From thomas2.klute at uni-dortmund.de Mon Oct 19 18:04:49 2015 
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Mon, 19 Oct 2015 18:04:49 +0200
Subject: [mod_gnutls-devel] New Release: mod_gnutls 0.7.1
Message-ID: <562514A1.30404@uni-dortmund.de>

Hello everyone,

I'm happy to announce the release of mod_gnutls 0.7.1. This is a
maintenance release with a change to the GnuTLSP11Module option and a
few general improvements. The change to GnuTLSP11Module only affects
configurations using multiple PKCS #11 modules.

Nikos Mavrogiannopoulos pointed out that loading PKCS #11 modules from
both system configuration and GnuTLSP11Module can have unexpected side
effects, in particular if multiple versions of the same module are
installed on the system, and provided a patch to load only the module
specified using GnuTLSP11Module if the option is set [1]. I've built on
that patch to allow loading multiple modules using multiple occurrences
of GnuTLSP11Module. If you use a configuration with more than one PKCS
#11 module, please ensure that you use either the system-wide p11-kit
configuration, or specify GnuTLSP11Module multiple times in the Apache
configuration (once for each module).

Changelog since mod_gnutls 0.7:

- Improved handling of PKCS #11 modules: mod_gnutls now loads either
  modules specified using GnuTLSP11Module, or the system defaults, but
  not both. Thanks to Nikos Mavrogiannopoulos for the report and
  initial patch!
- Initialize variables to safe defaults during client certificate
  verification. Certain error code paths did not set them, but they
  should never be hit due to config validation. This adds another line
  of defense.
- Enable C99 support via autoconf
- Test suite improvements. Most importantly, automake now handles
  environment setup without any external make calls. Rules to build
  the certificates are included from the old test makefile. Note that
  the dependency on GNU make is not new (the test makefile always used
  GNU make syntax), it just wasn't listed explicitly.

You can download the release archive and detached PGP signature from
https://mod.gnutls.org/downloads/ or check out the signed tag
"mod_gnutls/0.7.1" from the mod_gnutls git repository [2] or my personal
repository on Github [3].

Kind regards,
Thomas Klute

[1] https://github.com/airtower-luna/mod_gnutls/commit/f21d2a6dba6378b18d015dde88193fcad70d8728
[2] https://mod.gnutls.org/git/mod_gnutls
[3] https://github.com/airtower-luna/mod_gnutls

From dkg at fifthhorseman.net Tue Oct 20 04:49:19 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 19 Oct 2015 22:49:19 -0400
Subject: [mod_gnutls-devel] New Release: mod_gnutls 0.7.1
In-Reply-To: <562514A1.30404@uni-dortmund.de>
References: <562514A1.30404@uni-dortmund.de>
Message-ID: <87r3kqjlu8.fsf@alice.fifthhorseman.net>

Hi Thomas--

On Mon 2015-10-19 12:04:49 -0400, Thomas Klute wrote:
> I'm happy to announce the release of mod_gnutls 0.7.1. This is a
> maintenance release with a change to the GnuTLSP11Module option and a
> few general improvements. The change to GnuTLSP11Module only affects
> configurations using multiple PKCS #11 modules.
>
> Nikos Mavrogiannopoulos pointed out that loading PKCS #11 modules from
> both system configuration and GnuTLSP11Module can have unexpected side
> effects, in particular if multiple versions of the same module are
> installed on the system, and provided a patch to load only the module
> specified using GnuTLSP11Module if the option is set [1]. I've built on
> that patch to allow loading multiple modules using multiple occurrences
> of GnuTLSP11Module. If you use a configuration with more than one PKCS
> #11 module, please ensure that you use either the system-wide p11-kit
> configuration, or specify GnuTLSP11Module multiple times in the Apache
> configuration (once for each module).
>
> Changelog since mod_gnutls 0.7:
>
> - Improved handling of PKCS #11 modules: mod_gnutls now loads either
>   modules specified using GnuTLSP11Module, or the system defaults, but
>   not both. Thanks to Nikos Mavrogiannopoulos for the report and
>   initial patch!
> - Initialize variables to safe defaults during client certificate
>   verification. Certain error code paths did not set them, but they
>   should never be hit due to config validation. This adds another line
>   of defense.
> - Enable C99 support via autoconf
> - Test suite improvements. Most importantly, automake now handles
>   environment setup without any external make calls. Rules to build
>   the certificates are included from the old test makefile. Note that
>   the dependency on GNU make is not new (the test makefile always used
>   GNU make syntax), it just wasn't listed explicitly.

Thanks for these fixes! I'm noticing that now that we're looking for
apache2 or httpd in the $PATH for the test suite, that's not working
when testing as a non-privileged user on debian, since apache2 is in
/usr/sbin, but the normal non-privileged user doesn't have /sbin or
/usr/sbin in their $PATH.

In particular, ./configure outputs:

configure: WARNING: Neither apache2 nor httpd found in PATH. Test suite will fail.

This can be fixed with:

diff --git a/configure.ac b/configure.ac index 8977aab..65c0684 100644 --- a/configure.ac +++ b/configure.ac @@ -98,7 +98,7 @@ AM_CONDITIONAL([USE_PDFLATEX], [test "$PANDOC" != "no" && \ test "$PDFLATEX" != "no"]) # Check for Apache binary -AC_PATH_PROGS([APACHE2], [apache2 httpd], [no]) +AC_PATH_PROGS([APACHE2], [apache2 httpd], [no], [$PATH:/usr/sbin]) if test "${APACHE2}" = "no"; then AC_MSG_WARN([Neither apache2 nor httpd found in \ PATH. Test suite will fail.])

However, i'm now seeing apache hanging during the tests -- it has port
9932 open, and is listening, but gnutls-cli hangs in TCP_SYN state when
connecting to it.

any ideas what i should try for debugging it?

--dkg

From thomas2.klute at uni-dortmund.de Tue Oct 20 15:54:09 2015
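
Review bot: The AC_MSG_WARN text at the end of the configure.ac hunk in Daniel Kahn Gillmor's message still says "Neither apache2 nor httpd found in PATH" although the changed AC_PATH_PROGS call now searches $PATH:/usr/sbin, so a user who sees the warning will not know that /usr/sbin was already tried; reword it to name the extended search path. The message also mentions /sbin, which the new fourth argument does not add, and the Autoconf manual's own examples join path entries with $PATH_SEPARATOR rather than a literal colon, e.g. [$PATH$PATH_SEPARATOR/usr/sbin].
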
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Tue, 20 Oct 2015 15:54:09 +0200
Subject: [mod_gnutls-devel] New Release: mod_gnutls 0.7.1
In-Reply-To: <87r3kqjlu8.fsf@alice.fifthhorseman.net>
References: <562514A1.30404@uni-dortmund.de> <87r3kqjlu8.fsf@alice.fifthhorseman.net>
Message-ID: <56264781.3090206@uni-dortmund.de>

On 20.10.2015 at 04:49, Daniel Kahn Gillmor wrote:
> Thanks for these fixes! I'm noticing that now that we're looking for
> apache2 or httpd in the $PATH for the test suite, that's not working
> when testing as a non-privileged user on debian, since apache2 is in
> /usr/sbin, but the normal non-privileged user doesn't have /sbin or
> /usr/sbin in their $PATH.

Appending /usr/sbin to the search path seems reasonable, I've pushed it
to master (rev 83b39016614370843a98b1b85d4fe5517e4bb7c6, [1]). For the
release version you can just pass an extended path to ./configure:

PATH="$PATH:/usr/sbin" ./configure

AC_PATH_PROGS stores the absolute path, so there's no need to change the
PATH for the rest of the build.

> However, i'm now seeing apache hanging during the tests -- it has port
> 9932 open, and is listening, but gnutls-cli hangs in TCP_SYN state when
> connecting to it.
>
> any ideas what i should try for debugging it?

That is strange. Aside from checking logs (startup messages now go to
the individual test log, e.g. test/test-00_basic.bash.log, access and
error logs to test/logs/ as before), two things come to mind:

* Are TEST_HOST and TEST_IP correct for your system? Debian's default
  /etc/hosts file configures "localhost" as IPv4 only, so I have to pass
  either TEST_HOST="ip6-localhost" or TEST_IP="127.0.0.1" to
  ./configure, otherwise host name and IP don't match.
* If you want to start the Apache process manually (e.g. with a
  debugger), run "make show-test-env" in the test/ directory, which will
  dump the content of AM_TESTS_ENVIRONMENT to stdout, so you can easily
  provide the same environment as the test suite.

Regards,
Thomas

[1] https://mod.gnutls.org/changeset/83b39016614370843a98b1b85d4fe5517e4bb7c6/mod_gnutls

From mwenzel at proheris.de Mon Oct 26 14:04:33 2015
From: mwenzel at proheris.de (Mike Wenzel)
Date: Mon, 26 Oct 2015 13:04:33 +0000
Subject: [mod_gnutls-devel] Cannot load mod_gnutls.so into server - libgnutls.so.26: cannot open shared object file
Message-ID:

Hey everyone,

I just ran into the following problem after I started my VM (openSUSE)
today. I didn't change anything, and it worked fine last Friday. I
don't work on the weekend so I didn't even have the chance to do
something on it.

When I try to start my apache2 using "rcapache2 start" I'm getting:

start_apache2[1801]: httpd2-prefork: Syntax error on line 6 of /etc/apache2/httpd.conf: Syntax error on line 34 of /etc/apache2/sysconfig.d/loadmodule.conf: Cannot load /usr/lib64/apache2/mod_gnutls.so into server: libgnutls.so.26: cannot open shared object file: No such file or directory

Any ideas?

# echo $LD_LIBRARY_PATH
/u01/app/oracle/product/11.2.0/xe/lib:/usr/local/lib:/usr/lib:/usr/lib64

# find / -type f -name mod_gnutls.so
/usr/lib64/apache2/mod_gnutls.so

# find / -type f -name libgnutls.so.26
#

From dkg at fifthhorseman.net Mon Oct 26 17:13:19 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 26 Oct 2015 12:13:19 -0400
Subject: [mod_gnutls-devel] Cannot load mod_gnutls.so into server - libgnutls.so.26: cannot open shared object file
In-Reply-To:
References:
Message-ID: <871tch8v6o.fsf@alice.fifthhorseman.net>

Hi Mike--

(please subscribe to the mailing list so that your messages can go
through without explicit moderation!)

https://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel

On Mon 2015-10-26 09:04:33 -0400, Mike Wenzel wrote:
> I just ran into the following problem after I started my VM (openSUSE)
> today. I didn't change anything, and it worked fine last Friday. I
> don't work on the weekend so I didn't even have the chance to do
> something on it.
>
> When I try to start my apache2 using "rcapache2 start" I'm getting:
>
> start_apache2[1801]: httpd2-prefork: Syntax error on line 6 of /etc/apache2/httpd.conf: Syntax error on line 34 of /etc/apache2/sysconfig.d/loadmodule.conf: Cannot load /usr/lib64/apache2/mod_gnutls.so into server: libgnutls.so.26: cannot open shared object file: No such file or directory
>
> Any ideas?
>
> # echo $LD_LIBRARY_PATH
> /u01/app/oracle/product/11.2.0/xe/lib:/usr/local/lib:/usr/lib:/usr/lib64
>
> # find / -type f -name mod_gnutls.so
> /usr/lib64/apache2/mod_gnutls.so
>
> # find / -type f -name libgnutls.so.26
> #

this last bit is the issue -- maybe you've got some failed dependency
here? you should have some library package installed that provides
libgnutls.so.26

alternately, maybe you need to rebuild mod_gnutls.so to have it work
with whatever modern version of libgnutls that is installed.

can you do that last find for 'libgnutls.so.*' and see what turns up?
if it's .so.28 or something else, you should rebuild mod_gnutls against
the newer version.

--dkg
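
The check suggested in the reply above, written out as an added example (not part of the original thread or of mod_gnutls): it lists the sonames the loader cannot resolve and shows which other versions of the same library are installed. The function names, the sample ldd output and the directory list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `ldd`-style output on stdin and print every soname that the
# dynamic loader reported as "not found".
missing_sonames() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# For a versioned soname such as libgnutls.so.26, print files in the given
# directories that share the base name (libgnutls.so.*) but carry a
# different version, i.e. what the module would have to be rebuilt against.
soname_candidates() {
    soname=$1; shift
    base=${soname%.so.*}.so
    for dir in "$@"; do
        for f in "$dir/$base".*; do
            [ -e "$f" ] || continue        # unmatched glob or missing dir
            name=${f##*/}
            [ "$name" = "$soname" ] || printf '%s\n' "$f"
        done
    done
}

# Constructed sample, modelled on the error message quoted in the thread.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libgnutls.so.26 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f3c1a000000)'

# Report each missing soname together with the versions found on disk.
# The directory list is an assumption; adjust it to the system's layout.
report() {
    printf '%s\n' "$SAMPLE_LDD" | missing_sonames | while read -r lib; do
        printf 'missing: %s\n' "$lib"
        soname_candidates "$lib" /usr/lib64 /usr/lib /lib64 /lib |
            sed 's/^/  installed instead: /'
    done
}

report
```

On the affected host, the sample would be replaced by the output of `ldd /usr/lib64/apache2/mod_gnutls.so`.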