Remember the CHIL engine cleanup was fixed to prevent a dangling cleanup function pointer... I forget which OpenSSL version got that fix but in any case RH only recently backported it.
I'm sure I didn't test with any proxy config at the time.

S.

--
Sander Temme
[email protected]

Sent from my phone

On Feb 3, 2012, at 1:27 PM, Dr Stephen Henson <[email protected]> wrote:

> On 03/02/2012 17:45, Daniel Ruggeri wrote:
>> On 2/2/2012 1:02 PM, Daniel Ruggeri wrote:
>>> Since this happens with every attempt to start, I suspect it has nothing
>>> to do with the new directive and more to do with something I did on the
>>> openssl build.
>>
>> I was, indeed, doing something stupid. A build with openssl 1.0.0g
>> replicates the behavior of 0.9.8g in that it fails when
>> SSLProxyMachineCertificateChainFile is enabled. The annoying part is
>> that (due to the error I get when running in dbx) I can get no useful
>> information in a debug session from Solaris.
>>
>> ... so I've switched to RHEL and gdb and have interesting information.
>> Under Linux, I get this error on init:
>> [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device
>> API `chil'
>> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852
>> error:81067064:CHIL engine:HWCRHK_INIT:already loaded
>> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981
>> error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
>>
>> This only happens when SSLProxyMachineCertificateChainFile is set....
>> With some quick debugging I see that the hwcrhk_finish DOES NOT get
>> called during ssl_cleanup_pre_config... but DOES get called when the
>> directive has been removed. To me, it looks like httpd has not
>> registered the engine for cleanup, but that certainly shouldn't be
>> impacted by this patch. It seems something in the process of loading the
>> store is complicating things.
>>
>> I'll continue poking around, but pointers are certainly appreciated.
>>
>
> Hmm... the ENGINE code is careful not to shutdown an ENGINE if keys exist
> which make use of it.
>
> So there is a possibility that some chain verification leaves a reference
> to an RSA key which prevents the ENGINE from closing down completely.
>
> In engines/e_chil.c try commenting out the line containing
> ERR_load_HWCRHK_strings().
>
> Only side effect of doing that is you will only get numerical error codes and
> not error strings.
>
> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> [email protected]
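As an added example (not code from the thread, httpd or OpenSSL), a small Python decoder for the `SSL Library Error` lines quoted above: it unpacks the decimal code using OpenSSL 1.0.x's ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason), cross-checks it against the hex form, and flags library ids at or above ERR_LIB_USER (128) as runtime-assigned ENGINE libraries, so it still gives you something to read after the ERR_load_HWCRHK_strings() experiment leaves only `lib(N):func(N):reason(N)` in the log. The sample log is constructed from the lines in the thread, joined onto one line per error as mod_ssl writes them.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# OpenSSL 1.0.x: ERR_PACK(lib, func, reason) = lib<<24 | func<<12 | reason
ERR_LIB_ENGINE = 38   # static id behind the "engine routines" string
ERR_LIB_USER = 128    # first id handed out by ERR_get_next_error_library()

# Constructed from the thread; the last line is what the same CHIL error
# looks like once its error strings are no longer loaded (constructed form).
SAMPLE_LOG = """\
[Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device API `chil'
[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded
[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:lib(129):func(103):reason(100)
"""

LOG_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) error:(?P<hex>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

class SslErr(NamedTuple):
    code: int
    lib: int
    func: int
    reason: int
    lib_name: str
    func_name: str
    reason_text: str
    consistent: bool    # decimal and hex forms of the code agree
    dynamic_lib: bool   # library id was assigned at runtime (an ENGINE)

def unpack(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line: str) -> Optional[SslErr]:
    m = LOG_RE.search(line)
    if not m:
        return None  # not a mod_ssl library-error line
    dec = int(m["dec"])
    lib, func, reason = unpack(dec)
    return SslErr(dec, lib, func, reason, m["lib"], m["func"], m["reason"],
                  consistent=(dec == int(m["hex"], 16)),
                  dynamic_lib=(lib >= ERR_LIB_USER))

def parse_log(text: str) -> List[SslErr]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]
```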
