On 03/02/2012 17:45, Daniel Ruggeri wrote:
> On 2/2/2012 1:02 PM, Daniel Ruggeri wrote:
>> Since this happens with every attempt to start, I suspect it has nothing
>> to do with the new directive and more to do with something I did on the
>> openssl build.
>
> I was, indeed, doing something stupid. A build with openssl 1.0.0g
> replicates the behavior of 0.9.8g in that it fails when
> SSLProxyMachineCertificateChainFile is enabled. The annoying part is
> that (due to the error I get when running in dbx) I can get no useful
> information in a debug session from Solaris.
>
> ... so I've switched to RHEL and gdb and have interesting information.
> Under Linux, I get this error on init:
> [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device
> API `chil'
> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852
> error:81067064:CHIL engine:HWCRHK_INIT:already loaded
> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981
> error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
>
> This only happens when SSLProxyMachineCertificateChainFile is set....
> With some quick debugging I see that the hwcrhk_finish DOES NOT get
> called during ssl_cleanup_pre_config... but DOES get called when the
> directive has been removed. To me, it looks like httpd has not
> registered the engine for cleanup, but that certainly shouldn't be
> impacted by this patch. It seems something in the process of loading the
> store is complicating things.
>
> I'll continue poking around, but pointers are certainly appreciated.
>

Hmm... the ENGINE code is careful not to shut down an ENGINE if keys exist
which make use of it. So there is a possibility that some chain
verification leaves a reference to an RSA key which prevents the ENGINE
from closing down completely.

In engines/e_chil.c try commenting out the line containing
ERR_load_HWCRHK_strings(). Only side effect of doing that is you will only
get numerical error codes and not error strings.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
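
Added example, not part of either message and not OpenSSL or httpd code: a small C parser for the "SSL Library Error" records quoted above. It unpacks each code into the library, function and reason numbers that remain readable once the CHIL string table is no longer loaded. It assumes the OpenSSL 0.9.8/1.0.x packed error layout; the names `ossl_err`, `parse_ssl_log_line` and `format_numeric` are hypothetical, and the sample lines are the quoted log records joined onto one line each.

```c
#include <stdio.h>
#include <string.h>

/* Packed error code layout in OpenSSL 0.9.8/1.0.x, as read by the
 * ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros in <openssl/err.h>. */
struct ossl_err { unsigned long code, lib, func, reason; };

/* Parse a mod_ssl "SSL Library Error: <decimal> error:<hex>:..." record.
 * Returns 0 on success, -1 if no record is present, -2 if the decimal and
 * hex forms disagree (a truncated or mangled log line). */
int parse_ssl_log_line(const char *line, struct ossl_err *e)
{
    static const char tag[] = "SSL Library Error: ";
    const char *p = strstr(line, tag);
    unsigned long dec, hex;

    if (p == NULL || sscanf(p + strlen(tag), "%lu error:%8lx:", &dec, &hex) != 2)
        return -1;
    if (dec != hex)
        return -2;
    e->code = dec;
    e->lib = (dec >> 24) & 0xffUL;     /* library number, 8 bits */
    e->func = (dec >> 12) & 0xfffUL;   /* function number, 12 bits */
    e->reason = dec & 0xfffUL;         /* reason number, 12 bits */
    return 0;
}

/* Render the code in the numeric form ERR_error_string() falls back to when
 * no string table is loaded for the library. */
int format_numeric(const struct ossl_err *e, char *buf, size_t len)
{
    return snprintf(buf, len, "error:%08lX:lib(%lu):func(%lu):reason(%lu)",
                    e->code, e->lib, e->func, e->reason);
}

/* Constructed sample: the two quoted log records, each joined onto one line. */
static const char *SAMPLE[] = {
    "[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded",
    "[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed",
};

int main(void)
{
    char buf[96];
    struct ossl_err e;
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        if (parse_ssl_log_line(SAMPLE[i], &e) == 0 && format_numeric(&e, buf, sizeof buf) > 0)
            puts(buf);
    return 0;
}
```

The first record decodes to library 129, which is above the range of OpenSSL's built-in library numbers: the CHIL engine gets its error library number at run time, so the value can differ between builds and is only meaningful alongside the function and reason numbers from `engines/e_chil_err.h`.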
