[Issues] [mod_gnutls 0000095]: use of mod_gnutls creates maximum POST limit in Firefox

Mantis Bug Tracker issues at outoforder.cc
Mon Mar 15 17:43:24 EDT 2010


A NOTE has been added to this issue. 
====================================================================== 
http://issues.outoforder.cc/view.php?id=95 
====================================================================== 
Reported By:                nitro322
Assigned To:                
====================================================================== 
Project:                    mod_gnutls
Issue ID:                   95
Category:                   Other
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Apache Version:             2.2.10 
====================================================================== 
Date Submitted:             2009-03-22 12:38 EDT
Last Modified:              2010-03-15 17:43 EDT
====================================================================== 
Summary:                    use of mod_gnutls creates maximum POST limit in Firefox
Description: 
Note:  This is using version 0.5.4 of mod_gnutls, but there wasn't a choice
for that in the Product Version list.

I've come across a problem with mod_gnutls and Firefox that's rather
difficult to explain.  After switching to mod_gnutls (from openssl), I
found that I could no longer edit any of the "long" posts on my Drupal site.
When clicking the submit button, Firefox would try to send the POST about
6 times, then give up and return a completely blank page.

Only edits over https were affected; edits over http worked fine.  Other
browsers (Konqueror and Opera) also worked fine.  It took a while to
troubleshoot, but I was able to narrow it down to a combination of
mod_gnutls and Firefox.
====================================================================== 
Total Sponsorship = US$ 5

2009-05-18 18:59: ZyanKLee (US$ 5) 
====================================================================== 

---------------------------------------------------------------------- 
 (0000142) nitro322 (reporter) - 2009-04-01 23:48
 http://issues.outoforder.cc/view.php?id=95#c142 
---------------------------------------------------------------------- 
This issue caused too many problems on my site, so I had to switch back to
mod_ssl.  As a result, the test page I posted will no longer show the
problem (this issue doesn't exist with mod_ssl).

I'm going to have to stick with mod_ssl until this problem is resolved, as
I need to be able to POST data to my website.  If I can do anything to help
troubleshoot this, feel free to ask; I'm very interested in this project,
and I've left my mod_gnutls configuration commented out in the hope that I
can switch over to it again some day. 

---------------------------------------------------------------------- 
 (0000143) jeff42 (reporter) - 2009-04-28 06:38
 http://issues.outoforder.cc/view.php?id=95#c143 
---------------------------------------------------------------------- 
I can semi-confirm this bug:
Only when I send large POST data with xulrunner-based browsers on Debian do
I encounter this bug.
Neither Firefox on Windows nor Firefox on Linux (downloaded from
Mozilla.com) seems to fail.

But also, on switching back to mod_ssl everything works fine, so there must
also be a problem in mod_gnutls.

Addition: I was wrong about Firefox on Linux from Mozilla; this also fails.

 

---------------------------------------------------------------------- 
 (0000145) ZyanKLee (reporter) - 2009-05-18 18:57
 http://issues.outoforder.cc/view.php?id=95#c145 
---------------------------------------------------------------------- 
I can confirm this problem.
On my side it's not Drupal but WordPress, but I guess this is less
important.

When I use mod_gnutls with apache2 and firefox3, I get the same behaviour
with big posts and edits as nitro322 described. After reverting to mod_ssl
everything works fine.

So I needed to stay with mod_ssl.



Some facts for reproducing:


SERVER x86:

# apache2 -version
Server version: Apache/2.2.11 (Unix)

# php --version
PHP 5.2.9-pl2-gentoo with Suhosin-Patch 0.9.7 (cli) (built: May 18 2009
21:06:41)
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

# gnutls-cli --version
gnutls-cli (GnuTLS) 2.6.6

# qlist -I -v | grep mod_gnutls
www-apache/mod_gnutls-0.5.3



CLIENT amd64:

Firefox:
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.0.10) Gecko/2009051307
Gentoo Firefox/3.0.10

$ openssl version
OpenSSL 0.9.8k 25 Mar 2009

$ gnutls-cli --version
gnutls-cli (GnuTLS) 2.6.6




Hope this helps.

