Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/01/19 18:07:56 UTC

DO NOT REPLY [Bug 14219] - apache with mod_ssl fail to start when return value of open syscall of certificates and key files are more than 255

http://issues.apache.org/bugzilla/show_bug.cgi?id=14219


petr.sumbera@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|FIXED                       |




------- Additional Comments From petr.sumbera@sun.com  2006-01-19 18:07 -------
I am reopening this bug because this limitation in Solaris OS is not a bug but
rather a feature (coming from the history of Unix). This is a well-known and
well-documented limitation. See the USAGE paragraph in the man page for fopen(3C).

Besides this, there is also a solution other than using 64-bit Apache. Look at
what Apache (at least version 2.0.x) does in our configuration:

- it creates a socket for each defined virtual host. This is done by the system
call socket(3SOCKET), which is issued from Apache's shared library
libapr-0.so.0.9.5 (function apr_socket_create_ex()). Each socket is defined as a
file descriptor, and they are assigned from lower to higher.

- after all sockets are created (and a few other configuration files are read),
some SSL handling is done. For each virtual server, the function
BIO_new_file() from the OpenSSL shared library (/usr/sfw/lib/libcrypto.so.0.9.7)
is called. This function uses fopen() and fails when there is no free file
descriptor under 255. Note that when there are more than about 240 virtual
servers (this depends on the number of opened files) it will fail. Also note
that SSL needs to open files via fopen only temporarily. It means that the files
are closed immediately after they are read.

The following patch for Apache 2.0.55 duplicates the file descriptor of each
newly created socket above 255.

--- httpd-2.0.55/srclib/apr/network_io/unix/sockets.c.orig      Thu Jan 19
17:56:03 2006
+++ httpd-2.0.55/srclib/apr/network_io/unix/sockets.c   Thu Jan 19 17:57:30 2006
@@ -90,6 +90,17 @@

     (*new)->socketdes = socket(family, type, protocol);

+#ifdef SOLARIS2
+    /* This rather hack saves on Solaris OS file descriptors under 255, which
+       we can really need in case of using a lot of virtual servers with SSL.
+       Solaris fopen() is limited to use only first 255 file descriptors. */
+    {
+        int high_socketdes = fcntl((*new)->socketdes, F_DUPFD, 255);
+        close((*new)->socketdes);
+        (*new)->socketdes = high_socketdes;
+    }
+#endif
+
 #if APR_HAVE_IPV6
     if ((*new)->socketdes < 0 && ofamily == APR_UNSPEC) {
         family = APR_INET;
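
Review bot: the return value of fcntl() in the SOLARIS2 block is never checked, and close() on the original descriptor is unconditional. If F_DUPFD fails (for example because no descriptor at or above 255 can be allocated), a socket that socket() created successfully is closed and socketdes becomes -1, so a working socket is turned into a creation failure. When socket() itself returned -1, the fcntl() and close() calls run on an invalid descriptor and overwrite errno before the `(*new)->socketdes < 0` check that follows. Suggest running the block only when socketdes >= 0, keeping the original descriptor when fcntl() returns -1, and calling close() only after a successful duplication.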


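
The descriptor relocation described in the comment above, written with error handling, as an added example that is not part of the original message or of APR. The helper name `relocate_fd_above` and its `min_fd` parameter are hypothetical; the block also carries FD_CLOEXEC over to the copy, because F_DUPFD clears that flag on the new descriptor.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical helper (not APR code): move fd to a descriptor number
 * >= min_fd so that low numbers stay free for stdio callers such as
 * fopen(). Returns the descriptor the caller should use from now on:
 *   - the new high descriptor on success (the low one is closed),
 *   - the unchanged original if it is negative, already >= min_fd,
 *     or if duplication fails (the working descriptor is kept).
 * errno is left as the caller had it, so an earlier socket() error
 * is not overwritten. */
int relocate_fd_above(int fd, int min_fd)
{
    int saved_errno = errno;
    int fdflags, high;

    if (fd < 0 || fd >= min_fd)
        return fd;                    /* nothing to relocate */

    fdflags = fcntl(fd, F_GETFD);     /* remember FD_CLOEXEC */
    if (fdflags < 0) {
        errno = saved_errno;
        return fd;
    }

    high = fcntl(fd, F_DUPFD, min_fd);
    if (high < 0) {                   /* e.g. EINVAL or EMFILE */
        errno = saved_errno;
        return fd;                    /* keep the low descriptor */
    }

    /* F_DUPFD clears FD_CLOEXEC on the copy; restore it if it was set
     * so the socket is not inherited across exec by accident. */
    if ((fdflags & FD_CLOEXEC) && fcntl(high, F_SETFD, fdflags) < 0) {
        close(high);
        errno = saved_errno;
        return fd;
    }

    close(fd);                        /* release the low slot */
    errno = saved_errno;
    return high;
}
```

In the patched code path this would be called as `(*new)->socketdes = relocate_fd_above((*new)->socketdes, 255);` right after socket().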