproduce the problem with manual
actions.

The culprit seems to be our setting

AcceptMutex pthread

With Apache 2.0.59:

If I kill -9 the listener process, no new listener process is created. This
causes requests to hang, only a server restart will help.

If I disable the AcceptMutex setting (defaults to fcntl) and kill -9 the
listener process, a new listener process is created. The webserver continues
to function normally.


With Apache 2.0.55
Our current production webserver is 2.0.55. The webserver is started on
August 14th. The listener process is dated August 21th. I conclude that with
Apache 2.0.55 the listener process is restarted after it dies. 

We can probably change the AcceptMutex setting to fcntl. I don't know what
kind of performance penalty this will have...



Joshua Slive-2 wrote:
> 
> On 8/28/06, Henk Fictorie <he...@kpn.com> wrote:
>>
>> Hi,
>>
>> We tried to upgrade our Apache server from 2.0.55 to 2.0.59. For HTTP
>> traffic this was successful. However for HTTPS the server would hang
>> after a
>> couple of hours (serveral hundred thousands request). Our HTTP and HTTPS
>> servers are different unix processes.
>>
>> Nothing is logged in the error logfiles, the server just stops to accept
>> new
>> connections.
>> When I try to connect to the server with the openssl command, I get the
>> CONNECTED message, but the SSL handshake does not take place.
> 
> Here's instructions on how to debug hung servers:
> http://httpd.apache.org/dev/debugging.html#backtrace
> 
> Joshua.
> 
> 

-- 
View this message in context: http://www.nabble.com/Upgrade-2.0.55--%3E-2.0.59-hangs-SSL-server-tf2178092.html#a6078688
Sent from the Apache HTTP Server - Dev forum at Nabble.com.

Re: Upgrade 2.0.55 -> 2.0.59 hangs SSL server

[Joshua Slive <jo...@slive.ca>]

On 8/28/06, Henk Fictorie <he...@kpn.com> wrote:
>
> Hi,
>
> We tried to upgrade our Apache server from 2.0.55 to 2.0.59. For HTTP
> traffic this was successful. However for HTTPS the server would hang after a
> couple of hours (serveral hundred thousands request). Our HTTP and HTTPS
> servers are different unix processes.
>
> Nothing is logged in the error logfiles, the server just stops to accept new
> connections.
> When I try to connect to the server with the openssl command, I get the
> CONNECTED message, but the SSL handshake does not take place.

Here's instructions on how to debug hung servers:
http://httpd.apache.org/dev/debugging.html#backtrace

Joshua.