You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Steffen <in...@apachelounge.com> on 2011/12/27 16:46:14 UTC
Win 2.3.16 :: SSL and AcceptFilter
Reported here already the issue. Also in the AL forum is one with the same issue.
Still there definitly is an issue with Acceptfilter and SSL.
When AcceptFilter https none:
Sometimes page is not displayed, eg. in Chrome with errors
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
or
Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
Nothing in the logs.
When Acceptfilter https data or Acceptfilter commented out:
[mpm_winnt:warn] [pid 2892:tid 356] (OS 121)The semaphore timeout period has expired. : AH00341: winnt_accept: Asynchronous AcceptEx failed.
this is the same as with 2.2 where Win32DisableAcceptEx solved it. Note that some configs have not this problem.
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 1/3/2012 9:19 PM, Rainer Jung wrote:
>
> I tried to reproduce with various AcceptFilter setting inclusing "https none" using MSIE,
> FF and Chrome. I always get the response on the first request.
>
> Steffen, Gregg et. al.: Can you reproduce on a test system? Did you already reproduce once
> with increased log level, e.g.
>
> LogLevel info ssl_module:trace8 mpm_winnt_module:trace8
>
> or maybe, since it seems you can reproduce with a single request just use
>
> LogLevel trace8
>
> and post one example for the working case and one for the broken case.
I'm not sure if this was lost in translation. This information would
be very, very helpful, I haven't seen it posted yet.
This appears to be an artifact of systems with the inability to recycle
sockets. Unfortunately my network drivers have no problem recycling
sockets, and nor do Ranier's.
I believe the problem is that the disconnected-and-now-broken socket is
used for AcceptEx. That AcceptEx'ed connection has no socket, and the
connection is thrown away as AcceptEx reports the error.
We'll need to 'preview' if the socket structure is alive.
Or throw out this idea of recycling sockets altogether.
If someone can provide the detailed error logging, we might work out
the solution before 2.4.0 is tagged... but the request was hanging out
there for a couple weeks so I'm not expecting to make much progress.
And I don't want a 2.4.0 to wait on this issue.
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by Rainer Jung <ra...@kippdata.de>.
On 04.01.2012 06:00, William A. Rowe Jr. wrote:
> On 1/3/2012 9:19 PM, Rainer Jung wrote:
>> On 30.12.2011 22:04, Gregg L. Smith wrote:
>>> On 12/27/2011 10:40 AM, Steffen wrote:
>>>> Gregg reported it also:
>>>>
>>>> I've also found AcceptFilter https none to be problematic. First time
>>>> you hit a site via https it usually comes up with a blank white
>>>> nothing. Hitting reload and it comes up proper.
>>>>
>>>
>>> That I did, fishing to see if others were seeing the same thing. It
>>> looks like they are.
>>
>> I finally also managed to build 2.4.x on Windows 7 using Visual Studio 10.
>>
>> Un(?)fortunately I couldn't reproduce this problem. But the system I use also works with
>> default AcceptFilter.
>
> Reports state you need to combine this with EnableSendfile Off (and perhaps
> EnableMMAP Off) which would disable TransmitFile/socket disconnect/recycling.
No luck, tested with both explicitely set to On and both to Off (and
remember Sendfile is Off by default now) using the none AcceptFilters.
Can't see a problem in trivial local tests ("It works!" page).
Bill: can you reproduce?
I still hope we can get some logs as described in my previous mail.
Regards,
Rainer
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 1/3/2012 9:19 PM, Rainer Jung wrote:
> On 30.12.2011 22:04, Gregg L. Smith wrote:
>> On 12/27/2011 10:40 AM, Steffen wrote:
>>> Gregg reported it also:
>>>
>>> I've also found AcceptFilter https none to be problematic. First time
>>> you hit a site via https it usually comes up with a blank white
>>> nothing. Hitting reload and it comes up proper.
>>>
>>
>> That I did, fishing to see if others were seeing the same thing. It
>> looks like they are.
>
> I finally also managed to build 2.4.x on Windows 7 using Visual Studio 10.
>
> Un(?)fortunately I couldn't reproduce this problem. But the system I use also works with
> default AcceptFilter.
Reports state you need to combine this with EnableSendfile Off (and perhaps
EnableMMAP Off) which would disable TransmitFile/socket disconnect/recycling.
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by Rainer Jung <ra...@kippdata.de>.
On 30.12.2011 22:04, Gregg L. Smith wrote:
> On 12/27/2011 10:40 AM, Steffen wrote:
>> Gregg reported it also:
>>
>> I've also found AcceptFilter https none to be problematic. First time
>> you hit a site via https it usually comes up with a blank white
>> nothing. Hitting reload and it comes up proper.
>>
>
> That I did, fishing to see if others were seeing the same thing. It
> looks like they are.
