httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <madhusudan_mathiha...@hp.com>
Subject RE: [BUG] mod_ssl
Date Fri, 21 Sep 2001 15:48:38 GMT
It's pretty clear.. The handshake failed, because the SSL_do_handshake
return code is not verified (ssl_engine_kernel.c - ssl_hook_Access()).. The
renegotiation logic has to be verified if ClientVerify is switched on.. Ralf
has put a note in ssl_hook_Access that some of the logic is not implemented
for Apache 2.0..

I'll investigate by today afternoon, and yes, I'd be interested in having a
debug session.. I haven't verified the following fix, but could you pl.
include code to verify the return state of SSL_do_handshake in
ssl_engine_kernel.c (line 744) - something like 

    if (((rc = SSL_do_handshake(ssl)) < 0) || !ssl)
	return DECLINED;

Ofcourse, this is not the fix, but this should eliminate the core dump
atleast..

Thanks
-Madhu

-----Original Message-----
From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net]
Sent: Friday, September 21, 2001 6:52 AM
To: dev@httpd.apache.org
Subject: Re: [BUG] mod_ssl


From: "Sander Striker" <striker@apache.org>
Sent: Friday, September 21, 2001 4:45 AM


> Sorry to bring this up, but I tripped over a segfault
> in mod_ssl while trying to add client authentication
> to subversion.
> 
> I can't reproduce this with openssl s_client, which
> makes the issue harder.  There probably is a bug somewhere
> in svn or neon (or my usage of that), but that doesn't
> really matter, segfaults should never happen.  I'll try to
> come up with a simple repro recipe, but right now, there isn't
> one without installing subversion and doing mods to that.

There is one of a dozen things going on.  Let's drop a few.

Would you try disabling includes on /error/ documents, then
drop the error documents altogether, and let us know if you
don't die() with an error if things come out alright?

I suspect it's the internal redirct that has lost some state
back from the original connection/request, or worse (and my
fear) that due to the client mis-validation - we've broken the
ssl state or never completed the ssl setup, allowing us to die
with error feedback to the misvalidated client.

Try dropping mod_include and let's see what that accomplishes.

Bill

Mime
View raw message