 

---------------------------------------------------------------------- 
 (0000146) marlowe (reporter) - 2009-06-07 18:11
 http://issues.outoforder.cc/view.php?id=95#c146 
---------------------------------------------------------------------- 
I can also confirm this bug.  When attempting to send POST messages to
squirrelmail through mod_gnutls, the page returned is blank.  This error
does not occur when connecting through IE.  The error disappears when
using a non-Firefox browser, sending to http rather than https or using
mod_ssl rather than mod_gnutls. 

---------------------------------------------------------------------- 
 (0000149) ZyanKLee (reporter) - 2009-06-22 08:47
 http://issues.outoforder.cc/view.php?id=95#c149 
---------------------------------------------------------------------- 
Also reported at Debian bugzilla:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513249

and in the Mozilla bugtracker:
https://bugzilla.mozilla.org/show_bug.cgi?id=490442

 

---------------------------------------------------------------------- 
 (0000152) nmav (manager) - 2009-06-30 13:57
 http://issues.outoforder.cc/view.php?id=95#c152 
---------------------------------------------------------------------- 
Could I have a Wireshark capture of the data transferred when this error
happens? Also, compiling mod_gnutls with MOD_GNUTLS_DEBUG equal to 1 (change
mod_gnutls.h) will create /tmp/gnutls_debug, which contains useful
information. Please send that to me or attach it here.

---------------------------------------------------------------------- 
 (0000166) marlowe (reporter) - 2009-07-14 10:41
 http://issues.outoforder.cc/view.php?id=95#c166 
---------------------------------------------------------------------- 
I should be able to get this to you by the end of the week.  Sorry I can't
get it to you sooner, but I am on the road the next couple of days. 

---------------------------------------------------------------------- 
 (0000178) speed47 (reporter) - 2009-08-30 17:40
 http://issues.outoforder.cc/view.php?id=95#c178 
---------------------------------------------------------------------- 
I've been having the same issue for a while; it took some time to track it
down to mod_gnutls! :)

I just grabbed the latest mod_gnutls stable version (0.5.5) and compiled it
against Apache 2.2.11, GnuTLS 2.6.6, with SRP auth disabled.
I have also set MOD_GNUTLS_DEBUG to 1 before compiling.

The first HTTP POST has been done with Firefox 3.5.2 (plain Fedora 11
version), with just enough data in the POST to make the described issue
happen (blank page, POST fail). The resulting Wireshark capture and
/tmp/gnutls_debug are:

modgnutls_firefox_bigpost_doesntwork.cap
modgnutls_firefox_bigpost_doesntwork.txt

The second HTTP POST has been done with Konqueror 4.3, with exactly the
same data as the previous one (with Firefox). This one worked correctly.
The files are:

modgnutls_konqueror_bigpost_works.cap
modgnutls_konqueror_bigpost_works.txt

The last HTTP POST has been done with Firefox, but lowering a bit the
amount of data transmitted over the HTTP POST, preventing the issue from
arising. The files are:

modgnutls_firefox_littlepost_works.cap
modgnutls_firefox_littlepost_works.txt

If any other test case could be of any use, just ask.

Hope you will successfully track down this bug! :) 

---------------------------------------------------------------------- 
 (0000181) nmav (manager) - 2009-09-13 04:36
 http://issues.outoforder.cc/view.php?id=95#c181 
---------------------------------------------------------------------- 
I cannot really get the reason for the failure. It seems Firefox is resuming
the session with GnuTLS and doesn't like something in the data exchange
(sends an alert). However, it has closed the socket before and thus GnuTLS
doesn't decode the alert. Is something being printed by Firefox?
Alternatively, could you send me the certificates/keys used for this session
(if they are real, could you do it again with dummy ones?).


Btw, does this occur the same way with libgnutls 2.8.3?

---------------------------------------------------------------------- 
 (0000183) speed47 (reporter) - 2009-09-13 07:16
 http://issues.outoforder.cc/view.php?id=95#c183 
---------------------------------------------------------------------- 
Thanks for taking the time to look into this weird issue.

When this happens, nothing is being printed by Firefox, it just displays a
blank page (as in "about:blank"). By the way, I'm now using the 3.5.3
Firefox version, but the behavior is still the same.

The .pem/.crt I used for the capture were indeed dummy ones, I'll attach
them to this bug.

And for libgnutls 2.8.3, I recompiled mod_gnutls against it, the issue
unfortunately still occurs. 