I finally also managed to build 2.4.x on Windows 7 using Visual Studio 10.
Un(?)fortunately I couldn't reproduce this problem. But the system I use
also works with default AcceptFilter.
For the reference:
- Windows 7 64 bits Professional
- Visual Studio 10 / Windows SDK 7.1
- OpenSSL 1.0.0e, libz 1.2.5, pcre 8.12
- httpd 2.4.x r1226941
- apr 1.4.5, apu 1.4.1, api 1.2.1
Everything build as win7 / x86 / Release.
I tried to reproduce with various AcceptFilter setting inclusing "https
none" using MSIE, FF and Chrome. I always get the response on the first
request.
Steffen, Gregg et. al.: Can you reproduce on a test system? Did you
already reproduce once with increased log level, e.g.
LogLevel info ssl_module:trace8 mpm_winnt_module:trace8
or maybe, since it seems you can reproduce with a single request just use
LogLevel trace8
and post one example for the working case and one for the broken case.
Regards,
Rainer
>> -----Original Message----- From: Steffen
>> Sent: Tuesday, December 27, 2011 7:21 PM
>> To: dev@httpd.apache.org
>> Subject: Re: Win 2.3.16 :: SSL and AcceptFilter
>>
>> Hard to catch, but I was lucky.
>> These are the steps with loglevel info:
>>
>> Start httpd.exe with AcceptFilter https none
>>
>> 1) In browser https://devxp
>> 2) response browser not found
>>
>> in access log: nothing
>> in error log:
>> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2136] AH01964:
>> Connection to child 63 established (server devxp:443)
>> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01964:
>> Connection to child 63 established (server devxp:443)
>> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH02008: SSL
>> library error 1 in handshake (server devxp:443)
>> [ssl:info] [pid 2432:tid 1036] SSL Library Error: error:140760FC:SSL
>> routines:SSL23_GET_CLIENT_HELLO:unknown protocol -- speaking not SSL to
>> HTTPS port!?
>> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01998:
>> Connection closed to child 63 with abortive shutdown (server devxp:443)
>>
>> 3) In browser press refresh
>> 4)Response is fine
>>
>> in accesslog:
>> SSLv3 RC4-SHA "GET / HTTP/1.1" 200 46 "-" "Mozilla/4.0 (compatible; MSIE
>> 6.0;...
>>
>> in error log:
>> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2138] AH01964:
>> Connection to child 63 established (server devxp:443)
>> [ssl:info] [pid 2432:tid 1036] (70014)End of file found: [client
>> 192.168.1.13:2138] AH01991: SSL input filter read failed.
>> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2139] AH01964:
>> Connection to child 63 established (server devxp:443)
>> [ssl:info] [pid 2432:tid 1036] (OS 10060)A connection attempt failed
>> because
>> the connected party did not properly respond after a period of time, or
>> established connection failed because connected host has failed to
>> respond.
>> : [client 192.168.1.13:2139] AH01991: SSL input filter read failed.
>>
>>
>>
>>
>> -----Original Message----- From: William A. Rowe Jr.
>> Sent: Tuesday, December 27, 2011 5:42 PM
>> To: dev@httpd.apache.org
>> Subject: Re: Win 2.3.16 :: SSL and AcceptFilter
>>
>> On 12/27/2011 9:46 AM, Steffen wrote:
>>> Reported here already the issue. Also in the AL forum is one with the
>>> same issue.
>>>
>>> Still there definitly is an issue with Acceptfilter and SSL.
>>>
>>> When AcceptFilter https none:
>>> Sometimes page is not displayed, eg. in Chrome with errors
>>>
>>> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>>> or
>>> Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
>>>
>>> Nothing in the logs.
>>
>> --- almost always means you want to change LogLevel to debug ---
>> (or maybe even info level will be sufficient).
>>
>> With the new methodology, you can toggle the mpm alone to debug level.
>> Something like;
>>
>> LogLevel info ssl_module:debug mpm_winnt_module:debug
>>
>>
>
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by "Gregg L. Smith" <gl...@gknw.net>.
On 12/27/2011 10:40 AM, Steffen wrote:
> Gregg reported it also:
>
> I've also found AcceptFilter https none to be problematic. First time
> you hit a site via https it usually comes up with a blank white
> nothing. Hitting reload and it comes up proper.
>
That I did, fishing to see if others were seeing the same thing. It
looks like they are.
> -----Original Message----- From: Steffen
> Sent: Tuesday, December 27, 2011 7:21 PM
> To: dev@httpd.apache.org
> Subject: Re: Win 2.3.16 :: SSL and AcceptFilter
>
> Hard to catch, but I was lucky.
