Problem with: Apache/2.0.36 (Unix) mod_ssl/2.0.36 OpenSSL/0.9.6d

Post by Harley Puthuf » Wed, 05 Jun 2002 10:58:48



I used to use Apache 1.3.19 and Apache SSL without any problem. After
installing Apache v.2, though, I get sporadic 'hangs' when a client switches
from an http page to an https page. I see in the ssl_engine_log that mutex
is mentioned a lot. I've tried different options for the SSLMutex directive,
but it doesn't seem to make the warning go away.

This is what I'm using now:

SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_gcache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      /usr/local/apache2/logs/ssl_engine_log
SSLLogLevel info

And this is an example of what happens according to the SSL log. The first
connection succeeded, the second one hung up:

[03/Jun/2002 18:37:03 03630] [info]  Connection to child 19 established
(server www.astdgoldengate.org:443, client 12.236.195.38)
[03/Jun/2002 18:37:03 03630] [info]  Seeding PRNG with 136 bytes of entropy
[03/Jun/2002 18:37:03 03630] [warn]  Failed to acquire global mutex lock
[03/Jun/2002 18:37:03 03630] [warn]  Failed to release global mutex lock
[03/Jun/2002 18:37:03 03630] [info]  Connection: Client IP: 12.236.195.38,
Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[03/Jun/2002 18:37:03 03630] [info]  Initial (No.1) HTTPS request received
for child 19 (server www.astdgoldengate.org:443)
[03/Jun/2002 18:37:19 03630] [info]  Connection to child 19 closed with
standard shutdown(server www.astdgoldengate.org:443, client 12.236.195.38)
[03/Jun/2002 18:40:49 03642] [info]  Connection to child 25 established
(server www.astdgoldengate.org:443, client 12.236.195.38)
[03/Jun/2002 18:40:49 03642] [info]  Seeding PRNG with 136 bytes of entropy
[03/Jun/2002 18:40:49 03642] [warn]  Failed to acquire global mutex lock
[03/Jun/2002 18:40:49 03642] [warn]  Failed to release global mutex lock

I'd appreciate any input anyone has with a similar scenario.

Thanks,

/s/ Harley Puthuff
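
Added example (not part of the original post): a small Python triage script for the ssl_engine_log excerpt above. It re-joins the wrapped lines, tracks each connection by server pid, and separates connections that logged the mutex warnings but still completed from those with no handshake line after the warnings, which is the hang described. The function names and status labels are assumptions of this example.

```python
import re

# Log lines quoted in the post above, mail-wrapped continuation lines included.
SAMPLE_LOG = """\
[03/Jun/2002 18:37:03 03630] [info]  Connection to child 19 established
(server www.astdgoldengate.org:443, client 12.236.195.38)
[03/Jun/2002 18:37:03 03630] [info]  Seeding PRNG with 136 bytes of entropy
[03/Jun/2002 18:37:03 03630] [warn]  Failed to acquire global mutex lock
[03/Jun/2002 18:37:03 03630] [warn]  Failed to release global mutex lock
[03/Jun/2002 18:37:03 03630] [info]  Connection: Client IP: 12.236.195.38,
Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[03/Jun/2002 18:37:03 03630] [info]  Initial (No.1) HTTPS request received
for child 19 (server www.astdgoldengate.org:443)
[03/Jun/2002 18:37:19 03630] [info]  Connection to child 19 closed with
standard shutdown(server www.astdgoldengate.org:443, client 12.236.195.38)
[03/Jun/2002 18:40:49 03642] [info]  Connection to child 25 established
(server www.astdgoldengate.org:443, client 12.236.195.38)
[03/Jun/2002 18:40:49 03642] [info]  Seeding PRNG with 136 bytes of entropy
[03/Jun/2002 18:40:49 03642] [warn]  Failed to acquire global mutex lock
[03/Jun/2002 18:40:49 03642] [warn]  Failed to release global mutex lock
"""

ENTRY = re.compile(r"^\[(\S+ \S+) (\d+)\] \[(\w+)\]\s+(.*)$")

def parse_entries(text):
    """Return [timestamp, pid, level, message] rows, re-joining wrapped lines."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            rows.append(list(m.groups()))
        elif rows and line.strip():
            rows[-1][3] += " " + line.strip()  # continuation of previous entry
    return rows

def triage(text):
    """Track each connection by server pid and classify how far it got."""
    conns, current = [], {}
    for ts, pid, level, msg in parse_entries(text):
        if msg.startswith("Connection to child") and "established" in msg:
            current[pid] = {"pid": pid, "start": ts, "mutex_warnings": 0,
                            "handshake": False, "closed": False}
            conns.append(current[pid])
        elif pid in current:
            c = current[pid]
            if level == "warn" and "global mutex lock" in msg:
                c["mutex_warnings"] += 1
            elif msg.startswith("Connection: Client IP"):
                c["handshake"] = True  # protocol/cipher line: handshake finished
            elif msg.startswith("Connection to child") and "closed" in msg:
                c["closed"] = True
                del current[pid]
    for c in conns:  # "stalled" = nothing logged after the mutex warnings
        c["status"] = "completed" if c["closed"] else "open" if c["handshake"] else "stalled"
    return conns

if __name__ == "__main__":
    for c in triage(SAMPLE_LOG):
        print(c["start"], "pid", c["pid"], c["status"], "warnings:", c["mutex_warnings"])
```

Both connections log the same two warnings, so the warning count alone does not identify a hang; the missing handshake line does.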

 
 
 

Post by Jan P. Sorense » Wed, 05 Jun 2002 13:18:58


Well known error at least on Mandrake 8.2

Try: SSLMutex none

Jan


> I used to use Apache 1.3.19 and Apache SSL without any problem. After
> installing Apache v.2, though, I get sporadic 'hangs' when a client switches
> from an http page to an https page. I see in the ssl_engine_log that mutex
> is mentioned a lot. I've tried different options for the SSLMutex directive,
> but it doesn't seem to make the warning go away.

> This is what I'm using now:

> SSLPassPhraseDialog  builtin
> SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_gcache
> SSLSessionCacheTimeout  300
> SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLLog      /usr/local/apache2/logs/ssl_engine_log
> SSLLogLevel info

> And this is an example of what happens according to the SSL log. The first
> connection succeeded, the second one hung up:

> [03/Jun/2002 18:37:03 03630] [info]  Connection to child 19 established
> (server www.astdgoldengate.org:443, client 12.236.195.38)
> [03/Jun/2002 18:37:03 03630] [info]  Seeding PRNG with 136 bytes of entropy
> [03/Jun/2002 18:37:03 03630] [warn]  Failed to acquire global mutex lock
> [03/Jun/2002 18:37:03 03630] [warn]  Failed to release global mutex lock
> [03/Jun/2002 18:37:03 03630] [info]  Connection: Client IP: 12.236.195.38,
> Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
> [03/Jun/2002 18:37:03 03630] [info]  Initial (No.1) HTTPS request received
> for child 19 (server www.astdgoldengate.org:443)
> [03/Jun/2002 18:37:19 03630] [info]  Connection to child 19 closed with
> standard shutdown(server www.astdgoldengate.org:443, client 12.236.195.38)
> [03/Jun/2002 18:40:49 03642] [info]  Connection to child 25 established
> (server www.astdgoldengate.org:443, client 12.236.195.38)
> [03/Jun/2002 18:40:49 03642] [info]  Seeding PRNG with 136 bytes of entropy
> [03/Jun/2002 18:40:49 03642] [warn]  Failed to acquire global mutex lock
> [03/Jun/2002 18:40:49 03642] [warn]  Failed to release global mutex lock

> I'd appreciate any input anyone has with a similar scenario.

> Thanks,

> /s/ Harley Puthuff


 
 
 

Post by Ken Rose » Thu, 06 Jun 2002 04:21:43


I also am experiencing the same problem as Harley on my Redhat 7.3 box.
 I tried updating from OpenSSL 9.6b to 9.6d to fix it but that didn't work.

Jan's fix of  "SSLMutex none" does solve the problem for me but I'd like
to learn more about the consequences of eliminating the mutexes.  Can
someone provide more detail on this issue?


>Well known error at least on Mandrake 8.2

>Try: SSLMutex none

>Jan


>>I used to use Apache 1.3.19 and Apache SSL without any problem. After
>>installing Apache v.2, though, I get sporadic 'hangs' when a client switches
>>from an http page to an https page. I see in the ssl_engine_log that mutex
>>is mentioned a lot. I've tried different options for the SSLMutex directive,
>>but it doesn't seem to make the warning go away.

>>This is what I'm using now:

>>SSLPassPhraseDialog  builtin
>>SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_gcache
>>SSLSessionCacheTimeout  300
>>SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
>>SSLRandomSeed startup builtin
>>SSLRandomSeed connect builtin
>>SSLLog      /usr/local/apache2/logs/ssl_engine_log
>>SSLLogLevel info

>>And this is an example of what happens according to the SSL log. The first
>>connection succeeded, the second one hung up:

>>[03/Jun/2002 18:37:03 03630] [info]  Connection to child 19 established
>>(server www.astdgoldengate.org:443, client 12.236.195.38)
>>[03/Jun/2002 18:37:03 03630] [info]  Seeding PRNG with 136 bytes of entropy
>>[03/Jun/2002 18:37:03 03630] [warn]  Failed to acquire global mutex lock
>>[03/Jun/2002 18:37:03 03630] [warn]  Failed to release global mutex lock
>>[03/Jun/2002 18:37:03 03630] [info]  Connection: Client IP: 12.236.195.38,
>>Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
>>[03/Jun/2002 18:37:03 03630] [info]  Initial (No.1) HTTPS request received
>>for child 19 (server www.astdgoldengate.org:443)
>>[03/Jun/2002 18:37:19 03630] [info]  Connection to child 19 closed with
>>standard shutdown(server www.astdgoldengate.org:443, client 12.236.195.38)
>>[03/Jun/2002 18:40:49 03642] [info]  Connection to child 25 established
>>(server www.astdgoldengate.org:443, client 12.236.195.38)
>>[03/Jun/2002 18:40:49 03642] [info]  Seeding PRNG with 136 bytes of entropy
>>[03/Jun/2002 18:40:49 03642] [warn]  Failed to acquire global mutex lock
>>[03/Jun/2002 18:40:49 03642] [warn]  Failed to release global mutex lock

>>I'd appreciate any input anyone has with a similar scenario.

>>Thanks,

>>/s/ Harley Puthuff

 
 
 

Post by Thomas Gagn » Thu, 06 Jun 2002 04:48:36


I'm having a similar problem with hangs using 2.0.36, but
didn't know it may have been caused by going from http: to
https:.  Regardless, I noticed my SSLMutex setting was
file:logs/ssl_mutex.  The documentation doesn't say the file
must exist, and on my system it didn't exist before
'startssl' and it didn't exist after 'startssl'.  I'm
curious if anyone else noticed that.

Also, if "SSLMutex none" fixes it, I wonder if "SSLMutex
sem" could similarly fix it.  Is it just a problem with file:?


> I also am experiencing the same problem as Harley on my Redhat 7.3 box.
> I tried updating from OpenSSL 9.6b to 9.6d to fix it but that didn't work.

> Jan's fix of  "SSLMutex none" does solve the problem for me but I'd like
> to learn more about the consequences of eliminating the mutexes.  Can
> someone provide more detail on this issue?


>> Well known error at least on Mandrake 8.2

>> Try: SSLMutex none

>> Jan


>>> I used to use Apache 1.3.19 and Apache SSL without any problem. After
>>> installing Apache v.2, though, I get sporadic 'hangs' when a client
>>> switches
>>> from an http page to an https page. I see in the ssl_engine_log that
>>> mutex
>>> is mentioned a lot. I've tried different options for the SSLMutex
>>> directive,
>>> but it doesn't seem to make the warning go away.

>>> This is what I'm using now:

>>> SSLPassPhraseDialog  builtin
>>> SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_gcache
>>> SSLSessionCacheTimeout  300
>>> SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
>>> SSLRandomSeed startup builtin
>>> SSLRandomSeed connect builtin
>>> SSLLog      /usr/local/apache2/logs/ssl_engine_log
>>> SSLLogLevel info

>>> And this is an example of what happens according to the SSL log. The
>>> first
>>> connection succeeded, the second one hung up:

>>> [03/Jun/2002 18:37:03 03630] [info]  Connection to child 19 established
>>> (server www.astdgoldengate.org:443, client 12.236.195.38)
>>> [03/Jun/2002 18:37:03 03630] [info]  Seeding PRNG with 136 bytes of
>>> entropy
>>> [03/Jun/2002 18:37:03 03630] [warn]  Failed to acquire global mutex lock
>>> [03/Jun/2002 18:37:03 03630] [warn]  Failed to release global mutex lock
>>> [03/Jun/2002 18:37:03 03630] [info]  Connection: Client IP:
>>> 12.236.195.38,
>>> Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
>>> [03/Jun/2002 18:37:03 03630] [info]  Initial (No.1) HTTPS request
>>> received
>>> for child 19 (server www.astdgoldengate.org:443)
>>> [03/Jun/2002 18:37:19 03630] [info]  Connection to child 19 closed with
>>> standard shutdown(server www.astdgoldengate.org:443, client
>>> 12.236.195.38)
>>> [03/Jun/2002 18:40:49 03642] [info]  Connection to child 25 established
>>> (server www.astdgoldengate.org:443, client 12.236.195.38)
>>> [03/Jun/2002 18:40:49 03642] [info]  Seeding PRNG with 136 bytes of
>>> entropy
>>> [03/Jun/2002 18:40:49 03642] [warn]  Failed to acquire global mutex lock
>>> [03/Jun/2002 18:40:49 03642] [warn]  Failed to release global mutex lock

>>> I'd appreciate any input anyone has with a similar scenario.

>>> Thanks,

>>> /s/ Harley Puthuff

--
.tom
 
 
 

Post by RE_Admi » Fri, 07 Jun 2002 07:30:26



> I'm having a similar problem with hangs using 2.0.36, but
> didn't know it may have been caused by going from http: to
> https:.  Regardless, I noticed my SSLMutex setting was
> file:logs/ssl_mutex.  The documentation doesn't say the file
> must exist, and on my system it didn't exist before
> 'startssl' and it didn't exist after 'startssl'.  I'm
> curious if anyone else noticed that.

> Also, if "SSLMutex none" fixes it, I wonder if "SSLMutex
> sem" could similarly fix it.  Is it just a problem with file:?

I was having the same hang problem, and noticed a mutex-related error in my
ssl_engine_log file. I also had no ssl_mutex file, and touching one didn't
help. I just added the SSLMutex none directive to my httpd.conf file.
Hopefully, that will do the trick.

Thanks
-Loren


> > I also am experiencing the same problem as Harley on my Redhat 7.3 box.
> > I tried updating from OpenSSL 9.6b to 9.6d to fix it but that didn't work.

> > Jan's fix of  "SSLMutex none" does solve the problem for me but I'd like
> > to learn more about the consequences of eliminating the mutexes.  Can
> > someone provide more detail on this issue?


> >> Well known error at least on Mandrake 8.2

> >> Try: SSLMutex none

> >> Jan


> >>> I used to use Apache 1.3.19 and Apache SSL without any problem. After
> >>> installing Apache v.2, though, I get sporadic 'hangs' when a client
> >>> switches
> >>> from an http page to an https page. I see in the ssl_engine_log that
> >>> mutex
> >>> is mentioned a lot. I've tried different options for the SSLMutex
> >>> directive,
> >>> but it doesn't seem to make the warning go away.

> >>> This is what I'm using now:

> >>> SSLPassPhraseDialog  builtin
> >>> SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_gcache
> >>> SSLSessionCacheTimeout  300
> >>> SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
> >>> SSLRandomSeed startup builtin
> >>> SSLRandomSeed connect builtin
> >>> SSLLog      /usr/local/apache2/logs/ssl_engine_log
> >>> SSLLogLevel info

> >>> And this is an example of what happens according to the SSL log. The
> >>> first
> >>> connection succeeded, the second one hung up:

> >>> [03/Jun/2002 18:37:03 03630] [info]  Connection to child 19 established
> >>> (server www.astdgoldengate.org:443, client 12.236.195.38)
> >>> [03/Jun/2002 18:37:03 03630] [info]  Seeding PRNG with 136 bytes of
> >>> entropy
> >>> [03/Jun/2002 18:37:03 03630] [warn]  Failed to acquire global mutex lock
> >>> [03/Jun/2002 18:37:03 03630] [warn]  Failed to release global mutex lock
> >>> [03/Jun/2002 18:37:03 03630] [info]  Connection: Client IP:
> >>> 12.236.195.38,
> >>> Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
> >>> [03/Jun/2002 18:37:03 03630] [info]  Initial (No.1) HTTPS request
> >>> received
> >>> for child 19 (server www.astdgoldengate.org:443)
> >>> [03/Jun/2002 18:37:19 03630] [info]  Connection to child 19 closed with
> >>> standard shutdown(server www.astdgoldengate.org:443, client
> >>> 12.236.195.38)
> >>> [03/Jun/2002 18:40:49 03642] [info]  Connection to child 25 established
> >>> (server www.astdgoldengate.org:443, client 12.236.195.38)
> >>> [03/Jun/2002 18:40:49 03642] [info]  Seeding PRNG with 136 bytes of
> >>> entropy
> >>> [03/Jun/2002 18:40:49 03642] [warn]  Failed to acquire global mutex lock
> >>> [03/Jun/2002 18:40:49 03642] [warn]  Failed to release global mutex lock

> >>> I'd appreciate any input anyone has with a similar scenario.

> >>> Thanks,

> >>> /s/ Harley Puthuff

> --
> .tom

 
 
 

Post by Harley Puthuf » Sat, 08 Jun 2002 06:53:08


Jan's solution for SSLMutex None worked great for me. I found it interesting
that at least one other administrator experiencing this problem was running
RedHat 7.3, although I don't think it's a problem particular to that
release.

As far as the effect of SSLMutex None, according to the documentation there
is the possibility of getting a scrambled entry in the cache because of the
inability to prevent simultaneous update via the mutex toggle. So far I
haven't seen any evidence of this happening, but it probably would if my
port 443 virtual domains were more active. In that case, I probably would
drop caching as well and live with the slower speed.

/s/ Harley Puthuff

 
 
 

Post by Thomas Gagn » Tue, 11 Jun 2002 22:42:53


So if caching is off (as it is on our box) folks should be
fine until a patch is available?  Sounds palatable.


> Jan's solution for SSLMutex None worked great for me. I found it interesting
> that at least one other administrator experiencing this problem was running
> RedHat 7.3, although I don't think it's a problem particular to that
> release.

> As far as the effect of SSLMutex None, according to the documentation there
> is the possibility of getting a scrambled entry in the cache because of the
> inability to prevent simultaneous update via the mutex toggle. So far I
> haven't seen any evidence of this happening, but it probably would if my
> port 443 virtual domains were more active. In that case, I probably would
> drop caching as well and live with the slower speed.

> /s/ Harley Puthuff

--
.tom
 
 
 

Post by Kevin Capora » Wed, 19 Jun 2002 05:03:47


-- Hello to all the SSLMutex folks.
I hate to sound like a broken record...
I am using:
   - Apache/2.0.36 (I built the httpd)
   - mod_ssl that came with 2.0.36
   - Platform QNX 6.1
   - OpenSSL/0.9.6a (ported for QNX)

I get the following error in the error_log when running apachectl sslstart

[error] mod_ssl: Cannot create SSLMutex file `/usr/local/apache2/logs/ssl_mutex.90001452'
Configuration Failed

while trying to use the directive -->  SSLMutex file:logs/ssl_mutex
I was *also* able to make this error go away by using --> SSLMutex none

Let me get to my point:
I have read websites, FAQs, source code, etc. and I find no
relevant explanation as to why this happens.  Has anyone reading this post
found a solution for using file type mutexes under our scenarios?

Well, I may have found something in the source that deals with a
#DEFINE APR_HAS_THREADS and whether or not it is correctly defined,
but it'll take more investigation and a few re-compiles before I can
accurately tell if this is an issue.

Good Luck to all of us and thanks in advance.
$Kevin


> So if caching is off (as it is on our box) folks should be
> fine until a patch is available?  Sounds palatable.


> > Jan's solution for SSLMutex None worked great for me. I found it interesting
> > that at least one other administrator experiencing this problem was running
> > RedHat 7.3, although I don't think it's a problem particular to that
> > release.

> > As far as the effect of SSLMutex None, according to the documentation there
> > is the possibility of getting a scrambled entry in the cache because of the
> > inability to prevent simultaneous update via the mutex toggle. So far I
> > haven't seen any evidence of this happening, but it probably would if my
> > port 443 virtual domains were more active. In that case, I probably would
> > drop caching as well and live with the slower speed.

> > /s/ Harley Puthuff
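
Added example (not code from the thread or from the Apache project): a Python check of the two points raised in the posts above, namely that `SSLMutex none` leaves an enabled `SSLSessionCache` open to simultaneous updates, and that a `file:` mutex needs a lock directory the server can create files in. The function names, the finding labels and the assumption that both directives default to `none` when absent are this example's own.

```python
import os
import tempfile

def read_directives(conf_text):
    """Map lower-cased directive name -> argument string (last one wins)."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def check_ssl_mutex(conf_text, server_root):
    """Return a list of findings for the SSLMutex / SSLSessionCache pairing."""
    d = read_directives(conf_text)
    # Assumption: both directives default to "none" when they are absent.
    mutex = d.get("sslmutex", "none")
    cache = d.get("sslsessioncache", "none")
    findings = []
    if mutex.lower() == "none" and cache.lower() != "none":
        findings.append("cache-without-mutex: %s is updated by several server "
                        "processes with no lock" % cache)
    if mutex.lower().startswith("file:"):
        path = mutex[len("file:"):]
        if not os.path.isabs(path):
            path = os.path.join(server_root, path)  # relative to ServerRoot
        lock_dir = os.path.dirname(path)
        # The lock file carries a numeric suffix (ssl_mutex.90001452 in the
        # error quoted above), so the directory must exist and be writable.
        if not os.path.isdir(lock_dir):
            findings.append("mutex-dir-missing: %s" % lock_dir)
        elif not os.access(lock_dir, os.W_OK):
            findings.append("mutex-dir-not-writable: %s" % lock_dir)
    return findings

def demo():
    """Run the check on constructed configs under a temporary ServerRoot."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "logs"))
    cache = "SSLSessionCache dbm:%s/logs/ssl_gcache\n" % root
    return {
        "file_ok": check_ssl_mutex(cache + "SSLMutex file:logs/ssl_mutex\n", root),
        "none_with_cache": check_ssl_mutex(cache + "SSLMutex none\n", root),
        "none_no_cache": check_ssl_mutex("SSLSessionCache none\nSSLMutex none\n", root),
        "missing_dir": check_ssl_mutex("SSLMutex file:run/ssl_mutex\n", root),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

`os.access` tests the account running the script, so run it as the user that starts httpd. A clean result only rules out the filesystem as the cause of the "Cannot create SSLMutex file" error.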

 
 
 
