
SSL not working with Dir

From:
Loic d'Anterroches
Date:
2011-07-12 @ 08:18
Hello,

on current develop, SSL is not working on a Dir route. To reproduce:

- setup SSL and check that it works for your normal handler.

$ mkdir certs && cd certs
$ openssl req   -x509 -nodes -days 365 -newkey rsa:1024 \
  -keyout SERVER-UUID.key -out SERVER-UUID.crt

Edit your mongrel2 conf and add "use_ssl=1" as Server setting:

main = Server(
    use_ssl=1,
    uuid="SERVER-UUID",
    ...
)

and the path to the certs in the "settings"

settings = {
    "certdir": "certs/",
    ...
}

Reload the database with the new config and restart Mongrel2.

- Access a handler route, it works.
- Access a Dir route, it fails with a zero length document when using
Firefox.

Comment use_ssl=1, reload the db and restart Mongrel2.

- It works for both routes.

The failure with wget is interesting:

$ wget -v https://localhost/tests/error.log  --no-check-certificate
--2011-07-12 10:11:22--  https://localhost/tests/error.log
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:443... failed: Connection refused.
Connecting to localhost|127.0.0.1|:443... connected.
WARNING: cannot verify localhost's certificate, issued by
`/C=GB/ST=Great Britain/O=Ceondo Ltd/CN=localhost':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 9420 (9,2K) [text/plain]
Saving to: `error.log.1'

 0% [                                        ] 0           --.-K/s   in 0s

2011-07-12 10:11:22 (0,00 B/s) - Connection closed at byte 0. Retrying.

--2011-07-12 10:11:23--  (try: 2)  https://localhost/tests/error.log
Connecting to localhost|127.0.0.1|:443... connected.
WARNING: cannot verify localhost's certificate, issued by
`/C=GB/ST=Great Britain/O=Ceondo Ltd/CN=localhost':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 9420 (9,2K) [text/plain]
error.log.1 has sprung into existence.
Retrying.

--2011-07-12 10:11:25--  (try: 3)  https://localhost/tests/error.log
Connecting to localhost|127.0.0.1|:443... connected.
WARNING: cannot verify localhost's certificate, issued by
`/C=GB/ST=Great Britain/O=Ceondo Ltd/CN=localhost':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 9420 (9,2K) [text/plain]
error.log.1 has sprung into existence.
Retrying.

^C

Here is the log when doing 3 retries in a dev build:

$ m2sh start -every
[INFO] (src/mime.c:49) MAX limits.mime_ext_len=128
[INFO] (src/host.c:72) MAX limits.url_path=256, limits.host_name=256
DEBUG src/handler.c:334: Creating handler
tcp://127.0.0.1:9997:45f7406f-3e9b-4f90-be02-6eea01e6d819
[INFO] (src/handler.c:338) MAX limits.handler_stack=102400
[INFO] (src/config/config.c:84) Loaded handler
1:tcp://127.0.0.1:9997:45f7406f-3e9b-4f90-be02-6eea01e6d819:tcp://127.0.0.1:9996:
DEBUG src/host.c:110: ADDING ROUTE TO HOST 0x98ef478: /demo/
DEBUG src/routing.c:92: ADDING prefix: /demo/, pattern: /demo/
[INFO] (src/config/config.c:226) Loaded route 1:/demo/:handler for host
1:localhost
DEBUG src/handler.c:334: Creating handler
tcp://127.0.0.1:9997:45f7406f-3e9b-4f90-be02-6eea01e6d819
[INFO] (src/config/config.c:84) Loaded handler
1:tcp://127.0.0.1:9997:45f7406f-3e9b-4f90-be02-6eea01e6d819:tcp://127.0.0.1:9996:
DEBUG src/host.c:110: ADDING ROUTE TO HOST 0x98ef478: @toto
DEBUG src/routing.c:92: ADDING prefix: @toto, pattern: @toto
[INFO] (src/config/config.c:226) Loaded route 2:@toto:handler for host
1:localhost
[INFO] (src/dir.c:175) MAX limits.dir_send_buffer=16384,
limits.dir_max_path=256
[INFO] (src/config/config.c:135) Loaded directory 1:logs/:error.log
DEBUG src/host.c:110: ADDING ROUTE TO HOST 0x98ef478: /tests/
DEBUG src/routing.c:92: ADDING prefix: /tests/, pattern: /tests/
[INFO] (src/config/config.c:226) Loaded route 3:/tests/:dir for host
1:localhost
DEBUG src/routing.c:92: ADDING prefix: tsohlacol, pattern: localhost
[INFO] (src/config/config.c:274) Loaded 1 hosts for server
1:e8e03321-bcb7-427f-bb21-bad7450eda3d
DEBUG src/task/net.c:141: Attempting netgetsocket: 1, 0.0.0.0:6767,
active: 0
DEBUG src/task/net.c:156: Enumerating targets...
DEBUG src/task/net.c:161: Trying target: 0.0.0.0:6767, af 2, prot 6
DEBUG src/task/net.c:53: Binding to 0.0.0.0:6767!
[INFO] (src/server.c:443) LOADING Handler tcp://127.0.0.1:9997
DEBUG src/superpoll.c:270: Attempting to force NOFILE limit to 10240
[INFO] (src/superpoll.c:279) Could not force NOFILE higher, you'll need
to run as root: Operation not permitted
[INFO] (src/superpoll.c:285) MAX open file descriptors is 1024 now.
[ERROR] (src/unixy.c:99: errno: No such file or directory) Failed to
open PID file .//run/mongrel2.pid for reading.
[INFO] (src/unixy.c:138) No previous Mongrel2 running, continuing on.
[ERROR] (src/unixy.c:55: errno: Operation not permitted) Can't chroot to
./, rerun as root if this is what you want.
[WARN] (src/mongrel2.c:242: errno: None) Couldn't chroot too ./,
assuming running in test mode.
[INFO] (src/server.c:269) Starting 0MQ with 1 threads.
[INFO] (src/request.c:57) MAX limits.header_count=1280
[INFO] (src/connection.c:806) MAX limits.content_length=2097152000,
limits.buffer_size=4096, limits.connection_stack_size=32768,
limits.client_read_retries=20000
[INFO] (src/connection.c:812) MAX limits.proxy_read_retries=20000,
limits.proxy_read_retry_warn=10
[INFO] (src/task/fd.c:151) MAX limits.fdtask_stack=102400
DEBUG src/superpoll.c:382: Building up slots for 768 sockets in idle.
Could take a minute.
[INFO] (src/superpoll.c:102) Allowing for 256 hot and 768 idle file
descriptors (dividend was 4)
[INFO] (src/handler.c:209) MAX allowing limits.handler_targets=128
[INFO] (src/handler.c:285) Binding handler PUSH socket
tcp://127.0.0.1:9997 with identity: 45f7406f-3e9b-4f90-be02-6eea01e6d819
[INFO] (src/handler.c:311) Binding listener SUB socket
tcp://127.0.0.1:9996 subscribed to:
[INFO] (src/control.c:402) Setting up control socket in at ipc://run/control
DEBUG src/mongrel2.c:205: No connections timed out.
DEBUG src/mongrel2.c:205: No connections timed out.
DEBUG src/mongrel2.c:205: No connections timed out.
DEBUG src/state.rl:53: --> parse(OPEN:107) State_exec:53
DEBUG src/connection.c:743: HTTP 1.0 request coming in from 127.0.0.1
DEBUG src/state.rl:54: --> register_request(REQ_RECV:110) State_exec:54
DEBUG src/connection.c:525: HTTP MESSAGE
DEBUG src/state.rl:57: --> route_request(HTTP_REQ:105) State_exec:57
DEBUG src/server.c:359: Looking for target host: localhost
DEBUG src/routing.c:200: Found simple suffix: localhost
DEBUG src/host.c:140: MATCHING BACKEND IN HOST 0x98ef478 AGAINST
/tests/error.log in ROUTES: 0x9871b00
DEBUG src/routing.c:215: Searching for route: /tests/error.log in map:
0x9871b00
DEBUG src/routing.c:219: Found simple prefix: /tests/
DEBUG src/host.c:145: Found backend at /tests/
DEBUG src/state.rl:63: --> http_to_directory(DIRECTORY:102) State_exec:63
DEBUG src/dir.c:275: Lazy normalized base path logs/ into
/home/loa/Projects/baregit/app/mongrel2/logs
DEBUG src/dir.c:331: Building target from base:
/home/loa/Projects/baregit/app/mongrel2/logs prefix: /tests/ path:
/tests/error.log index_file: error.log
DEBUG src/dir.c:423: TESTING WITH: if_match: (null), if_none_match:
(null), if_unmodified_since: 0, if_modified_since: 0
DEBUG src/dir.c:153: Failed to write header to socket.
DEBUG src/dir.c:487: Didn't send all of the file, sent -1 of
/tests/error.log.
DEBUG src/connection.c:300: Failed to serve file: /tests/error.log
DEBUG src/state.rl:52: --> close(CLOSE:100) State_exec:52
DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(0968):
ssl_flush_output() returned -1 (0xffffffff)

DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(2092):
ssl_write_record() returned -1 (0xffffffff)

DEBUG src/task/task.c:227: FREEING TASK: 0x99445b0
DEBUG src/state.rl:53: --> parse(OPEN:107) State_exec:53
DEBUG src/connection.c:743: HTTP 1.0 request coming in from 127.0.0.1
DEBUG src/state.rl:54: --> register_request(REQ_RECV:110) State_exec:54
DEBUG src/connection.c:525: HTTP MESSAGE
DEBUG src/state.rl:57: --> route_request(HTTP_REQ:105) State_exec:57
DEBUG src/server.c:359: Looking for target host: localhost
DEBUG src/routing.c:200: Found simple suffix: localhost
DEBUG src/host.c:140: MATCHING BACKEND IN HOST 0x98ef478 AGAINST
/tests/error.log in ROUTES: 0x9871b00
DEBUG src/routing.c:215: Searching for route: /tests/error.log in map:
0x9871b00
DEBUG src/routing.c:219: Found simple prefix: /tests/
DEBUG src/host.c:145: Found backend at /tests/
DEBUG src/state.rl:63: --> http_to_directory(DIRECTORY:102) State_exec:63
DEBUG src/dir.c:423: TESTING WITH: if_match: (null), if_none_match:
(null), if_unmodified_since: 0, if_modified_since: 0
DEBUG src/dir.c:153: Failed to write header to socket.
DEBUG src/dir.c:487: Didn't send all of the file, sent -1 of
/tests/error.log.
DEBUG src/connection.c:300: Failed to serve file: /tests/error.log
DEBUG src/state.rl:52: --> close(CLOSE:100) State_exec:52
DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(0968):
ssl_flush_output() returned -1 (0xffffffff)

DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(2092):
ssl_write_record() returned -1 (0xffffffff)

DEBUG src/task/task.c:227: FREEING TASK: 0x99445b0
DEBUG src/state.rl:53: --> parse(OPEN:107) State_exec:53
DEBUG src/connection.c:743: HTTP 1.0 request coming in from 127.0.0.1
DEBUG src/state.rl:54: --> register_request(REQ_RECV:110) State_exec:54
DEBUG src/connection.c:525: HTTP MESSAGE
DEBUG src/state.rl:57: --> route_request(HTTP_REQ:105) State_exec:57
DEBUG src/server.c:359: Looking for target host: localhost
DEBUG src/routing.c:200: Found simple suffix: localhost
DEBUG src/host.c:140: MATCHING BACKEND IN HOST 0x98ef478 AGAINST
/tests/error.log in ROUTES: 0x9871b00
DEBUG src/routing.c:215: Searching for route: /tests/error.log in map:
0x9871b00
DEBUG src/routing.c:219: Found simple prefix: /tests/
DEBUG src/host.c:145: Found backend at /tests/
DEBUG src/state.rl:63: --> http_to_directory(DIRECTORY:102) State_exec:63
DEBUG src/dir.c:423: TESTING WITH: if_match: (null), if_none_match:
(null), if_unmodified_since: 0, if_modified_since: 0
DEBUG src/dir.c:153: Failed to write header to socket.
DEBUG src/dir.c:487: Didn't send all of the file, sent -1 of
/tests/error.log.
DEBUG src/connection.c:300: Failed to serve file: /tests/error.log
DEBUG src/state.rl:52: --> close(CLOSE:100) State_exec:52
DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(0968):
ssl_flush_output() returned -1 (0xffffffff)

DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(2092):
ssl_write_record() returned -1 (0xffffffff)

DEBUG src/task/task.c:227: FREEING TASK: 0x99445b0
DEBUG src/mongrel2.c:205: No connections timed out.
DEBUG src/mongrel2.c:205: No connections timed out.
DEBUG src/mongrel2.c:205: No connections timed out.


I hope this can help debug/reproduce the issue.

loïc
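As an added example (not code from the thread or from the mongrel2 project), a small Python parser that groups the debug output quoted above per connection and reports which file serves failed together with the PolarSSL write errors logged on the same connection, which separates the TLS write failure seen here from an ordinary missing or unreadable file. The sample log is a constructed excerpt, and the line format "DEBUG <file>:<line>: <message>" is assumed from the quoted log.

```python
import re

# Constructed excerpt in the shape of the mongrel2 debug log quoted in the
# report (assumed format "DEBUG <file>:<line>: <message>"); the polarssl
# lines are joined here where the mailer wrapped them in the report.
SAMPLE_LOG = """\
DEBUG src/connection.c:743: HTTP 1.0 request coming in from 127.0.0.1
DEBUG src/host.c:145: Found backend at /tests/
DEBUG src/dir.c:153: Failed to write header to socket.
DEBUG src/connection.c:300: Failed to serve file: /tests/error.log
DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(0968): ssl_flush_output() returned -1 (0xffffffff)
DEBUG src/io.c:221: polarssl: src/polarssl/ssl_tls.c(2092): ssl_write_record() returned -1 (0xffffffff)
DEBUG src/task/task.c:227: FREEING TASK: 0x99445b0
DEBUG src/connection.c:743: HTTP 1.0 request coming in from 127.0.0.1
DEBUG src/host.c:145: Found backend at /demo/
DEBUG src/task/task.c:227: FREEING TASK: 0x99445c0
"""

NEW_REQ = "request coming in from"
FREE_TASK = "FREEING TASK"
FAIL_RE = re.compile(r"Failed to serve file: (\S+)")
SSL_RE = re.compile(r"polarssl: \S+\(\d+\): (\w+)\(\) returned (-?\d+)")


def parse_failed_serves(log):
    """One record per failed file serve: the path plus the PolarSSL
    errors logged between that connection's request and its FREEING TASK."""
    results, current = [], None
    for line in log.splitlines():
        if NEW_REQ in line:
            current = {"path": None, "ssl_errors": []}
            continue
        if current is None:
            continue
        fail = FAIL_RE.search(line)
        if fail:
            current["path"] = fail.group(1)
        ssl = SSL_RE.search(line)
        if ssl:
            current["ssl_errors"].append((ssl.group(1), int(ssl.group(2))))
        if FREE_TASK in line:
            if current["path"] is not None:
                results.append(current)
            current = None
    return results


def tls_write_failures(log):
    """Paths that failed while PolarSSL could not flush output (this report)."""
    return [r["path"] for r in parse_failed_serves(log)
            if any(fn == "ssl_flush_output" for fn, _ in r["ssl_errors"])]
```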

Re: [mongrel2] SSL not working with Dir

From:
Zed A. Shaw
Date:
2011-07-13 @ 17:18
On Tue, Jul 12, 2011 at 10:18:54AM +0200, Loic d'Anterroches wrote:
> Hello,
> 
> on current develop, SSL is not working on a Dir route. To reproduce:

Can you pull again?  There was a bug in some code Tordek pushed that I
just fixed.  I've been thrashing the Dir and Handlers with it this
morning and it works.

-- 
Zed A. Shaw
http://zedshaw.com/

Re: [mongrel2] SSL not working with Dir

From:
Tordek
Date:
2011-07-12 @ 18:21
On 12/07/11 05:18, Loic d'Anterroches wrote:
> Hello,
>
> on current develop, SSL is not working on a Dir route. To reproduce:
> I hope this can help debug/reproduce the issue.

I cannot reproduce; both Dir and Handlers work fine on my side.

Can I request you to change

src/io.c:220: if(level < 2) {

to a higher value, to get more detailed debug info from polarssl?

>
> loïc
>
>


-- 
Guillermo O. «Tordek» Freschi. Programmer, Writer, Evil Genius.
http://tordek.com.ar :: http://twitter.com/tordek
http://www.arcanopedia.com.ar - Role-playing games in Argentina