/ Zope / Apsis / Pound Mailing List / Archive / 2004 / 2004-07 / IE incompatebility


IE incompatibility
Thierry Coopman <thierry(at)keytradebank.com>
2004-07-23 12:41:29
Hi,

With Pound 1.7 these ciphers were supported in SSLv3:
RSA + DES [40-bit] + SHA
RSA + RC2 [40-bit] + MD5
RSA + RC4 [40-bit] + MD5
RSA + DES [56-bit] + SHA
RSA + RC4 [128-bit] + MD5
RSA + RC4 [128-bit] + SHA
RSA + Triple DES [168-bit] + SHA

The current -current only exposes these for SSLv3:
RSA + DES [40-bit] + SHA
RSA + DES [56-bit] + SHA
RSA + RC4 [128-bit] + MD5
RSA + RC4 [128-bit] + SHA
RSA + Triple DES [168-bit] + SHA

so these are no longer there:
RSA + RC2 [40-bit] + MD5
RSA + RC4 [40-bit] + MD5

and this is export-grade stuff that is used before the connection gets
upgraded using an SGC certificate from Verisign.

This also breaks IE on Mac OS 9 and Mac OS X
By the way, these are the ciphers that mod_ssl supported:
DH + DES [40-bit] + SHA
RSA + DES [40-bit] + SHA
RSA + RC2 [40-bit] + MD5
RSA + RC4 [40-bit] + MD5
DH + DES [56-bit] + SHA
RSA + DES [56-bit] + SHA
RSA + RC4 [128-bit] + MD5
RSA + RC4 [128-bit] + SHA
DH + Triple DES [168-bit] + SHA
RSA + Triple DES [168-bit] + SHA[...]

Re: IE incompatibility
Robert Segall <roseg(at)apsis.ch>
2004-07-23 15:21:29
On Friday 23 July 2004 12.41, Thierry Coopman wrote:[...]

There was no change in Pound in this area. This is probably a result of an 
updated OpenSSL library or of the cipher configuration string you use in the 
config file.[...]
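Robert's point is that the suites a Pound listener offers are whatever the linked OpenSSL build exposes for the configured cipher string, so the place to look is the library, not Pound. The script below is an added example, not code from Pound or from this thread: it asks the OpenSSL linked into the local Python interpreter (standard-library ssl module only) what it offers for a cipher string, and it diffs two lists written in the thread's "KX + cipher [bits] + MAC" notation to isolate what a library change dropped and whether the dropped suites are export-grade. The three lists are copied from the messages above as constructed sample data; the function and variable names are this example's own.

```python
"""Check which TLS/SSL cipher suites the OpenSSL build linked into this
interpreter exposes for a given cipher string, and diff two cipher lists
written in the thread's "KX + cipher [bits] + MAC" notation to find what a
library change dropped.  Added example: not code from Pound or from the
thread; uses only the Python standard library (the ssl module wraps the
system OpenSSL, so the answer depends on that library, not on Pound)."""
import ssl

# Constructed sample data: the three lists quoted in the thread.
POUND_17_SSLV3 = [
    "RSA + DES [40-bit] + SHA",
    "RSA + RC2 [40-bit] + MD5",
    "RSA + RC4 [40-bit] + MD5",
    "RSA + DES [56-bit] + SHA",
    "RSA + RC4 [128-bit] + MD5",
    "RSA + RC4 [128-bit] + SHA",
    "RSA + Triple DES [168-bit] + SHA",
]
POUND_CURRENT_SSLV3 = [
    "RSA + DES [40-bit] + SHA",
    "RSA + DES [56-bit] + SHA",
    "RSA + RC4 [128-bit] + MD5",
    "RSA + RC4 [128-bit] + SHA",
    "RSA + Triple DES [168-bit] + SHA",
]
MOD_SSL_SSLV3 = [
    "DH + DES [40-bit] + SHA",
    "RSA + DES [40-bit] + SHA",
    "RSA + RC2 [40-bit] + MD5",
    "RSA + RC4 [40-bit] + MD5",
    "DH + DES [56-bit] + SHA",
    "RSA + DES [56-bit] + SHA",
    "RSA + RC4 [128-bit] + MD5",
    "RSA + RC4 [128-bit] + SHA",
    "DH + Triple DES [168-bit] + SHA",
    "RSA + Triple DES [168-bit] + SHA",
]


def parse_entry(entry):
    """'RSA + RC4 [40-bit] + MD5' -> ('RSA', 'RC4', 40, 'MD5')."""
    kx, rest = entry.split(" + ", 1)
    cipher_bits, mac = rest.rsplit(" + ", 1)
    cipher, bits = cipher_bits.rsplit(" [", 1)      # bits looks like '40-bit]'
    return kx.strip(), cipher.strip(), int(bits.split("-")[0]), mac.strip()


def export_grade(entry, max_bits=56):
    """Export-grade in the 1990s sense: symmetric key of 56 bits or less
    (the 40-bit RC2/RC4 suites and 56-bit DES used before an SGC step-up)."""
    return parse_entry(entry)[2] <= max_bits


def dropped(old, new):
    """Suites present in old but no longer offered in new, in old's order."""
    present = set(new)
    return [e for e in old if e not in present]


def local_ciphers(cipher_string="ALL"):
    """Return [(suite name, key bits)] that the linked OpenSSL offers for
    the cipher string.  '@SECLEVEL=0' (OpenSSL >= 1.1.0) switches off the
    security-level filter so the library's raw capability shows; a library
    without security levels rejects it, so fall back to the plain string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string + ":@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers(cipher_string)
    return [(c["name"], c["alg_bits"]) for c in ctx.get_ciphers()]


def weak_local(cipher_string="ALL", max_bits=56):
    """The export-grade subset of what this library actually offers."""
    return [(n, b) for n, b in local_ciphers(cipher_string) if b <= max_bits]


if __name__ == "__main__":
    gone = dropped(POUND_17_SSLV3, POUND_CURRENT_SSLV3)
    print("dropped between 1.7 and -current:", gone)
    print("all of them export-grade:", all(export_grade(e) for e in gone))
    print("mod_ssl suites Pound 1.7 never offered:",
          dropped(MOD_SSL_SSLV3, POUND_17_SSLV3))
    print("this OpenSSL offers", len(local_ciphers()), "suites for ALL;",
          "export-grade among them:", weak_local() or "none")
```

Run the script on the machine where Pound is built and compare the "ALL" output against the lists in the thread: on the 2004 libraries the 40-bit suites appear or disappear with the OpenSSL version and cipher string, and on OpenSSL 1.1.0 and later `weak_local()` is empty whatever the string, because the 40- and 56-bit suites were removed from the library altogether.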

Re: IE incompatibility
"Thierry Coopman" <thierry(at)keytradebank.com>
2004-07-23 19:18:55
> On Friday 23 July 2004 12.41, Thierry Coopman wrote:[...][...]

OpenSSL version is the same and the cipher string worked in 1.7 and
-current before 2004/07/21.

[...]

Re: IE incompatibility
"Thierry Coopman" <thierry(at)keytradebank.com>
2004-07-23 19:28:20
I also have complaints that the site is much slower now.

I have too many problems; I'll go back to a -current from before.

I guess something has changed in the way SSL is set up.
Something in the way SSL sessions are handled or negotiated.

I'll try to figure out what exactly.

Just try to connect with an IE on a Mac ...
[...][...][...]

[...]

Re: IE incompatibility
Robert Segall <roseg(at)apsis.ch>
2004-07-23 19:50:58
On Friday 23 July 2004 19.28, Thierry Coopman wrote:[...]

Try commenting out line 563 in pound.c:

	SSL_CTX_set_session_cache_mode(ctx[i], SSL_SESS_CACHE_OFF);

this should allow using sessions again. If this fixes your problems then you 
have yet another complaint to make about IE incompatibilities. If you have a 
Microsoft support agreement they may even fix it for you (in due course of 
time, without unreasonable haste, once the technical commission has weighed 
all relevant factors and of course no sooner than 5 minutes after Hell has 
frozen over).

Wishing you all a nice weekend...[...]

Re: IE incompatibility
"Thierry Coopman" <thierry(at)keytradebank.com>
2004-07-23 21:52:37
> On Friday 23 July 2004 19.28, Thierry Coopman wrote:[...][...]

This fixed the Mac IE problem indeed. THANKS (that's my boss, the Apple
fan, speaking :)

Now some small questions:
* Will this enable huge memory leaks again (or, if it's a session cache,
fill memory with sessions but never clean up or expire them nicely)?
* Will this fix complaints about speed (I imagine using the session cache
will speed up connections)?
* Will this be an option in the cfg file in the future, or will it always
be a patch?
* Will Pound one day be able to use an external mechanism for session
caches, like mm for mod_ssl?
[...]

I do like the sarcasm here.[...]

Same to you, thanks for the quick and helpful responses.

[...]

RE: IE incompatibility
John D <jwdavid(at)ibizvision.com>
2004-07-24 00:46:14
Hi all,

I just noticed that this thread was referring to IE on Mac and I wanted to
throw my 2 cents in here.

Microsoft announced last year that it would no longer be supporting or upgrading
IE on Mac. When I installed Panther on my computer, I was surprised it wasn't
automatically removed. (Apple now favors Safari.)

You will notice that other SSL products don't work well either. Most sites with
chains will not work at all.

It has been our company's official stance that IE on Mac is no longer
supported, and we recommend Mozilla (Safari has issues too).

I mean no offense, just relating my experience.

John D.

RE: IE incompatibility
"Thierry Coopman" <thierry(at)keytradebank.com>
2004-07-24 08:54:20
Hi,

I agree with this, IE on Mac is totally, absolutely obsolete. But we do have
some users that use it. We have Mac OS 9 users and Mac OS X users that use
it. Mozilla isn't available for Mac OS 9, and Safari not before 10.2...

Netscape was a solution.

Sometimes it's hard to explain to a user that he needs to change. Their point
is that it worked before and that I have no right to change the setup so
that their software breaks... Some users can be very shitty about that. In
an ideal world everybody runs the latest and greatest version of the
software. But in the real world nobody ever upgrades (especially Mac
people). Only the technically inclined do so, and with these viruses the
'movement' is coming.

[...]
>>> I also have complaints that the site is much slower now.
>>>
>>> I have too many problems; I'll go back to a -current from before.
>>>
>>> I guess something has changed in the way SSL is set up.
>>> Something in the way SSL sessions are handled or negotiated.
>>>
>>> I'll try to figure out what exactly.
>>>
>>> Just try to connect with an IE on a Mac
...[...][...][...][...][...][...]

[...]

Re: IE incompatibility
Robert Segall <roseg(at)apsis.ch>
2004-07-26 13:08:48
On Friday 23 July 2004 21.52, Thierry Coopman wrote:[...]

OpenSSL is supposed to deal with this gracefully, so unless they have a bug it 
should not happen.
[...]

Let us know what you observe.
[...]

Neither - this should be in the standard distribution if it works correctly.
[...]

No, and it's not needed: Apache requires it in order to share sessions across 
processes, Pound is multi-threaded so sessions are shared anyway. On the 
other hand Pound avoids writing anything to disk.[...]

Re: IE incompatibility
Thierry Coopman <thierry(at)keytradebank.com>
2004-07-26 20:40:39
Robert Segall wrote:
[...][...][...]
I found in the docs)
[...][...]
could be a 'residue', since people tend to complain because it worked badly 
yesterday, even if it works great today.

I still have issues when there is a rather high connection rate. At 
about 60 connections per second the site seems to stall, taking seconds 
for pages to load. I'll need to look closer at these peak moments (3.30 
pm in our case). Today it looks more like the back-end databases were 
having problems, so I won't draw conclusions right now.

I might have to look into optimizing the Linux TCP/IP stack for such a high 
connection rate, and maybe process limits. Anybody on the list who can 
share some experience with this?
[...][...]
[...][...]

OK, right now after a working day I have 2 servers with Pound -current 
running. On each server Pound takes about 16-18 MB of RES memory and 
40-60 MB of VIRT memory.
I'll keep an eye on it, but it looks like the memory leak is a lot less 
now.

I have not been able to configure NPTL on these machines (blocking 
conflicts of linux-headers and linux26-headers), so no news on that 
performance.

I still need to investigate why all of a sudden we block export-grade 
encryption, even though we have a Server Gated Crypto certificate from 
Verisign. I'm not too worried about those, though; some of those people 
still use Windows 95 and now we get a chance to tell them to upgrade.

Thanks again for this great piece of software


[...]
