Nsopenssl
An AOLserver socket driver module which implements SSL/TLS encryption on incomming sockets, and also adds an https client API.
See: SF CVS: nsopenssl/
Author: Scott Goodwin
Dossy's debugging notes:
SourceForge Bug: empty HTTPS request causes null ptr deref. Interim patches available for download attached to the bug.
Testing with:
$ openssl version OpenSSL 0.9.7d 17 Mar 2004
$ openssl s_client -connect panoptic.com:443 -showcerts -msg -ssl2 $ openssl s_client -connect panoptic.com:443 -showcerts -msg -ssl3 $ openssl s_client -connect panoptic.com:443 -showcerts -msg -tls1
1. If the certificate and key .pem files aren't in the modules/nsopenssl dir, the server will still start up (and logs an error) and will accept SSL connections, but causes the server to spin with the following error:
[12/Aug/2004:16:41:49][5459.1088261040][-nsopenssl:reader-] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 199; total = 0; rc = -1 [12/Aug/2004:16:41:49][5459.1088261040][-nsopenssl:reader-] Error: nsopenssl (server1): SSL error on reading data
Is it ever possible to service a SSL request if you don't have the server certificate loaded? If we can't load the cert, perhaps we shouldn't open the socket for listening and accept connections on it.
2. The example nsd.tcl that's provided in the nsopenssl specifies "SSLv3, TLSv1" for the server protocols. An SSLv2 client connection causes a similar SSL error as above. Adding "SSLv2" to the list seems to make SSLv2 requests work just fine.
3. "maxinput" for nsopenssl is configured differently than it is for nssock -- see TIP: configuring "maxinput" for nsopenssl which I'll include a copy of here:
In recent versions of AOLserver 4.0, there's a new config parameter for
socket drivers (nssock, nsopenssl) called "maxinput" that limits the
size of the HTTP request, defaulting to 1,024,000 bytes. For most
sites, this may be a suitable default to prevent resource-starvation
style Denial of Service attacks. However, if your application allows
for large HTTP requests (such as file uploads that exceed 1MB in size),
you will need to crank the knob on the "maxinput" parameter suitably
high for your needs.
For nssock, this is pretty straightforward:
ns_section "ns/server/${servername}/module/nssock"
ns_param maxinput [expr 1024 * 1024 * 100]
This would set "maxinput" to 100MB. However, if you're using nsopenssl,
you may think that a similar config section like this should work:
ns_section "ns/server/${servername}/module/nsopenssl"
ns_param maxinput [expr 1024 * 1024 * 100]
But, it doesn't! (Ross Simpson and I found this out the hard way, with
two hours of much gnarly debugging and head-scratching.) So, how DO you
set "maxinput" for nsopenssl?
Well, nsopenssl has a "ssldrivers" config section, that might look like
the following:
ns_section "ns/server/${servername}/module/nsopenssl/ssldrivers"
ns_param example "an example server"
That defines the ssldriver named "example". You set parameters for it
(like you do for nssock) in this config section:
ns_section "ns/server/${servername}/module/nsopenssl/ssldriver/example"
ns_param sslcontext example_ctx
ns_param port 443
# ... etc ...
ns_param maxinput [expr 1024 * 1024 * 100]
Yes, you define parameters like "maxinput" and "recvwait" and other
socket-related settings in THIS section! Yes, this is where those
settings belong.
Interesting bug: in at least nsopenssl (and perhaps nssock), if maxinput
is reached, the server seems to sleep or simply spin, instead of
returnig some kind of error ("400 Bad Request / request exceeds
maxinput" or somesuch). So, the diagnostic behavior is if you're
uploading a large file that exceeds maxinput, the browser just appears
to be still sending the file and it never finishes (until "recvwait"
seconds elapse, I believe).
Here's an issue that Bruno Mattarollo is experiencing on MacOS X 10.3.5 using the latest AOLserver and nsopenssl 3.0 beta code. See this gdb backtrace and look at Thread #4. Infinite loop that spins the CPU to 100%.
Here's a simple ADP page used to reproduce the nsopenssl-related hanging:
<% ns_sleep 10 %> test
http://listserv.aol.com/cgi-bin/wa?A2=ind0408&L=aolserver&P=32616
On 2004.08.24, Noah Robin <sitz@AOL.NET> wrote: [...] > > FWIW, there's a file descriptor leak in beta 17. On Solaris, it > manifests as an ever-increasing number of connections in the BOUND > state, as reported by netstat. I know, 'cause I reported it to Scott, > who fixed it shortly thereafter. =)