---------------------------------------------------------------------- 
 (0000184) nmav (manager) - 2009-09-13 08:20
 http://issues.outoforder.cc/view.php?id=95#c184 
---------------------------------------------------------------------- 
Thank you, but it seems Wireshark cannot decode resumed sessions. If you
could send me the capture of a session that is not resumed (e.g. by
disabling the resumed db file), it would be of help. Do you use a PHP file
to reproduce it? Could you send it to me so I can reproduce it locally?

---------------------------------------------------------------------- 
 (0000185) speed47 (reporter) - 2009-09-13 09:13
 http://issues.outoforder.cc/view.php?id=95#c185 
---------------------------------------------------------------------- 
Wow. Now there is something new: I just disabled SSL session caching in my
apache config (GnuTLSCache None None), and... the issue disappears. I
tried to raise significantly the amount of POST data, in an attempt to
bump into the bug again, to no avail: it works flawlessly.
When I re-enable session caching, the first POST works (because we don't
have any cached session), but all the subsequent POSTs fail.
So we are now pretty sure it's about session resuming!

Attached is the PHP file I use to reproduce this bug. I've set NB_PADDING
to the lowest number to make the issue happen on my configuration (which
means around 3600 bytes of POST data). I'm not sure the amount of bytes is
the same for every configuration (nitro322 seems to have reported ~3200
bytes), so don't hesitate to tweak it. 

---------------------------------------------------------------------- 
 (0000186) speed47 (reporter) - 2009-09-13 19:12
 http://issues.outoforder.cc/view.php?id=95#c186 
---------------------------------------------------------------------- 
Okay, I'm now bumping into this problem again, even with session caching
entirely disabled (as it was in my previous comment). Not sure what this
means, but it might be more complicated than I thought...

---------------------------------------------------------------------- 
 (0000191) nmav (manager) - 2009-09-17 14:32
 http://issues.outoforder.cc/view.php?id=95#c191 
---------------------------------------------------------------------- 
Hello, I haven't been able to set up a server to reproduce it due to some
engagements I currently have. However, from your description, this looks
like a TLS protocol incompatibility, though I really cannot understand why.
In case you can try before me, what I would like to know is whether there
is a ciphersuite combination where this works, and on which ciphersuites
it doesn't. For example, try first enabling only TLS 1.1, then TLS 1.0 and
then SSL 3.0... then continue on ciphers by allowing only ARCFOUR, AES-128
etc. It is really a strange error, and quite strange for it to occur only on
large files.

---------------------------------------------------------------------- 
 (0000193) filbar (reporter) - 2010-03-15 06:33
 http://issues.outoforder.cc/view.php?id=95#c193 
---------------------------------------------------------------------- 
I have this problem on CentOS 5.4 too. This problem persists even if I use
GnuTLSPriorities NONE 

---------------------------------------------------------------------- 
 (0000194) nmav (manager) - 2010-03-15 07:15
 http://issues.outoforder.cc/view.php?id=95#c194 
---------------------------------------------------------------------- 
NONE is not really interesting (TLS shouldn't work at all). Please try
the following and write which ones work and which do not.

NONE:+3DES-CBC:+MD5:+SHA1:+VERS-SSL3.0:+COMP-NULL:+RSA
NONE:+3DES-CBC:+MD5:+SHA1:+VERS-TLS1.0:+COMP-NULL:+RSA
NONE:+ARCFOUR-128:+MD5:+SHA1:+VERS-SSL3.0:+COMP-NULL:+RSA
NONE:+ARCFOUR-128:+MD5:+SHA1:+VERS-TLS1.0:+COMP-NULL:+RSA 

---------------------------------------------------------------------- 
 (0000195) filbar (reporter) - 2010-03-15 09:20
 http://issues.outoforder.cc/view.php?id=95#c195 
---------------------------------------------------------------------- 
All of these combinations don't work.
I tried this on the same page. Sometimes it works, but after approx. 3-4
postings of the form I get a blank page. After some refreshes of this page
with resending of the POST data it shows me the desired page.

---------------------------------------------------------------------- 
 (0000196) filbar (reporter) - 2010-03-15 10:03
 http://issues.outoforder.cc/view.php?id=95#c196 
---------------------------------------------------------------------- 
I tried the old version 0.2.0 of mod_gnutls and this version does it too.

