[mod_gnutls-devel] New Release: mod_gnutls 0.7.1

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Oct 20 04:49:19 CEST 2015

Hi Thomas--

On Mon 2015-10-19 12:04:49 -0400, Thomas Klute wrote:

> I'm happy to announce the release of mod_gnutls 0.7.1. This is a
> maintenance release with a change to the GnuTLSP11Module option and a
> few general improvements. The change to GnuTLSP11Module only affects
> configurations using multiple PKCS #11 modules.
>
> Nikos Mavrogiannopoulos pointed out that loading PKCS #11 modules from
> both system configuration and GnuTLSP11Module can have unexpected side
> effects, in particular if multiple versions of the same module are
> installed on the system, and provided a patch to load only the module
> specified using GnuTLSP11Module if the option is set [1]. I've built on
> that patch to allow loading multiple modules using multiple occurrences
> of GnuTLSP11Module. If you use a configuration with more than one PKCS
> #11 module, please ensure that you use either the system-wide p11-kit
> configuration, or specify GnuTLSP11Module multiple times in the Apache
> configuration (once for each module).
>
> Changelog since mod_gnutls 0.7:
> - Improved handling of PKCS #11 modules: mod_gnutls now loads either
>   modules specified using GnuTLSP11Module, or the system defaults, but
>   not both. Thanks to Nikos Mavrogiannopoulos for the report and
>   initial patch!
> - Initialize variables to safe defaults during client certificate
>   verification. Certain error code paths did not set them, but they
>   should never be hit due to config validation. This adds another line
>   of defense.
> - Enable C99 support via autoconf
> - Test suite improvements. Most importantly, automake now handles
>   environment setup without any external make calls. Rules to build
>   the certificates are included from the old test makefile. Note that
>   the dependency on GNU make is not new (the test makefile always used
>   GNU make syntax), it just wasn't listed explicitly.

Thanks for these fixes!  I'm noticing that now that we're looking for
apache2 or httpd in the $PATH for the test suite, that's not working
when testing as a non-privileged user on debian, since apache2 is in
/usr/sbin, but the normal non-privileged user doesn't have /sbin or
/usr/sbin in their $PATH.

In particular, ./configure outputs:

configure: WARNING: Neither apache2 nor httpd found in 		     PATH. Test suite will fail.

This can be fixed with:

diff --git a/configure.ac b/configure.ac
index 8977aab..65c0684 100644
--- a/configure.ac
+++ b/configure.ac
@@ -98,7 +98,7 @@ AM_CONDITIONAL([USE_PDFLATEX], [test "$PANDOC" != "no" && \
 			       test "$PDFLATEX" != "no"])
 # Check for Apache binary
-AC_PATH_PROGS([APACHE2], [apache2 httpd], [no])
+AC_PATH_PROGS([APACHE2], [apache2 httpd], [no], [$PATH:/usr/sbin])
 if test "${APACHE2}" = "no"; then
 	AC_MSG_WARN([Neither apache2 nor httpd found in \
 		     PATH. Test suite will fail.])
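
Review bot: the warning on the trailing context lines still reads "Neither apache2 nor httpd found in PATH", but with the fourth argument `[$PATH:/usr/sbin]` the search now covers more than the user's PATH, so the message should name the directories actually searched (for example "found in PATH or /usr/sbin"). The accompanying message also names /sbin as missing from an unprivileged user's PATH; if that directory is meant to be covered, it needs to be appended too. Separately, the backslash continuation inside AC_MSG_WARN carries the indentation into the output, which is the run of whitespace visible in the quoted configure warning; keeping the message on one line avoids that.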

However, i'm now seeing apache hanging during the tests -- it has port
9932 open, and is listening, but gnutls-cli hangs in TCP_SYN state when
connecting to it.

any ideas what i should try for debugging it?
