[Issues] [mod_gnutls 0000095]: use of mod_gnutls creates maximum POST limit in Firefox
Mantis Bug Tracker
issues at outoforder.cc
Thu Sep 17 14:32:55 EDT 2009
A NOTE has been added to this issue.
======================================================================
http://issues.outoforder.cc/view.php?id=95
======================================================================
Reported By: nitro322
Assigned To:
======================================================================
Project: mod_gnutls
Issue ID: 95
Category: Other
Reproducibility: always
Severity: major
Priority: normal
Status: new
Apache Version: 2.2.10
======================================================================
Date Submitted: 2009-03-22 12:38 EDT
Last Modified: 2009-09-17 14:32 EDT
======================================================================
Summary: use of mod_gnutls creates maximum POST limit in
Firefox
Description:
Note: This is using version 0.5.4 of mod_gnutls, but there wasn't a choice
for that in the Product Version list.
I've come across a problem with mod_gnutls and Firefox that's rather
difficult to explain. After switching to mod_gnutls (from openssl), I
found that I could no longer edit any of the "long" posts on my Drupal site.
When clicking the submit button, Firefox would try to send the POST about
6 times, then give up and return a completely blank page.
Only edits over https were affected; edits over http worked fine. Other
browsers (Konqueror and Opera) also worked fine. It took a while to
troubleshoot, but I was able to narrow it down to a combination of
mod_gnutls and Firefox.
======================================================================
Total Sponsorship = US$ 5
2009-05-18 18:59: ZyanKLee (US$ 5)
======================================================================
----------------------------------------------------------------------
(0000142) nitro322 (reporter) - 2009-04-01 23:48
http://issues.outoforder.cc/view.php?id=95#c142
----------------------------------------------------------------------
This issue caused too many problems on my site, so I had to switch back to
mod_ssl. As a result, the test page I posted will no longer show the
problem (this issue doesn't exist with mod_ssl).
I'm going to have to stick with mod_ssl until this problem is resolved, as
I need to be able to POST data to my website. If I can do anything to help
troubleshoot this, feel free to ask; I'm very interested in this project,
and I've left my mod_gnutls configuration commented out in the hope that I
can switch over to it again some day.
----------------------------------------------------------------------
(0000143) jeff42 (reporter) - 2009-04-28 06:38
http://issues.outoforder.cc/view.php?id=95#c143
----------------------------------------------------------------------
I can semi-confirm this bug:
Only when I send large POST data with xulrunner-based browsers on Debian do I
encounter this bug.
Neither Firefox on Windows nor Firefox on Linux (downloaded from
Mozilla.com) seems to fail.
But also, when switching back to mod_ssl, everything works fine, so there must
also be a problem in mod_gnutls.
Addition: I was wrong about Firefox on Linux from Mozilla; this also fails.
----------------------------------------------------------------------
(0000145) ZyanKLee (reporter) - 2009-05-18 18:57
http://issues.outoforder.cc/view.php?id=95#c145
----------------------------------------------------------------------
I can confirm this problem.
On my side it's not Drupal but WordPress, but I guess this is less
important.
When I use mod_gnutls with apache2 and firefox3, I get the same behaviour
with big posts and edits as nitro322 described. After reverting to mod_ssl
everything works fine.
So I needed to stay with mod_ssl.
Some facts for reproducing:
SERVER x86:
# apache2 -version
Server version: Apache/2.2.11 (Unix)
# php --version
PHP 5.2.9-pl2-gentoo with Suhosin-Patch 0.9.7 (cli) (built: May 18 2009 21:06:41)
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
# gnutls-cli --version
gnutls-cli (GnuTLS) 2.6.6
# qlist -I -v | grep mod_gnutls
www-apache/mod_gnutls-0.5.3
CLIENT amd64:
Firefox:
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.0.10) Gecko/2009051307 Gentoo Firefox/3.0.10
$ openssl version
OpenSSL 0.9.8k 25 Mar 2009
$ gnutls-cli --version
gnutls-cli (GnuTLS) 2.6.6
Hope this helps.
----------------------------------------------------------------------
(0000146) marlowe (reporter) - 2009-06-07 18:11
http://issues.outoforder.cc/view.php?id=95#c146
----------------------------------------------------------------------
I can also confirm this bug. When attempting to send POST messages to
squirrelmail through mod_gnutls, the page returned is blank. This error
does not occur when connecting through IE. The error disappears when
using a non-Firefox browser, sending to http rather than https or using
mod_ssl rather than mod_gnutls.
----------------------------------------------------------------------
(0000149) ZyanKLee (reporter) - 2009-06-22 08:47
http://issues.outoforder.cc/view.php?id=95#c149
----------------------------------------------------------------------
Also reported at debian bugzilla:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513249
and in mozilla bugtracker:
https://bugzilla.mozilla.org/show_bug.cgi?id=490442
----------------------------------------------------------------------
(0000152) nmav (manager) - 2009-06-30 13:57
http://issues.outoforder.cc/view.php?id=95#c152
----------------------------------------------------------------------
Could I have a Wireshark capture of the data transferred when this error
happens? Also, compiling mod_gnutls with MOD_GNUTLS_DEBUG equal to 1 (change
mod_gnutls.h) will create /tmp/gnutls_debug that contains useful
information. Please send that to me or attach it here.
----------------------------------------------------------------------
(0000166) marlowe (reporter) - 2009-07-14 10:41
http://issues.outoforder.cc/view.php?id=95#c166
----------------------------------------------------------------------
I should be able to get this to you by the end of the week. Sorry I can't
get it to you sooner, but I am on the road the next couple of days.
----------------------------------------------------------------------
(0000178) speed47 (reporter) - 2009-08-30 17:40
http://issues.outoforder.cc/view.php?id=95#c178
----------------------------------------------------------------------
I've been having the same issue for a while; it took some time to track it down
to modgnutls! :)
I just grabbed the latest modgnutls stable version (0.5.5) and compiled it
against Apache 2.2.11, GnuTLS 2.6.6, with SRP auth disabled.
I have also set MOD_GNUTLS_DEBUG to 1 before compiling.
The first HTTP POST has been done with Firefox 3.5.2 (plain Fedora 11
version), with just enough data in the POST to make the described issue
happen (blank page, POST fail). The resulting Wireshark capture and
/tmp/gnutls_debug are:
modgnutls_firefox_bigpost_doesntwork.cap
modgnutls_firefox_bigpost_doesntwork.txt
The second HTTP POST has been done with Konqueror 4.3, with exactly the
same data as the previous one (with Firefox). This one worked correctly.
The files are:
modgnutls_konqueror_bigpost_works.cap
modgnutls_konqueror_bigpost_works.txt
The last HTTP POST has been done with Firefox, but lowering a bit the
amount of data transmitted over the HTTP POST, preventing the issue from
arising. The files are:
modgnutls_firefox_littlepost_works.cap
modgnutls_firefox_littlepost_works.txt
If any other test case could be of any use, just ask.
Hope you will successfully track down this bug! :)
----------------------------------------------------------------------
(0000181) nmav (manager) - 2009-09-13 04:36
http://issues.outoforder.cc/view.php?id=95#c181
----------------------------------------------------------------------
I cannot really get the reason of failure. It seems Firefox is resuming
session with gnutls and doesn't like something in the data exchange (sends
an alert). However it has closed the socket before and thus gnutls doesn't
decode the alert. Is something being printed by Firefox? Alternatively
could you send me the certificates/keys used for this session (if they are
real could you do it again with dummy ones?).
btw. Does this occur the same way with libgnutls 2.8.3?
----------------------------------------------------------------------
(0000183) speed47 (reporter) - 2009-09-13 07:16
http://issues.outoforder.cc/view.php?id=95#c183
----------------------------------------------------------------------
Thanks for taking the time to look into this weird issue.
When this happens, nothing is being printed by Firefox, it just displays a
blank page (as in "about:blank"). By the way, I'm now using the 3.5.3
Firefox version, but the behavior is still the same.
The .pem/.crt I used for the capture were indeed dummy ones, I'll attach
them to this bug.
And for libgnutls 2.8.3, I recompiled mod_gnutls against it, the issue
unfortunately still occurs.
----------------------------------------------------------------------
(0000184) nmav (manager) - 2009-09-13 08:20
http://issues.outoforder.cc/view.php?id=95#c184
----------------------------------------------------------------------
Thank you, but it seems Wireshark cannot decode resumed sessions. If you
can send me the capture of a session that is not resumed (e.g. by disabling
the resumed db file), it would be of help. Do you use a PHP file to reproduce
it? Could you send it to me so I can reproduce it locally?
----------------------------------------------------------------------
(0000185) speed47 (reporter) - 2009-09-13 09:13
http://issues.outoforder.cc/view.php?id=95#c185
----------------------------------------------------------------------
Wow. Now there is something new: I just disabled SSL session caching in my
apache config (GnuTLSCache None None), and... the issue disappears. I
tried to raise significantly the amount of POST data, in an attempt to
bump into the bug again, to no avail: it works flawlessly.
When I re-enable session caching, the first POST works (because we don't
have any cached session), but all the subsequent POSTs fail.
So we are now pretty sure it's about session resuming!
Attached is the PHP file I use to reproduce this bug. I've set NB_PADDING
to the lowest number to make the issue happen on my configuration (which
means around 3600 bytes of POST data). I'm not sure the amount of bytes is
the same for every configuration (nitro322 seems to have reported ~3200
bytes), so don't hesitate to tweak it.
----------------------------------------------------------------------
(0000186) speed47 (reporter) - 2009-09-13 19:12
http://issues.outoforder.cc/view.php?id=95#c186
----------------------------------------------------------------------
Okay, I'm now bumping again on this problem, even with session caching
entirely disabled (as it was in my previous comment). Not sure what this
means, but it might be more complicated than I thought...
----------------------------------------------------------------------
(0000191) nmav (manager) - 2009-09-17 14:32
http://issues.outoforder.cc/view.php?id=95#c191
----------------------------------------------------------------------
Hello, I haven't been able to set up a server to reproduce it due to some
engagements I currently have. However from your description, this looks
like a TLS protocol incompatibility, which I really cannot understand.
In case you can try before me, what I would like to know is whether there
is a ciphersuite combination where this works, and on which ciphersuites
it doesn't. For example try first enabling only TLS 1.1, then TLS 1.0 and
then SSL 3.0... then continue on ciphers by allowing only ARCFOUR, AES-128
etc etc.... It is really a strange error and quite strange to occur only on
large files.
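
The test plan nmav outlines in note 0000191 (one protocol version at a time, then one cipher at a time), written out as an added example that is not part of the original thread or of mod_gnutls. It assumes a mod_gnutls build that accepts the GnuTLSPriorities directive with GnuTLS priority-string tokens; the fixed key exchange, MAC and compression tokens and the sample results are assumptions constructed for illustration.

```python
from itertools import product

# Values named in note 0000191, as GnuTLS priority-string tokens.
PROTOCOLS = ["VERS-TLS1.1", "VERS-TLS1.0", "VERS-SSL3.0"]
CIPHERS = ["ARCFOUR-128", "AES-128-CBC"]
# Assumption: key exchange, MAC and compression are held constant so that
# only the protocol and cipher axes vary between test runs.
FIXED = ["RSA", "SHA1", "COMP-NULL"]


def priority_string(protocol, cipher):
    """Build a priority string that enables exactly one protocol and one cipher."""
    tokens = [protocol, cipher] + FIXED
    return "NONE:" + ":".join("+" + t for t in tokens)


def test_matrix():
    """One Apache directive line per (protocol, cipher) combination to try."""
    return [(p, c, "GnuTLSPriorities " + priority_string(p, c))
            for p, c in product(PROTOCOLS, CIPHERS)]


def summarize(results):
    """results maps (protocol, cipher) -> True if the large POST succeeded.

    For each axis, list the values whose every tested combination failed and
    those whose every tested combination worked, to show which axis matters.
    """
    summary = {}
    for axis, index in (("protocol", 0), ("cipher", 1)):
        by_value = {}
        for key, ok in results.items():
            by_value.setdefault(key[index], []).append(ok)
        summary[axis] = {
            "always_fails": sorted(v for v, oks in by_value.items() if not any(oks)),
            "always_works": sorted(v for v, oks in by_value.items() if all(oks)),
        }
    return summary


# Constructed results for illustration only; NOT observations from this issue.
SAMPLE_RESULTS = {(p, c): c != "AES-128-CBC" for p, c in product(PROTOCOLS, CIPHERS)}

if __name__ == "__main__":
    for protocol, cipher, directive in test_matrix():
        print(directive)
    print(summarize(SAMPLE_RESULTS))
```

Each printed directive goes into the virtual host in turn, followed by a restart and the large POST from Firefox; the observed outcome is then recorded in a dictionary shaped like SAMPLE_RESULTS.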
Issue History
Date Modified Username Field Change
======================================================================
2009-03-22 12:38 nitro322 New Issue
2009-03-22 12:38 nitro322 Apache Version => 2.2.10
2009-04-01 23:48 nitro322 Note Added: 0000142
2009-04-27 10:11 jeff42 Note Added: 0000143
2009-04-28 06:38 jeff42 Note Edited: 0000143
2009-04-29 02:20 jeff42 Issue Monitored: jeff42
2009-04-29 09:04 urkle version 0.4.0 => 0.5.4
2009-05-18 18:49 ZyanKLee Note Added: 0000145
2009-05-18 18:57 ZyanKLee Note Edited: 0000145
2009-05-18 18:59 ZyanKLee Sponsorship Added ZyanKLee: US$ 5
2009-05-18 18:59 ZyanKLee Sponsorship Total 0 => 5
2009-05-18 18:59 ZyanKLee Issue Monitored: ZyanKLee
2009-06-07 18:11 marlowe Note Added: 0000146
2009-06-22 08:30 ZyanKLee Tag Attached: apache2
2009-06-22 08:30 ZyanKLee Tag Attached: big packages
2009-06-22 08:30 ZyanKLee Tag Attached: error
2009-06-22 08:30 ZyanKLee Tag Attached: firefox
2009-06-22 08:30 ZyanKLee Tag Attached: mod_gnutls
2009-06-22 08:34 ZyanKLee Note Added: 0000149
2009-06-22 08:47 ZyanKLee Note Edited: 0000149
2009-06-30 13:57 nmav Note Added: 0000152
2009-06-30 14:15 nmav Issue Monitored: nmav
2009-07-14 10:41 marlowe Note Added: 0000166
2009-08-30 17:23 speed47 File Added: modgnutls_firefox_bigpost_doesntwork.cap
2009-08-30 17:23 speed47 File Added: modgnutls_firefox_bigpost_doesntwork.txt
2009-08-30 17:23 speed47 File Added: modgnutls_firefox_littlepost_works.cap
2009-08-30 17:24 speed47 File Added: modgnutls_firefox_littlepost_works.txt
2009-08-30 17:24 speed47 File Added: modgnutls_konqueror_bigpost_works.cap
2009-08-30 17:24 speed47 File Added: modgnutls_konqueror_bigpost_works.txt
2009-08-30 17:40 speed47 Note Added: 0000178
2009-08-30 17:43 speed47 Issue Monitored: speed47
2009-09-13 04:36 nmav Note Added: 0000181
2009-09-13 07:16 speed47 Note Added: 0000183
2009-09-13 07:19 speed47 File Added: certificates.zip
2009-09-13 08:20 nmav Note Added: 0000184
2009-09-13 09:13 speed47 Note Added: 0000185
2009-09-13 09:14 speed47 File Added: ffxbug.php
2009-09-13 19:12 speed47 Note Added: 0000186
2009-09-17 14:32 nmav Note Added: 0000191
======================================================================