Hi,

> On 10 Feb 2017, at 10:07, Jarno Huuskonen <[email protected]> wrote:
> 
> Hi,
> 
> On Wed, Feb 08, Jarno Huuskonen wrote:
>> On Tue, Feb 07, Emmanuel Hocdet wrote:
>>> I'm not able to reproduce this crash with current 1.8dev and openssl 1.0.2j.
>> 
>> OK, thanks for checking. I'll try to compile openssl-1.0.2/openssl-1.1.0 and
>> test with those to see if it's specific to openssl that comes w/centos7.
> 
> I just tested with 1.0.1u / 1.1.0c (compiled from source) -> no crash. 
> 
>> Do you have access to a centos7 vm (are you able to reproduce with
>> openssl that comes w/centos7) ?
> 
> I still get a crash with openssl that comes with centos7. haproxy -vv
> reports version as:
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> 
> Is commit 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a boringssl specific ?
> 

No, it’s a cleanup for current openssl versions: using the API instead of changing
internal states.
I doubt that the problem is directly related to this commit.

Manu

> -Jarno
> 
>>> Manu
>>> 
>>>> On 5 Feb 2017, at 20:04, Jarno Huuskonen <[email protected]> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> Commit 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a
>>>> (BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL) is causing
>>>> trouble (with centos7 + openssl-1.0.1e-60.el7.x86_64).
>>>> 
>>>> If I have a backend server with ssl and httpchk enabled I get a crash:
>>>> (gdb) bt
>>>> #0  0x00007ffff7218419 in sk_free () from /lib64/libcrypto.so.10
>>>> #1  0x00007ffff719f199 in int_free_ex_data () from /lib64/libcrypto.so.10
>>>> #2  0x00007ffff75641fd in SSL_free () from /lib64/libssl.so.10
>>>> #3  0x000000000040e332 in ssl_sock_close (conn=0x723ac0) at src/ssl_sock.c:4012
>>>> #4  0x000000000045d1b6 in conn_force_close (conn=0x723ac0)
>>>>   at include/proto/connection.h:151
>>>> #5  wake_srv_chk (conn=0x723ac0) at src/checks.c:1406
>>>> #6  0x000000000049b6e6 in conn_fd_handler (fd=<optimized out>)
>>>>   at src/connection.c:141
>>>> #7  0x00000000004a7304 in fd_process_cached_events () at src/fd.c:223
>>>> #8  0x0000000000409d7d in run_poll_loop () at src/haproxy.c:1598
>>>> #9  main (argc=4, argv=0x7fffffffdc78) at src/haproxy.c:1957
>>>> 
>>>> This is fairly minimal config that fails for me:
>>>> global
>>>>    log /dev/log local2 info
>>>>    stats socket /tmp/stats level admin
>>>> 
>>>> defaults
>>>>    mode http
>>>> 
>>>> frontend test4
>>>>    bind [email protected]:8083
>>>>    default_backend test_be2
>>>> 
>>>> backend test_be2
>>>>    option httpchk GET /crashme\ HTTP/1.1\r\nHost:\ some.example.org\r\nConnection:\ close
>>>>    server srv1 some.ip.with.ssl:443 id 1 check ssl verify none
> 
> -- 
> Jarno Huuskonen
> 

