httpd-dev mailing list archives

From Sander Temme <scte...@apache.org>
Subject Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
Date Fri, 03 Feb 2012 19:41:48 GMT
Remember the CHIL engine cleanup was fixed to prevent a dangling cleanup function pointer...
I forget which OpenSSL version got that fix but in any case RH only recently backported it.


I'm sure I didn't test with any proxy config at the time. 

S. 

--
Sander Temme
sander@temme.net

Sent from my phone

On Feb 3, 2012, at 1:27 PM, Dr Stephen Henson <shenson@opensslfoundation.com> wrote:

> On 03/02/2012 17:45, Daniel Ruggeri wrote:
>> On 2/2/2012 1:02 PM, Daniel Ruggeri wrote:
>>> Since this happens with every attempt to start, I suspect it has nothing
>>> to do with the new directive and more to do with something I did on the
>>> openssl build.
>> 
>> I was, indeed, doing something stupid. A build with openssl 1.0.0g
>> replicates the behavior of 0.9.8g in that it fails when
>> SSLProxyMachineCertificateChainFile is enabled. The annoying part is
>> that (due to the error I get when running in dbx) I can get no useful
>> information in a debug session from Solaris.
>> 
>> ... so I've switched to RHEL and gdb and have interesting information.
>> Under Linux, I get this error on init:
>> [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device
>> API `chil'
>> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852
>> error:81067064:CHIL engine:HWCRHK_INIT:already loaded
>> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981
>> error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
>> 
>> This only happens when SSLProxyMachineCertificateChainFile is set....
>> With some quick debugging I see that the hwcrhk_finish DOES NOT get
>> called during ssl_cleanup_pre_config... but DOES get called when the
>> directive has been removed. To me, it looks like httpd has not
>> registered the engine for cleanup, but that certainly shouldn't be
>> impacted by this patch. It seems something in the process of loading the
>> store is complicating things.
>> 
>> I'll continue poking around, but pointers are certainly appreciated.
>> 
> 
> Hmm... the ENGINE code is careful not to shut down an ENGINE if keys exist which
> make use of it.
> 
> So there is a possibility that some chain verification leaves a reference to
> an RSA key which prevents the ENGINE from closing down completely.
> 
> In engines/e_chil.c try commenting out the line containing
> ERR_load_HWCRHK_strings().
> 
> Only side effect of doing that is you will only get numerical error codes and
> not error strings.
> 
> Steve.
> -- 
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shenson@opensslfoundation.com

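The mechanism Steve describes above (a key that still holds a functional reference keeps the ENGINE's finish() from running, so the next config pass finds the engine library's static state still "loaded") can be modelled without an HSM. The C program below is an added illustration, not code from OpenSSL or httpd: the model_* and chil_like_* names are hypothetical stand-ins for ENGINE_init/ENGINE_finish, hwcrhk_init/hwcrhk_finish and RSA_new_method/RSA_free, the error code is the one from Daniel's log, and the rule that an engine-backed key takes a functional reference on its engine mirrors what RSA_new_method()/RSA_free() do in OpenSSL 1.0.x.

```c
#include <stdio.h>

/* Toy model (constructed for this example; not OpenSSL's code) of why a
 * leaked engine-backed key makes a later engine init fail with
 * "already loaded".  Hypothetical names and their real counterparts:
 *   model_engine_init/finish  ->  ENGINE_init / ENGINE_finish
 *   chil_like_init/finish     ->  hwcrhk_init / hwcrhk_finish (engines/e_chil.c)
 *   model_key_new/free        ->  RSA_new_method / RSA_free              */

#define ERR_NONE            0UL
#define ERR_ALREADY_LOADED  0x81067064UL   /* code quoted in the log above */

/* Per-ENGINE-instance state: the functional reference count lives here. */
struct model_engine {
    int           funct_ref;
    unsigned long last_error;
};

/* Process-global state of the engine *library*, shared by every ENGINE
 * instance created in this process, like the static hwcrhk_dso in e_chil.c. */
static void *chil_dso = NULL;
static int   chil_finish_calls = 0;

static int chil_like_init(struct model_engine *e) {
    static int fake_handle;              /* stands in for the dlopen()ed library */
    if (chil_dso != NULL) {              /* the "already loaded" check */
        e->last_error = ERR_ALREADY_LOADED;
        return 0;
    }
    chil_dso = &fake_handle;
    return 1;
}

static void chil_like_finish(void) {
    chil_dso = NULL;
    chil_finish_calls++;
}

/* Engine-specific init runs only on the 0 -> 1 functional-ref transition. */
static int model_engine_init(struct model_engine *e) {
    if (e->funct_ref == 0 && !chil_like_init(e))
        return 0;
    e->funct_ref++;
    return 1;
}

/* Engine-specific finish runs only on the 1 -> 0 transition, so one leaked
 * reference keeps it from ever running. */
static void model_engine_finish(struct model_engine *e) {
    if (e->funct_ref > 0 && --e->funct_ref == 0)
        chil_like_finish();
}

struct model_rsa_key { struct model_engine *engine; };

/* A key created on an engine holds a functional reference until freed. */
static int model_key_new(struct model_rsa_key *k, struct model_engine *e) {
    if (!model_engine_init(e)) return 0;
    k->engine = e;
    return 1;
}

static void model_key_free(struct model_rsa_key *k) {
    if (k->engine) { model_engine_finish(k->engine); k->engine = NULL; }
}

/* One httpd-style config pass, cleanup, and second config pass.  Each pass
 * gets a fresh ENGINE instance (as a fresh ENGINE_load_chil() would hand out)
 * while the library state above persists.  Returns the second pass's error. */
static unsigned long run_cycle(int leak_key) {
    struct model_engine first = { 0, ERR_NONE }, second = { 0, ERR_NONE };
    struct model_rsa_key chain_key = { NULL };

    chil_dso = NULL; chil_finish_calls = 0;   /* fresh process per scenario */

    model_engine_init(&first);                /* SSLCryptoDevice chil */
    model_key_new(&chain_key, &first);        /* key touched while loading the chain file */
    if (!leak_key)
        model_key_free(&chain_key);
    model_engine_finish(&first);              /* ssl_cleanup_pre_config; instance discarded */

    model_engine_init(&second);               /* next pass re-enables the engine */
    return second.last_error;
}

int restart_succeeds(int leak_key) { return run_cycle(leak_key) == ERR_NONE; }

int finish_calls_in_cycle(int leak_key) { run_cycle(leak_key); return chil_finish_calls; }

int main(void) {
    printf("no leak:     restart ok=%d, finish ran %d time(s)\n",
           restart_succeeds(0), finish_calls_in_cycle(0));
    printf("leaked key:  restart ok=%d, finish ran %d time(s)\n",
           restart_succeeds(1), finish_calls_in_cycle(1));
    return 0;
}
```

With the key freed, the first instance's functional count reaches zero, chil_like_finish() runs once and the second pass initialises cleanly; with the key leaked, finish never runs, the library-level handle stays set and the second pass fails with 0x81067064, which is exactly the pattern Daniel observed (hwcrhk_finish not called during ssl_cleanup_pre_config, "already loaded" on the next init). The model covers only that path; the err_cmp segfault from the subject line and Steve's ERR_load_HWCRHK_strings() suggestion concern the error-string table, which is not modelled here.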