[users@httpd] RE: DH Parameters upgrading from 2.4.7 to 2.4.9
I tried to replicate this error but wasn't able to, but I was also unable to install OpenSSL 0.9.8e on my current VM. Could you provide snippets of your SSL configuration?
[users@httpd] Binary build request 2.2.27
Could someone generate a binary build for 2.2.27? In the past I have used the builds located at: http://apache.mirror.quintex.com//httpd/binaries/win32/ which have all worked great, however new versions have not been posted with the last ones being version 2.2.25. Could someone please make a binary build for 2.2.27 for me?

Thank you!
Jason

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] module identification
Is there a command in Apache that lists the modules loaded with their version numbers? -M shows everything but without the version numbers. -l does the same for modules that are compiled in. I just updated to openssl 1.0.1g and I need to confirm that that is really the version that is running.

Thanks for any help.
John
[users@httpd] Intermittent Performance Problem (waiting on "establishing secure connection")
Hi,

Apache 2.2
Tomcat 7
Windows Server 2008 64 bit

I have a problem that has been dogging me for weeks and seems to be getting worse. I have a Windows server and am fronting a Tomcat app server with Apache (using AJP connector) and SSL. This configuration has been in place for years without any issues. Suddenly, somewhat randomly, during the day, users are experiencing long waits for server response. The difficult part is that it's difficult to reproduce. They'll say it's slow, I'll jump on, and everything is zippy fast for me. However, I have been able to experience it a few times. When I've seen it, I've seen the browser hang for a while (~10+ seconds) on "establishing secure connection". For one small period of time, the wait was so long, it was timing out on the client.

When this was happening, I jumped onto the server and hit the Tomcat app locally (directly to Tomcat, bypassing Apache) and everything worked perfectly.. super fast. This makes me think it's something on the Apache side or at least the AJP connector. Also note that during all of these episodes, no hardware seems to be taxed. Disk I/O, memory, CPU, etc. all appear to be underutilized.

The only change that has been made in recent months was that I have added a few new apps to Tomcat. This has not really increased users though. But I did have to add the additional ajp/proxy lines to the httpd.conf file and modify the rewrite rules in the virtual host config.

In trying to troubleshoot this problem, I also upped the MaxClients, which didn't seem to have an effect on anything. Although it does *appear* to be load related. I could be wrong on that, but it seems most complaints tend to be during the busier times of the day.

My hunch is that this is SSL related, but I really don't know. I've included the results from the server-status below... this was from one of those moments that it hung on "establishing secure connection" for a bit. I don't see anything obvious in it... but maybe someone here will.
Any ideas? Thanks!!!

Apache Server Status for my.domain

Server Version: Apache/2.2.9 (Win32) mod_ssl/2.2.9 OpenSSL/0.9.8h
Server Built: Jun 13 2008 04:04:59
Current Time: Friday, 11-Apr-2014 11:36:32 Mountain Daylight Time
Restart Time: Friday, 11-Apr-2014 01:23:20 Mountain Daylight Time
Parent Server Generation: 0
Server uptime: 10 hours 13 minutes 12 seconds
Total accesses: 81852 - Total Traffic: 784.1 MB
2.22 requests/sec - 21.8 kB/second - 9.8 kB/request
64 requests currently being processed, 0 idle workers

KKKRKWCCRKRRKKKKRKRRKKRRKKRRKWKRKKCKKRRRKKKRKRKR

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv PID Acc M SS Req Conn Child Slot Client VHost Request
0-081841/744/744K680.05.985.98 the.ip.addresswww.my.domainGET /zzz2/polling?key=43DADEF1%2DB469%2DF802%2DD0C4%2D51DC8F2ED
0-0
RE: [users@httpd] RE: DH Parameters upgrading from 2.4.7 to 2.4.9
There’s not a whole lot to it, defaults except:

    SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
    SSLCertificateFile /usr/local/apache2/conf/cert.pem
    #SSLCertificateChainFile /usr/local/apache2/conf/intermediate.pem
    SSLCertificateKeyFile /usr/local/apache2/conf/cert.key

The error occurs when SSLCertificateChainFile is commented.

From: Falco Schwarz [mailto:hid...@falco.me]
Sent: Friday, April 11, 2014 7:50 AM
To: users@httpd.apache.org
Subject: [users@httpd] RE: DH Parameters upgrading from 2.4.7 to 2.4.9

> I tried to replicate this error but wasn't able to, but I was also unable to install OpenSSL 0.9.8e on my current VM. Could you provide snippets of your SSL configuration?
Re: [users@httpd] module identification
At 12:41 PM 4/11/2014 -0400, you wrote:
> Is there a command in Apache that lists the modules loaded with their version numbers? -M shows everything but without the version numbers. -l does the same for modules that are compiled in. I just updated to openssl 1.0.1g and I need to confirm that that is really the version that is running.

Debian/ubuntu:

    openssl version

If that fails, cross check with the installation:

    dpkg-query -l 'openssl'

Best -- Paul
Re: [users@httpd] module identification
Restart apache and take a look at your error log. There will be a line with the Apache version which will include what version of openSSL it's using.

**
Katherine Manfre
katherine.man...@sita.aero

From: John Iliffe
To: users@httpd.apache.org
Date: 04/11/2014 12:41 PM
Subject: [users@httpd] module identification

> Is there a command in Apache that lists the modules loaded with their version numbers? -M shows everything but without the version numbers. -l does the same for modules that are compiled in. I just updated to openssl 1.0.1g and I need to confirm that that is really the version that is running.
>
> Thanks for any help.
> John
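Added example (not part of any message in this thread): one way to automate the error-log check suggested above is to read the most recent startup banner and compare its OpenSSL token with the version that was just installed. The log lines are constructed samples and the function names are hypothetical.

```python
import re

# Startup banner written to the error log, e.g.
# "... Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- resuming normal operations"
BANNER = re.compile(r"(Apache/\S+.*?) configured -- resuming normal operations")
TOKEN = re.compile(r"([A-Za-z_][\w.-]*)/(\S+)")

def running_components(log_lines):
    """Return {product: version} from the most recent startup banner, or {}."""
    latest = {}
    for line in log_lines:
        m = BANNER.search(line)
        if m:
            # A later banner (a later restart) replaces an earlier one.
            latest = dict(TOKEN.findall(m.group(1)))
    return latest

def check_openssl(log_lines, expected):
    """Compare the OpenSSL version in the latest banner with the expected one."""
    found = running_components(log_lines).get("OpenSSL")
    if found is None:
        return "unknown: no OpenSSL token in the latest banner"
    if found == expected:
        return "ok"
    return f"mismatch: running {found}, expected {expected}"

# Constructed sample: a start before the upgrade, an unrelated line,
# and a restart after the upgrade.
SAMPLE_LOG = [
    "[Thu Apr 10 20:31:02.114210 2014] [mpm_event:notice] [pid 2101:tid 1] "
    "AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1e configured -- resuming normal operations",
    "[Fri Apr 11 12:52:39.900112 2014] [mpm_event:notice] [pid 2101:tid 1] "
    "AH00491: caught SIGTERM, shutting down",
    "[Fri Apr 11 12:52:40.551002 2014] [mpm_event:notice] [pid 2950:tid 1] "
    "AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- resuming normal operations",
]

if __name__ == "__main__":
    print(running_components(SAMPLE_LOG))
    print(check_openssl(SAMPLE_LOG, "1.0.1g"))
```

Taking the last banner matters: an error log that spans the upgrade still contains the old version string from earlier starts.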
[users@httpd] websockets and chunked encoding
Hi,

Not sure which part to blame - whether Apache, mod_passenger or a browser - but my websocket handshake gets corrupted by apache sending it using chunked encoding. Following is the response header that indicates switching to websocket:

    HTTP/1.1 101 Switching Protocols
    Date: Thu, 10 Apr 2014 15:21:28 GMT
    Server: Apache/2.2.15 (CentOS)
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Accept: S7wgnmtVSahQDCifkYwFlQajWcI=
    X-Powered-By: Phusion Passenger 4.0.41
    Status: 101 Switching Protocols
    Transfer-Encoding: chunked
    Content-Type: text/plain; charset=UTF-8

    5
    ..1::

The problem is that right after that the server sends actual websocket frame but apache encodes it using chunked encoding (prepends it with chunk length - the number 5 in my example). Since the first byte of websocket frame is supposed to be frame opcode the chunk length is taken by browser (tested with Chrome) as this opcode and whole websocket is corrupted.

What's wrong? Is this apache's fault? I can see other webservers are not using chunked encoding when connection gets upgraded to websocket...

Thanks,
Antony.
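Added example (not part of the post above): a small RFC 6455 header parser showing why a chunk-size line in front of the first frame breaks the connection. The ASCII digit "5" is byte 0x35, which decodes as FIN=0, RSV=011, opcode 0x5. The frame bytes are a constructed sample chosen to be 5 bytes long like the chunk in the post; all names are hypothetical.

```python
import re

OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary",
           0x8: "close", 0x9: "ping", 0xA: "pong"}

def chunk_prefix(data: bytes):
    """Return the size if data starts with an HTTP/1.1 chunk-size line, else None."""
    m = re.match(rb"([0-9A-Fa-f]+)\r\n", data)
    return int(m.group(1), 16) if m else None

def parse_server_frame(data: bytes) -> dict:
    """Parse one server-to-client WebSocket frame (RFC 6455, section 5.2)."""
    if len(data) < 2:
        raise ValueError("truncated frame header")
    b0, b1 = data[0], data[1]
    fin, rsv, opcode = b0 >> 7, (b0 >> 4) & 0x7, b0 & 0x0F
    if rsv:
        raise ValueError(f"RSV bits {rsv:03b} set, no extension negotiated")
    if opcode not in OPCODES:
        raise ValueError(f"reserved opcode 0x{opcode:X}")
    if b1 & 0x80:
        raise ValueError("server frames must not be masked")
    length, offset = b1 & 0x7F, 2
    if length in (126, 127):  # extended 16-bit or 64-bit payload length
        width = 2 if length == 126 else 8
        length = int.from_bytes(data[offset:offset + width], "big")
        offset += width
    payload = data[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return {"fin": fin, "opcode": OPCODES[opcode], "payload": payload}

# Constructed sample: an unmasked text frame carrying "1::" (5 bytes on the
# wire), then the same frame wrapped in chunked transfer encoding.
FRAME = b"\x81\x03" + b"1::"
CHUNKED = b"5\r\n" + FRAME + b"\r\n"

def diagnose(data: bytes) -> str:
    """Describe the first frame, or say why it is invalid."""
    try:
        f = parse_server_frame(data)
        return f"valid {f['opcode']} frame, payload {f['payload']!r}"
    except ValueError as err:
        size = chunk_prefix(data)
        hint = f"; stream starts with chunk-size line ({size} bytes)" if size is not None else ""
        return f"invalid frame: {err}{hint}"

if __name__ == "__main__":
    print(diagnose(FRAME))
    print(diagnose(CHUNKED))
```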
[users@httpd] mod ssl
I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So far everything looks good EXCEPT that Apache won't start. After making a number of tweaks to the configuration, I'm stuck. The error from httpd -t is:

    httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open shared object file: No such file or directory

I compiled with:

    "./configure" \
    "--prefix=/usr/apache-2.4.9" \
    "--with-included-apr" \
    "--with-pcre=/usr/pcre-8.32" \
    "--with-ssl=/usr/openssl-1.0.1g" \

and the modules/ directory has the following partial listing:

    -rwxr-xr-x 1 root root  35192 Apr 10 20:23 mod_socache_memcache.so
    -rwxr-xr-x 1 root root  66857 Apr 10 20:23 mod_socache_shmcb.so
    -rwxr-xr-x 1 root root  36732 Apr 10 20:23 mod_speling.so
    -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
    -rwxr-xr-x 1 root root  61870 Apr 10 20:23 mod_status.so
    -rwxr-xr-x 1 root root  42570 Apr 10 20:23 mod_substitute.so

Note that mod_ssl.so is third from the bottom.

I'm assuming that there is some problem with the way I compiled openssl but it doesn't save a copy of the command line. Here is what I "think" I used:

    ./configure --prefix=/usr/openssl-1.0.1g share

which worked OK when I compiled Apache.

I'm sure if I weren't in such an all-fired hurry I could figure this out but I would ask anyone who has already done this update to help me out here.

Thanks in advance.
John
Re: [users@httpd] mod ssl
On 12/04/2014 03:40, John Iliffe wrote:
> I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So far everything looks good EXCEPT that Apache won't start. After making a number of tweaks to the configuration, I'm stuck. The error from httpd -t is:
>
>     httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open shared object file: No such file or directory
>
> I compiled with:
>
>     "./configure" \
>     "--prefix=/usr/apache-2.4.9" \
>     "--with-included-apr" \
>     "--with-pcre=/usr/pcre-8.32" \
>     "--with-ssl=/usr/openssl-1.0.1g" \
>
> and the modules/ directory has the following partial listing:
>
>     -rwxr-xr-x 1 root root  35192 Apr 10 20:23 mod_socache_memcache.so
>     -rwxr-xr-x 1 root root  66857 Apr 10 20:23 mod_socache_shmcb.so
>     -rwxr-xr-x 1 root root  36732 Apr 10 20:23 mod_speling.so
>     -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
>     -rwxr-xr-x 1 root root  61870 Apr 10 20:23 mod_status.so
>     -rwxr-xr-x 1 root root  42570 Apr 10 20:23 mod_substitute.so
>
> Note that mod_ssl.so is third from the bottom.
>
> I'm assuming that there is some problem with the way I compiled openssl but it doesn't save a copy of the command line. Here is what I "think" I used:
>
>     ./configure --prefix=/usr/openssl-1.0.1g share
>
> which worked OK when I compiled Apache.
>
> I'm sure if I weren't in such an all-fired hurry I could figure this out but I would ask anyone who has already done this update to help me out here.
>
> Thanks in advance.
> John

Well, if you installed openssl-1.0.1g and have openssl dynamically linked by httpd, I don't see the need to re-compile http, rebooting should be enough I think (someone correct if I'm wrong).
Here (Slackware-14.0, openssl upgraded to openssl-1.0.1g but httpd not recompiled since):

    bash-4.2$ ldd /usr/sbin/httpd
        linux-gate.so.1 (0xe000)
        libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb75fb000)
        libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb75d2000)
        libexpat.so.1 => /usr/lib/libexpat.so.1 (0xb75aa000)
        libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0xb74fb000)
        libdb-4.4.so => /lib/libdb-4.4.so (0xb73dd000)
        libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0xb7393000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7379000)
        libssl.so.1 => /lib/libssl.so.1 (0xb7316000)
        libcrypto.so.1 => /lib/libcrypto.so.1 (0xb715f000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb715)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7137000)
        libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb7104000)
        libuuid.so.1 => /lib/libuuid.so.1 (0xb710)
        librt.so.1 => /lib/librt.so.1 (0xb70f7000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb70c4000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb70aa000)
        libdl.so.2 => /lib/libdl.so.2 (0xb70a4000)
        libc.so.6 => /lib/libc.so.6 (0xb6f1f000)
        /lib/ld-linux.so.2 (0xb76ef000)
    bash-4.2$ openssl version
    OpenSSL 1.0.1g 7 Apr 2014
    bash-4.2$

I just upgraded openssl.

But this message

> Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open
> shared object file: No such file or directory

doesn't say that there was a problem in compiling https, only that you miss the shared library libssl.so.1.0.0. Did you check that it is where expected?
FYI, the configure command in Slackware 14.0 is:

    ./configure \
      --enable-layout=Slackware-FHS \
      --with-apr=/usr \
      --with-apr-util=/usr \
      --enable-mods-shared=all \
      --enable-so \
      --enable-mpms-shared=all \
      --enable-pie \
      --enable-cgi \
      --with-pcre \
      --enable-ssl \
      --enable-rewrite \
      --enable-vhost-alias \
      --enable-proxy \
      --enable-proxy-http \
      --enable-proxy-ftp \
      --enable-cache \
      --enable-mem-cache \
      --enable-file-cache \
      --enable-disk-cache \
      --enable-dav \
      --enable-ldap \
      --enable-authnz-ldap \
      --enable-authn-anon \
      --enable-authn-alias \
      --build=$ARCH-slackware-linux || exit 1

HTH,
Didier

PS I don't see the need for this:

> ./configure --prefix=/usr/openssl-1.0.1g share

I'd just keep *only* the good version of openssl. In any case

    ldd /path/to/httpd

should confirm you that there is a problem linking to openssl (maybe it's not in /usr/openssl-1.0.1g/lib ?)
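Added example (not part of the thread): a check over `ldd` output for mod_ssl.so that reports both the failure discussed above (libssl "not found") and the quieter case where the module resolves to an OpenSSL copy outside the directory that was just built. The `ldd` outputs are constructed samples, the function names are hypothetical, and /usr/openssl-1.0.1g/lib is the location guessed at in the reply above.

```python
import re
import subprocess
import sys

# Matches "libfoo.so.1 => /path/libfoo.so.1 (0x...)" and "libfoo.so.1 => not found"
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(not found|\S+)")

def parse_ldd(text):
    """Map each library name in ldd output to its resolved path (None if not found)."""
    libs = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            name, target = m.groups()
            libs[name] = None if target == "not found" else target
    return libs

def openssl_findings(text, expected_dir):
    """List problems with how libssl/libcrypto resolve; an empty list means none."""
    prefix = expected_dir.rstrip("/") + "/"
    findings = []
    for name, path in parse_ldd(text).items():
        if not name.startswith(("libssl.so", "libcrypto.so")):
            continue
        if path is None:
            findings.append(f"{name}: not found by the runtime linker")
        elif not path.startswith(prefix):
            findings.append(f"{name}: resolves to {path}, outside {expected_dir}")
    return findings

# Constructed ldd outputs for modules/mod_ssl.so in three states.
BROKEN = ("\tlinux-vdso.so.1 (0x00007ffd5a7f2000)\n"
          "\tlibssl.so.1.0.0 => not found\n"
          "\tlibcrypto.so.1.0.0 => not found\n"
          "\tlibc.so.6 => /lib64/libc.so.6 (0x00007f3a1c200000)\n")
STALE = BROKEN.replace("libssl.so.1.0.0 => not found",
                       "libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f3a1c800000)")
FIXED = ("\tlibssl.so.1.0.0 => /usr/openssl-1.0.1g/lib/libssl.so.1.0.0 (0x00007f3a1c800000)\n"
         "\tlibcrypto.so.1.0.0 => /usr/openssl-1.0.1g/lib/libcrypto.so.1.0.0 (0x00007f3a1c400000)\n")

if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py /path/to/mod_ssl.so /expected/lib/dir
    # Run ldd only on binaries you trust; it may execute code from the file.
    out = subprocess.run(["ldd", sys.argv[1]], capture_output=True, text=True).stdout
    print("\n".join(openssl_findings(out, sys.argv[2])) or "OpenSSL linkage as expected")
```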
Re: [users@httpd] undefined symbol: apr_crypto_init
On Thu, Apr 10, 2014 at 06:07:53PM -0600, Jeff Trawick wrote:
> On Thu, Apr 10, 2014 at 3:33 PM, David Benfell
> I unfortunately missed your clear, earlier statement that you are using
> the provided RPM specs which install apr + apr-util as system
> libraries. IMO that is not a good idea for most people, in case you
> want to install arbitrary software from your system package repository
> and have it use the apr + apr-util it is built with and at the same
> time have your httpd use the apr + apr-util you selected for that
> particular purpose. I don't use the RPM builds myself, never install
> into system directories, and don't really know what the considerations
> are. Sorry.

I think more seriously, I was trying to get too far ahead of my distribution (Contabo 6.5). This became apparent when, having found a way around this problem, I tackled php. Recall that modules, including the one for php, need to be rebuilt for the new version of apache. Taking this on, I rapidly found even more ratholes. I decided it was time for a distribution change.

I apologize for my delay in responding to this message. I'm now running on Fedora 20, which comes with apache 2.4. But, just at the stage where I lose mail every time, this seems to be going fairly smoothly. (We'll see when I try sending this message.)

I have encountered problems on Fedora, but I think they're related to Fedora's packaging. And I'm trying to get a question in on their community about it. (Their forum server seems to have gone down.)

>
> Same error as before, or something different? Can you copy and paste
> the exact message?

It was the same error.

> I don't think your current LD_LIBRARY_PATH actually changes anything.

A reasonable suspicion. I'm unable to test it now. Sorry.

> > I'm thinking I ought to be able to substitute apachectl for the start
> > script with a symbolic link. Would this work? Any reason I shouldn't?
>
> Where did you get /etc/init.d/httpd? Is that from an RPM build you did
> of httpd 2.4?
Yes, incredibly, the spec file seems to do everything including instructing rpmbuild how to build that script. Was I surprised? Yes. But it seems to me to be a strong argument in general for using rpmbuild. That is, if you aren't trying to get too far ahead of your distribution. CentOS 6.5 is just too 'stable' and this isn't the only security-related issue I've had with it (I want Apache 2.4 for perfect forward secrecy).

--
David Benfell
See https://parts-unknown.org/node/2 if you don't understand the attachment.