


new -current
Robert Segall <roseg(at)apsis.ch>
2003-10-27 16:35:29
A new -current was uploaded to the web site. New features that require 
testing:

- added a call-back for ephemeral RSA keys, which may fix some problems with 
IE (5.x?) in SSL mode.
- new X-SSL-cipher header with the current cipher values.
- new CheckURL parameter - if not enabled no URL checking is done at all.

Please let me know how it looks.[...]

Re: new -current
Michael Dunstan <michael(at)elyt.com>
2003-10-28 09:27:56
On Tuesday, October 28, 2003, at 04:35 AM, Robert Segall wrote:
[...]

Thanks. Some early results from testing...

The construction of the ephemeral RSA keys is quite a task. I'm 
measuring the time this takes in minutes rather than seconds on my box 
and with the default value of N_RSA_KEYS = 101. That has conveniently 
revealed a couple of bugs:

- the initial loop to construct the keys is not mutex'd. Because the 
loop takes some time to finish I was seeing early attempts to make 
connections that would fail because the server was trying to use 
keys that had not been created yet.

- the initial loop is effectively run twice on startup, increasing the 
pain of waiting for this to finish :-) Second time through it is 
correctly mutex'd though.

However once the keys were created I was able to establish HTTPS 
connections from older export grade browsers just fine. Excellent.

The X-SSL-cipher header is only injected into the request when a 
certificate is presented by the client. I would like to be able to 
always have this header injected. I guess that's going to need a tweak 
to the configuration directive:

   HTTPSHeaders cert "value" [cipher]

where cipher of 1 enables injection of the X-SSL-cipher header. 
(Perhaps it's time to break that into individual directives?)

One last note - seems that X-SSL-serial got left out as one of headers 
that are injected into the request. Not sure if that was intentional.

--
Michael

Re: new -current
"Yoshinori TAKESAKO" <y_takesako(at)dreamarts.co.jp>
2003-10-28 13:29:30
At Mon, 27 Oct 2003 16:35:29 +0100
 Robert Segall <roseg(at)apsis.ch> wrote:[...]

Thanks. I downloaded and tried it.
[...]

I saw that the CheckURL directive can be added to pound.cfg.
Default is 0 (non-checking). It sounds good.

However, an error still occurs when CheckURL is set to 1.

  e.g.
  http://www.example.com/cgi-bin/printenv.cgi?
  http://www.example.com/cgi-bin/printenv.cgi?a=1&

For your information, this patch corrects check_URL()'s matching. 

* Pound-current-fix.patch 
-------------------------------------------------------------------
diff -urN Pound-current-orig/http.c Pound-current/http.c
--- Pound-current-orig/http.c	2003-10-28 00:39:19.000000000 +0900
+++ Pound-current/http.c	2003-10-28 20:48:37.000000000 +0900
(at)(at) -439,8 +439,16 (at)(at)
     if(line[len] == '?') {
         len++;
         for(;;) {
-            if(!(span = strspn(line + len, CS_qid)))
-                return -2;
+            if(!(span = strspn(line + len, CS_qid))) {
+                if(line[len] == 0 || line[len] == '#') {
+                    break;
+                } else if(line[len] == '&') {
+                    len++;
+                    continue;
+                } else {
+                    return -2;
+                }
+            }
             len += span;
             if(line[len] == '=') {
                 len++;
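Review bot: the new `else if(line[len] == '&')` branch only runs when strspn finds no key characters at the current position, so it covers a leading or doubled `&`, but the reported case `printenv.cgi?a=1&` reaches its trailing `&` via the `=` path; the value-side code after `if(line[len] == '=') {` lies outside this hunk, so it is worth confirming that path loops back to the top of `for(;;)` (where the `&` branch now catches it) rather than returning -2 at the trailing `&`. Minor style point: `line[len] == 0` would read more clearly as `line[len] == '\0'`, matching the character comparisons beside it.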
-------------------------------------------------------------------

* How to apply this patch?

# tar zxvf Pound-current.tgz
# cd Pound-current
# patch -p1 < ../Pound-current-fix.patch 
patching file http.c

--
  Namazu Project - Search engine software in Japanese.
    Yoshinori TAKESAKO <y_takesako(at)dreamarts.co.jp>
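As an added illustration of the query-string check discussed above (this is example code written for this archive page, not Pound's http.c and not Yoshinori's patch), the following strspn-based validator accepts the two reported URLs (an empty query after `?` and a trailing `&`) as well as `&`-separated pairs with empty values, while still rejecting characters outside the permitted set. The character set `QID_CHARS`, the function name `check_query` and the `bad_at` out-parameter are assumptions made here; Pound's own `CS_qid` is not shown on the page. Unlike the hunk, it also covers the value side of each `key=value` pair.

```c
/* Added example: validate the query part of a request URI with strspn.
 * Not Pound's code; QID_CHARS stands in for the CS_qid set used in http.c. */
#include <stdio.h>
#include <string.h>

/* Constructed character set for query keys and values (assumption). */
static const char QID_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "-_.~%+";

/* Check a query string; q may start with the '?' itself.
 * Returns 0 if every character is acceptable, -2 on the first bad
 * character, whose offset is stored in *bad_at when bad_at is non-NULL. */
int check_query(const char *q, size_t *bad_at)
{
    size_t len = 0, span;

    if (q[len] == '?')
        len++;

    for (;;) {
        span = strspn(q + len, QID_CHARS);
        if (span == 0) {
            if (q[len] == '\0' || q[len] == '#')
                break;          /* empty query, trailing '&', or fragment start */
            if (q[len] == '&') {
                len++;          /* empty pair, e.g. "a=1&&b=2" */
                continue;
            }
            if (bad_at) *bad_at = len;
            return -2;          /* e.g. "?=1": a pair with no key */
        }
        len += span;            /* consumed a key */
        if (q[len] == '=') {
            len++;
            len += strspn(q + len, QID_CHARS);  /* value may be empty ("a=&b") */
        }
        if (q[len] == '&') {
            len++;              /* next pair (a trailing '&' ends at the top) */
            continue;
        }
        if (q[len] == '\0' || q[len] == '#')
            break;
        if (bad_at) *bad_at = len;
        return -2;              /* space, second '=', '<', ... */
    }
    return 0;
}

int main(void)
{
    /* Constructed samples, including the two URLs reported as failing. */
    const char *samples[] = { "?", "?a=1&", "?a=1&b=2", "?a=&b", "?=1", "?a=1&b=<x>" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t at = 0;
        int rc = check_query(samples[i], &at);
        if (rc == 0)
            printf("%-12s ok\n", samples[i]);
        else
            printf("%-12s rejected at offset %zu ('%c')\n",
                   samples[i], at, samples[i][at]);
    }
    return 0;
}
```

The offset returned in `bad_at` is what a proxy would log when it refuses a request, so an operator can see which character tripped the check rather than just a bare error.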

Re: new -current
Robert Segall <roseg(at)apsis.ch>
2003-10-28 15:43:32
Thanks for all the responses. Please download and try -current again. We have 
corrected the issues raised:

- the OpenSSL version dependency (it now checks for versions less than 0.9.7)
- the RSA ephemeral keys (key generation correctly mutexed, number of keys 
drastically reduced, time-to-live shortened to compensate)
- URL matching (allows empty query/parameters)

Please let me know.[...]

Re: new -current
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2003-10-28 16:50:24
> Thanks for all the responses. Please download and try again -current.
We[...]

Thanks, rebuild runs okay now, tested on RedHat 7.2 and 9.

For those interested, our rpms can be found here:
http://www.invoca.ch/pub/packages/pound/

Regards,
Simon

Re: new -current
Michael Dunstan <michael(at)elyt.com>
2003-10-31 11:34:41
On Wednesday, October 29, 2003, at 03:43 AM, Robert Segall wrote:
[...]

Thanks - That cleans up the RSA ephemeral keys.

I still have a problem with the switch to inject the X-SSL-cipher 
header. I would prefer that not to be dependent on the use of client 
certificates. Simplest solution would be to use:

   https_header != NULL

rather than what is there now:

   https_headers > 0

The problem I have with having to enable client certificates just to 
get at X-SSL-cipher is that some browsers will prompt the user to 
select a certificate to use for identification when challenged. 
https_headers > 0 will provoke such a challenge.

--
Michael
