From django at nausch.org Fri Jan 2 16:19:36 2015
From: django at nausch.org (django at nausch.org)
Date: Fri, 02 Jan 2015 16:19:36 +0100
Subject: [mod_gnutls-devel] mod_gnutls-6.0 in combination with mod_proxy
Message-ID: <20150102161936.Horde.7ViLFaZnf5-5JL0QVWXQ3w4@horde.sec-mail.guru>

Hello,

does someone have news about the development status of mod_gnutls?

mod_gnutls is working on my CentOS 7 host very well. O.K., to be exact, it works fine if I use mod_proxy on my local test host. If I try to set up my test host as an https proxy host (terminating the TLS connection) and send the requests to the remote system http-remote-host, those requests are running to "/dev/null" ... :/

So I'll ask if someone has news about updates?

ttyl
Django


From thomas2.klute at uni-dortmund.de Tue Jan 13 17:30:08 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Tue, 13 Jan 2015 17:30:08 +0100
Subject: [mod_gnutls-devel] Fix for Segfault with mod_gnutls in reverse proxy
Message-ID: <54B54810.1050405@uni-dortmund.de>

Hi everyone,

I had some trouble with a virtual host as TLS endpoint using mod_gnutls. Certain URLs should be handled by mod_proxy with a reverse proxy configuration. I found that requests for files on the host worked just fine, but requests on the reverse proxy URLs led to segfaults in the worker thread.

I've located the problem in ssl_engine_disable: The function tries to remove filters from the connection but does not check if those filters are NULL before removing them. The Apache filter removal functions apparently don't check either, which leads to the segfault. After adding checks to ssl_engine_disable, the reverse proxy configuration works as expected. :-)

My fix is available on Github (pull request below):
https://github.com/airtower-luna/mod_gnutls/tree/proxy-segfault-fix

Best regards,
Thomas Klute

The following changes since commit c32240fe453de3ce9c48887f2ecd649a5555340f:

  switch from --long-arg=foo to --long-arg foo for certtool in test suite (2014-09-24 13:01:57 -0400)

are available in the git repository at:

  https://github.com/airtower-luna/mod_gnutls.git proxy-segfault-fix

for you to fetch changes up to 3d361b8e5d7c4c971d344658728979fe978dc759:

  Check if filters exist before removing them in ssl_engine_disable (2015-01-13 17:04:38 +0100)

----------------------------------------------------------------
Thomas Klute (2):
      Use proper GNUTLS_ENABLED_* macros in SSL proxy functions
      Check if filters exist before removing them in ssl_engine_disable

 src/mod_gnutls.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)


From thomas2.klute at uni-dortmund.de Tue Jan 20 17:26:26 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Tue, 20 Jan 2015 17:26:26 +0100
Subject: [mod_gnutls-devel] [pull-request] Enable/disable TLS per connection in ssl_engine_disable to make proxy work
Message-ID: <54BE81B2.60503@uni-dortmund.de>

Hi everyone,

I've fixed another bug that occurred when using mod_gnutls with mod_proxy. ssl_engine_disable disabled TLS server wide, so further client connections using TLS failed. I've solved the problem by adding a connection specific "enable" variable [1]. The pull request below includes the segfault fix I sent earlier this month [2], and you can take a look at my changes on Github [3].

Kind regards,
Thomas Klute

[1] https://github.com/airtower-luna/mod_gnutls/commit/e8acf058857eae21cde2fca0f4e97338075f5f60
[2] http://lists.gnupg.org/pipermail/mod_gnutls-devel/2015-January/000112.html
[3] https://github.com/airtower-luna/mod_gnutls/tree/proxy-segfault-fix

The following changes since commit c32240fe453de3ce9c48887f2ecd649a5555340f:

  switch from --long-arg=foo to --long-arg foo for certtool in test suite (2014-09-24 13:01:57 -0400)

are available in the git repository at:

  https://github.com/airtower-luna/mod_gnutls.git proxy-segfault-fix

for you to fetch changes up to e8acf058857eae21cde2fca0f4e97338075f5f60:

  Enable/disable TLS per connection in ssl_engine_disable (2015-01-20 16:45:39 +0100)

----------------------------------------------------------------
Thomas Klute (4):
      Use proper GNUTLS_ENABLED_* macros in SSL proxy functions
      Check if filters exist before removing them in ssl_engine_disable
      Check error codes during GnuTLS connection init
      Enable/disable TLS per connection in ssl_engine_disable

 include/mod_gnutls.h.in |  2 ++
 src/gnutls_hooks.c      | 62 ++++++++++++++++++++++++++++++++-----------------
 src/mod_gnutls.c        | 33 +++++++++++++++++++-------
 3 files changed, 68 insertions(+), 29 deletions(-)


From thomas2.klute at uni-dortmund.de Wed Jan 21 11:13:17 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Wed, 21 Jan 2015 11:13:17 +0100
Subject: [mod_gnutls-devel] [pull-request] Fix use-after-free, reverse proxy should work now
Message-ID: <54BF7BBD.9020509@uni-dortmund.de>

Hi everyone,

I've fixed another problem with mod_gnutls in a reverse proxy configuration. After running >1000 test requests, I'm fairly confident that reverse proxy (HTTP back end only) works properly now.

ssl_engine_disable called mgs_cleanup_pre_config on the connection pool before returning. However, mgs_cleanup_pre_config deinitializes the global GnuTLS data structures. Trying to use those deinitialized data structures led to segmentation faults during TLS handshake (stack trace attached). Since there is no need to globally deinitialize GnuTLS when disabling TLS for one specific connection, the fix is to remove the call to mgs_cleanup_pre_config from ssl_engine_disable [1].

Pull request below, including my previous fixes.

Kind regards,
Thomas Klute

[1] https://github.com/airtower-luna/mod_gnutls/commit/c782c1f12c0ed4d5048eb52fd3ef51037c53f426

The following changes since commit c32240fe453de3ce9c48887f2ecd649a5555340f:

  switch from --long-arg=foo to --long-arg foo for certtool in test suite (2014-09-24 13:01:57 -0400)

are available in the git repository at:

  https://github.com/airtower-luna/mod_gnutls.git proxy-segfault-fix

for you to fetch changes up to c4ba9722083c4eadbdd1a77aab4ab71f0a1081f8:

  Add myself to list of contributors (2015-01-21 10:36:42 +0100)

----------------------------------------------------------------
Thomas Klute (6):
      Use proper GNUTLS_ENABLED_* macros in SSL proxy functions
      Check if filters exist before removing them in ssl_engine_disable
      Check error codes during GnuTLS connection init
      Enable/disable TLS per connection in ssl_engine_disable
      Don't do global deinit when disabling TLS for a proxy back end connection
      Add myself to list of contributors

 README                  |  1 +
 include/mod_gnutls.h.in |  2 ++
 src/gnutls_hooks.c      | 62 ++++++++++++++++++++++++++++++++-----------------
 src/mod_gnutls.c        | 35 +++++++++++++++++++-------
 4 files changed, 70 insertions(+), 30 deletions(-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: segfault_bt.log
Type: text/x-log
Size: 6576 bytes
Desc: not available
URL:
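The three ssl_engine_disable defects described in the mails above (filters removed without a NULL check, TLS switched off server-wide instead of for the one back-end connection, and process-wide GnuTLS deinit triggered from a per-connection hook) share one root cause: state that belongs to a single mod_proxy back-end connection was handled at server or process scope. The C model below is an added example for this thread, not code from mod_gnutls, Apache or the pull request. Its types and helper names (filter_t, server_cfg_t, conn_ctx_t, apache_remove_filter, global_deinit) are assumptions standing in for ap_filter_t, ap_remove_{input,output}_filter and mgs_cleanup_pre_config; it reproduces the behaviour the thread describes, then shows the per-connection variant that leaves later client connections able to handshake.

```c
/* Added example, not mod_gnutls code: a minimal model of the three
 * ssl_engine_disable defects discussed in this thread.  filter_t,
 * server_cfg_t, conn_ctx_t, apache_remove_filter and global_deinit are
 * names assumed for the model; Apache and mod_gnutls use ap_filter_t,
 * ap_remove_{input,output}_filter and mgs_cleanup_pre_config instead. */
#include <stddef.h>

typedef struct { const char *name; } filter_t;

typedef struct {
    int tls_enabled;         /* server-wide "TLS is on" setting */
    int gnutls_initialized;  /* process-wide GnuTLS library state */
} server_cfg_t;

typedef struct {
    server_cfg_t *sc;
    int enabled;             /* per-connection flag the fix introduces */
    filter_t *in_filter;
    filter_t *out_filter;
} conn_ctx_t;

/* Models ap_remove_{input,output}_filter: the filter is dereferenced
 * unconditionally, so a NULL argument is the crash from the first fix. */
static void apache_remove_filter(filter_t *f) { f->name = NULL; }

/* Models mgs_cleanup_pre_config: tears down process-wide GnuTLS state. */
static void global_deinit(server_cfg_t *sc) { sc->gnutls_initialized = 0; }

static void conn_init(conn_ctx_t *c, server_cfg_t *sc,
                      filter_t *in, filter_t *out)
{
    c->sc = sc; c->enabled = 1; c->in_filter = in; c->out_filter = out;
}

/* The original ssl_engine_disable as the thread describes it: flips the
 * server-wide flag, removes filters without a NULL check, and runs the
 * global deinit.  Calling it with NULL filters would crash. */
int ssl_engine_disable_original(conn_ctx_t *c)
{
    c->sc->tls_enabled = 0;
    apache_remove_filter(c->in_filter);
    apache_remove_filter(c->out_filter);
    global_deinit(c->sc);
    return 1;
}

/* Fixed behaviour: disable only this connection, skip filters that were
 * never installed, leave global state alone.  Returns filters removed. */
int ssl_engine_disable_fixed(conn_ctx_t *c)
{
    int removed = 0;
    c->enabled = 0;
    if (c->in_filter != NULL) {
        apache_remove_filter(c->in_filter);
        c->in_filter = NULL;
        removed++;
    }
    if (c->out_filter != NULL) {
        apache_remove_filter(c->out_filter);
        c->out_filter = NULL;
        removed++;
    }
    return removed;
}

/* A handshake needs TLS on server-wide, GnuTLS still initialized,
 * and this particular connection enabled. */
int handshake_possible(const conn_ctx_t *c)
{
    return c->sc->tls_enabled && c->sc->gnutls_initialized && c->enabled;
}

/* Scenario from the thread: mod_proxy disables TLS on one back-end
 * connection, then a new client connection arrives on the same server.
 * Returns 1 if that client can still negotiate TLS.  With use_fixed == 0
 * and backend_has_filters == 0 the original path dereferences NULL. */
int client_tls_after_backend_disable(int use_fixed, int backend_has_filters)
{
    server_cfg_t sc = { 1, 1 };
    filter_t bin = { "GNUTLS_IN" }, bout = { "GNUTLS_OUT" };
    filter_t cin = { "GNUTLS_IN" }, cout = { "GNUTLS_OUT" };
    conn_ctx_t backend, client;

    conn_init(&backend, &sc, backend_has_filters ? &bin : NULL,
              backend_has_filters ? &bout : NULL);
    if (use_fixed)
        ssl_engine_disable_fixed(&backend);
    else
        ssl_engine_disable_original(&backend);
    conn_init(&client, &sc, &cin, &cout);
    return handshake_possible(&client);
}

/* The disabled back-end connection itself must stay disabled. */
int backend_stays_disabled(void)
{
    server_cfg_t sc = { 1, 1 };
    filter_t in = { "GNUTLS_IN" }, out = { "GNUTLS_OUT" };
    conn_ctx_t backend;
    conn_init(&backend, &sc, &in, &out);
    ssl_engine_disable_fixed(&backend);
    return !handshake_possible(&backend);
}
```

The model deliberately keeps the "original" path callable so the server-wide effect can be observed: after it runs, a fresh client connection on the same server reports no handshake possible, which is the symptom of the second mail. The fixed path only touches the connection it was handed, which is the invariant a per-connection hook like ssl_engine_disable has to keep.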