Bug 201923 - =www-servers/apache-2.2.6-r4 SSL-related regression
Bug#: 201923 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: apache-bugs@gentoo.org Reported By: petre.rodan@simplex.ro
Component: Applications
URL: 
Summary: =www-servers/apache-2.2.6-r4 SSL-related regression
Keywords:  
Status Whiteboard: 
Opened: 2007-12-11 09:42 0000
Description:   Opened: 2007-12-11 09:42 0000 
a large POST triggers the following error for https sites:

[Tue Dec 11 11:22:09 2007] [error] [client 192.168.88.165] request body exceeds
maximum size for SSL buffer
[Tue Dec 11 11:22:09 2007] [error] [client 192.168.88.165] could not buffer
message body to allow SSL renegotiation to proceed

this only started happening since I updated to apache-2.2.6-r4.
apache-2.2.6-r2 and older worked without ever displaying that error.

the same apache-2.2.6-r4 merged without the 04_all_mod_ssl_tls_sni patch does
not have the problem.

so please either fix that patch or drop it.

thanks,
peter

Portage 2.1.3.19 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0,
2.6.23-hardened-r2-a048 i686)
=================================================================
System uname: 2.6.23-hardened-r2-a048 i686 Intel(R) Xeon(TM) CPU 3.00GHz
Timestamp of tree: Tue, 11 Dec 2007 06:46:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control
/var/service"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/local/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks metadata-transfer sandbox
sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.roedu.net/pub/mirrors/gentoo.org
ftp://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu
http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j1"
PKGDIR="/local/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/local/portage/build"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/local/portage/overlay"
SYNC="rsync://mirrors.bu.avira.com/gentoo-portage"
USE="bzip2 caps crypt hardened jpeg nptl nptlonly pam pic png readline sse sse2
ssl truetype unicode utf8 x86 xml zlib" ALSA_CARDS="ali5451 als4000 atiixp
atiixp-modem bt87x ca0106 cmipci emu10k1      emu10k1x ens1370 ens1371 es1938
es1968 fm801 hda-intel intel8x0 intel8x0m        maestro3 trident usb-audio
via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix
dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter
mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="alias
auth_basic authn_dbd authn_default authn_file authz_default authz_groupfile
authz_host authz_user autoindex cache deflate dir disk_cache env filter headers
log_config mem_cache mime rewrite setenvif" APACHE2_MPMS="prefork"
ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt 
mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage      
siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware 
voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #1 From Benedikt Böhm 2007-12-11 12:19:27 0000 ------- 
it's masked for a reason ... but if you have a patch, let me know

------- Comment #2 From Petre Rodan 2007-12-15 11:53:02 0000 ------- 
Created an attachment (id=138538) [details]
apache-2.eclass patch

UNIPATCH_EXCLUDE adaptation for gentoo's apache build.

in case you intend to mark as stable an apache containing that shady patch
please also include this eclass tweak.

------- Comment #3 From Benedikt Böhm 2007-12-15 12:19:37 0000 ------- 
use EPATCH_EXCLUDE from eutils.eclass

------- Comment #4 From Benedikt Böhm 2007-12-15 12:20:29 0000 ------- 
FYI, it will probably become a use-flag as long as it's experimental, to get
the USE_EXPANDED ebuild unmasked asap

------- Comment #5 From Benedikt Böhm 2007-12-15 12:22:25 0000 ------- 
maybe this is also related to
http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 ?

------- Comment #6 From Petre Rodan 2007-12-15 12:42:26 0000 ------- 
Hi,

(In reply to comment #5)
> maybe this is also related to
> http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 ?

I've seen those bug reports, but they do not apply on our infrastructure,
because we don't use SSLVerifyClient (or any other per-directory SSL setting),
and we never had that error before using an apache with that SNI patch, on any
of our production servers.

the error popped up the second day after -r4 has been merged on an internal web
server and went away after merging an -r4 without the SNI capability.

having SNI tweakable via USE flag works for me.

thanks,
peter

------- Comment #7 From Benedikt Böhm 2007-12-15 14:35:07 0000 ------- 
2.2.6-r6 now has the sni use flag