httpd-dev mailing list archives

From Michael Felt <mamf...@gmail.com>
Subject Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results
Date Fri, 17 Jul 2015 11:09:35 GMT
On 2015-07-17 12:39 PM, Yann Ylavic wrote:
> Michael Felt wrote:
>> Yann Ylavic wrote:
>>> So if RC4 was the culprit, the tests (pr12355 and pr43738) should pass
>>> now.
>> I'll pull ApacheTest and check.
> I assume the attached logs_pr12355_LibreSSL.zip was with the latest
> framework (including r1691419), so the RC4 => AES changes did not
> work...
Yes, that was with the latest framework (svn checkout). As I showed in 
the ciphers list, it is still there.
>> so if I look through the VirtualHost definitions made by ApacheTest I should
>> see some "Location CipherSuite" declarations?
> Yes, t/conf/ssl/ssl.conf.in has a VirtualHost SSLCipherSuite
> "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" which is
> overridden for some <Location>s (/require-aes{128,256}-cgi and
> /modules/ssl/aes{128,256}/) with SSLCipherSuite "AES{128,256}-SHA".
>
>>>> [Thu Jul 16 11:47:12.052157 2015] [ssl:info] [pid 389322:tid 772]
>>>>    SSL Library Error: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
>>> That's not an alert (a close?).
>>> Maybe a higher LogLevel (trace5?) would help, and/or a pcap...
>> So, an attachment again, with both binary and text of iptrace during run of
>> test pr12355. I guess (rather hope) you can read what is going on here.
> Ouch, quite hard to read TLS in the matrix :)
> Maybe "tcpdump -i lo -w dump.pcap -s0 tcp port 8532"?
> (dump.pcap would then be readable in wireshark).
I would expect wireshark can also read iptrace data (the .iptrc file in 
the bz2 attachment).
> But possibly "LogLevel trace5" in httpd.conf (or
> t/conf/ssl/ssl.conf.in's VirtualHost) would be enough to see what's
> going on.
Easiest for testing is to just set it in /etc/httpd/httpd.conf and run make 
test again. This server is only for testing anyway.
> Since the "error" (interruption) seems to be on the client side
> though, it may also be interesting to start httpd with a configuration
> like the framework's generated t/conf/ssl/ssl.conf file, and then use
> openssl s_client (or libressl s_client? dunno the name of that binary
> in libreSSL...) with -state and -debug to have the client's POV...
libressl is the name of the package; the commands, etc. are the same. 
So, if you can be more explicit about what you are thinking/needing, I 
shall comply.
