sts-sponsors team mailing list archive

[Bug 1846138] Please test proposed package

 

Hello Jesse, or anyone else affected,

Accepted apache2 into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/apache2/2.4.18-2ubuntu3.14 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1846138

Title:
  backport mod_reqtimeout with handshake support

Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Xenial:
  Fix Committed
Status in apache2 source package in Bionic:
  Fix Released
Status in apache2 source package in Disco:
  Fix Released

Bug description:
  [Impact]

  When running TCP Defensics suite which sends corrupt packages towards
  vip__public port 443, the suite is hanging after the half suite
  because there are no free connections. The connections will be in
  state "established" ~ 2 hours.

  1.2. Detailed trouble description
  # ip netns exec haproxy netstat -npea | grep XXX.XXX.XXX.XXX | grep -i establish | grep 443
  tcp 0 0 XXX.XXX.XXX.XXX:443 YYY.YY.YYY.YY:2940 ESTABLISHED 115 81148003 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:24979 ESTABLISHED 115 81802005 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:19394 ESTABLISHED 115 81782263 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:13931 ESTABLISHED 115 81752052 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:12668 ESTABLISHED 115 81743719 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:2961 ESTABLISHED 115 81139548 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:8918 ESTABLISHED 115 81738132 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:2957 ESTABLISHED 115 81148041 29817/haproxy
  tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:10552 ESTABLISHED 115 81744903 29817/haproxy

  This issue can be resolved by enabling the parameter (mod_reqtimeout).
  This parameter is available in apache 2.4.39 (released on 2019-04-01).

  [Test Case]

  This test case has been brought to my attention by an impacted user:
  "
  You must have an apache2 server, with an haproxy in front of it, and you initiate SSL connections with "nc" between 50 and 8000 connections and because the SSL connection process is never finished all those connections get stuck and never timeout.
  "

  [Regression Potential]

  * The backport already exists in Bionic/Disco (done by security team
  via the security channel)

  * It is also backported upstream into 2.4 (branch : 2.4.x)

  * It was tested pre-release by an impacted user, and the outcome was
  positive:

  "I have tested the below packages for enabling handshake
  parameter (mod_reqtimeout) in apache. Looks like the package is working
  fine."

  * Local autopkgtest inside qemu revealed no issues:
  autopkgtest [12:09:48]: @@@@@@@@@@@@@@@@@@@@ summary
  duplicate-module-load PASS
  htcacheclean         PASS
  ssl-passphrase       PASS
  chroot               PASS

  
  [Other Info]

  [Original description]
  Backport the handshake feature in mod_reqtimeout (in Apache 2.4.39) to Apache 2.4.18.

  Lack of this feature was exhausting free connections when sent
  corrupted packets.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1846138/+subscriptions
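
A check a tester could use when verifying the behaviour described in the bug, as an added example that is not part of the bug report or the Ubuntu package: it opens one TCP connection, never starts the TLS handshake, and times how long the server takes to close it. The names `idle_close_time` and `verdict` are hypothetical, and it assumes the server under test has a non-zero handshake timeout configured (upstream 2.4.39 exposes this as the `handshake=` stage of `RequestReadTimeout`).

```python
import socket
import sys
import time


def idle_close_time(host, port, max_wait=30.0):
    """Connect, send nothing, and time how long the peer takes to close.

    Returns (closed_by_peer, seconds_elapsed). closed_by_peer is False when
    the connection was still open after max_wait seconds, which is the
    symptom in the bug: idle pre-handshake connections that never time out.
    """
    start = time.monotonic()
    deadline = start + max_wait
    with socket.create_connection((host, port), timeout=max_wait) as sock:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return False, time.monotonic() - start
            sock.settimeout(remaining)
            try:
                data = sock.recv(4096)
            except socket.timeout:
                return False, time.monotonic() - start
            except ConnectionResetError:
                return True, time.monotonic() - start
            if data == b"":  # orderly close (FIN) from the server
                return True, time.monotonic() - start
            # Server sent bytes (for example a TLS alert); wait for the close.


def verdict(closed, elapsed, expected_timeout, slack=2.0):
    """PASS if the server dropped the idle connection within the expected
    handshake timeout (plus slack for scheduling and proxy latency)."""
    return "PASS" if closed and elapsed <= expected_timeout + slack else "FAIL"


if __name__ == "__main__":
    # Usage: script.py HOST PORT EXPECTED_TIMEOUT_SECONDS (tester-supplied)
    host, port, expected = sys.argv[1], int(sys.argv[2]), float(sys.argv[3])
    closed, elapsed = idle_close_time(host, port, max_wait=expected + 10)
    print(f"closed_by_peer={closed} elapsed={elapsed:.1f}s "
          f"-> {verdict(closed, elapsed, expected)}")
```

With haproxy in front of Apache, as in the reported setup, the proxy's own client timeouts can also close the connection, so run the check against the backend directly as well to attribute the result to mod_reqtimeout.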