From sunil at medhas.org Wed Apr 4 12:14:08 2018
From: sunil at medhas.org (Sunil Mohan Adapa)
Date: Wed, 4 Apr 2018 15:44:08 +0530
Subject: [mod_gnutls-devel] Certificate expired on https://mod.gnutls.org/
Message-ID: <324d4095-2408-9c81-12a6-977369f6c838@medhas.org>

Hello,

TLS Certificate on mod.gnutls.org seems to have expired yesterday.
Fetching source code for Debian packaging is failing because of this.

--
Sunil

From sunil at medhas.org Wed Apr 4 12:49:58 2018
From: sunil at medhas.org (Sunil Mohan Adapa)
Date: Wed, 4 Apr 2018 16:19:58 +0530
Subject: [mod_gnutls-devel] Reverse proxy tests fail with latest Apache
Message-ID: <3a7ae2d8-e462-3faa-dbaa-bb395496fb5f@medhas.org>

Hello,

I am investigating a serious regression on all FreedomBoxes with reverse
proxying TLS connections. I found that the following tests fail with
Apache 2.4.33-1 (Debian):

FAIL: test-19_TLS_reverse_proxy.bash
FAIL: test-20_TLS_reverse_proxy_client_auth.bash
FAIL: test-21_TLS_reverse_proxy_wrong_cert.bash
FAIL: test-22_TLS_reverse_proxy_crl_revoke.bash
FAIL: test-23_TLS_reverse_proxy_mismatched_priorities.bash

Can someone please confirm.

Thank you,

--
Sunil

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 858 bytes
Desc: OpenPGP digital signature
URL:

From thomas2.klute at uni-dortmund.de Mon Apr 9 09:04:25 2018
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Mon, 9 Apr 2018 09:04:25 +0200
Subject: [mod_gnutls-devel] Reverse proxy tests fail with latest Apache
In-Reply-To: <3a7ae2d8-e462-3faa-dbaa-bb395496fb5f@medhas.org>
References: <3a7ae2d8-e462-3faa-dbaa-bb395496fb5f@medhas.org>
Message-ID: <203d00d7-ee05-dabc-5c72-013cd3e03b3a@uni-dortmund.de>

On 04.04.2018 at 12:49, Sunil Mohan Adapa wrote:
> I am investigating a serious regression on all FreedomBoxes with reverse
> proxying TLS connections.
> I found that the following tests fail with
> Apache 2.4.33-1 (Debian):
>
> FAIL: test-19_TLS_reverse_proxy.bash
> FAIL: test-20_TLS_reverse_proxy_client_auth.bash
> FAIL: test-21_TLS_reverse_proxy_wrong_cert.bash
> FAIL: test-22_TLS_reverse_proxy_crl_revoke.bash
> FAIL: test-23_TLS_reverse_proxy_mismatched_priorities.bash
>
> Can someone please confirm.

This seems to be a result of Apache changing the API used by mod_proxy
to set up its client connections, in particular introducing the
"ssl_engine_set" function.

Please try the attached patch and let me know if it fixes the issue.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: proxy-fix-2.4.33.diff
Type: text/x-patch
Size: 7895 bytes
Desc: not available
URL:

From sunil at medhas.org Wed Apr 11 14:19:21 2018
From: sunil at medhas.org (Sunil Mohan Adapa)
Date: Wed, 11 Apr 2018 17:49:21 +0530
Subject: [mod_gnutls-devel] Reverse proxy tests fail with latest Apache
In-Reply-To: <203d00d7-ee05-dabc-5c72-013cd3e03b3a@uni-dortmund.de>
References: <3a7ae2d8-e462-3faa-dbaa-bb395496fb5f@medhas.org> <203d00d7-ee05-dabc-5c72-013cd3e03b3a@uni-dortmund.de>
Message-ID:

On Monday 09 April 2018 12:34 PM, Thomas Klute wrote:
> On 04.04.2018 at 12:49, Sunil Mohan Adapa wrote:
>> I am investigating a serious regression on all FreedomBoxes with reverse
>> proxying TLS connections. I found that the following tests fail with
>> Apache 2.4.33-1 (Debian):
>>
>> FAIL: test-19_TLS_reverse_proxy.bash
>> FAIL: test-20_TLS_reverse_proxy_client_auth.bash
>> FAIL: test-21_TLS_reverse_proxy_wrong_cert.bash
>> FAIL: test-22_TLS_reverse_proxy_crl_revoke.bash
>> FAIL: test-23_TLS_reverse_proxy_mismatched_priorities.bash
>>
>> Can someone please confirm.
>
> This seems to be a result of Apache changing the API used by mod_proxy
> to set up its client connections, in particular introducing the
> "ssl_engine_set" function.
>
> Please try the attached patch and let me know if it fixes the issue.
>

I confirm that the patch fixes the issue. I did the following:

- I built a .deb with the patch applied on top of mod-gnutls_0.8.2-3
  inside cowbuilder. All tests have passed while they were failing
  without the patch.

- I installed the built .deb on a FreedomBox machine and confirmed that
  the original problem with reverse proxying has been fixed.

Thank you very much for a prompt fix. Now, if we could have a release
with the fix sneak into Debian... :)

--
Sunil

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 858 bytes
Desc: OpenPGP digital signature
URL:

From thomas2.klute at uni-dortmund.de Fri Apr 13 22:30:36 2018
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Fri, 13 Apr 2018 22:30:36 +0200
Subject: [mod_gnutls-devel] Personal announcement
Message-ID: <4b71a4f5-eb45-ff2e-b301-a54cc8791e84@uni-dortmund.de>

Hi everyone,

a quick personal announcement I want to get out before the mod_gnutls
0.8.4 release: I'm transgender and will be going by Fiona from now on.

I'll be using the key with the following ID to sign upcoming releases
(full public key below):

Fiona Klute /EEA726CE21235A58
Fingerprint: E4D3 138F E2D9 F2FA 8152 FD91 EEA7 26CE 2123 5A58

I'm sending this mail from my previous mail address and signed with the
matching key to confirm that identity before I use it.

Best regards,
Fiona

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:

From fiona.klute at gmx.de Fri Apr 13 23:10:44 2018
From: fiona.klute at gmx.de (Fiona Klute)
Date: Fri, 13 Apr 2018 23:10:44 +0200
Subject: [mod_gnutls-devel] New release: mod_gnutls 0.8.4
Message-ID: <7091845e-d0b3-54b5-62a6-2cacfebb57b0@gmx.de>

Hi everyone,

I have just uploaded a new source archive and matching signature to
https://mod.gnutls.org/downloads/ as well as the signed mod_gnutls/0.8.4
tag to the git repositories [1, 2].

Version 0.8.4 is a maintenance release with the following changes since
0.8.3:

* Support Apache HTTPD 2.4.33 API for proxy TLS connections
* Support TLS for HTTP/2 connections with mod_http2.
  This means mod_gnutls now requires Apache HTTPD 2.4.17 or newer.
* Fix configuration of OCSP stapling callback

Regards,
Fiona

[1] https://mod.gnutls.org/git/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls.git

From fiona.klute at gmx.de Sat Apr 14 17:18:40 2018
From: fiona.klute at gmx.de (Fiona Klute)
Date: Sat, 14 Apr 2018 17:18:40 +0200
Subject: [mod_gnutls-devel] mod_gnutls: HTTP2 support ?
In-Reply-To:
References: <408891003.204241166.1512734478996.JavaMail.root@zimbra7-e1>
Message-ID: <85780779-e053-4fc3-d6fd-afc621b86e3b@gmx.de>

Hi Vince,

in case you're still interested in this matter: I've added support for
HTTP/2 with mod_gnutls 0.8.4, released yesterday.

Regards,
Fiona

On 13.12.2017 at 08:23, Thomas Klute wrote:
> On 08.12.2017 at 13:01, osg at free.fr wrote:
>> dkg told me maybe ALPN support was not implemented.
>
> That is definitely part of the reason. Adding ALPN is fairly simple, but
> apparently not sufficient.
>
>> Could you tell me if I'm doing something wrong ?
>> If not have you some plan to support HTTP2 ?
>
> Patches are welcome. ;-) The attached WIP patch (on top of master branch
> on https://github.com/airtower-luna/mod_gnutls) adds ALPN support and
> implements ssl_var_lookup() (which mod_http2 uses to check for TLS
> session state). With it protocol negotiation works, but the actual
> request does not. I don't know when I'll have time to find out what else
> mod_http2 needs, maybe you can find it.
>
>> PS: version used from GNU/Debian 9, and compiled version:
>> Paquet : apache2
>> Version : 2.4.25-3+deb9u3
>>
>> Paquet : libapache2-mod-gnutls
>> Version : 0.8.2-3
>>
>> Source: mod_gnutls-0.8.3.tar.bz2
>
> Are you using the Debian packet (0.8.2) or did you build 0.8.3 from source?
>
>
>
> _______________________________________________
> mod_gnutls-devel mailing list
> mod_gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel
>
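
Added example, not part of the thread and not mod_gnutls code: a packager who fetches a release signed with the key announced in the "Personal announcement" message can pin the full fingerprint given there and check it against the machine-readable output of `gpg --status-fd 1 --verify`. The function names and the sample status lines are constructed for illustration; only the fingerprint and key ID come from the thread.

```python
import re

# Fingerprint as announced in the thread; all other names here are assumptions.
PINNED_FPR = "E4D3 138F E2D9 F2FA 8152 FD91 EEA7 26CE 2123 5A58"
# Status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Return a 40-hex-digit fingerprint without spaces, upper-cased."""
    digits = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("not a 160-bit fingerprint: %r" % fpr)
    return digits

def signed_by_pinned_key(status_text, pinned=PINNED_FPR):
    """Check `gpg --status-fd 1 --verify` output; return (ok, reason)."""
    want = normalize(pinned)
    primaries = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        if fields[0] in REJECT:
            return False, fields[0]
        if fields[0] == "VALIDSIG" and len(fields) >= 2:
            # Field 1 is the signing (sub)key; the optional last field is
            # the primary key fingerprint, which is what gets pinned.
            primaries.append(fields[10] if len(fields) > 10 else fields[1])
    if not primaries:
        return False, "no VALIDSIG"
    for fpr in primaries:
        if normalize(fpr) != want:
            return False, "signed by unpinned key " + fpr
    return True, "ok"

# Constructed status output (not captured from a real verification).
GOOD = """[GNUPG:] GOODSIG EEA726CE21235A58 Fiona Klute
[GNUPG:] VALIDSIG E4D3138FE2D9F2FA8152FD91EEA726CE21235A58 2018-04-13 1523653800 0 4 0 1 8 00 E4D3138FE2D9F2FA8152FD91EEA726CE21235A58
"""
# Same 64-bit key ID, different (made-up) fingerprint.
LOOKALIKE = GOOD.replace("E4D3138FE2D9F2FA8152FD91", "0123456789ABCDEF01234567")
EXPIRED = "[GNUPG:] EXPKEYSIG EEA726CE21235A58 Fiona Klute\n"
```

The LOOKALIKE case shows why the comparison uses the full fingerprint: its GOODSIG line carries the same 16-digit key ID as the announced key, yet the check rejects it.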