[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-httpd-dev
Subject:    Re: [NOTICE] Intent to T&R 2.4.37 - about 12:00 GMT tomorrow
From:       Daniel Ruggeri <druggeri () primary ! net>
Date:       2018-10-18 14:31:58
Message-ID: 0ea4c28e543d6324bad2831a7fe200af () primary ! net
[Download RAW message or body]

On 2018-10-18 07:12, Rainer Jung wrote:
> Am 17.10.2018 um 13:41 schrieb Daniel Ruggeri:
> > Hi, all;
> > With the fix for detected OpenSSL 1.1.1 issues now backported to 
> > 2.4.x, I would like to tag the next version of our venerable server 
> > soon.
> > 
> > I have already successfully completed the test suite against my 
> > "latest sources" docker environment and am watching for any smoke 
> > detected in [1]. Feeling good about this one :-)
> > 
> > How about roughly 24 hours from now?
> > 
> > [1] 
> > https://lists.apache.org/thread.html/48de97bd66ceabcf84a3719b36cd69274cb8c4b64d68c46696beb906@<dev.httpd.apache.org>
> > 
> 
> In the meantime most of my tests finished. The two small mod_ssl
> patches applied this morning were not part of the testing but seem
> simple enough to understand and should pose no risk.
> 
> My testing showed:
> 
> - t/ssl/ocsp.t fails in test 2 and 3 (lines 43 and 49) when the server
> is build using OpenSSL 0.9.8zh:
> Can't connect to localhost:8535 (SSL connect attempt failed because of
> handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> alert handshake failure)
> SSL connect attempt failed because of handshake problems
> error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure at
> /shared/build/dev/httpd/install/Bundle-ApacheTest/20180911-0.9.8zh-1/rhel7.x86_64/lib/perl5/LWP/Protocol/http.pm \
> line 50. 
> I don't know whether that is expected for old OpenSSL, so can not
> judge on criticality.
> 
> - t/modules/http2.t fails when the server is build using OpenSSL
> 0.9.8zh with the "Bad plan.  You planned 52 tests..." message
> indicating, that h2 using TLS does not work. It happens on all
> platforms, but not if the client also uses OpenSSL 0.9.8zh.
> 
> I don't know whether that is expected for old OpenSSL, so can not
> judge on criticality.
> 
> - only once out of 68 runs on Solaris failure in t/modules/cgi.t test
> 54 in line 232. There log contents are checked and the file system is
> on NFS. Might be, that this is a timing issue in the test. Not a
> show-stopper for me.
> 
> - only once out of 68 runs on Solaris failure in t/ssl/proxy.t test
> 106 in line 131. /eat_post responds with a proxy error (502) instead
> of 200 with the posted content length as the response body. Need to
> investigate but would also say not a show-stopper, because only on
> Solaris and only once.
> 
> - some crashes on Solaris when building the server statically linked.
> Only with event MPM and looks like always at the end of a process
> lifetime, typically during shutdown. Maybe a problem with duplicate
> OpenSSL unloading/cleanup (apr-util plus mod_ssl). I think its a known
> problem, but no fix yet available. Since it should not happen to
> processes which are in use I would say it is more of an annoyance and
> not a show-stopper.
> 
> Regards,
> 
> Rainer

Thank you so much for the thorough testing. I see that the H2 failure 
case makes sense based on feedback. I also suspect there is a strong 
lead on the ocsp case. I'm also pleased to see the backports have 
already made it into 2.4.x so I think we're good to go.

-- 
Daniel Ruggeri


[prev in list] [next in list] [prev in thread] [next in thread]