64.236.128.14: fix literal brackets

2005-12-20T01:05:44Z

fix literal brackets

WikiSysop: imported from WiKit id 166

2005-03-30T06:07:02Z

imported from WiKit id 166

New page

An AOLserver [[socket driver]] module which implements SSL/TLS encryption
on incomming sockets, and also adds an https client API.

See: [http://aolserver.com/sf/cvs/nsopenssl SF CVS: nsopenssl/]

Author: [[Scott Goodwin]]

See also: [[nsnss]], [[nsssl]]

----

'''Dossy's debugging notes:'''

SourceForge Bug: [http://aolserver.com/sf/bug/1012892 empty HTTPS request causes null ptr deref]. Interim patches available for download attached to the bug.

Testing with:

$ openssl version
OpenSSL 0.9.7d 17 Mar 2004

$ openssl s_client -connect panoptic.com:443 -showcerts -msg -ssl2
$ openssl s_client -connect panoptic.com:443 -showcerts -msg -ssl3
$ openssl s_client -connect panoptic.com:443 -showcerts -msg -tls1

1. If the certificate and key .pem files aren't in the modules/nsopenssl dir, the server will still start up (and logs an error) and will accept SSL connections, but causes the server to spin with the following error:

[[12/Aug/2004:16:41:49]][[5459.1088261040]][[-nsopenssl:reader-]] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 199; total = 0; rc = -1
[[12/Aug/2004:16:41:49]][[5459.1088261040]][[-nsopenssl:reader-]] Error: nsopenssl (server1): SSL error on reading data

Is it ever possible to service a SSL request if you don't have the server certificate loaded? If we can't load the cert, perhaps we shouldn't open the socket for listening and accept connections on it.

2. The example nsd.tcl that's provided in the nsopenssl specifies "SSLv3, TLSv1" for the server protocols. An SSLv2 client connection causes a similar SSL error as above. Adding "SSLv2" to the list seems to make SSLv2 requests work just fine.

3. "maxinput" for nsopenssl is configured differently than it is for nssock -- see [http://www.mail-archive.com/aolserver@listserv.aol.com/msg07365.html TIP: configuring "maxinput" for nsopenssl] which I'll include a copy of here:

In recent versions of AOLserver 4.0, there's a new config parameter for
socket drivers (nssock, nsopenssl) called "maxinput" that limits the
size of the HTTP request, defaulting to 1,024,000 bytes. For most
sites, this may be a suitable default to prevent resource-starvation
style Denial of Service attacks. However, if your application allows
for large HTTP requests (such as file uploads that exceed 1MB in size),
you will need to crank the knob on the "maxinput" parameter suitably
high for your needs.

For nssock, this is pretty straightforward:

ns_section "ns/server/${servername}/module/nssock"
ns_param maxinput [[expr 1024 * 1024 * 100]]

This would set "maxinput" to 100MB. However, if you're using nsopenssl,
you may think that a similar config section like this should work:

ns_section "ns/server/${servername}/module/nsopenssl"
ns_param maxinput [[expr 1024 * 1024 * 100]]

But, it doesn't! (Ross Simpson and I found this out the hard way, with
two hours of much gnarly debugging and head-scratching.) So, how DO you
set "maxinput" for nsopenssl?

Well, nsopenssl has a "ssldrivers" config section, that might look like
the following:

ns_section "ns/server/${servername}/module/nsopenssl/ssldrivers"
ns_param example "an example server"

That defines the ssldriver named "example". You set parameters for it
(like you do for nssock) in this config section:

ns_section "ns/server/${servername}/module/nsopenssl/ssldriver/example"
ns_param sslcontext example_ctx
ns_param port 443
# ... etc ...

ns_param maxinput [[expr 1024 * 1024 * 100]]

Yes, you define parameters like "maxinput" and "recvwait" and other
socket-related settings in THIS section! Yes, this is where those
settings belong.

Interesting bug: in at least nsopenssl (and perhaps nssock), if maxinput
is reached, the server seems to sleep or simply spin, instead of
returnig some kind of error ("400 Bad Request / request exceeds
maxinput" or somesuch). So, the diagnostic behavior is if you're
uploading a large file that exceeds maxinput, the browser just appears
to be still sending the file and it never finishes (until "recvwait"
seconds elapse, I believe).

----

Here's an issue that [[Bruno Mattarollo]] is experiencing on MacOS X 10.3.5 using the latest AOLserver and nsopenssl 3.0 beta code. See this [http://www.pastebin.com/95006 gdb backtrace] and look at Thread #4. Infinite loop that spins the CPU to 100%.

----

Here's a simple ADP page used to reproduce the nsopenssl-related hanging:

<% ns_sleep 10 %>
test

----

http://listserv.aol.com/cgi-bin/wa?A2=ind0408&L=aolserver&P=32616

On 2004.08.24, Noah Robin <sitz@AOL.NET> wrote:
[[...]]
>
> FWIW, there's a file descriptor leak in beta 17. On Solaris, it
> manifests as an ever-increasing number of connections in the BOUND
> state, as reported by netstat. I know, 'cause I reported it to Scott,
> who fixed it shortly thereafter. =)

----

[[Category Documentation]]

@@ Line 25: / Line 25: @@
 .  If the certificate and key .pem files aren't in the modules/nsopenssl dir, the server will still start up (and logs an error) and will accept SSL connections, but causes the server to spin with the following error:
-   [[12/Aug/2004:16:41:49]][[5459.1088261040]][[-nsopenssl:reader-]] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 199; total = 0; rc = -1
+   [12/Aug/2004:16:41:49][5459.1088261040][-nsopenssl:reader-] Debug: SSLOp(19-0): SSL_ERROR_SSL: bytes = 199; total = 0; rc = -1
-   [[12/Aug/2004:16:41:49]][[5459.1088261040]][[-nsopenssl:reader-]] Error: nsopenssl (server1): SSL error on reading data
+   [12/Aug/2004:16:41:49][5459.1088261040][-nsopenssl:reader-] Error: nsopenssl (server1): SSL error on reading data
 Is it ever possible to service a SSL request if you don't have the server certificate loaded?  If we can't load the cert, perhaps we shouldn't open the socket for listening and accept connections on it.
@@ Line 46: / Line 46: @@
          ns_section "ns/server/${servername}/module/nssock"
-         ns_param   maxinput              [[expr 1024 * 1024 * 100]]
+         ns_param   maxinput              [expr 1024 * 1024 * 100]
      This would set "maxinput" to 100MB.  However, if you're using nsopenssl,
@@ Line 52: / Line 52: @@
          ns_section "ns/server/${servername}/module/nsopenssl"
-         ns_param   maxinput              [[expr 1024 * 1024 * 100]]
+         ns_param   maxinput              [expr 1024 * 1024 * 100]
      But, it doesn't!  (Ross Simpson and I found this out the hard way, with
@@ Line 72: / Line 72: @@
          # ... etc ...
-         ns_param   maxinput              [[expr 1024 * 1024 * 100]]
+         ns_param   maxinput              [expr 1024 * 1024 * 100]
      Yes, you define parameters like "maxinput" and "recvwait" and other
@@ Line 102: / Line 102: @@
      On 2004.08.24, Noah Robin <sitz@AOL.NET> wrote:
-     [[...]]
+     [...]
+     >
      > FWIW, there's a file descriptor leak in beta 17. On Solaris, it
@@ Line 111: / Line 111: @@
 ----
-[[Category Documentation]]
+[[Category:Documentation]]

Nsopenssl - Revision history

64.236.128.14: fix literal brackets

WikiSysop: imported from WiKit id 166