201923 2007-12-11 09:42 0000 =www-servers/apache-2.2.6-r4 SSL-related regression 2007-12-15 14:35:07 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED P2 normal --- 1 petre.rodan@simplex.ro apache-bugs@gentoo.org petre.rodan@simplex.ro 2007-12-11 09:42:36 0000 a large POST triggers the following error for https sites: [Tue Dec 11 11:22:09 2007] [error] [client 192.168.88.165] request body exceeds maximum size for SSL buffer [Tue Dec 11 11:22:09 2007] [error] [client 192.168.88.165] could not buffer message body to allow SSL renegotiation to proceed this only started happening since I updated to apache-2.2.6-r4. apache-2.2.6-r2 and older worked without ever displaying that error. the same apache-2.2.6-r4 merged without the 04_all_mod_ssl_tls_sni patch does not have the problem. so please either fix that patch or drop it. thanks, peter Portage 2.1.3.19 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-hardened-r2-a048 i686) ================================================================= System uname: 2.6.23-hardened-r2-a048 i686 Intel(R) Xeon(TM) CPU 3.00GHz Timestamp of tree: Tue, 11 Dec 2007 06:46:01 +0000 app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control /var/service" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -pipe" DISTDIR="/local/portage/distfiles" FEATURES="buildpkg collision-protect distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox" GENTOO_MIRRORS="ftp://ftp.roedu.net/pub/mirrors/gentoo.org ftp://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j1" PKGDIR="/local/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/local/portage/build" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/local/portage/overlay" SYNC="rsync://mirrors.bu.avira.com/gentoo-portage" USE="bzip2 caps crypt hardened jpeg nptl nptlonly pam pic png readline sse sse2 ssl truetype unicode utf8 x86 xml zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="alias auth_basic authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_user autoindex cache deflate dir disk_cache env filter headers log_config mem_cache mime rewrite setenvif" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS hollow@gentoo.org 2007-12-11 12:19:27 0000 it's masked for a reason ... but if you have a patch, let me know petre.rodan@simplex.ro 2007-12-15 11:53:02 0000 Created an attachment (id=138538) apache-2.eclass patch UNIPATCH_EXCLUDE adaptation for gentoo's apache build. in case you intend to mark as stable an apache containing that shady patch please also include this eclass tweak. hollow@gentoo.org 2007-12-15 12:19:37 0000 use EPATCH_EXCLUDE from eutils.eclass hollow@gentoo.org 2007-12-15 12:20:29 0000 FYI, it will probably become a use-flag as long as it's experimental, to get the USE_EXPANDED ebuild unmasked asap hollow@gentoo.org 2007-12-15 12:22:25 0000 maybe this is also related to http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 ? petre.rodan@simplex.ro 2007-12-15 12:42:26 0000 Hi, (In reply to comment #5) > maybe this is also related to > http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 ? I've seen those bug reports, but they do not apply on our infrastructure, because we don't use SSLVerifyClient (or any other per-directory SSL setting), and we never had that error before using an apache with that SNI patch, on any of our production servers. the error popped up the second day after -r4 has been merged on an internal web server and went away after merging an -r4 without the SNI capability. having SNI tweakable via USE flag works for me. thanks, peter hollow@gentoo.org 2007-12-15 14:35:07 0000 2.2.6-r6 now has the sni use flag 138538 2007-12-15 11:53 0000 apache-2.eclass patch apache-2.eclass.patch text/plain LS0tIGFwYWNoZS0yLmVjbGFzcy5vcmlnCTIwMDctMTEtMjkgMjE6MDY6MDUuMDAwMDAwMDAwICsw MjAwCisrKyBhcGFjaGUtMi5lY2xhc3MJMjAwNy0xMi0xNSAxMzo0MjoxOS4wMDAwMDAwMDAgKzAy MDAKQEAgLTMyLDYgKzMyLDExIEBACiAjIFRoaXMgdmFyaWFibGUgbmVlZHMgdG8gYmUgc2V0IGlu IHRoZSBlYnVpbGQgYW5kIGNvbnRhaW5zIHRoZSBuYW1lIG9mIHRoZQogIyBnZW50b28gZGV2ZWxv cGVyIHdobyBjcmVhdGVkIHRoZSBwYXRjaCB0YXJiYWxsCiAKKyMgQEVDTEFTUy1WQVJJQUJMRTog QVBBQ0hFX1BBVENIX0RST1AKKyMgQERFU0NSSVBUSU9OOgorIyBUaGlzIHZhcmlhYmxlIGlzIGEg c3BhY2UgZGVsaW1pdGVkIGxpc3Qgb2YgcGF0Y2hlcyB0aGF0IHdpbGwgYmUgZHJvcHBlZCBmcm9t CisjICRHRU5UT09fUEFUQ0hOQU1FLiBuZXZlciB0byBiZSB1c2VkIGZyb20gYW4gZWJ1aWxkLCBp dCBpcyBtZW50IHRvIGJlIHVzZWQgYnkgdGhlIGVuZCB1c2VyCisKICMgQEVDTEFTUy1WQVJJQUJM RTogR0VOVE9PX1BBVENIU1RBTVAKICMgQERFU0NSSVBUSU9OOgogIyBUaGlzIHZhcmlhYmxlIG5l ZWRzIHRvIGJlIHNldCBpbiB0aGUgZWJ1aWxkIGFuZCBjb250YWlucyB0aGUgZGF0ZSB0aGUgcGF0 Y2gKQEAgLTM2Niw2ICszNzEsMTIgQEAKIAkJIiR7R0VOVE9PX1BBVENIRElSfSIve2NvbmYvaHR0 cGQuY29uZixpbml0LyoscGF0Y2hlcy9jb25maWcubGF5b3V0fSBcCiAJCXx8IGRpZSAibGliZGly IHNlZCBmYWlsZWQiCiAKKwlmb3IgcGF0Y2ggaW4gJHtBUEFDSEVfUEFUQ0hfRFJPUH07IGRvCisJ CWViZWdpbiAiRXhjbHVkaW5nIHBhdGNoICR7cGF0Y2h9IgorCQlybSAtZiAiJHtHRU5UT09fUEFU Q0hESVJ9Ii9wYXRjaGVzLyR7cGF0Y2h9KiAyPi9kZXYvbnVsbAorCQllZW5kICQ/CisJZG9uZQor CiAJZXBhdGNoICIke0dFTlRPT19QQVRDSERJUn0iL3BhdGNoZXMvKi5wYXRjaAogCiAJIyBzZXR1 cCB0aGUgZmlsZXN5c3RlbSBsYXlvdXQgY29uZmlnCg==