> These are the steps with loglevel info:
>
> Start httpd.exe with AcceptFilter https none
>
> 1) In browser https://devxp
> 2) response browser not found
>
> in access log: nothing
> in error log:
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2136] AH01964:
> Connection to child 63 established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01964:
> Connection to child 63 established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH02008: SSL
> library error 1 in handshake (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] SSL Library Error: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol -- speaking not SSL to
> HTTPS port!?
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01998:
> Connection closed to child 63 with abortive shutdown (server devxp:443)
>
> 3) In browser press refresh
> 4)Response is fine
>
> in accesslog:
> SSLv3 RC4-SHA "GET / HTTP/1.1" 200 46 "-" "Mozilla/4.0 (compatible; MSIE
> 6.0;...
>
> in error log:
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2138] AH01964:
> Connection to child 63 established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] (70014)End of file found: [client
> 192.168.1.13:2138] AH01991: SSL input filter read failed.
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2139] AH01964:
> Connection to child 63 established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] (OS 10060)A connection attempt failed
> because
> the connected party did not properly respond after a period of time, or
> established connection failed because connected host has failed to
> respond.
> : [client 192.168.1.13:2139] AH01991: SSL input filter read failed.
>
>
>
>
> -----Original Message----- From: William A. Rowe Jr.
> Sent: Tuesday, December 27, 2011 5:42 PM
> To: dev@httpd.apache.org
> Subject: Re: Win 2.3.16 :: SSL and AcceptFilter
>
> On 12/27/2011 9:46 AM, Steffen wrote:
>> Reported here already the issue. Also in the AL forum is one with the
>> same issue.
>>
>> Still there definitly is an issue with Acceptfilter and SSL.
>>
>> When AcceptFilter https none:
>> Sometimes page is not displayed, eg. in Chrome with errors
>>
>> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>> or
>> Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
>>
>> Nothing in the logs.
>
> --- almost always means you want to change LogLevel to debug ---
> (or maybe even info level will be sufficient).
>
> With the new methodology, you can toggle the mpm alone to debug level.
> Something like;
>
> LogLevel info ssl_module:debug mpm_winnt_module:debug
>
>
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by Steffen <in...@apachelounge.com>.
Gregg reported it also:
I've also found AcceptFilter https none to be problematic. First time you
hit a site via https it usually comes up with a blank white nothing. Hitting
reload and it comes up proper.
-----Original Message-----
From: Steffen
Sent: Tuesday, December 27, 2011 7:21 PM
To: dev@httpd.apache.org
Subject: Re: Win 2.3.16 :: SSL and AcceptFilter
Hard to catch, but I was lucky.
These are the steps with loglevel info:
Start httpd.exe with AcceptFilter https none
1) In browser https://devxp
2) response browser not found
in access log: nothing
in error log:
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2136] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH02008: SSL
library error 1 in handshake (server devxp:443)
[ssl:info] [pid 2432:tid 1036] SSL Library Error: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol -- speaking not SSL to
HTTPS port!?
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01998:
Connection closed to child 63 with abortive shutdown (server devxp:443)
3) In browser press refresh
4)Response is fine
in accesslog:
SSLv3 RC4-SHA "GET / HTTP/1.1" 200 46 "-" "Mozilla/4.0 (compatible; MSIE
6.0;...
in error log:
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2138] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] (70014)End of file found: [client
192.168.1.13:2138] AH01991: SSL input filter read failed.
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2139] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] (OS 10060)A connection attempt failed because
the connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond.
: [client 192.168.1.13:2139] AH01991: SSL input filter read failed.
-----Original Message-----
From: William A. Rowe Jr.
Sent: Tuesday, December 27, 2011 5:42 PM
To: dev@httpd.apache.org
Subject: Re: Win 2.3.16 :: SSL and AcceptFilter
On 12/27/2011 9:46 AM, Steffen wrote:
> Reported here already the issue. Also in the AL forum is one with the same
> issue.
>
> Still there definitly is an issue with Acceptfilter and SSL.
>
> When AcceptFilter https none:
> Sometimes page is not displayed, eg. in Chrome with errors
>
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
> or
> Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
>
> Nothing in the logs.
--- almost always means you want to change LogLevel to debug ---
(or maybe even info level will be sufficient).
With the new methodology, you can toggle the mpm alone to debug level.
Something like;
LogLevel info ssl_module:debug mpm_winnt_module:debug
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 12/27/2011 12:21 PM, Steffen wrote:
> Hard to catch, but I was lucky.
> These are the steps with loglevel info:
>
> Start httpd.exe with AcceptFilter https none
>
> 1) In browser https://devxp
> 2) response browser not found
>
> in access log: nothing
> in error log:
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2136] AH01964: Connection to child 63
> established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01964: Connection to child 63
> established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH02008: SSL library error 1 in
> handshake (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] SSL Library Error: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol -- speaking not SSL to HTTPS port!?
