I have set up an Apache 2.0 reverse proxy that forwards incoming requests over SSL to a back-end web server (also an Apache 2.0). The back-end requires SSL client certificate authentication.
When firing a request, the reverse proxy child process segfaults. The segfault occurs in the ssl_callback_proxy_cert() function (ssl_engine_kernel.c) when calling the modssl_set_cert_info() macro. This macro is defined as follows:
#define modssl_set_cert_info(info, cert, pkey) \
*cert = info->x509; \
X509_reference_inc(*cert); \
*pkey = info->x_pkey->dec_pkey; \
EVP_PKEY_reference_inc(*pkey)

When tracing through the code with gdb, the following values are present in the local variables:
(gdb) p info
$4 = (struct X509_info_st *) 0x8236688
(gdb) p cert
No symbol "cert" in current context.
(gdb) p pkey
$5 = (struct evp_pkey_st **) 0xbffff26c
(gdb) p *info
$6 = {x509 = 0x8236bf0, crl = 0x0, x_pkey = 0x0, enc_cipher = {cipher = 0x0,
iv = "�\024/KJh\207�"}, enc_len = 0, enc_data = 0x0, references = 1}
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x08095b9d in ssl_callback_proxy_cert (ssl=0x0, x509=0xbffff268,
pkey=0xbffff26c) at ssl_engine_kernel.c:1592
1592 modssl_set_cert_info(info, x509, pkey);

AFAICT, the problem is that the x_pkey field in the info structure is NULL (the third line in the macro tries to access a field in this x_pkey structure).
Has anybody else encountered a similar problem? Any suggestions on how this can be solved?
Relevant part of reverse proxy configuration:
ProxyPass /proxyssl https://backend:444
ProxyPassReverse /proxyssl https://backend:444
SSLProxyEngine on
SSLProxyMachineCertificateFile conf/ssl/backend-client.crt
Relevant part of back-end SSL server configuration:
Listen 444
<VirtualHost _default_:444>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCACertificateFile conf/ssl/ca-bundle.crt
SSLVerifyClient require
</VirtualHost>

Relevant part of Apache error_log:
[Thu Oct 16 07:18:41 2003] [debug] ssl_engine_kernel.c(1788): OpenSSL: Loop: SSLv3 read server certificate request A
[Thu Oct 16 07:18:41 2003] [debug] ssl_engine_kernel.c(1788): OpenSSL: Loop: SSLv3 read server done A
[Thu Oct 16 07:21:13 2003] [debug] ssl_engine_kernel.c(1554): Proxy client certificate callback: (host:80) entered
[Thu Oct 16 07:21:55 2003] [debug] ssl_engine_kernel.c(1527): Proxy client certificate callback: (host:80) found acceptable cert, sending /C=BE/ST=...
[Thu Oct 16 07:31:44 2003] [notice] child pid 2983 exit signal Segmentation fault (11)
-- ir. Kris Verbeeck Software Engineer
Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium T: +32 16 28 70 64 F: +32 16 28 70 77
Ubizen - We Secure e-business - www.ubizen.com
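
The NULL dereference described in the post, rewritten as a checked function. This is an added example, not code from the post or from the Apache source: the demo_* types and names are stand-ins (assumptions) that mirror only the fields visible in the gdb dump, not OpenSSL's real structures.

```c
#include <stddef.h>

/* Stand-in types (assumptions): only the fields seen in the gdb dump,
 * not OpenSSL's real X509_INFO / X509_PKEY / EVP_PKEY definitions. */
typedef struct { int references; } demo_x509;
typedef struct { int references; } demo_evp_pkey;
typedef struct { demo_evp_pkey *dec_pkey; } demo_x509_pkey;
typedef struct {
    demo_x509      *x509;
    demo_x509_pkey *x_pkey;   /* 0x0 in the dump from the post */
} demo_x509_info;

enum demo_status { DEMO_OK = 0, DEMO_NO_CERT = -1, DEMO_NO_KEY = -2 };

/* Same job as modssl_set_cert_info(), but every pointer is validated before
 * anything is dereferenced or any reference count is touched. */
enum demo_status demo_set_cert_info(const demo_x509_info *info,
                                    demo_x509 **cert, demo_evp_pkey **pkey)
{
    if (cert == NULL || pkey == NULL)
        return DEMO_NO_CERT;
    *cert = NULL;
    *pkey = NULL;
    if (info == NULL || info->x509 == NULL)
        return DEMO_NO_CERT;
    if (info->x_pkey == NULL || info->x_pkey->dec_pkey == NULL)
        return DEMO_NO_KEY;   /* the state that crashed the proxy child */

    *cert = info->x509;
    (*cert)->references++;    /* stands in for X509_reference_inc() */
    *pkey = info->x_pkey->dec_pkey;
    (*pkey)->references++;    /* stands in for EVP_PKEY_reference_inc() */
    return DEMO_OK;
}

/* Constructed sample shaped like the gdb dump: certificate set, no key.
 * Returns 1 when the call fails cleanly with no partial result. */
int demo_dump_case(void)
{
    demo_x509 c = { 1 };
    demo_x509_info info = { &c, NULL };
    demo_x509 *cert;
    demo_evp_pkey *pkey;
    enum demo_status st = demo_set_cert_info(&info, &cert, &pkey);
    return st == DEMO_NO_KEY && cert == NULL && pkey == NULL
           && c.references == 1;
}
```

With a check of this kind the callback can decline to send a client certificate and log the reason instead of taking down the child process. The mod_ssl documentation describes SSLProxyMachineCertificateFile as an all-in-one PEM file holding certificates and keys, so an entry loaded without a key is the case to test for.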