---------------------------------------------------------------------- 
 (0000197) nmav (manager) - 2010-03-15 16:18
 http://issues.outoforder.cc/view.php?id=95#c197 
---------------------------------------------------------------------- 
Does the attached patch.txt solve the issue for you? 

---------------------------------------------------------------------- 
 (0000198) filbar (reporter) - 2010-03-15 17:43
 http://issues.outoforder.cc/view.php?id=95#c198 
---------------------------------------------------------------------- 
Yes, this patch solves this issue; SSL works now. I tried all four
combinations from your post and all work well. Thanks for this patch.

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-03-22 12:38 nitro322       New Issue                                    
2009-03-22 12:38 nitro322       Apache Version            => 2.2.10          
2009-04-01 23:48 nitro322       Note Added: 0000142                          
2009-04-27 10:11 jeff42         Note Added: 0000143                          
2009-04-28 06:38 jeff42         Note Edited: 0000143                         
2009-04-29 02:20 jeff42         Issue Monitored: jeff42                      
2009-04-29 09:04 urkle          version                  0.4.0 => 0.5.4      
2009-05-18 18:49 ZyanKLee       Note Added: 0000145                          
2009-05-18 18:57 ZyanKLee       Note Edited: 0000145                         
2009-05-18 18:59 ZyanKLee       Sponsorship Added        ZyanKLee: US$ 5     
2009-05-18 18:59 ZyanKLee       Sponsorship Total        0 => 5              
2009-05-18 18:59 ZyanKLee       Issue Monitored: ZyanKLee                    
2009-06-07 18:11 marlowe        Note Added: 0000146                          
2009-06-22 08:30 ZyanKLee       Tag Attached: apache2                        
2009-06-22 08:30 ZyanKLee       Tag Attached: big packages                    
2009-06-22 08:30 ZyanKLee       Tag Attached: error                          
2009-06-22 08:30 ZyanKLee       Tag Attached: firefox                        
2009-06-22 08:30 ZyanKLee       Tag Attached: mod_gnutls                     
2009-06-22 08:34 ZyanKLee       Note Added: 0000149                          
2009-06-22 08:47 ZyanKLee       Note Edited: 0000149                         
2009-06-30 13:57 nmav           Note Added: 0000152                          
2009-06-30 14:15 nmav           Issue Monitored: nmav                        
2009-07-14 10:41 marlowe        Note Added: 0000166                          
2009-08-30 17:23 speed47        File Added: modgnutls_firefox_bigpost_doesntwork.cap
2009-08-30 17:23 speed47        File Added: modgnutls_firefox_bigpost_doesntwork.txt
2009-08-30 17:23 speed47        File Added: modgnutls_firefox_littlepost_works.cap
2009-08-30 17:24 speed47        File Added: modgnutls_firefox_littlepost_works.txt
2009-08-30 17:24 speed47        File Added: modgnutls_konqueror_bigpost_works.cap
2009-08-30 17:24 speed47        File Added: modgnutls_konqueror_bigpost_works.txt
2009-08-30 17:40 speed47        Note Added: 0000178                          
2009-08-30 17:43 speed47        Issue Monitored: speed47                     
2009-09-13 04:36 nmav           Note Added: 0000181                          
2009-09-13 07:16 speed47        Note Added: 0000183                          
2009-09-13 07:19 speed47        File Added: certificates.zip                    
2009-09-13 08:20 nmav           Note Added: 0000184                          
2009-09-13 09:13 speed47        Note Added: 0000185                          
2009-09-13 09:14 speed47        File Added: ffxbug.php                       
2009-09-13 19:12 speed47        Note Added: 0000186                          
2009-09-17 14:32 nmav           Note Added: 0000191                          
2010-03-15 06:33 filbar         Note Added: 0000193                          
2010-03-15 06:34 filbar         Issue Monitored: filbar                      
2010-03-15 07:15 nmav           Note Added: 0000194                          
2010-03-15 09:20 filbar         Note Added: 0000195                          
2010-03-15 10:03 filbar         Note Added: 0000196                          
2010-03-15 16:18 nmav           File Added: patch.txt                        
2010-03-15 16:18 nmav           Note Added: 0000197                          
2010-03-15 17:43 filbar         Note Added: 0000198                          
======================================================================



