The Apache Haus Forum

Forum Topics => News & General Discussion => Topic started by: Gregg on February 09, 2011, 12:24:42 AM

Title: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 09, 2011, 12:24:42 AM
Update packages for Apache 2.2.17 to OpenSSL 1.0.0d are available at the Download Page (http://www.apachehaus.com/cgi-bin/download.plx). These packages include all files needed to upgrade your Apache 2.2.17 server. OpenSSL 1.0.0d is a bug fix update and it is recommended you upgrade to 1.0.0d as soon as possible.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: perindu on February 22, 2011, 05:37:51 AM
any chance you will compile it with vc6? i'm using standard apache download from apache main site  ;D
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 22, 2011, 09:26:11 AM
Hi Perindu,

I've thought about this every time there's an OpenSSL update between Apache versions. It goes against what this site is about though since we are suppliers of an alternative, a vc9 alternative. The one time I felt there was a big critical need to do it, the ASF put out a new 2.2 version of Apache to go with it on their own and we didn't have to.

What I don't want to do is have us create a precedent of doing this, I'd rather convert you and anyone else to vc9 ;D If the ASF will not do this and you want an Apache that's as up to date as we are allowed to supply you with, go Apache Haus. If it is the 1.0.0 versions of OpenSSL you want with Apache 2.2, go Apache Haus. I'm not sure if anyone has actually asked the ASF to switch to OpenSSL 1.0.0 in their Windows binaries.

I'm curious though, have you thought about moving to a vc9 build?
If you have, what is stopping you from doing it? If you have not, why not consider it?

This stuff I like to hear because it will help me understand what we should be doing to make switching an easier choice for you and others to make.



Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: perindu on February 23, 2011, 06:11:45 AM
Hi Gregg,

Thanks for your info.

The only reason i'm still using vc6 is because of its portability. i'm using it on XP SP2, and i don't want to make my windows crowded with unneeded vc9 ( once i installed it, it copied some files to c:\ ) also it's hard to copy between machines ( i'm using a webserver based on uniform server with some tweaks )

I also try not to use many resource as i can ( ok u can laugh i run my private webserver on win xp sp2 - mercury mail hehe )  ;D

So i try to save as many memory/resource i can :)

*notes*
( if only theres a way like vc6 before .. example copy only needed dll to same directory maybe i'll change to vc9 - example msvbm60.dll )

thanks a lot and sorry my english is not so good :)

- seems loading forum is a bit slow today?
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 23, 2011, 06:37:15 AM
*notes*
( if only theres a way like vc6 before .. example copy only needed dll to same directory maybe i'll change to vc9 - example msvbm60.dll )

There is, you drop the msvcr90.dll in Apache's /bin folder and go.

The reason I'm actually trying to convert people is that vc6 builds of PHP are going to disappear soon, or so the word I've been hearing is. ASF has clearly stated that they will not be moving to VC9 or vc10 in 2.2.

https://issues.apache.org/bugzilla/show_bug.cgi?id=50813 see comment 1

So you'll have to either use mod_fcgid, or move to VC9 Apache if you want to use the module.
oh, and check your personal messages inbox here.

Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: perindu on February 23, 2011, 07:11:45 AM

oh, and check your personal messages inbox here.



Sorry, you can't read your personal messages. ( but i got your message through email. Thanks  ;D )

i see your reason now... so if i copy msvcr90.dll in Apache's /bin folder it will work? it's goes to module also such as mod security?  nice.. i'll try it later... ( hope it will work :) )

Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 23, 2011, 09:17:17 AM
Yes, at least that module and most others. PHP itself might be problematic. The redistributable is not that big, only a couple megs. Installing it would be the preferred way but there may be a requirement for SP3 on Windows, not sure, I bet Mario or Sob knows off the top of their head.

With vc9, the binaries are smaller, they are more efficient as well. Let's look at Apache's bin folder;
VC9 = 6.39 MB total for all binary files required for Apache + SSL + zlib in bin and the iconv folder
VC6 = 8.89 MB for the same files. 2.5MB more.

I personally love vc6. I can build Apache 3 times in the time it takes vc9 to do it once. Or OpenSSL, once the configure stage of OpenSSL is complete, the actual compile itself takes ~65 seconds. I wish VC9 was that fast at building, it's about 6 minutes on the very same computer. I hate to leave vc6 behind, I'll keep it for a few more years anyway.

As far as moving to a vc9 Apache build, I'm going to have to bite the bullet and do it myself as I still run a vc6 build of 2.2. I hate moving up. The 2.3 snapshot of a week or two ago I'm running is vc9.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: mario on February 23, 2011, 11:08:35 AM
Installing it would be the preferred way but there may be a requirement for SP3 on Windows

it works also with SP2. In one of the large companies I work the SP3 rollout was in July 2010  ;) And even before it worked with installing the M$ package. I haven't tried it before just to use the runtime dll's but I guess it should work as with vc5 and vc6. I remember win98 xD
Good thing about vc6 is that the binaries run without installing M$ package. I wonder why still under server 2008 R2 I had to install the vc9 package. It's a bit annoying.

it would be a good how to in the readme file about putting the vc files into apache bin folder.

I personally love vc6. I can build Apache 3 times in the time it takes vc9 to do it once. Or OpenSSL, once the configure stage of OpenSSL is complete, the actual compile itself takes ~65 seconds. I wish VC9 was that fast at building, it's about 6 minutes on the very same computer. I hate to leave vc6 behind, I'll keep it for a few more years anyway.
I also dislike the long compiling times. Guess we need a 3.5GHz Quadcore for AH Compiling ;-)
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Sob on February 23, 2011, 03:43:40 PM
VC9 redistributable supports even Win2000 (SP4). And personally, I'd rather install it in supported way. The whole package has 4MB, it won't eat up much more when installed. Easy portability might be the reason against it. But the chances are, other software will need it too. And if you want to have secure machine, you should install at least some updates anyway, so one more package makes no difference. And even that SP3 might not be such a bad idea. I know, "when it works, don't try to fix it". But on the other hand, SP2 is no longer supported and it means no more bugfixes. And sometimes it's important stuff (like yet another SMB hole :).
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Sob on February 23, 2011, 06:54:50 PM
If you really want to have portable Apache without installing redistributables, it's possible, I just tested it. But it's not as easy as putting dlls to bin directory.

You also need manifest file named Microsoft.VC90.CRT.manifest and it must be in the same directory as executable or in Microsoft.VC90.CRT subdirectory. Then you need msvcm90.dll, msvcp90.dll and msvcr90.dll in the same directory as manifest. But I wasn't able to get it running when it was only in bin directory. I had to put duplicate copies also in modules directory.

And I'm quite afraid what it will do, if you mix modules compiled by different compilers, e.g. VC++ 2008 with and without SP1.

As for the content of Microsoft.VC90.CRT.manifest I'm not exactly sure what's right. The one I found in redistributables directory in VC install didn't work. I found the following in installation directory of some application that also includes own copy of msvc dlls and it works:
Code:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation.  All rights reserved. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <noInheritable/>
    <assemblyIdentity
        type="win32"
        name="Microsoft.VC90.CRT"
        version="9.0.21022.8"
        processorArchitecture="x86"
        publicKeyToken="1fc8b3b9a1e18e3b"
    />
    <file name="msvcr90.dll" /> <file name="msvcp90.dll" /> <file name="msvcm90.dll" />
</assembly>

Any additional info from some manifest expert is welcome. :)
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: perindu on February 24, 2011, 06:33:49 AM

Good thing about vc6 is that the binaries run without installing M$ package. I wonder why still under server 2008 R2 I had to install the vc9 package. It's a bit annoying.

it would be a good how to in the readme file about putting the vc files into apache bin folder.
I also dislike the long compiling times. Guess we need a 3.5GHz Quadcore for AH Compiling ;-)


This is one reason i still use vc6 as it dont install bloated package :)

i second on that also want to know how to set up it :) ( portability and stable  is my priority )

VC9 redistributable supports even Win2000 (SP4). And personally, I'd rather install it in supported way. The whole package has 4MB, it won't eat up much more when installed. Easy portability might be the reason against it. But the chances are, other software will need it too. And if you want to have secure machine, you should install at least some updates anyway, so one more package makes no difference. And even that SP3 might not be such a bad idea. I know, "when it works, don't try to fix it". But on the other hand, SP2 is no longer supported and it means no more bugfixes. And sometimes it's important stuff (like yet another SMB hole :).

for this i totally agree with you.. but for some reason sp3 have some problem with kernel ( i'm not sure about it )

security is important, for that i disable most of the services that not related based on black viper tweak.

i also install firewall which block port others than http, mailserver, vnc.

i also install latest MSE 2.0 ( atleast it work on sp2 :) ) and windows defender.

to harden it im using harden-it and patch tcp ( using tcp patch unofficially )

at least i dont get any problem with it

For apache mod security is nice :)

anyway thanks for advice ( smb 445 is really nasty port  ;D i got virus before which separate all network lucky my boss buy a new pc with 7 pro - LUA do help  ;D )

If you really want to have portable Apache without installing redistributables, it's possible, I just tested it. But it's not as easy as putting dlls to bin directory.

Any additional info from some manifest expert is welcome. :)

I second on that and i wonder if apachehaus would package it in zip format ( without installing it in service ) i think it would help .


Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: mario on February 24, 2011, 11:16:06 AM
You also need manifest file named Microsoft.VC90.CRT.manifest and it must be in the same directory as executable or in Microsoft.VC90.CRT subdirectory.

The binaries from apachehaus include the manifest inside the binaries. If you use a hexeditor you can see it at the very end of the binaries. For that we use MT.exe

e.g.
Code:
MT -manifest mod_xsendfile.so.manifest -outputresource:mod_xsendfile.so;2
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Sob on February 24, 2011, 03:13:07 PM
Right, the binaries do have manifests embedded. But those provide info about required dependencies. And Windows will look for them somewhere in winsxs directory by default. But if the redistributable is not installed, it won't find them there.
Simply copying msvc*.dll to Apache's bin directory didn't work (tried with clean XP SP2 in VirtualBox), Windows ignored them. It's this additional manifest that tells Windows to use dlls from current directory.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 24, 2011, 06:46:11 PM
I'm sorry Sob but I've done it successfully. I have the one machine with vc6 installed and for whatever reason, it will not allow me to start a vc9 build. It will not run a vc9 build even with the redist installed.

These links go to various builds of vc all running on a box with no redistributables installed and just the single crt for their version in the bin folder. The links on these pages are now outdated so don't bother trying them.

vc10: http://www.glewis.com:20108/
vc9: http://www.glewis.com:20088/
vc6: http://www.glewis.com

I'll keep the vc9 & vc10 builds up for 24 hours.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 24, 2011, 07:26:17 PM
Right, the binaries do have manifests embedded. But those provide info about required dependencies. And Windows will look for them somewhere in winsxs directory by default.

Not so, Windows will look for them in directories in the order you know full well about.

This is the manifest to the vc9 build linked above, look at the single dependency,
Code:
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type='win32' name='Microsoft.VC90.CRT' version='9.0.21022.8' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b' />
    </dependentAssembly>
  </dependency>
</assembly>

I guess I lied, I do not remember doing it but the vc9 redistributable is there, quite possibly it was included with SP3. The vc10 is not however yet it still runs, if I move the vc10 crt out of bin it will not run.

None the less, I'm going to take my guinea pig and put it at a fresh SP2 and give it a try on it with vc9 & no redist.

@Perindu, the compiler is slower and bloated, the resulting binaries are smaller. The only bloat in Apache is Apache's bloat. 2.2 is bloated, 2.4 will be a much different server as so much has been ripped out of the core and placed in loadable modules. If you don't need it, don't load it.

But instead of taking our word for it, give it a try. It only takes a few minutes. Our server comes configured to run in c:\apache22. Put it there, drop the crt dll in the bin folder and give it a try, or wait till I get back with my test of doing the same.

Here's the crt http://www.apachehaus.net/misc/msvcr90.zip

Still, I know I did it a couple years ago on the AMD box that is collecting dust in the garage now. It's how MS tells you to do it as well.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 24, 2011, 10:24:50 PM
I know it did but fresh sp2 and it did not work, so I guess it will not and it's making me a liar.

2010 did just fine however on it.

I don't think it'll hurt you Perindu to install the redistributable. You should actually be able to get better performance from vc9. Testing both with ab.exe should show some difference.

If you do not use php then you'll have no real reason to switch. If you do there is the option of mod_fcgid to run php if you will not switch. Just don't expect vc6 stuff from us. I have some stuff in vc6 but not everything we have here.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Sob on February 25, 2011, 01:08:19 AM
I don't insist on being right, I'm just describing what I see. :)

I tried it with your httpd-2.2.17-ssl-x86.zip on clean XP SP3. When I try to start httpd.exe from command line, it produces "The system cannot execute the specified program." and quits.

Event log under System lists three errors:
Code:
SideBySide event 32:
Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

SideBySide event 59:
Resolve Partial Assembly failed for Microsoft.VC90.CRT.
Reference error message: The referenced assembly is not installed on your system.

SideBySide event 59:
Generate Activation Context failed for c:\Apache22\bin\httpd.exe.
Reference error message: The operation completed successfully.

Process Monitor from Sysinternals does not catch any attempt to access msvc?90.dll in any location by any process (I have them in C:\Apache22\bin\).

But csrss.exe, right after httpd.exe is started, sniffs in following locations:
Code:
"CreateFile","C:\WINDOWS\WinSxS\Policies\x86_Policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75","NAME NOT FOUND"
"CreateFile","C:\WINDOWS\assembly\GAC\Policy.9.0.Microsoft.VC90.CRT","NAME NOT FOUND"
"QueryOpen","C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.Manifest","NAME NOT FOUND"
"QueryOpen","C:\WINDOWS\assembly\GAC\Microsoft.VC90.CRT\9.0.21022.8__1fc8b3b9a1e18e3b\Microsoft.VC90.CRT.DLL","PATH NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT.DLL","NAME NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT.MANIFEST","NAME NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT\Microsoft.VC90.CRT.DLL","PATH NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT\Microsoft.VC90.CRT.MANIFEST","PATH NOT FOUND"
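
The probe list in the post above can be sorted mechanically into system-store lookups and application-local lookups, which shows where a private copy of the assembly would be picked up. This is an added example, not part of the post; the function names are illustrative and the trace rows are the eight lines quoted above.

```python
import csv
import io
import ntpath

# The eight Process Monitor rows from the post (Operation, Path, Result).
TRACE = r'''"CreateFile","C:\WINDOWS\WinSxS\Policies\x86_Policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75","NAME NOT FOUND"
"CreateFile","C:\WINDOWS\assembly\GAC\Policy.9.0.Microsoft.VC90.CRT","NAME NOT FOUND"
"QueryOpen","C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.Manifest","NAME NOT FOUND"
"QueryOpen","C:\WINDOWS\assembly\GAC\Microsoft.VC90.CRT\9.0.21022.8__1fc8b3b9a1e18e3b\Microsoft.VC90.CRT.DLL","PATH NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT.DLL","NAME NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT.MANIFEST","NAME NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT\Microsoft.VC90.CRT.DLL","PATH NOT FOUND"
"QueryOpen","C:\Apache22\bin\Microsoft.VC90.CRT\Microsoft.VC90.CRT.MANIFEST","PATH NOT FOUND"
'''


def summarize_probes(trace_csv, assembly, app_dir):
    """Split lookups for `assembly` into system-store and app-local probes."""
    app_prefix = ntpath.normcase(ntpath.normpath(app_dir)) + "\\"
    summary = {"system_store": [], "app_local": [], "resolved": False}
    for row in csv.reader(io.StringIO(trace_csv)):
        if len(row) != 3:
            continue  # not an Operation/Path/Result row
        _operation, path, result = row
        if assembly.lower() not in path.lower():
            continue
        norm = ntpath.normcase(ntpath.normpath(path))
        scope = "app_local" if norm.startswith(app_prefix) else "system_store"
        summary[scope].append((path, result))
        # Any successful open means the loader found a copy somewhere.
        summary["resolved"] = summary["resolved"] or result == "SUCCESS"
    return summary


def private_manifest_locations(summary):
    """App-local paths where the loader looked for the assembly manifest."""
    return [p for p, _ in summary["app_local"] if p.lower().endswith(".manifest")]


if __name__ == "__main__":
    s = summarize_probes(TRACE, "Microsoft.VC90.CRT", r"C:\Apache22\bin")
    print("resolved:", s["resolved"])
    for path in private_manifest_locations(s):
        print("manifest probed at:", path)
```

The two manifest paths it reports are the same two places named earlier in the thread: next to the executable, or in a Microsoft.VC90.CRT subdirectory.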
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Sob on February 25, 2011, 01:17:12 AM
Interesting thing happened, when I tried to remove manifests from all Apache binaries (you don't really want to know the details ;) ). It's definitely not the proper way to go, because Apache crashed with some runtime error. But when I also removed msvc?90.dll from bin directory, I received an old fashioned "This application has failed to start because MSVCR90.dll was not found." while starting Apache. And Process Monitor clearly showed the dll being searched for in usual places.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 25, 2011, 03:47:17 AM
I didn't mean to imply you did insist. I thought I'd gotten it to work on the old AMD but maybe it had sp3 on it as well. "The system cannot execute the specified program" is also what I got. This is also what I got on the vc6 computer.

Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: perindu on February 25, 2011, 04:35:28 AM
@gregg yes i'll try vc9 apache soon :) actually i just want to use software without installing additional things :)

@sob i got the same problem before.. it make me headache before i realized that the reason is mod security compiled using vc9 he he

here is some example of portable vc9 ( i found it in geeteedee portable )

first make folder Microsoft.VC90.CRT

then copy

 this file
Microsoft.VC90.CRT.manifest
msvcm90.dll
msvcp90.dll
msvcr90.dll


contents of Microsoft.VC90.CRT.manifest

Code:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <noInheritable></noInheritable>
    <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
    <file name="msvcr90.dll" hashalg="SHA1" hash="98e8006e0a4542e69f1a3555b927758bd76ca07d"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>+CXED+6HzJlSphyMNOn27ujadC0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcp90.dll" hashalg="SHA1" hash="3aec3be680024a46813dee891a753bd58b3f3b12"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>MyKED+9DyS+1XcMeaC0Zlw2vFZ0=</dsig:DigestValue></asmv2:hash></file> <file name="msvcm90.dll" hashalg="SHA1" hash="0195dd0896d74b62531e4f3c771904a3d996450e"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>EeyDE7og6WoPd2oBhYbMEnpFHhY=</dsig:DigestValue></asmv2:hash></file>
</assembly>



*notes* im not testing it yet i hope it will work ( i will testing when i get to home.. i don't know if geeteedee developer point it right that but when i test in sandbox at home before it work smoothly )
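
A manifest like the one in the post above lists a SHA-1 for each DLL, so a CRT folder copied out of another package can be checked against its own manifest before it is placed next to httpd.exe. This is an added example, not part of the post or of any Apache Haus tooling; it assumes the `hash` attribute is the hex SHA-1 of the file's bytes, as `hashalg="SHA1"` indicates, and the files it writes for the demo are constructed stand-ins, not real CRT DLLs.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
MANIFEST = "Microsoft.VC90.CRT.manifest"


def sha1_hex(path):
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_private_assembly(folder, manifest_name=MANIFEST):
    """Return (identity, results). identity holds the assemblyIdentity
    attributes; results maps each listed file to a status string."""
    folder = Path(folder)
    raw = (folder / manifest_name).read_bytes()
    if b"<!DOCTYPE" in raw.upper():
        raise ValueError("manifest contains a DOCTYPE; refusing to parse it")
    root = ET.fromstring(raw)
    ident = root.find(f"{{{ASM_V1}}}assemblyIdentity")
    identity = dict(ident.attrib) if ident is not None else {}
    results = {}
    for entry in root.findall(f"{{{ASM_V1}}}file"):
        name = entry.get("name", "")
        expected = entry.get("hash")
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            results[name] = "bad-name"  # must be a bare file name
        elif not (folder / name).is_file():
            results[name] = "missing"
        elif expected is None:
            results[name] = "no-hash"  # manifest lists the file without a hash
        elif entry.get("hashalg", "").upper() != "SHA1":
            results[name] = "unsupported-hashalg"
        elif sha1_hex(folder / name) == expected.strip().lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return identity, results


def write_constructed_sample(folder):
    """Write constructed stand-in files and a matching manifest for the demo."""
    folder = Path(folder)
    entries = []
    for name in ("msvcr90.dll", "msvcp90.dll"):
        data = b"constructed stand-in for " + name.encode()
        (folder / name).write_bytes(data)
        entries.append(f'<file name="{name}" hashalg="SHA1" '
                       f'hash="{hashlib.sha1(data).hexdigest()}"/>')
    # Listed in the manifest but deliberately not written to disk.
    entries.append('<file name="msvcm90.dll" hashalg="SHA1" hash="' + "0" * 40 + '"/>')
    identity = ('<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" '
                'version="9.0.30729.4148" processorArchitecture="x86" '
                'publicKeyToken="1fc8b3b9a1e18e3b"/>')
    body = identity + "".join(entries)
    xml = f'<assembly xmlns="{ASM_V1}" manifestVersion="1.0">{body}</assembly>'
    (folder / MANIFEST).write_text(xml, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_sample(tmp)
        identity, results = check_private_assembly(tmp)
        print(identity.get("version"), results)
```

A match only shows that the DLLs agree with the manifest shipped beside them; a manifest whose file entries carry no hash attributes, like the shorter one posted earlier in the thread, yields `no-hash` for each file.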
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: perindu on February 25, 2011, 07:18:27 AM
@sob

i found interesting article while surfing about portable vc2008 dll

http://sites.google.com/site/jozsefbekes/Home/windows-programming/visual-c-manifest-hell

http://blog.kalmbach-software.de/2009/05/27/deployment-of-vc2008-apps-without-installing-anything/

hope it will help you :)

@gregg

if i use vc9 apache i must use vc9 php also?
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Gregg on February 25, 2011, 09:17:54 AM
if you load php5apache2_2.dll in Apache yes. If you run php through mod_fcgid then no.
Title: Re: OpenSSL 1.0.0d update for Apache 2.2.17 available
Post by: Sob on February 25, 2011, 12:02:06 PM
Those links were helpful. According to another page linked from there (http://blog.kalmbach-software.de/2009/05/18/breaking-changes-in-vs2010-beta/), VC10 no longer links to CRT dlls using manifests. So while VC9 binaries require Microsoft.VC90.CRT.manifest for using local msvc*.dll copies, VC10 ones do not. It also explains why there are several msvc?90.dll versions in winsxs, while msvc?100.dll are back to just one copy in system32 (ok, two, 32 and 64-bit).