Posted to dev@httpd.apache.org by Sander Temme <sa...@temme.net> on 2004/12/21 20:15:28 UTC
[1.3 PATCH] Select SSL version on ab command line
The following patch (inline and attached) expands the experimental -s
flag to ab to specify the SSL version used for the benchmark run. Valid
versions are SSLv2, SSLv3, TLSv1 and ANY in which case the program will
use the highest version available. This code is active when httpd is
configured with CFLAGS="-DUSE_SSL" and LDFLAGS="-lssl -lcrypto".
Downside: getopt(3) doesn't allow for an optional optarg, so a bare -s
no longer works. I could possibly hack around that by scanning the bare
argv string but that seems to me like a significant can of worms.
Patch:
Index: src/support/ab.8
===================================================================
--- src/support/ab.8 (revision 122972)
+++ src/support/ab.8 (working copy)
@@ -28,7 +28,7 @@
] [
.B \-i
] [
-.B \-s
+.BI \-s " version"
] [
.BI \-n " requests"
] [
@@ -95,14 +95,15 @@
one or two times the standard deviation apart. And default to the
min/avg/max values. (legacy support).
.TP 12
-.B \-s
+.BI \-s " version"
When compiled in (ab -h will show you) use the SSL protected
.B https
rather than the
.B http
protocol. This feature is experimental and
.B very
-rudimentary. You propably do not want to use it.
+rudimentary. You probably do not want to use it. The version parameter
+can be (SSLv2|SSLv3|TLSv1|ANY).
.TP 12
.B \-k
Enable the HTTP KeepAlive feature; that is, perform multiple requests
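Review bot: the man page entry `.BI \-s " version"` should say that the argument is now mandatory; with the getopt string changed to "s:", a bare -s is rejected, yet the new text at "The version parameter can be (SSLv2|SSLv3|TLSv1|ANY)" only lists accepted values and leaves the reader to assume the old bare -s still works. A sentence such as "A version must be given; use ANY to negotiate the highest version the server supports." would close that gap.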
Index: src/support/ab.c
===================================================================
--- src/support/ab.c (revision 122972)
+++ src/support/ab.c (working copy)
@@ -1364,7 +1364,8 @@
fprintf(stderr, " -g filename Output collected data to
gnuplot format file.\n");
fprintf(stderr, " -e filename Output CSV file with
percentages served\n");
#ifdef USE_SSL
- fprintf(stderr, " -s Use httpS instead of HTTP
(SSL)\n");
+ fprintf(stderr, " -s version Use httpS instead of HTTP
(SSL)\n");
+ fprintf(stderr, " version is
(SSLv2|SSLv3|TLSv1|ANY)\n");
#endif
fprintf(stderr, " -h Display usage information
(this message)\n");
exit(EINVAL);
@@ -1463,6 +1464,10 @@
{
int c, r, l;
char tmp[1024];
+#ifdef USE_SSL
+ char ssl_err[40];
+ SSL_METHOD *ssl_method;
+#endif
/* table defaults */
tablestring = "";
trstring = "";
@@ -1474,13 +1479,25 @@
optind = 1;
while ((c = getopt(argc, argv,
"n:c:t:T:p:v:kVhwix:y:z:C:H:P:A:g:X:de:Sq"
#ifdef USE_SSL
- "s"
+ "s:"
#endif
)) > 0) {
switch (c) {
#ifdef USE_SSL
case 's':
ssl = 1;
+ if (!strcmp(optarg, "ANY")) {
+ ssl_method = SSLv23_client_method();
+ } else if (!strcmp(optarg, "SSLv2")) {
+ ssl_method = SSLv2_client_method();
+ } else if (!strcmp(optarg, "SSLv3")) {
+ ssl_method = SSLv3_client_method();
+ } else if (!strcmp(optarg, "TLSv1")) {
+ ssl_method = TLSv1_client_method();
+ } else {
+ sprintf(ssl_err, "SSL method %.4s not supported.\n",
optarg);
+ err(ssl_err);
+ }
break;
#endif
case 'n':
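Review bot: the error path truncates the user's input to four characters (`"SSL method %.4s not supported.\n"`), so an unrecognised value such as "TLSv1.1" is reported as "TLSv", which hides what was actually typed; the 40-byte `ssl_err` buffer is only safe because of that truncation. Use `snprintf(ssl_err, sizeof(ssl_err), ...)` with a plain `%s`, or print with `fprintf(stderr, ...)` and call `err()` with a fixed string, instead of bounding the message by clipping the argument. Separately, "ANY" maps to `SSLv23_client_method()`, which still advertises SSLv2 in its compatible hello; if the intent is "highest version available" rather than "whatever the server picks", consider `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)` after the context is created.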
@@ -1655,7 +1672,7 @@
#ifdef USE_SSL
SSL_library_init();
- if (!(ctx = SSL_CTX_new(SSLv2_client_method()))) {
+ if (!(ctx = SSL_CTX_new(ssl_method))) {
fprintf(stderr, "Could not init SSL CTX: ");
ERR_print_errors_fp(stderr);
exit(1);
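Review bot: `ssl_method` is declared without an initialiser in the earlier hunk and is only assigned inside `case 's':`, so unless this `SSL_CTX_new(ssl_method)` call already sits under an `if (ssl)` guard (not visible in the context shown), a run without -s passes an uninitialised pointer to OpenSSL. Initialise it to NULL at the declaration and make the guard explicit here, so that the "Could not init SSL CTX" path is the only failure mode.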
Similar patch for Apache 2 ab is forthcoming.
S.
--
sander@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by Mads Toftum <ma...@toftum.dk>.
On Tue, Dec 21, 2004 at 02:02:46PM -0800, Sander Temme wrote:
> We're also not talking about Ciphers here, just protocol versions. It
> figures out the ciphersuites for itself. I figure if we want to get
> that sophisticated, we'd better pour our energy into flood instead of
> ab.
>
Cipher was a mistake on my part - I wanted to say protocol but got
distracted ;)
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by Sander Temme <sa...@temme.net>.
On Dec 21, 2004, at 1:12 PM, Mads Toftum wrote:
> Could this be similar to openssl s_client - ssl2, ssl3, ... and the
> no_ssl2, no_ssl3 etc? Just like you might want to specify a specific
> version, I could see where it would be nice to go the other way and
> remove a specific cipher.
That's right, this is either selecting a specific version or (the
default) send an SSLv2 compatible hello and offer up all versions it
can do.
We're also not talking about Ciphers here, just protocol versions. It
figures out the ciphersuites for itself. I figure if we want to get
that sophisticated, we'd better pour our energy into flood instead of
ab.
S.
--
sander@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by Mads Toftum <ma...@toftum.dk>.
On Tue, Dec 21, 2004 at 01:03:13PM -0800, Sander Temme wrote:
>
> On Dec 21, 2004, at 11:21 AM, William A. Rowe, Jr. wrote:
>
> >Can we use a separate flag to specify the protocol version?
>
> To address both your and André's response, yes we can. I even found an
> unused letter that makes sense: -m for 'method'. And yes, I'll do a 2.1
> patch. The reason my personal itch was with the 1.3 ab is that it
> defaults to SSLv2 and my company's product doesn't support SSLv2.
>
Could this be similar to openssl s_client - ssl2, ssl3, ... and the
no_ssl2, no_ssl3 etc? Just like you might want to specify a specific
version, I could see where it would be nice to go the other way and
remove a specific cipher.
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by Sander Temme <sa...@temme.net>.
On Dec 21, 2004, at 1:03 PM, Sander Temme wrote:
>
> On Dec 21, 2004, at 11:21 AM, William A. Rowe, Jr. wrote:
>
>> Can we use a separate flag to specify the protocol version?
>
> To address both your and André's response, yes we can. I even found an
> unused letter that makes sense: -m for 'method'. And yes, I'll do a
> 2.1 patch. The reason my personal itch was with the 1.3 ab is that it
> defaults to SSLv2 and my company's product doesn't support SSLv2.
Now that the holidays are over:
<Tickle>
If we (as a community) don't want to put that kind of work into ab,
especially 1.3 ab, I totally understand. In that case, I would like you
to consider the following one-line patch that just makes ab negotiate
the highest SSL version available rather than finding itself stuck at
the obsolete SSL version 2:
Index: src/support/ab.c
===================================================================
--- src/support/ab.c (revision 124022)
+++ src/support/ab.c (working copy)
@@ -1655,7 +1655,7 @@
#ifdef USE_SSL
SSL_library_init();
- if (!(ctx = SSL_CTX_new(SSLv2_client_method()))) {
+ if (!(ctx = SSL_CTX_new(SSLv23_client_method()))) {
fprintf(stderr, "Could not init SSL CTX: ");
ERR_print_errors_fp(stderr);
exit(1);
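Review bot: switching the default from `SSLv2_client_method()` to `SSLv23_client_method()` lets the client negotiate up to TLSv1, but the SSLv23 method still sends an SSLv2-compatible hello and will still complete an SSLv2 handshake against a server that offers nothing newer. If the goal is to stop benchmarking over the obsolete version rather than merely to stop defaulting to it, follow the `SSL_CTX_new` call with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);` so that SSLv2 is excluded from the negotiation.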
Thanks!
S.
--
sander@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by Sander Temme <sa...@temme.net>.
On Dec 21, 2004, at 11:21 AM, William A. Rowe, Jr. wrote:
> Can we use a separate flag to specify the protocol version?
To address both your and André's response, yes we can. I even found an
unused letter that makes sense: -m for 'method'. And yes, I'll do a 2.1
patch. The reason my personal itch was with the 1.3 ab is that it
defaults to SSLv2 and my company's product doesn't support SSLv2.
Here's a new 1.3 patch (also attached for line-wrappy goodness):
Index: src/support/ab.8
===================================================================
--- src/support/ab.8 (revision 122972)
+++ src/support/ab.8 (working copy)
@@ -30,6 +30,8 @@
] [
.B \-s
] [
+.BI \-m " version"
+] [
.BI \-n " requests"
] [
.BI \-t " timelimit"
@@ -102,11 +104,19 @@
.B http
protocol. This feature is experimental and
.B very
-rudimentary. You propably do not want to use it.
+rudimentary. You probably do not want to use it.
.TP 12
+.BI \-m " version"
+SSL version to use.
+.B Version
+can be SSLv2, SSLv3 or TLSv1. To be used together with
+.B \-s
+option. Default is highest available version.
+.TP 12
.B \-k
Enable the HTTP KeepAlive feature; that is, perform multiple requests
within one HTTP session. Default is no KeepAlive.
+.TP 12
.B \-i
Use an HTTP 'HEAD' instead of the GET method. Cannot be mixed with
POST.
.TP 12
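Review bot: "To be used together with the -s option" contradicts the code in the ab.c hunk, where `case 'm':` sets `ssl = 1` itself, so -m alone already enables https; either state that -m implies -s or drop the sentence (the same wording appears in the usage text added to ab.c). Minor style point: `.B Version` bolds the word while the synopsis shows it in italics via `.BI \-m " version"`; `.I version` would match.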
Index: src/support/ab.c
===================================================================
--- src/support/ab.c (revision 122972)
+++ src/support/ab.c (working copy)
@@ -1365,6 +1365,9 @@
fprintf(stderr, " -e filename Output CSV file with
percentages served\n");
#ifdef USE_SSL
fprintf(stderr, " -s Use httpS instead of HTTP
(SSL)\n");
+ fprintf(stderr, " -m version SSL version is
(SSLv2|SSLv3|TLSv1)\n");
+ fprintf(stderr, " If not specified, use highest
available.\n");
+ fprintf(stderr, " Use this option together with
-s.\n");
#endif
fprintf(stderr, " -h Display usage information
(this message)\n");
exit(EINVAL);
@@ -1463,6 +1466,9 @@
{
int c, r, l;
char tmp[1024];
+#ifdef USE_SSL
+ SSL_METHOD *ssl_method = NULL;
+#endif
/* table defaults */
tablestring = "";
trstring = "";
@@ -1474,13 +1480,30 @@
optind = 1;
while ((c = getopt(argc, argv,
"n:c:t:T:p:v:kVhwix:y:z:C:H:P:A:g:X:de:Sq"
#ifdef USE_SSL
- "s"
+ "sm:"
#endif
)) > 0) {
switch (c) {
#ifdef USE_SSL
case 's':
ssl = 1;
+ if (ssl_method == NULL) {
+ ssl_method = SSLv23_client_method();
+ }
+ break;
+ case 'm':
+ ssl = 1;
+ if (!strcmp(optarg, "SSLv2")) {
+ ssl_method = SSLv2_client_method();
+ } else if (!strcmp(optarg, "SSLv3")) {
+ ssl_method = SSLv3_client_method();
+ } else if (!strcmp(optarg, "TLSv1")) {
+ ssl_method = TLSv1_client_method();
+ } else {
+ fprintf(stderr, "SSL method %s not supported.
Defaulting to highest "
+ "supported version.\n", optarg);
+ ssl_method = SSLv23_client_method();
+ }
break;
#endif
case 'n':
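Review bot: an unrecognised -m value now prints a warning and silently falls back to `SSLv23_client_method()`, which means a run started with a typo such as "-m TLSv1.0" reports the requested version but negotiates whatever the server prefers, a misleading result for a benchmark. The earlier revision of this patch treated an unknown method as fatal; keep that behaviour here (print the message and `exit(EINVAL)` or call `err()`) rather than defaulting. The -s / -m ordering itself is handled correctly: `case 's':` only assigns the SSLv23 method when `ssl_method` is still NULL, so `-m TLSv1 -s` and `-s -m TLSv1` behave the same.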
@@ -1655,7 +1678,7 @@
#ifdef USE_SSL
SSL_library_init();
- if (!(ctx = SSL_CTX_new(SSLv2_client_method()))) {
+ if (!(ctx = SSL_CTX_new(ssl_method))) {
fprintf(stderr, "Could not init SSL CTX: ");
ERR_print_errors_fp(stderr);
exit(1);
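Review bot: with `ssl_method` now initialised to NULL, a run that reaches this `SSL_CTX_new(ssl_method)` call without -s or -m would hand OpenSSL a NULL method, which fails with a generic "null ssl method passed" error behind the "Could not init SSL CTX" message; if this block is not already guarded by `if (ssl)` (context not shown), add that guard so the message can only mean a genuine OpenSSL failure.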
--
sander@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
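The -s / -m design argued over above has two properties worth checking in isolation: the two flags must be order-independent (-s followed by -m must not clobber the explicit version, and -m alone must imply https), and, as the first revision of the patch did with err(), an unrecognised version string should fail the run rather than silently fall back. The following is an added example written for this page, not code from ab or from any of the posters; it models the option handling with a plain enum instead of OpenSSL's SSL_METHOD pointers so it builds without libssl, and the helper names (parse_ssl_args, ssl_version_name, reset_getopt) are hypothetical.

```c
/* Option handling for an ab-style "-s" (use https) and "-m version"
 * (pick the SSL/TLS version), modelled without libssl.  Added example,
 * not code from ab; names below are hypothetical. */
#include <getopt.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum ssl_version { SSL_OFF = 0, SSL_ANY, SSL_V2, SSL_V3, TLS_V1 };

struct ssl_opts {
    int ssl;                    /* 1 when https should be used */
    enum ssl_version version;   /* stand-in for the SSL_METHOD chosen */
};

/* Same spelling of the accepted names as the patch's strcmp() chain. */
static const struct { const char *name; enum ssl_version v; } version_table[] = {
    { "SSLv2", SSL_V2 }, { "SSLv3", SSL_V3 }, { "TLSv1", TLS_V1 },
};

const char *ssl_version_name(enum ssl_version v)
{
    switch (v) {
    case SSL_OFF: return "plain http";
    case SSL_ANY: return "highest available (SSLv23 method)";
    case SSL_V2:  return "SSLv2";
    case SSL_V3:  return "SSLv3";
    case TLS_V1:  return "TLSv1";
    }
    return "?";
}

/* Exact-match lookup; returns 0 and sets *out, or -1 if unknown. */
static int parse_version(const char *s, enum ssl_version *out)
{
    size_t i;
    for (i = 0; i < sizeof version_table / sizeof version_table[0]; i++) {
        if (strcmp(s, version_table[i].name) == 0) {
            *out = version_table[i].v;
            return 0;
        }
    }
    return -1;
}

/* getopt(3) keeps global state; reset it so the parser can be called
 * more than once in one process (ab itself does "optind = 1"). */
static void reset_getopt(void)
{
    optind = 0;              /* glibc and musl: full reinitialisation */
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
    optind = 1;
    optreset = 1;            /* BSD libc wants optreset as well */
#endif
}

/* Parse "-s" and "-m version" in any order.  -m implies -s, -s without
 * -m means "negotiate the highest version", and an unknown version or
 * option is a hard error (returns -1 with a message in errbuf), never a
 * silent fallback. */
int parse_ssl_args(int argc, char *const argv[], struct ssl_opts *o,
                   char *errbuf, size_t errlen)
{
    int c;
    o->ssl = 0;
    o->version = SSL_OFF;
    reset_getopt();
    opterr = 0;              /* report unknown options ourselves */
    while ((c = getopt(argc, argv, "sm:")) != -1) {
        switch (c) {
        case 's':
            o->ssl = 1;
            if (o->version == SSL_OFF)       /* keep an earlier -m */
                o->version = SSL_ANY;
            break;
        case 'm':
            o->ssl = 1;
            if (parse_version(optarg, &o->version) != 0) {
                snprintf(errbuf, errlen, "SSL method %s not supported", optarg);
                return -1;
            }
            break;
        default:
            snprintf(errbuf, errlen, "unknown option -%c", optopt);
            return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct ssl_opts o;
    char err[128];
    if (parse_ssl_args(argc, argv, &o, err, sizeof err) != 0) {
        fprintf(stderr, "%s\n", err);
        return 1;
    }
    printf("ssl=%d version=%s\n", o.ssl, ssl_version_name(o.version));
    return 0;
}
```

Running it as `./a.out -m TLSv1 -s` and `./a.out -s -m TLSv1` prints the same line, `./a.out -m SSLv3` enables https without -s, and `./a.out -m TLSv1.1` exits non-zero with the full argument in the message instead of the truncated "TLSv" the first patch would have printed.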
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 01:15 PM 12/21/2004, Sander Temme wrote:
>The following patch (inline and attached) expands the experimental -s flag to ab to specify the SSL version used for the benchmark run. Valid versions are SSLv2, SSLv3, TLSv1 and ANY in which case the program will use the highest version available. This code is active when httpd is configured with CFLAGS="-DUSE_SSL" and LDFLAGS="-lssl -lcrypto".
>
>Downside: getopt(3) doesn't allow for an optional optarg, so a bare -s no longer works. I could possibly hack around that by scanning the bare argv string but that seems to me like a significant can of worms.
Due to a change I hope to introduce, allowing a generic '-s' for
http:// connections (to trigger client-selected connection upgrade)
that would be a big downside.
Can we use a separate flag to specify the protocol version?
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by Jim Jagielski <ji...@jaguNET.com>.
On Dec 21, 2004, at 2:15 PM, Sander Temme wrote:
> The following patch (inline and attached) expands the experimental -s
> flag to ab to specify the SSL version used for the benchmark run.
> Valid versions are SSLv2, SSLv3, TLSv1 and ANY in which case the
> program will use the highest version available. This code is active
> when httpd is configured with CFLAGS="-DUSE_SSL" and LDFLAGS="-lssl
> -lcrypto".
>
+1
Re: [1.3 PATCH] Select SSL version on ab command line
Posted by André Malo <nd...@perlig.de>.
* Sander Temme wrote:
> The following patch (inline and attached) expands the experimental -s
> flag to ab to specify the SSL version used for the benchmark run. Valid
> versions are SSLv2, SSLv3, TLSv1 and ANY in which case the program will
> use the highest version available. This code is active when httpd is
> configured with CFLAGS="-DUSE_SSL" and LDFLAGS="-lssl -lcrypto".
>
> Downside: getopt(3) doesn't allow for an optional optarg, so a bare -s
> no longer works. I could possibly hack around that by scanning the bare
> argv string but that seems to me like a significant can of worms.
The solution is simple. Use -s for turning on SSL and another flag for the
version. I'd suggest anyway to start with 2.1 and then go down the backport
chain. That's the desired way.
nd
--
Already I've seen people (really!) write web URLs in the form:
http:\\some.site.somewhere
[...] How soon until greengrocers start writing "apples $1\pound"
or something? -- Joona I Palaste in clc