Maybe sk_X509_NAME_pop_free(ca_list, X509_NAME_free) should be called too before returning NULL in ssl_init_FindCAList() (so as to avoid a leak in case of failure).

Regards;
Yann.

On Fri, Nov 22, 2013 at 4:20 PM, Jeff Trawick <traw...@gmail.com> wrote:

> On Wed, Nov 20, 2013 at 5:19 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
>
>> On 18.11.2013 14:59, Jeff Trawick wrote:
>> > Has anyone looked at making ssl_die() clean up pools on the way out
>> > (presumably by calling some function besides exit())? It is rather easy to
>> > end up with a bunch of stranded IPC objects while debugging your SSL config.
>>
>> Oh yes, a major annoyance I'm also occasionally running into.
>>
>> > * XXX: The config hooks should return errors instead of calling exit().
>>
>> Gave it a try, see attachment. Not yet extensively tested (*), so
>> perhaps incomplete. But httpd now properly cleans up for me, e.g. when a
>> SIGHUPing fails, as shown in this log extract:
>>
>> > [Wed Nov 20 11:02:14.304528 2013] [mpm_worker:notice] [pid 23918:tid 3214934016] AH00298: SIGHUP received. Attempting to restart
>> > [Wed Nov 20 11:02:14.544660 2013] [ssl:info] [pid 23918:tid 3214934016] AH02200: Loading certificate & private key of SSL-aware server 'server:443'
>> > [Wed Nov 20 11:02:14.545137 2013] [ssl:emerg] [pid 23918:tid 3214934016] AH02241: Init: Unable to read server certificate from file /tmp/snakeoil.pem
>> > [Wed Nov 20 11:02:14.545240 2013] [ssl:emerg] [pid 23918:tid 3214934016] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
>> > [Wed Nov 20 11:02:14.545278 2013] [ssl:emerg] [pid 23918:tid 3214934016] AH02312: Fatal error initialising mod_ssl, exiting.
>> > [Wed Nov 20 11:02:14.545310 2013] [:emerg] [pid 23918:tid 3214934016] AH00020: Configuration Failed, exiting
>>
>> ("Configuration Failed, exiting" is the key here - this comes from
>> main.c and will call destroy_and_exit_process() to clean up.)
>>
>> Kaspar
>>
>> (*) The changes related to ssl_read_pkcs7 in particular are fairly
>> superficial, but I think we should drop that PKCS#7 stuff from mod_ssl
>> anyway.
>>
>
> This is what I found:
>
> The two calls to ssl_init_ctx() (engine_init) need to be checked for rv !=
> APR_SUCCESS.
>
> The various calls to ssl_server_import_cert() in ssl_init_server_certs()
> need different rc checking than before. (Now ssl_server_import_cert() can
> return a fatal error instead of just a boolean.)
>
> (same for ssl_server_import_key())
>
> The call to ssl_init_server_check() (engine_init) needs to be checked for
> rv != APR_SUCCESS.
>
> call to ssl_init_ctx_protocol() also needs a check
> same for ssl_init_ticket_key()
>
> It looks like some errors in the proxy config that previously were ignored
> now cause startup failures... (shrug)
>
> Not bad for boiling the ocean :)
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
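
The pattern discussed in this thread (init steps return a status, the config hook checks each one, and the normal exit path then runs the pool cleanups), as an added example that is not part of the thread or of mod_ssl. `struct pool`, `acquire`, `init_step` and the two hook functions are hypothetical stand-ins, not APR or mod_ssl functions.

```c
#include <stdlib.h>

/* Hypothetical model: none of these names are APR or mod_ssl functions. */
typedef void (*cleanup_fn)(void *);
struct pool { cleanup_fn fn[8]; void *data[8]; int n; };
static int live_objects;             /* resources held, e.g. IPC objects */

static void release(void *d) { free(d); live_objects--; }

/* Allocate a resource and register its cleanup with the pool. */
static int acquire(struct pool *p) {
    void *d = malloc(32);
    if (d == NULL || p->n == 8) { free(d); return -1; }
    live_objects++;
    p->fn[p->n] = release; p->data[p->n] = d; p->n++;
    return 0;
}

static void pool_destroy(struct pool *p) {
    while (p->n > 0) { p->n--; p->fn[p->n](p->data[p->n]); }
}

/* An init step reports a fatal error to its caller instead of exiting. */
static int init_step(struct pool *p, int fatal) {
    if (acquire(p) != 0) return -1;
    return fatal ? -1 : 0;
}

/* Config hook with every status checked and propagated. */
static int hook_checked(struct pool *p, int bad_cert) {
    int rv;
    if ((rv = init_step(p, 0)) != 0) return rv;
    if ((rv = init_step(p, bad_cert)) != 0) return rv;
    return init_step(p, 0);
}

/* Same hook with the middle status dropped: the failure is lost. */
static int hook_unchecked(struct pool *p, int bad_cert) {
    if (init_step(p, 0) != 0) return -1;
    init_step(p, bad_cert);          /* return value ignored */
    return init_step(p, 0);
}

/* Returns objects left after a failed start, or held by a started server. */
int run_startup(int checked, int bad_cert, int *status) {
    struct pool p = { .n = 0 };
    live_objects = 0;
    *status = checked ? hook_checked(&p, bad_cert) : hook_unchecked(&p, bad_cert);
    int held = live_objects;         /* held while the server would run */
    pool_destroy(&p);                /* orderly teardown in both cases */
    return *status != 0 ? live_objects : held;
}
```

With the status checked, a bad certificate stops startup and nothing stays allocated; with the status dropped, the hook reports success and startup continues past the failed step.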