Mailing List Archive

[Bug 66036] pkcs#11: parent httpd not issuing C_Login() after graceful reload causing on-going connections to fail SSL/TLS handshake
https://bz.apache.org/bugzilla/show_bug.cgi?id=66036

Joe Orton <jorton@redhat.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO

--- Comment #1 from Joe Orton <jorton@redhat.com> ---
Interesting. mod_ssl does not speak PKCS#11 directly, OpenSSL handles that, and
mod_ssl should be destroying and recreating the SSL_CTX over a reload of the
parent so I am not sure what more we should be doing.

I'm not sure what you mean by "no worker context shall issue a C_Login" - do
you mean that is what you observed (nothing did a C_Login), or that is what
should happen but isn't? You may need to report this to OpenSSL to get more
help.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

Alex Ciobotaru <alex.ciobotaru@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW

--- Comment #2 from Alex Ciobotaru <alex.ciobotaru@gmail.com> ---
> I'm not sure what you mean by "no worker context shall issue a C_Login" - do you mean that is what you observed (nothing did a C_Login)

Correct. Doing a reload does not yield any C_Login(), but the new reloaded
context considers the application already initialized/logged in and just does
the C_Sign() call, yielding CKR_USER_NOT_LOGGED_IN.

So it seems there is a difference between the restart and reload logic of the
httpd service, and I suspect it has to do with pkcs#11 engine fork detection
when reloading versus restarting.

From the Graceful Restart section of
https://httpd.apache.org/docs/2.4/stopping.html it seems that the post-reload
children forget to C_Login().

For example, starting the httpd as a Type=oneshot service yields the same
result (i.e. CKR_USER_NOT_LOGGED_IN) but as Type=forking it works.

> Interesting. mod_ssl does not speak PKCS#11 directly, OpenSSL handles that
Correct, but a forking NGINX for example handles this correctly.

True. For differential diagnosis I compared the same openssl/libp11
infrastructure with NGINX's SSL/TLS graceful reload mechanism, and it works as
expected: it re-issues the C_Login().

Is this in the wrong component category?


--- Comment #3 from Alex Ciobotaru <alex.ciobotaru@gmail.com> ---
To clarify the generic blocks in the pkcs#11 setup:

OpenSSL client (NGINX/HTTPD) ---> OpenSSL ---> OpenSSL pkcs#11 engine --->
pkcs#11 token

The difference here is in how the clients behave at graceful reload.


--- Comment #4 from Joe Orton <jorton@redhat.com> ---
From mod_ssl's perspective there is not any behavioural difference between a
graceful and non-graceful restart (AFAIK anyway), it will do the same
deinit/init in both cases, which makes it interesting that graceful is
different.

What might be different in practice is whether previously forked children keep
handles open to the PKCS#11 token (via an active SSL_CTX) in the graceful case,
which could make a difference somehow.


--- Comment #5 from Joe Orton <jorton@redhat.com> ---
(In reply to Alex Ciobotaru from comment #2)
> For example, starting the httpd as a Type=oneshot service yields the same
> result (i.e. CKR_USER_NOT_LOGGED_IN) but as Type=forking it works.

Assuming you are talking about systemd service types there, I'm not sure why
that would make any difference to the httpd behaviour either, so that would
need deeper investigation.


Alex Ciobotaru <alex.ciobotaru@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Component|mod_ssl |Core


--- Comment #6 from Alex Ciobotaru <alex.ciobotaru@gmail.com> ---
Assigning to Core since this reproduces with both mpm_prefork or mpm_worker
modules when doing a service reload.


--- Comment #7 from Yann Ylavic <ylavic.dev@gmail.com> ---
Alex, what do you call a restart (non-graceful): is it -k restart or a
stop+start?


--- Comment #8 from Alex Ciobotaru <alex.ciobotaru@gmail.com> ---
Hi, configuration below.

----------------------
[Service]
Type=notify
Environment=LANG=C

ExecStart=/usr/sbin/httpd $OPTIONS -k start
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
----------------------

So the issue is seen at `systemctl reload httpd` which invokes the httpd
`graceful` action.

Restart is `systemctl restart httpd`.


--- Comment #9 from Alex Ciobotaru <alex.ciobotaru@gmail.com> ---
Apologies, it is Type=forking above otherwise it would not work with pkcs#11.


--- Comment #10 from Yann Ylavic <ylavic.dev@gmail.com> ---
(In reply to Alex Ciobotaru from comment #8)
>
> Restart is `systemctl restart httpd`.

Supposedly this issues a stop+start then? Sorry, I'm no systemd expert and don't
see an ExecRestart in your configuration.

What if you replace the "-k graceful" with "-k restart" in ExecReload?


--- Comment #11 from Yann Ylavic <ylavic.dev@gmail.com> ---
(In reply to Yann Ylavic from comment #10)
>
> What if you replace the "-k graceful" with "-k restart" in ExecReload?

Possibly you'd need to replace SIGWINCH with SIGHUP too, dunno.


--- Comment #12 from Alex Ciobotaru <alex.ciobotaru@gmail.com> ---
Ignoring systemd here for a bit.

Using the `apachectl` or `/usr/sbin/httpd` apps directly.

The `graceful` option (i.e. signal USR1), which is ideal for minimizing
downtime, does not restart httpd correctly for pkcs#11.

The only workaround for minimizing downtime I found is to issue signal WINCH
(for gracefully ending on-going connections) and starting the server after a
sensible window (a few milliseconds).

Sending signal HUP (i.e. restart now) would kill current connections which
beats the point of the `graceful` feature in the first place.


Joe Orton <jorton@redhat.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Component|Core |mod_ssl

--- Comment #13 from Joe Orton <jorton@redhat.com> ---
Yes, a "systemctl restart" is just a stop/start so likely this is not unique to
graceful and it's the same with non-graceful and graceful restarts (which makes
far more sense). I will try to reproduce with softokn, are you using a hardware
token in this configuration?

(FWIW let's keep component on mod_ssl for now)


--- Comment #14 from Alex Ciobotaru <alex.ciobotaru@gmail.com> ---
Soft token. The pkcs#11 implementation is extensively validated and, as
mentioned, is used with other OpenSSL clients (i.e. NGINX) with the same
component stack.

So the steps are:

1. Install stock httpd and mod_ssl. I'm using it with the default mpm_prefork
2. Setup a minimal virtual host entry and populate the SSLCertificateKeyFile
with your pkcs#11 soft token server key URI
3. Issue /usr/sbin/httpd -k start (must start as forking otherwise we run into
the same issue). Alternatively use my systemd [Service] file from above
4. Test curl on your test domain and validate the Apache hello page
5. Issue /usr/sbin/httpd -k graceful (This would trigger in production when you
renew the certificate)
6. Test curl and notice the TLS error
7. Now /usr/sbin/httpd -k restart and notice that it works again

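The reload workaround described in comment #12 (SIGWINCH graceful stop, wait for
the old parent to exit, then start a new parent) together with the curl handshake
check used in the reproduction steps of comment #14, scripted as an added example.
This is not code from the bug report or from the httpd project; the PidFile path,
the start command and the test URL in the usage comment are assumptions, to be
replaced with the values of the deployment at hand.

```sh
#!/bin/sh
# Added example, not code from the bug report or from the httpd project.
# Scripts the comment #12 workaround (WINCH graceful stop, wait, fresh start) and
# the comment #14 curl check. Assumed, not stated in the thread: the PidFile path
# and the start command are passed in by the caller; the paths in the usage
# comment at the bottom are illustrative only.
set -eu

# True while PID $1 exists and is not a zombie. An exited-but-unreaped process
# still answers kill -0, so also inspect the state field of /proc/PID/stat.
pid_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        # The state is the first field after the ')' closing the comm field,
        # which may itself contain spaces, hence the sed instead of a cut.
        state=$(sed 's/^.*) //; s/ .*//' "/proc/$1/stat" 2>/dev/null || true)
        [ "$state" != "Z" ] || return 1
    fi
    return 0
}

# Poll until PID $1 is gone: at most $2 polls, sleeping $3 seconds in between.
# Integer seconds keep this POSIX; GNU sleep also accepts fractions such as 0.1.
wait_for_pid_exit() {
    polls=0
    while pid_alive "$1"; do
        polls=$((polls + 1))
        [ "$polls" -le "$2" ] || return 1
        sleep "$3"
    done
    return 0
}

# Graceful stop followed by a fresh start. Unlike "-k graceful" (SIGUSR1) the
# replacement parent is a brand-new process, so mod_ssl/OpenSSL initialise the
# PKCS#11 engine from scratch and C_Login() runs again, the same path as the
# stop+start / "-k restart" that the reporter observed to work. Refuses to start
# a second instance if the old parent is still draining connections when the
# poll budget runs out.
#   $1 pid file   $2 start command   $3 max polls (default 60)   $4 poll interval (default 1)
reload_via_winch() {
    pidfile=$1; start_cmd=$2; max_polls=${3:-60}; interval=${4:-1}
    [ -r "$pidfile" ] || { echo "reload_via_winch: cannot read $pidfile" >&2; return 2; }
    old_pid=$(cat "$pidfile")
    # Same signal the posted unit uses as KillSignal and that "-k graceful-stop" sends.
    if ! kill -WINCH "$old_pid" 2>/dev/null; then
        echo "reload_via_winch: no process $old_pid (stale pid file?); starting anyway" >&2
    fi
    if ! wait_for_pid_exit "$old_pid" "$max_polls" "$interval"; then
        echo "reload_via_winch: parent $old_pid still alive; not starting a second instance" >&2
        return 1
    fi
    sh -c "$start_cmd"    # e.g. /usr/sbin/httpd -k start
}

# Handshake check from the reproduction steps: succeeds only if a full TLS
# handshake and HTTP request against URL $1 complete within $2 seconds.
# When this fails right after a reload, look for CKR_USER_NOT_LOGGED_IN in
# the error_log.
tls_check() {
    curl -sS --fail -o /dev/null --max-time "${2:-5}" "$1"
}

# Usage (illustrative paths and hostname, run as the user that owns httpd):
#   tls_check https://www.example.test/ && \
#   reload_via_winch /run/httpd/httpd.pid '/usr/sbin/httpd -k start' 60 1 && \
#   tls_check https://www.example.test/
```

The poll budget is what makes the workaround safe to automate: under WINCH the old
parent lingers until its children have finished their keep-alive connections, and
starting a second parent before it exits would fail on the listening sockets, so
the script reports and stops instead. The downtime window is bounded by the poll
interval, which is why the reporter's "few milliseconds" needs a sleep that accepts
fractional seconds.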