httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
Date Fri, 03 Feb 2012 22:57:15 GMT
On 2/3/2012 12:27 PM, Dr Stephen Henson wrote:
> Hmm... the ENGINE code is careful not to shutdown an ENGINE if keys exist which
> make use of it.
> So there is a possibility that the some chain verification leaves a reference to
> an RSA key which prevents the ENGINE from closing down completely.
> In engines/e_chil.c try commenting out the line containing
> ERR_load_HWCRHK_strings().
> Only side effect of doing that is you will only get numerical error codes and
> not error strings.
> Steve.

I will try that on Monday. This is a good tip, though, and gives me an
avenue to explore! Thanks!

On 2/3/2012 1:41 PM, Sander Temme wrote:
> Remember the CHIL engine cleanup was fixed to prevent a dangling cleanup function pointer...
I forget which OpenSSL version got that fix but in any case RH only recently backported it.

> I'm sure I didn't test with any proxy config at the time. 

Correct,sir. I am compiling and packaging for three platforms from the
latest sources available - I do all of my testing with two-way proxy
authentication. This recent test was openssl 1.0.0g but the behavior is
observed also in 0.9.8t. I am certain that this is an issue only when
using SSLProxyMachineCertificateChainFile (currently in trunk and
proposed for backport in 2.2) with an engine.

Daniel Ruggeri

View raw message