Posted to dev@httpd.apache.org by Noel Butler <no...@ausics.net> on 2013/02/19 04:35:35 UTC

Re: [VOTE] Release Apache httpd 2.4.4 as GA

On Mon, 2013-02-18 at 15:34 -0500, Jim Jagielski wrote:

> The pre-release test tarballs for Apache httpd 2.4.4 can be found
> at the usual place:
> 
> 	http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.4 GA.
> NOTE: The -deps tarballs are included here *only* to make life
> easier for the tester. They will not be, and are not, part
> of the official release.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.


-1
Slackware 13.1 and 13.37

Builds fine but operation now fails on all mysql auths  (included APR
problem from -deps ??)
reports: APR-util Version: 1.5.1

 [Tue Feb 19 13:16:33.487932 2013] [auth_basic:error] [pid 24811:tid
2996689776] [client xxxxxxxxxxx] AH01617: user noel: authentication
failure for "/": Password Mismatch

This is a browser-stored password; cleared and re-entered, it still fails;
different browser, same, fails.
make install back in 2.4.3, and all mysql auths once again succeed.

I have tested overwrites, and clearing of all bin/ build/ lib/ and fresh
installs; no change.

SQL:
 29 Prepare	SELECT Password FROM users WHERE User = ?
 29 Close stmt
 29 Quit

Built as (no change since 2.4.0):

./configure --prefix=/usr/local/apache --enable-so --enable-modules=all
--enable-mods-static=all --disable-dav --enable-suexec
--with-suexec-docroot=/var/www --with-suexec-caller=apache
--with-suexec-logfile=/var/log/apache/suexec_log --with-included-apr
--with-mysql --disable-util-dso --enable-ssl

ldd /usr/local/apache/bin/httpd 
          <snip>
	libmysqlclient.so.18 => /usr/lib/mysql/libmysqlclient.so.18
(0xb7159000)
	libaprutil-1.so.0 => /usr/local/apache/lib/libaprutil-1.so.0
(0xb742a000)


/usr/local/apache/bin/httpd -t
Syntax OK

-t -D DUMP_MODULES |grep dbd
 authn_dbd_module (static)
 authz_dbd_module (static)
 dbd_module (static)
 session_dbd_module (static)



Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Feb 19, 2013, at 7:21 PM, Noel Butler <no...@ausics.net> wrote:

> 
> On Tue, 2013-02-19 at 07:34 -0500, Jim Jagielski wrote:
>> 
>> A simple check would be to rebuild 2.4.3 but using the -deps
>> from 2.4.4...
>> 
> 
> Close...  2.4.3 with   2.4.4 -deps   fail     *but*      2.4.4  with -deps from 2.4.3  *works*
> 
> So as I suspected it is something in  2.4.4.  APR/ APR-util  as the cause
> 
> About to run Rainer's patch on 2.4.4 with 2.4.4  -deps to see if it sheds any more light

iirc, -deps for both 2.4.3 and 2.4.4 used apr-1.4.6 but apr-util 1.4.x
for 2.4.3 deps and 1.5.x for 2.4.4... so I'm guessing it's something
in apr-util 1.4->1.5

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Feb 19, 2013, at 7:21 PM, Noel Butler <no...@ausics.net> wrote:

> 
> On Tue, 2013-02-19 at 07:34 -0500, Jim Jagielski wrote:
>> 
>> A simple check would be to rebuild 2.4.3 but using the -deps
>> from 2.4.4...
>> 
> 
> Close...  2.4.3 with   2.4.4 -deps   fail     *but*      2.4.4  with -deps from 2.4.3  *works*
> 
> So as I suspected it is something in  2.4.4.  APR/ APR-util  as the cause
> 

From what I see, it's something in APR/APU and not in 2.4.4...

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Tue, 2013-02-19 at 07:34 -0500, Jim Jagielski wrote:

> A simple check would be to rebuild 2.4.3 but using the -deps
> from 2.4.4...
> 


Close... 2.4.3 with 2.4.4 -deps fails, *but* 2.4.4 with -deps from 2.4.3
*works*

So, as I suspected, it is something in 2.4.4: APR/APR-util as the cause.

About to run Rainer's patch on 2.4.4 with 2.4.4 -deps to see if it
sheds any more light.



Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Jim Jagielski <ji...@jaguNET.com>.
A simple check would be to rebuild 2.4.3 but using the -deps
from 2.4.4...

On Feb 19, 2013, at 2:57 AM, Noel Butler <no...@ausics.net> wrote:

> Hi Bill,
> 
> On Mon, 2013-02-18 at 23:23 -0600, William A. Rowe Jr. wrote:
>> 
>> in -deps is only 1.4.6, but  APR-utils is 1.5.1
>> > have tested overwrites, and clearing of all bin/ build/ lib/ and fresh
>> > installs no change.
>> 
>> You cleaned lib/ of all *subdirectories*?
>> 
> 
> I install httpd under /usr/local/apache,  so its all safe as clearing it out simulates as a fresh install, fresh with 2.4.4 fails mysql based auths, fresh install 2.4.3 (like all others since 2.18 when it got incorporated) succeed happily.
> 
>> Does an older lib/apr-util-1/apr_dbd_mysql-1.so appear in that tree?  
> I also build everything in, not as DSO's,  I always found that horribly messy, what I do have is libapr stuff in there, and yes, fresh copies.
> 
>> Or in your LD_LIBRARY_PATH?  Or did apr-util fail to detect mysql?  You
>> will need to review your ./configure output to work out what apr-util
>> thinks it found.
>> 
> configure:19751: checking for mysql_config
> configure:19769: found /usr/bin/mysql_config
> configure:19781: result: /usr/bin/mysql_config
> configure:19841: checking for mysql.h
> configure:19841: gcc -c -g -O2 -pthread  -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/usr/include/mysql conftest.c >&5In file included from /usr/include/mysql/my_global.h:77,
>                  from conftest.c:20:
> configure:19872: gcc -o conftest -g -O2 -pthread  -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/usr/include/mysql  conftest.c -lmysqlclient_r  -L/usr/lib/mysql -lmysqlclient_r -lpthread -lz -lm -lrt -lssl -lcrypto -ldl >&5
> configure:19872: $? = 0
> configure:19881: result: yes
> 
> 
> seems it found it and is mostly happy, I am only assuming its APR related, it might not be.
> 
> 
>> Maybe you are simply missing a mysql-devel package?
> 
> We only use sources, and even the official Slackware mysql package is "as designed", IOW none of this -dev or -devel or splitting something up into 150 different packages like a certain distro takes delight in, type of rubbish :)
> 


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
Hi Bill,

On Mon, 2013-02-18 at 23:23 -0600, William A. Rowe Jr. wrote:

> in -deps is only 1.4.6, but  APR-utils is 1.5.1
> > have tested overwrites, and clearing of all bin/ build/ lib/ and fresh
> > installs no change.
> 
> You cleaned lib/ of all *subdirectories*?
> 


I install httpd under /usr/local/apache, so it's all safe as clearing it
out simulates a fresh install; a fresh install of 2.4.4 fails mysql-based
auths, a fresh install of 2.4.3 (like all others since 2.18 when it got
incorporated) succeeds happily.


> Does an older lib/apr-util-1/apr_dbd_mysql-1.so appear in that tree?  

I also build everything in, not as DSOs; I always found that horribly
messy. What I do have is libapr stuff in there, and yes, fresh copies.


> Or in your LD_LIBRARY_PATH?  Or did apr-util fail to detect mysql?  You
> will need to review your ./configure output to work out what apr-util
> thinks it found.
> 

configure:19751: checking for mysql_config
configure:19769: found /usr/bin/mysql_config
configure:19781: result: /usr/bin/mysql_config
configure:19841: checking for mysql.h
configure:19841: gcc -c -g -O2 -pthread  -D_REENTRANT -D_GNU_SOURCE
-D_LARGEFILE64_SOURCE -I/usr/include/mysql conftest.c >&5In file
included from /usr/include/mysql/my_global.h:77,
                 from conftest.c:20:
configure:19872: gcc -o conftest -g -O2 -pthread  -D_REENTRANT
-D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/usr/include/mysql  conftest.c
-lmysqlclient_r  -L/usr/lib/mysql -lmysqlclient_r -lpthread -lz -lm -lrt
-lssl -lcrypto -ldl >&5
configure:19872: $? = 0
configure:19881: result: yes


Seems it found it and is mostly happy; I am only assuming it's APR
related, it might not be.



> Maybe you are simply missing a mysql-devel package?


We only use sources, and even the official Slackware mysql package is
"as designed", IOW none of this -dev or -devel or splitting something up
into 150 different packages like a certain distro takes delight in, type
of rubbish :)


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Tue, 19 Feb 2013 14:11:59 +1000
Noel Butler <no...@ausics.net> wrote:

> On Tue, 2013-02-19 at 13:35 +1000, Noel Butler wrote:
> 
> 
> > reports: APR-util Version: 1.5.1
> 
> 
> I note the APR version in -deps is only 1.4.6, but  APR-utils is 1.5.1
> could this be the issue?

No.  APR doesn't care about the APR-util version at all.  APR-util
should not compile if it is missing an APR feature.  Their version
numbers do not correspond (except at the version major level).

> Builds fine but operation now fails on all mysql auths  (included APR
> problem from -deps ??)
> reports: APR-util Version: 1.5.1
> 
>  [Tue Feb 19 13:16:33.487932 2013] [auth_basic:error] [pid 24811:tid
> 2996689776] [client xxxxxxxxxxx] AH01617: user noel: authentication
> failure for "/": Password Mismatch
> 
> This is browser stored password , cleared, entered still fails,
> different browser, same, fails
> make install   back in 2.4.3, and all mysql auths once again succeed
> 
> have tested overwrites, and clearing of all bin/ build/ lib/ and fresh
> installs no change.

You cleaned lib/ of all *subdirectories*?

Does an older lib/apr-util-1/apr_dbd_mysql-1.so appear in that tree?  
Or in your LD_LIBRARY_PATH?  Or did apr-util fail to detect mysql?  You
will need to review your ./configure output to work out what apr-util
thinks it found.

Maybe you are simply missing a mysql-devel package?

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Tue, 2013-02-19 at 13:35 +1000, Noel Butler wrote:


> reports: APR-util Version: 1.5.1


I note the APR version in -deps is only 1.4.6, but APR-util is 1.5.1;
could this be the issue?


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Wed, 2013-02-20 at 11:50 +1000, Noel Butler wrote:

> On Wed, 2013-02-20 at 02:20 +0100, Rainer Jung wrote:
> 
> > grep CRYPT build/apache/srclib/apr-util/config.status
> 
> 
> 
> D["HAVE_CRYPT_R"]=" 1"
> D["CRYPT_R_STRUCT_CRYPT_DATA"]=" 1"
> 
> > I'd like to check, whether your platform has CRYPT_R_CRYPTD or
> > CRYPT_R_STRUCT_CRYPT_DATA defined. If it is the latter, then what OS
> > is it and which glibc version
> 
> So it has the latter; it's Slackware 13.1 w/ glibc-2.11.1
> 

Oops, my bad, forgot it also includes glib2-2.22.5


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Wed, 2013-02-20 at 02:20 +0100, Rainer Jung wrote:

> grep CRYPT build/apache/srclib/apr-util/config.status



D["HAVE_CRYPT_R"]=" 1"
D["CRYPT_R_STRUCT_CRYPT_DATA"]=" 1"

> I'd like to check, whether your platform has CRYPT_R_CRYPTD or
> CRYPT_R_STRUCT_CRYPT_DATA defined. If it is the latter, then what OS
> is it and which glibc version

So it has the latter; it's Slackware 13.1 w/ glibc-2.11.1


Re: apr_password_validate (was: [VOTE] Release Apache httpd 2.4.4 as GA)

Posted by Noel Butler <no...@ausics.net>.
On Wed, 2013-02-20 at 22:28 +0100, Stefan Fritsch wrote:

> [moving to dev@apr, please remove dev@httpd when replying]
> 
> On Wednesday 20 February 2013, Noel Butler wrote:
> > On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:
> > > Which remains my point... our current 2.4 and 2.2 candidates
> > > should suffer the same flaw.
> > 
> > Confirmed, 2.2 candidate suffers same problem
> 
> 
> I hope I did not miss this somewhere in the thread, but have you tried 
> running the apr-util 1.5.1 test suite (i.e. make check)? It has some 
> checks for apr_password_validate
> 

It reports success, but...

<snip>
crypt_r returned 'nHZA1rViSldQk'
SUCCESS
testmd4             : SUCCESS
testmd5             : SUCCESS
testcrypto          : SUCCESS
testdbd             : SUCCESS
testdate            : SUCCESS
testmemcache        : SUCCESS
testxml             : SUCCESS
testxlate           : SUCCESS
testrmm             : SUCCESS
testdbm             : SUCCESS
testqueue           : SUCCESS
testreslist         : SUCCESS
All tests passed.

It doesn't seem to test for salted md5, let alone shaxxx.

NOTE: replying here since I'm not on dev@apr; I'll fix that in a minute
though.
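
As an added example (not apr-util's code, nor anything posted in the thread), here is a pure-Python re-implementation of the "$6$" SHA-512 crypt scheme that glibc's crypt_r() computes for the hashes discussed above, with a known-answer vector from the SHA-crypt specification, to show the kind of check a validator's test suite should run for every hash format it accepts. The function names, the `KNOWN_ANSWER` constant and the self-test are my own construction.

```python
import hashlib
import hmac
import re

# Added example, not apr-util's code: the "$6$" SHA-512 crypt scheme (Drepper's
# SHA-crypt spec) that glibc crypt_r() computes when apr_password_validate()
# hands it a "$6$..." hash, plus the known-answer check `make check` lacks.

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000
_MIN_ROUNDS, _MAX_ROUNDS = 1000, 999_999_999

def _b64_24bit(b2, b1, b0, n):
    """Emit n crypt-base64 chars of a 24-bit word, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)

def _encode_sha512(d):
    """Byte permutation SHA-512 crypt applies before its base64 encoding."""
    a, b, c = 0, 21, 42
    out = []
    for _ in range(21):
        out.append(_b64_24bit(d[a], d[b], d[c], 4))
        a, b, c = b + 1, c + 1, a + 1
    out.append(_b64_24bit(0, 0, d[63], 2))
    return "".join(out)

def sha512_crypt(password: bytes, setting: str) -> str:
    """Hash `password` with the salt/rounds from `setting`, which is "$6$salt",
    "$6$rounds=N$salt" or a full hash (only the prefix is used)."""
    m = re.match(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})", setting)
    if not m:
        raise ValueError("not a $6$ setting")
    rounds_given = m.group(1) is not None
    rounds = int(m.group(1)) if rounds_given else _DEFAULT_ROUNDS
    rounds = max(_MIN_ROUNDS, min(_MAX_ROUNDS, rounds))
    salt = m.group(2).encode()

    # B = SHA512(password || salt || password)
    b = hashlib.sha512(password + salt + password).digest()
    # A = SHA512(password || salt || B cut to len(password) ||
    #            for each bit of len(password), low bit first: B if set else password)
    ctx = hashlib.sha512(password + salt)
    n = len(password)
    while n > 64:
        ctx.update(b)
        n -= 64
    ctx.update(b[:n])
    n = len(password)
    while n > 0:
        ctx.update(b if n & 1 else password)
        n >>= 1
    a = ctx.digest()
    # P = SHA512(password repeated len(password) times), cut to len(password)
    dp = hashlib.sha512(password * len(password)).digest()
    p = (dp * (len(password) // 64 + 1))[:len(password)]
    # S = SHA512(salt repeated 16 + A[0] times), cut to len(salt)
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    # Work factor: `rounds` iterations mixing the running digest, P and S.
    c = a
    for i in range(rounds):
        ctx = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    prefix = "$6$" + (f"rounds={rounds}$" if rounds_given else "")
    return prefix + salt.decode() + "$" + _encode_sha512(c)

def validate(password: bytes, stored: str) -> bool:
    """What crypt_r()-based validation does for "$6$": recompute with the
    stored salt and rounds, then compare in constant time."""
    if not stored.startswith("$6$"):
        raise ValueError("only $6$ hashes are handled in this example")
    return hmac.compare_digest(sha512_crypt(password, stored).encode(),
                               stored.encode())

# Known-answer vector from the SHA-crypt specification.
KNOWN_ANSWER = (b"Hello world!", "$6$saltstring",
                "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjn"
                "QJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1")

def self_test() -> bool:
    """The test a validator's suite should carry per hash format: the vector
    reproduces, validates, and a wrong password is rejected."""
    pw, setting, expected = KNOWN_ANSWER
    return (sha512_crypt(pw, setting) == expected
            and validate(pw, expected)
            and not validate(pw + b"x", expected))
```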


apr_password_validate (was: [VOTE] Release Apache httpd 2.4.4 as GA)

Posted by Stefan Fritsch <sf...@sfritsch.de>.
[moving to dev@apr, please remove dev@httpd when replying]

On Wednesday 20 February 2013, Noel Butler wrote:
> On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:
> > Which remains my point... our current 2.4 and 2.2 candidates
> > should suffer the same flaw.
> 
> Confirmed, 2.2 candidate suffers same problem


I hope I did not miss this somewhere in the thread, but have you tried 
running the apr-util 1.5.1 test suite (i.e. make check)? It has some 
checks for apr_password_validate


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:


> 
> Which remains my point... our current 2.4 and 2.2 candidates should
> suffer the same flaw.
> 


Confirmed, 2.2 candidate suffers same problem



Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Rainer Jung <ra...@kippdata.de>.
On 20.02.2013 13:06, Jim Jagielski wrote:
> Should we be including/moving this discussion to dev@apr ?

I guess so. Strong evidence that the problem sits in
apr_password_validate as part of apu 1.5.1.

Regards,

Rainer

> On Feb 20, 2013, at 3:07 AM, Rainer Jung <ra...@kippdata.de> wrote:
> 
>> On 20.02.2013 08:07, William A. Rowe Jr. wrote:
>>> On Wed, 20 Feb 2013 16:42:56 +1000
>>> Noel Butler <no...@ausics.net> wrote:
>>>
>>>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>>>
>>>>
>>>>
>>>>>
>>>>> Note he mentioned SHA512, not crypt().  I don't know that this makes
>>>>> a difference on that architecture.
>>>>>
>>>>
>>>>
>>>> But isn't it just a hand off to system crypt()  (modern crypt(), not
>>>> the ancient 8 char one), since httpd is limited in native options,
>>>> what it doesn't understand is passes to system crypt() to handle.
>>
>> Yes.
>>
>>> Which remains my point... our current 2.4 and 2.2 candidates should
>>> suffer the same flaw.
>>
>> Indeed, that's likely. Note that Noel uses SHA512, which is supported in
>> apr_password_validate(), but for instance not wired in htpasswd. So it
>> might not be the most often used password hash in combination with
>> httpd. Nevertheless we need to fix.
>>
>> I prepared another round of patches to check, what's wrong in
>> apr_password_validate. All patches can be applied in srclib/apr-util.
>> They are *not* cumulative:
>>
>> 1) Undo one change in the password validation function and check whether
>> it works then:
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch
>>
>> 2) Keep original validation code but add some debug output to STDERR:
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch
>>
>> 3) Combination of 1) and 2):
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch
>>
>> All patches only change one file, so if you apply on top of your build
>> tree, make will only compile one file and you only need to copy over the
>> new .libs/libaprutil-1.so to your httpd installation lib.
>>
>> Regards,
>>
>> Rainer
>>
> 
> 

-- 
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a            Fax: 0228 98549 -50
53111 Bonn                     www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Jim Jagielski <ji...@jaguNET.com>.
Should we be including/moving this discussion to dev@apr ?

On Feb 20, 2013, at 3:07 AM, Rainer Jung <ra...@kippdata.de> wrote:

> On 20.02.2013 08:07, William A. Rowe Jr. wrote:
>> On Wed, 20 Feb 2013 16:42:56 +1000
>> Noel Butler <no...@ausics.net> wrote:
>> 
>>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>> 
>>> 
>>> 
>>>> 
>>>> Note he mentioned SHA512, not crypt().  I don't know that this makes
>>>> a difference on that architecture.
>>>> 
>>> 
>>> 
>>> But isn't it just a hand off to system crypt()  (modern crypt(), not
>>> the ancient 8 char one), since httpd is limited in native options,
>>> what it doesn't understand is passes to system crypt() to handle.
> 
> Yes.
> 
>> Which remains my point... our current 2.4 and 2.2 candidates should
>> suffer the same flaw.
> 
> Indeed, that's likely. Note that Noel uses SHA512, which is supported in
> apr_password_validate(), but for instance not wired in htpasswd. So it
> might not be the most often used password hash in combination with
> httpd. Nevertheless we need to fix.
> 
> I prepared another round of patches to check, what's wrong in
> apr_password_validate. All patches can be applied in srclib/apr-util.
> They are *not* cumulative:
> 
> 1) Undo one change in the password validation function and check whether
> it works then:
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch
> 
> 2) Keep original validation code but add some debug output to STDERR:
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch
> 
> 3) Combination of 1) and 2):
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch
> 
> All patches only change one file, so if you apply on top of your build
> tree, make will only compile one file and you only need to copy over the
> new .libs/libaprutil-1.so to your httpd installation lib.
> 
> Regards,
> 
> Rainer
> 


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Sat, 2013-02-23 at 13:29 +0100, Rainer Jung wrote:

> Concerning the apr_password_validate() problem in APU 1.5.1 and related
> httpd release testing failures:
> 
> The bug was fixed in
> 
> http://svn.apache.org/viewvc?view=revision&revision=1449309
> 
> Don't know how I could stare so long at the code without seeing the
> obvious bug. Thanks to the reporter of PR 54603 for the correct patch.
> 
> Regards,
> 
> Rainer


Confirmed fixed in 2.4.4 (and 2.2.24) thanks for your time Rainer, much
appreciated.


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Rainer Jung <ra...@kippdata.de>.
Concerning the apr_password_validate() problem in APU 1.5.1 and related
httpd release testing failures:

The bug was fixed in

http://svn.apache.org/viewvc?view=revision&revision=1449309

Don't know how I could stare so long at the code without seeing the
obvious bug. Thanks to the reporter of PR 54603 for the correct patch.

Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Thu, 2013-02-21 at 10:24 +1000, Noel Butler wrote:

> On Wed, 2013-02-20 at 23:56 +0100, Rainer Jung wrote:
> 
> 
> > 
> > That's strange, the additional stderr output
> > 
> > "crypt_r returned NULL"
> > 
> > or
> > 
> > "crypt_r returned '%s'"
> > 
> > is not shown here.
> > 
> 
> 
> Indeed, I'm running :
> LogLevel debug auth_basic:trace8 authn_dbd:trace8
> 
> Briefly ran trace8 globally, but only briefly for obvious reasons, my
> eyes were starting to bleed :)
> 
> 
> > As an alternative one could use strace to check the call to crypt_r and
> 
> 
> strace only shows...
> 
> 29311 gettimeofday({1361405772, 894610}, NULL) = 0
> 29311 poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
> 29311 write(17, "*\0\0\0\26SELECT Password FROM users WHERE User
> = ?"..., 46) = 46
> 29311 read(17, "\f\0\0\1\0\1\0\0\0\1\0\1\0\0\0\0\27\0\0\2\3def\0\0\0
> \1?\0\f?\0\0\0\0\0\375\200\0\0\0\0\5\0\0\3\376\0\0\2\0007\0\0\4\3def
> \7members\5users\5users\10Password\10Password\f\10\0\0\1\0\0\375\201
> \20\0\0\0\5\0\0\5\376\0\0\2\0"..., 16384) = 120
> 29311 poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
> 29311 poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
> 29311 write(17, "\23\0\0\0\27\1\0\0\0\0\1\0\0\0\0\1\375\0\4noel"...,
> 23) = 23
> 29311 read(17, "\1\0\0\1\0017\0\0\2\3def\7members\5users\5users
> \10Password\10Password\f\10\0\0\1\0\0\375\201\20\0\0\0\5\0\0\3\376\0\0
> \2\0m\0\0\4\0\0j$6$xxxxxxxxxxxx\5\0\0\5\376\0\0\2\0"..., 16384) = 195
> 29311 gettimeofday({1361405772, 895721}, NULL) = 0
> 29311 write(8, "[Thu Feb 21 10:16:12.895721 2013] [authn_dbd:trace2]
> [pid 29307:tid 3046349680] mod_authn_dbd.c(178): [client
> fd1d:c01d:1ce::145:59592] Got hashed password '$6$xxxxxxxxxxxxx' for
> user 'noel'\n"..., 281) = 281
> 29311 gettimeofday({1361405772, 895975}, NULL) = 0
> 29311 write(8, "[Thu Feb 21 10:16:12.895975 2013] [authn_dbd:debug]
> [pid 29307:tid 3046349680] mod_authn_dbd.c(199): (70024)passwords do
> not match: [client fd1d:c01d:1ce::145:59592] Call to
> apr_password_validate for user 'noel' and hashed password '$6
> $xxxxxxxxxxx"..., 368) = 368
> 29311 gettimeofday({1361405772, 896212}, NULL) = 0
> 29311 write(8, "[Thu Feb 21 10:16:12.896212 2013] [auth_basic:trace1]
> [pid 29307:tid 3046349680] mod_auth_basic.c(246): [client
> fd1d:c01d:1ce::145:59592] Checking password for user 'noel' using
> provider 'dbd', result: 0\n"..., 204) = 204
> 29311 gettimeofday({1361405772, 896399}, NULL) = 0
> 29311 write(8, "[Thu Feb 21 10:16:12.896399 2013] [auth_basic:error]
> [pid 29307:tid 3046349680] [client fd1d:c01d:1ce::145:59592] AH01617:
> user noel: authentication failure for \"/\": Password Mismatch\n"...,
> 184) = 184
> 29311 gettimeofday({1361405772, 896750}, NULL) = 0
> 29311 read(16, 0x8537248, 8000)         = -1 EAGAIN (Resource
> temporarily unavailable)
> 29311 gettimeofday({1361405772, 896880}, NULL) = 0
> 29311 gettimeofday({1361405772, 896933}, NULL) = 0
> 
> 


I don't know if it offers any insight, but running the same strace
command tonight on 2.4.3 with apru 1.4.1 (as prior to this), what I do not
see in the apru 1.5.1 output (as per above), but do see in 2.4.3 with
apru 1.4.1, is it talking to mysql:

8526  close(17)                         = 0
8526  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 17
8526  connect(17, {sa_family=AF_INET, sin_port=htons(3306),
sin_addr=inet_addr("guilty.IP.removed")}, 16) = 0
8526  fcntl64(17, F_SETFL, O_RDONLY)    = 0
8526  fcntl64(17, F_GETFL)              = 0x2 (flags O_RDWR)
8526  setsockopt(17, SOL_SOCKET, SO_RCVTIMEO, "\2003\341\1\0\0\0\0"...,
8) = 0
8526  setsockopt(17, SOL_SOCKET, SO_SNDTIMEO, "\2003\341\1\0\0\0\0"...,
8) = 0
8526  setsockopt(17, SOL_IP, IP_TOS, [8], 4) = 0
8526  setsockopt(17, SOL_TCP, TCP_NODELAY, [1], 4) = 0
8526  setsockopt(17, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
8526  read(17, "N\0\0\0\n5.5.30-log\0!\v\0\0x'SNlXQl\0\377\367\10\2\0\17
\200\25\0\0\0\0\0\0\0\0\0\0M|J:$B
\0mysql_native_password\0"..., 16384) = 82
8526  brk(0x856e000)                    = 0x856e000
8526  stat64("/usr/share/charsets/Index.xml", {st_dev=makedev(8, 1),
st_ino=1359901, st_mode=S_IFREG|0644, st_n
link=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=40,
st_size=18312, st_atime=2013/02/22-11:56:39, st_mtim
e=2013/01/16-17:35:18, st_ctime=2013/02/06-11:28:28}) = 0
8526  open("/usr/share/charsets/Index.xml", O_RDONLY|O_LARGEFILE) = 18
8526  read(18, "<?xml version='1.0' encoding=\"utf-8\"?>\n\n<charsets
max-id=\"99\">\n\n<copyright>\n  Copyright (c) 2003, 2012,  Oracle
and/or its affiliates. All rights reserved.\n\n  This program is free
software; you can redistribute it and/or modify\n  it under the terms of
the GNU General Public License as published by\n  "..., 18312) = 18312
8526  close(18)                         = 0
8526  futex(0xb73c7c80, FUTEX_WAKE_PRIVATE, 2147483647) = 0
8526  write(17, "Z\0\0\1\r\242\16\0\0\0\0@\10\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0DBASEUSERRME\0\24d\234ssg\272=\2i(\t\to\336\351\332
\17\314\261fmembers\0mysql_native_password\0"..., 94) = 94
8526  read(17, "\7\0\0\2\0\0\0\2\0\0\0"..., 16384) = 11
8526  poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
8526  write(17, "\1\0\0\0\16"..., 5)    = 5
8526  read(17, "\7\0\0\1\0\0\0\2\0\0\0"..., 16384) = 11
8526  gettimeofday({1361528535, 599942}, NULL) = 0
8526  poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
8526  write(17, "*\0\0\0\26SELECT Password FROM users WHERE User
= ?"..., 46) = 46

It's almost like 1.5.1 is not passing off to the system crypt, but I'm
only guessing. I did a -Nau diff on 1.4.1 to 1.5.1 and there seems a
mammoth amount of apr_password changes, so I wouldn't have the first
clue where to start looking further; hope that helps.



Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Wed, 2013-02-20 at 23:56 +0100, Rainer Jung wrote:


> 
> That's strange, the additional stderr output
> 
> "crypt_r returned NULL"
> 
> or
> 
> "crypt_r returned '%s'"
> 
> is not shown here.
> 


Indeed, I'm running:
LogLevel debug auth_basic:trace8 authn_dbd:trace8

Briefly ran trace8 globally, but only briefly for obvious reasons, my
eyes were starting to bleed :)


> As an alternative one could use strace to check the call to crypt_r and


strace only shows...

29311 gettimeofday({1361405772, 894610}, NULL) = 0
29311 poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
29311 write(17, "*\0\0\0\26SELECT Password FROM users WHERE User
= ?"..., 46) = 46
29311 read(17, "\f\0\0\1\0\1\0\0\0\1\0\1\0\0\0\0\27\0\0\2\3def\0\0\0
\1?\0\f?\0\0\0\0\0\375\200\0\0\0\0\5\0\0\3\376\0\0\2\0007\0\0\4\3def
\7members\5users\5users\10Password\10Password\f\10\0\0\1\0\0\375\201\20
\0\0\0\5\0\0\5\376\0\0\2\0"..., 16384) = 120
29311 poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
29311 poll([{fd=17, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
29311 write(17, "\23\0\0\0\27\1\0\0\0\0\1\0\0\0\0\1\375\0\4noel"..., 23)
= 23
29311 read(17, "\1\0\0\1\0017\0\0\2\3def\7members\5users\5users
\10Password\10Password\f\10\0\0\1\0\0\375\201\20\0\0\0\5\0\0\3\376\0\0\2
\0m\0\0\4\0\0j$6$xxxxxxxxxxxx\5\0\0\5\376\0\0\2\0"..., 16384) = 195
29311 gettimeofday({1361405772, 895721}, NULL) = 0
29311 write(8, "[Thu Feb 21 10:16:12.895721 2013] [authn_dbd:trace2]
[pid 29307:tid 3046349680] mod_authn_dbd.c(178): [client
fd1d:c01d:1ce::145:59592] Got hashed password '$6$xxxxxxxxxxxxx' for
user 'noel'\n"..., 281) = 281
29311 gettimeofday({1361405772, 895975}, NULL) = 0
29311 write(8, "[Thu Feb 21 10:16:12.895975 2013] [authn_dbd:debug] [pid
29307:tid 3046349680] mod_authn_dbd.c(199): (70024)passwords do not
match: [client fd1d:c01d:1ce::145:59592] Call to apr_password_validate
for user 'noel' and hashed password '$6$xxxxxxxxxxx"..., 368) = 368
29311 gettimeofday({1361405772, 896212}, NULL) = 0
29311 write(8, "[Thu Feb 21 10:16:12.896212 2013] [auth_basic:trace1]
[pid 29307:tid 3046349680] mod_auth_basic.c(246): [client
fd1d:c01d:1ce::145:59592] Checking password for user 'noel' using
provider 'dbd', result: 0\n"..., 204) = 204
29311 gettimeofday({1361405772, 896399}, NULL) = 0
29311 write(8, "[Thu Feb 21 10:16:12.896399 2013] [auth_basic:error]
[pid 29307:tid 3046349680] [client fd1d:c01d:1ce::145:59592] AH01617:
user noel: authentication failure for \"/\": Password Mismatch\n"...,
184) = 184
29311 gettimeofday({1361405772, 896750}, NULL) = 0
29311 read(16, 0x8537248, 8000)         = -1 EAGAIN (Resource
temporarily unavailable)
29311 gettimeofday({1361405772, 896880}, NULL) = 0
29311 gettimeofday({1361405772, 896933}, NULL) = 0


BTW I am now on dev@apr, I'll leave it to you Rainer if you want this
continued on both or either lists.
Cheers
Noel

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Rainer Jung <ra...@kippdata.de>.
On 20.02.2013 22:33, Noel Butler wrote:
> On Wed, 2013-02-20 at 09:07 +0100, Rainer Jung wrote:
>> 2) Keep original validation code but add some debug output to STDERR:
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch <http://people.apache.org/%7Erjung/patches/apr-util-password_validate-debug.patch>
>>
> Fails
> 
> [Thu Feb 21 07:18:27.549401 2013] [auth_basic:trace1] [pid 31295:tid
> 3012647792] mod_auth_basic.c(246): [client fd1d:c01d:1ce::145:58603]
> Checking password for user '' using provider 'dbd', result: 3
> 
> [Thu Feb 21 07:18:27.549593 2013] [auth_basic:error] [pid 31295:tid
> 3012647792] [client fd1d:c01d:1ce::145:58603] AH01618: user  not found: /
> 
> [Thu Feb 21 07:18:29.308367 2013] [authn_dbd:trace2] [pid 31295:tid
> 3004259184] mod_authn_dbd.c(178): [client fd1d:c01d:1ce::145:58603] Got
> hashed password '$6$xxxxxxxxx' for user 'noel'
> 
> [Thu Feb 21 07:18:29.308437 2013] [authn_dbd:debug] [pid 31295:tid
> 3004259184] mod_authn_dbd.c(199): (70024)passwords do not match: [client
> fd1d:c01d:1ce::145:58603] Call to apr_password_validate for user 'noel'
> and hashed password '$6$xxxx' validate returned an error
> 
> [Thu Feb 21 07:18:29.308471 2013] [auth_basic:trace1] [pid 31295:tid
> 3004259184] mod_auth_basic.c(246): [client fd1d:c01d:1ce::145:58603]
> Checking password for user 'noel' using provider 'dbd', result: 0
> 
> [Thu Feb 21 07:18:29.308505 2013] [auth_basic:error] [pid 31295:tid
> 3004259184] [client fd1d:c01d:1ce::145:58603] AH01617: user noel:
> authentication failure for "/": Password Mismatch

That's strange, the additional stderr output

"crypt_r returned NULL"

or

"crypt_r returned '%s'"

is not shown here.

As an alternative one could use strace to check the call to crypt_r and
the return value.

Rainer

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
Hi Rainer,

On Wed, 2013-02-20 at 09:07 +0100, Rainer Jung wrote:


> I prepared another round of patches to check, what's wrong in
> apr_password_validate. All patches can be applied in srclib/apr-util.
> They are *not* cumulative:
> 
> 1) Undo one change in the password validation function and check whether
> it works then:
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch
> 


Still fails


> 2) Keep original validation code but add some debug output to STDERR:
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch
> 

Fails

[Thu Feb 21 07:18:27.549401 2013] [auth_basic:trace1] [pid 31295:tid
3012647792] mod_auth_basic.c(246): [client fd1d:c01d:1ce::145:58603]
Checking password for user '' using provider 'dbd', result: 3

[Thu Feb 21 07:18:27.549593 2013] [auth_basic:error] [pid 31295:tid
3012647792] [client fd1d:c01d:1ce::145:58603] AH01618: user  not
found: /

[Thu Feb 21 07:18:29.308367 2013] [authn_dbd:trace2] [pid 31295:tid
3004259184] mod_authn_dbd.c(178): [client fd1d:c01d:1ce::145:58603] Got
hashed password '$6$xxxxxxxxx' for user 'noel'

[Thu Feb 21 07:18:29.308437 2013] [authn_dbd:debug] [pid 31295:tid
3004259184] mod_authn_dbd.c(199): (70024)passwords do not match: [client
fd1d:c01d:1ce::145:58603] Call to apr_password_validate for user 'noel'
and hashed password '$6$xxxx' validate returned an error

[Thu Feb 21 07:18:29.308471 2013] [auth_basic:trace1] [pid 31295:tid
3004259184] mod_auth_basic.c(246): [client fd1d:c01d:1ce::145:58603]
Checking password for user 'noel' using provider 'dbd', result: 0

[Thu Feb 21 07:18:29.308505 2013] [auth_basic:error] [pid 31295:tid
3004259184] [client fd1d:c01d:1ce::145:58603] AH01617: user noel:
authentication failure for "/": Password Mismatch




> 3) Combination of 1) and 2):
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch
> 


Fails with:

[Thu Feb 21 07:27:26.761557 2013] [authn_dbd:trace2] [pid 14586:tid
3038497648] mod_authn_dbd.c(178): [client fd1d:c01d:1ce::145:58640] Got
hashed password '$6xxxxxxxxxxx' for user 'noel'
[Thu Feb 21 07:27:26.761737 2013] [authn_dbd:debug] [pid 14586:tid
3038497648] mod_authn_dbd.c(199): (70024)passwords do not match: [client
fd1d:c01d:1ce::145:58640] Call to apr_password_validate for user 'noel'
and hashed password '$6$xxxx' validate returned an error
[Thu Feb 21 07:27:26.761804 2013] [auth_basic:trace1] [pid 14586:tid
3038497648] mod_auth_basic.c(246): [client fd1d:c01d:1ce::145:58640]
Checking password for user 'noel' using provider 'dbd', result: 0
[Thu Feb 21 07:27:26.761848 2013] [auth_basic:error] [pid 14586:tid
3038497648] [client fd1d:c01d:1ce::145:58640] AH01617: user noel:
authentication failure for "/": Password Mismatch



Cheers
N


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Rainer Jung <ra...@kippdata.de>.
On 20.02.2013 08:07, William A. Rowe Jr. wrote:
> On Wed, 20 Feb 2013 16:42:56 +1000
> Noel Butler <no...@ausics.net> wrote:
> 
>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>
>>
>>
>>>
>>> Note he mentioned SHA512, not crypt().  I don't know that this makes
>>> a difference on that architecture.
>>>
>>
>>
>> But isn't it just a hand off to system crypt()  (modern crypt(), not
>> the ancient 8 char one), since httpd is limited in native options,
>> what it doesn't understand it passes to system crypt() to handle.

Yes.

> Which remains my point... our current 2.4 and 2.2 candidates should
> suffer the same flaw.

Indeed, that's likely. Note that Noel uses SHA512, which is supported in
apr_password_validate(), but for instance not wired in htpasswd. So it
might not be the most often used password hash in combination with
httpd. Nevertheless we need to fix.

I prepared another round of patches to check, what's wrong in
apr_password_validate. All patches can be applied in srclib/apr-util.
They are *not* cumulative:

1) Undo one change in the password validation function and check whether
it works then:

http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch

2) Keep original validation code but add some debug output to STDERR:

http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch

3) Combination of 1) and 2):

http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch

All patches only change one file, so if you apply on top of your build
tree, make will only compile one file and you only need to copy over the
new .libs/libaprutil-1.so to your httpd installation lib.

Regards,

Rainer

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:

> On Wed, 20 Feb 2013 16:42:56 +1000
> Noel Butler <no...@ausics.net> wrote:
> 
> > On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
> > 
> > 
> > 
> > > 
> > > Note he mentioned SHA512, not crypt().  I don't know that this makes
> > > a difference on that architecture.
> > > 
> > 
> > 
> > But isn't it just a hand off to system crypt()  (modern crypt(), not
> > the ancient 8 char one), since httpd is limited in native options,
> > what it doesn't understand it passes to system crypt() to handle.
> 
> Which remains my point... our current 2.4 and 2.2 candidates should
> suffer the same flaw.
> 


If I get time later I'll put 2.2 on dev box (got a 2.2 config round here
somewhere still) and try it for you, heading off to dinner now for a few
hours.

It certainly appears related to passing to system crypt() though ...  If
I regenerate my password using old md5crypt - $1$foobaretc  it still
fails, however, when I change to use the native apache md5 variant -
$apr1$foobaretc   auth succeeds.


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Wed, 20 Feb 2013 16:42:56 +1000
Noel Butler <no...@ausics.net> wrote:

> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
> 
> 
> 
> > 
> > Note he mentioned SHA512, not crypt().  I don't know that this makes
> > a difference on that architecture.
> > 
> 
> 
> But isn't it just a hand off to system crypt()  (modern crypt(), not
> the ancient 8 char one), since httpd is limited in native options,
> what it doesn't understand it passes to system crypt() to handle.

Which remains my point... our current 2.4 and 2.2 candidates should
suffer the same flaw.


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:



> 
> Note he mentioned SHA512, not crypt().  I don't know that this makes
> a difference on that architecture.
> 


But isn't it just a hand off to system crypt()  (modern crypt(), not the
ancient 8 char one), since httpd is limited in native options, what it
doesn't understand it passes to system crypt() to handle.




Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Wed, 20 Feb 2013 02:20:55 +0100
Rainer Jung <ra...@kippdata.de> wrote:

> On 20.02.2013 01:39, Noel Butler wrote:
> > On Tue, 2013-02-19 at 12:03 +0100, Rainer Jung wrote:
> 
> OK, so we know it is correctly retrieving the hash and the access
> control really fails in the apu password_validate.
> 
> Next: Could you please
> 
> grep CRYPT /path/to/build/apache/srclib/apr-util/config.status
> 
> I'd like to check, whether your platform has CRYPT_R_CRYPTD or
> CRYPT_R_STRUCT_CRYPT_DATA defined. If it is the latter, then what OS
> is it and which glibc version?
> 
> It might be the following change:
> 
> http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?r1=998533&r2=998532&pathrev=998533
> 
> which was ported to 1.5 (file crypto/apr_passwd.c) but not to 1.4. All
> other differences between the source of password_validate() in 1.4 and
> 1.5 seem to be unrelated to your problem.

Note he mentioned SHA512, not crypt().  I don't know that this makes
a difference on that architecture.

This would apply to 2.2.24 then?  (Moreso, given that 2.4.x -deps
tarballs seem to disclaim being part of the release.)


Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Rainer Jung <ra...@kippdata.de>.
On 20.02.2013 01:39, Noel Butler wrote:
> On Tue, 2013-02-19 at 12:03 +0100, Rainer Jung wrote:

OK, so we know it is correctly retrieving the hash and the access control
really fails in the apu password_validate.

Next: Could you please

grep CRYPT /path/to/build/apache/srclib/apr-util/config.status

I'd like to check, whether your platform has CRYPT_R_CRYPTD or
CRYPT_R_STRUCT_CRYPT_DATA defined. If it is the latter, then what OS is
it and which glibc version?

It might be the following change:

http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?r1=998533&r2=998532&pathrev=998533

which was ported to 1.5 (file crypto/apr_passwd.c) but not to 1.4. All
other differences between the source of password_validate() in 1.4 and
1.5 seem to be unrelated to your problem.

Regards,

Rainer

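The two points the thread turns on are the dispatch Noel observed ("$apr1$" validates, "$1$" and "$6$" do not, because apr_password_validate handles the Apache MD5 variant itself and hands everything else to the platform crypt) and the check Rainer asks for (whether crypt_r returns NULL on that platform). The Python below is an added example written for this page, not apr-util's code and not any patch from the thread. It assumes: the "$apr1$" routine is FreeBSD md5crypt with Apache's magic string (apr_md5_encode uses the same construction); the platform crypt library is reached through ctypes rather than Python's crypt module, which was removed in 3.13; the "$6$saltsalt$" probe setting and the password "myPassword" are constructed inputs; and the known-answer hash is the one the httpd password-formats documentation shows for "htpasswd -nbm myName myPassword".

```python
"""Model of apr_password_validate()'s dispatch plus a crypt_r() NULL probe.
Added example for this thread, not apr-util's own code."""
import base64
import ctypes
import ctypes.util
import hashlib
import hmac
from typing import Callable, Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt-style base64: six bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> bytes:
    """md5crypt with the "$apr1$" magic, as htpasswd -m produces it (assumption:
    same algorithm as apr_md5_encode, which is FreeBSD md5crypt with a new magic)."""
    salt = salt[:8]                                   # apr stops at 8 bytes or '$'
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                                   # mix 'alt' in once per 16 bytes of pw
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                                          # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                             # the deliberate stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    f = final
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in triples)
    return magic + salt + b"$" + enc + _to64(f[11], 2)


def crypt_r_probe(password: bytes, setting: bytes) -> Optional[bytes]:
    """Call the platform crypt_r(). None means 'no usable crypt library' or
    'crypt_r returned NULL' (the case Rainer's debug patch prints to stderr)."""
    lib = None
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", "libcrypt.so"):
        if name:
            try:
                lib = ctypes.CDLL(name)
                break
            except OSError:
                continue
    if lib is None or not hasattr(lib, "crypt_r"):
        return None
    lib.crypt_r.restype = ctypes.c_char_p
    lib.crypt_r.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p]
    # struct crypt_data differs in size between glibc and libxcrypt; both only
    # require it to be zero-filled, so an oversized zeroed buffer serves either.
    data = ctypes.create_string_buffer(256 * 1024)
    result = lib.crypt_r(password, setting, data)
    if result is None or result.startswith(b"*"):    # NULL, or libxcrypt's "*0"/"*1" failure token
        return None
    return result


def validate(password: bytes, stored: bytes,
             system_crypt: Callable[[bytes, bytes], Optional[bytes]] = crypt_r_probe) -> bool:
    """Dispatch like apr_password_validate(): "$apr1$" and "{SHA}" natively,
    everything else ("$1$", "$5$", "$6$", DES) to the system crypt.
    A NULL from crypt_r is a failed validation, never a match."""
    if stored.startswith(b"$apr1$"):
        computed = apr1_crypt(password, stored[6:].split(b"$", 1)[0])
    elif stored.startswith(b"{SHA}"):
        computed = b"{SHA}" + base64.b64encode(hashlib.sha1(password).digest())
    else:
        computed = system_crypt(password, stored)
        if computed is None:
            return False
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    stored = b"$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"   # htpasswd -nbm myName myPassword
    print("apr1 ok:", validate(b"myPassword", stored))
    print("system $6$ probe:", crypt_r_probe(b"myPassword", b"$6$saltsalt$"))
```

If crypt_r_probe() returns None for a "$6$" setting on the affected box, that reproduces the "validate returned an error" line in the logs above without going through httpd at all. Note that strace only shows system calls; crypt_r is a library call inside libcrypt, so to watch it on the live httpd you would use ltrace -e crypt_r or a gdb breakpoint rather than strace.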

Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Noel Butler <no...@ausics.net>.
On Tue, 2013-02-19 at 12:03 +0100, Rainer Jung wrote:

> LogLevel info auth_basic:trace8 authn_dbd:trace8  


Thanks

> I checked whether the patch compiles fine, but haven't tested it, so
> careful if applying to production.

no problem this is only on dev at present.


NOTE: passwords returned in below fields were complete, and match the DB
correctly, so I removed all after the sha512 indicator.


[Wed Feb 20 10:32:09.846242 2013] [authn_dbd:trace2] [pid 6877:tid
3004689264] mod_authn_dbd.c(178): [client fd1d:c01d:1ce::145:35101] Got
hashed password '$6$ for user 'noel'

[Wed Feb 20 10:32:09.846360 2013] [authn_dbd:debug] [pid 6877:tid
3004689264] mod_authn_dbd.c(199): (70024)passwords do not match: [client
fd1d:c01d:1ce::145:35101] Call to apr_password_validate for user 'noel'
and hashed password '$6$' validate returned an error

[Wed Feb 20 10:32:09.846388 2013] [auth_basic:trace1] [pid 6877:tid
3004689264] mod_auth_basic.c(246): [client fd1d:c01d:1ce::145:35101]
Checking password for user 'noel' using provider 'dbd', result: 0

[Wed Feb 20 10:32:09.846402 2013] [auth_basic:error] [pid 6877:tid
3004689264] [client fd1d:c01d:1ce::145:35101] AH01617: user noel:
authentication failure for "/": Password Mismatch




Re: [VOTE] Release Apache httpd 2.4.4 as GA

Posted by Rainer Jung <ra...@kippdata.de>.
On 19.02.2013 04:35, Noel Butler wrote:

> Builds fine but operation now fails on all mysql auths  (included APR
> problem from -deps ??)
> reports: APR-util Version: 1.5.1
> 
> [Tue Feb 19 13:16:33.487932 2013] [auth_basic:error] [pid 24811:tid
> 2996689776] [client xxxxxxxxxxx] AH01617: user noel: authentication
> failure for "/": Password Mismatch
> 
> This is browser stored password , cleared, entered still fails,
> different browser, same, fails

Could you please apply the following patch:

http://people.apache.org/~rjung/patches/aaa_debug_2_4_4.patch

The patch adds debug output to mod_auth_basic and mod_authn_dbd.

Note that the output will contain the hashed password retrieved from the
database, but not the password sent from the browser.

To activate the output, you would have to increase the log level for
those two modules, e.g. if you are usually using LogLevel info, you
would now use:

LogLevel info auth_basic:trace8 authn_dbd:trace8

The output should allow us to clarify whether the denial actually came
from authn_dbd and what the return code of the apu password check was.

I checked whether the patch compiles fine, but haven't tested it, so
careful if applying to production.

Thanks!

Rainer