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01998: Connection closed to
> child 63 with abortive shutdown (server devxp:443)
>
> 3) In browser press refresh
> 4)Response is fine
>
> in accesslog:
> SSLv3 RC4-SHA "GET / HTTP/1.1" 200 46 "-" "Mozilla/4.0 (compatible; MSIE 6.0;...
>
> in error log:
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2138] AH01964: Connection to child 63
> established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] (70014)End of file found: [client 192.168.1.13:2138]
> AH01991: SSL input filter read failed.
> [ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2139] AH01964: Connection to child 63
> established (server devxp:443)
> [ssl:info] [pid 2432:tid 1036] (OS 10060)A connection attempt failed because the connected
> party did not properly respond after a period of time, or established connection failed
> because connected host has failed to respond. : [client 192.168.1.13:2139] AH01991: SSL
> input filter read failed.
Simple guess, we are missing a pre-init to a null or invalid_handle_value state.
Researching. Likely different than the socket reuse scenario.
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by Steffen <in...@apachelounge.com>.
Hard to catch, but I was lucky.
These are the steps with loglevel info:
Start httpd.exe with AcceptFilter https none
1) In browser https://devxp
2) response browser not found
in access log: nothing
in error log:
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2136] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH02008: SSL
library error 1 in handshake (server devxp:443)
[ssl:info] [pid 2432:tid 1036] SSL Library Error: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol -- speaking not SSL to
HTTPS port!?
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2137] AH01998:
Connection closed to child 63 with abortive shutdown (server devxp:443)
3) In browser press refresh
4)Response is fine
in accesslog:
SSLv3 RC4-SHA "GET / HTTP/1.1" 200 46 "-" "Mozilla/4.0 (compatible; MSIE
6.0;...
in error log:
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2138] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] (70014)End of file found: [client
192.168.1.13:2138] AH01991: SSL input filter read failed.
[ssl:info] [pid 2432:tid 1036] [client 192.168.1.13:2139] AH01964:
Connection to child 63 established (server devxp:443)
[ssl:info] [pid 2432:tid 1036] (OS 10060)A connection attempt failed because
the connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond.
: [client 192.168.1.13:2139] AH01991: SSL input filter read failed.
-----Original Message-----
From: William A. Rowe Jr.
Sent: Tuesday, December 27, 2011 5:42 PM
To: dev@httpd.apache.org
Subject: Re: Win 2.3.16 :: SSL and AcceptFilter
On 12/27/2011 9:46 AM, Steffen wrote:
> Reported here already the issue. Also in the AL forum is one with the same
> issue.
>
> Still there definitly is an issue with Acceptfilter and SSL.
>
> When AcceptFilter https none:
> Sometimes page is not displayed, eg. in Chrome with errors
>
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
> or
> Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
>
> Nothing in the logs.
--- almost always means you want to change LogLevel to debug ---
(or maybe even info level will be sufficient).
With the new methodology, you can toggle the mpm alone to debug level.
Something like;
LogLevel info ssl_module:debug mpm_winnt_module:debug
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 12/27/2011 9:46 AM, Steffen wrote:
> Reported here already the issue. Also in the AL forum is one with the same issue.
>
> Still there definitly is an issue with Acceptfilter and SSL.
>
> When AcceptFilter https none:
> Sometimes page is not displayed, eg. in Chrome with errors
>
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
> or
> Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
>
> Nothing in the logs.
--- almost always means you want to change LogLevel to debug ---
(or maybe even info level will be sufficient).
With the new methodology, you can toggle the mpm alone to debug level.
Something like;
LogLevel info ssl_module:debug mpm_winnt_module:debug
Re: Win 2.3.16 :: SSL and AcceptFilter
Posted by Steffen <in...@apachelounge.com>.
More and more reports coming in that SSL is NOT usable with 2.4. All have no issues with 2.2.
Way back in July and September I reported the issue too, see also the info there
From: Steffen
Sent: Tuesday, December 27, 2011 4:46 PM
To: dev@httpd.apache.org
Subject: Win 2.3.16 :: SSL and AcceptFilter
Reported here already the issue. Also in the AL forum is one with the same issue.
Still there definitly is an issue with Acceptfilter and SSL.
When AcceptFilter https none:
Sometimes page is not displayed, eg. in Chrome with errors
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
or
Error 15 (net::ERR_SOCKET_NOT_CONNECTED): Unknown error.
Nothing in the logs.
When Acceptfilter https data or Acceptfilter commented out:
[mpm_winnt:warn] [pid 2892:tid 356] (OS 121)The semaphore timeout period has expired. : AH00341: winnt_accept: Asynchronous AcceptEx failed.
this is the same as with 2.2 where Win32DisableAcceptEx solved it. Note that some configs have not this problem.