httpd-users mailing list archives

From <flaf...@charter.net>
Subject Re: [users@httpd] Runtime failure in compiled Apache 2.0.63/Openssl 0.9.8g
Date Wed, 21 May 2008 18:19:37 GMT
Figured this one out: the third-party module was hacked by a previous colleague who was oh
so kind to not document it, so the issue was not related to anything Apache/mod_ssl/openssl
related. 

Thanks,

Flaffer

---- flaffer@charter.net wrote: 
> Compiling Apache 2.0.63 as DSO with OpenSSL 0.9.8g (among other modules). Compiling completes
> successfully, but the runtime fails. This is being compiled on Solaris. Interestingly enough,
> we do not have the same issue with AIX.
> 
> Here is the output of the error_log with the failure:
> 
> [Tue May 20 15:08:11 2008] [info] mod_unique_id: using ip addr XXX.XXX.XXX.XXX
> [Tue May 20 15:08:11 2008] [notice] httplog/2.1.2 XX configured -- resuming normal operations
> [Tue May 20 15:08:12 2008] [info] ################################
> [Tue May 20 15:08:12 2008] [info] Initializing the hardware engine
> [Tue May 20 15:08:12 2008] [info] ################################
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(311): Initializing the engine (I've done this 1 times)
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(314): Getting engine by id.
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(323): Getting control context - setting forkcheck.
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(328): Setting default with ENGINE_set_default...
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(336): I should not have gotten here.... help?
> [Tue May 20 15:08:12 2008] [info] Hardware engine initialization complete
> [Tue May 20 15:08:12 2008] [info] Init: Initializing OpenSSL library
> [Tue May 20 15:08:12 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
> [Tue May 20 15:08:12 2008] [info] Loading certificate & private key of SSL-aware server
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
> [Tue May 20 15:08:12 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [Tue May 20 15:08:12 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
> [Tue May 20 15:08:12 2008] [debug] ssl_scache_dbm.c(406): Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
> [Tue May 20 15:08:12 2008] [info] Init: Initializing (virtual) servers for SSL
> [Tue May 20 15:08:12 2008] [info] Configuring server for SSL protocol
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(397): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(580): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(664): Configuring server certificate chain (4 CA certificates)
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(708): Configuring RSA server certificate
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(747): Configuring RSA server private key
> [Tue May 20 15:08:12 2008] [debug] ssl_engine_init.c(397): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
> [Tue May 20 15:08:12 2008] [info] mod_ssl/2.0.63 compiled against Server: Apache/2.0.63, Library: OpenSSL/0.9.8g
> [Tue May 20 15:08:12 2008] [notice] httplog: SIGTERM received. Flushing buffers and exiting
> [Tue May 20 15:08:12 2008] [notice] httplog/2.1.2 XX configured -- resuming normal operations
> [Tue May 20 15:08:12 2008] [info] mod_unique_id: using ip addr 10.157.246.214
> [Tue May 20 15:08:13 2008] [info] ################################
> [Tue May 20 15:08:13 2008] [info] Initializing the hardware engine
> [Tue May 20 15:08:13 2008] [info] ################################
> [Tue May 20 15:08:13 2008] [debug] ssl_engine_init.c(311): Initializing the engine (I've done this 1 times)
> [Tue May 20 15:08:13 2008] [debug] ssl_engine_init.c(314): Getting engine by id.
> [Tue May 20 15:08:13 2008] [debug] ssl_engine_init.c(323): Getting control context - setting forkcheck.
> [Tue May 20 15:08:13 2008] [debug] ssl_engine_init.c(328): Setting default with ENGINE_set_default...
> [Tue May 20 15:08:13 2008] [error] Init: Failed to enable Crypto Device API `chil'
> [Tue May 20 15:08:13 2008] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded
> [Tue May 20 15:08:13 2008] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
> 
> The issue seems to be that OpenSSL hooks into the HWCRHK_INIT twice.
> Mod_ssl initializes a hardware engine through the ssl_init_Engine
> function. This is found only in ssl_init_Module of
> modules/ssl/ssl_engine_init.c in the apache source tree.
> The ssl_init_Engine function IS being called twice, therefore the
> ssl_init_Module is being called twice.
> mod_ssl.c registers hooks for ssl_init_Module as a post-config
> action... it seems those hooks are being processed twice causing the
> dual-kickoff of the ssl_init_Module function. This is nothing new...
> it performed this way all the way back in 2.0.55.
> 
> We have gotten this same error with different versions of 2.0.x with
> 0.9.8g, so it seems there is something in the build scripts that may
> be causing this.
> 
> One other note: we are including a third-party .so specific to the
> hardware key device we utilize, and that is where the HWCRHK_INIT method comes from.
> 
> Any ideas? Pointers?
> 
> 
> --------------
> 
> I use my cat's name for a password: he is called zo4W*!@n32G+ and I change his name every 60 days
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
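
The quoted error_log can be checked mechanically; the following is an added example, not part of the original thread or of the Apache/OpenSSL code. It counts hardware-engine init passes and decodes each `SSL Library Error` value, assuming the pre-3.0 OpenSSL packing (8-bit library, 12-bit function, 12-bit reason); `SAMPLE_LOG` is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: engine init markers and the two error lines from the quoted log.
SAMPLE_LOG = """\
[Tue May 20 15:08:12 2008] [info] Initializing the hardware engine
[Tue May 20 15:08:12 2008] [info] Hardware engine initialization complete
[Tue May 20 15:08:13 2008] [info] Initializing the hardware engine
[Tue May 20 15:08:13 2008] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded
[Tue May 20 15:08:13 2008] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
"""

ERR_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) error:(?P<hex>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")
ENGINE_START = "Initializing the hardware engine"
ENGINE_DONE = "Hardware engine initialization complete"

def unpack(code):
    """Split a pre-3.0 OpenSSL error code into (lib, func, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def analyze(log_text):
    """Return (init_passes, completed_passes, decoded_errors) for an error_log."""
    starts = done = 0
    errors = []
    for line in log_text.splitlines():
        if ENGINE_START in line:
            starts += 1
        elif ENGINE_DONE in line:
            done += 1
        m = ERR_RE.search(line)
        if m:
            code = int(m.group("hex"), 16)
            lib, func, reason = unpack(code)
            errors.append({
                "pass": starts,  # init pass during which the error was logged
                # the decimal and hex fields should encode the same value
                "consistent": code == int(m.group("dec")),
                "lib": lib, "func": func, "reason": reason,
                "text": (m.group("lib"), m.group("func"), m.group("reason")),
            })
    return starts, done, errors

if __name__ == "__main__":
    starts, done, errors = analyze(SAMPLE_LOG)
    print(f"engine init passes: {starts}, completed: {done}")
    for e in errors:
        print(e)
```

On the sample, both errors are attributed to the second init pass, and the CHIL error carries library number 129, which lies in the range OpenSSL hands out at runtime to dynamically registered error libraries (128 and up).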



