Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 201923

Summary: =www-servers/apache-2.2.6-r4 SSL-related regression
Product: Gentoo Linux Reporter: Petre Rodan <pr.gentoo-acct>
Component: Current packagesAssignee: Apache Team - Bugzilla Reports <apache-bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: apache-2.eclass patch

Description Petre Rodan 2007-12-11 09:42:36 UTC 
a large POST triggers the following error for https sites:

[Tue Dec 11 11:22:09 2007] [error] [client 192.168.88.165] request body exceeds maximum size for SSL buffer
[Tue Dec 11 11:22:09 2007] [error] [client 192.168.88.165] could not buffer message body to allow SSL renegotiation to proceed

this only started happening since I updated to apache-2.2.6-r4.
apache-2.2.6-r2 and older worked without ever displaying that error.

the same apache-2.2.6-r4 merged without the 04_all_mod_ssl_tls_sni patch does not have the problem.

so please either fix that patch or drop it.

thanks,
peter

Portage 2.1.3.19 (hardened/x86/2.6, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-hardened-r2-a048 i686)
=================================================================
System uname: 2.6.23-hardened-r2-a048 i686 Intel(R) Xeon(TM) CPU 3.00GHz
Timestamp of tree: Tue, 11 Dec 2007 06:46:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control /var/service"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/local/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.roedu.net/pub/mirrors/gentoo.org ftp://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j1"
PKGDIR="/local/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/local/portage/build"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/local/portage/overlay"
SYNC="rsync://mirrors.bu.avira.com/gentoo-portage"
USE="bzip2 caps crypt hardened jpeg nptl nptlonly pam pic png readline sse sse2 ssl truetype unicode utf8 x86 xml zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1      emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m        maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="alias auth_basic authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_user autoindex cache deflate dir disk_cache env filter headers log_config mem_cache mime rewrite setenvif" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt  mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage       siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware  voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-11 12:19:27 UTC 
it's masked for a reason ... but if you have a patch, let me know
Comment 2 Petre Rodan 2007-12-15 11:53:02 UTC 
Created attachment 138538 [details, diff]
apache-2.eclass patch

UNIPATCH_EXCLUDE adaptation for gentoo's apache build.

in case you intend to mark as stable an apache containing that shady patch please also include this eclass tweak.
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-15 12:19:37 UTC 
use EPATCH_EXCLUDE from eutils.eclass
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-15 12:20:29 UTC 
FYI, it will probably become a use-flag as long as it's experimental, to get the USE_EXPANDED ebuild unmasked asap
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-15 12:22:25 UTC 
maybe this is also related to http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 ?
Comment 6 Petre Rodan 2007-12-15 12:42:26 UTC 
Hi,

(In reply to comment #5)
> maybe this is also related to
> http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 ?

I've seen those bug reports, but they do not apply on our infrastructure, because we don't use SSLVerifyClient (or any other per-directory SSL setting), and we never had that error before using an apache with that SNI patch, on any of our production servers.

the error popped up the second day after -r4 has been merged on an internal web server and went away after merging an -r4 without the SNI capability.

having SNI tweakable via USE flag works for me.

thanks,
peter
Comment 7 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-15 14:35:07 UTC 
2.2.6-r6 now has the sni use flag