On Fri, Feb 10, 2017 at 10:54:46AM +0100, Emmanuel Hocdet wrote:
> On Wed, Feb 08, Jarno Huuskonen wrote:
> > I still get a crash with openssl that comes with centos7. haproxy -vv
> > reports version as:
> > Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> > Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> > 
> > Is commit 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a boringssl specific ?
> > 
> 
> No, it's a cleanup for current openssl versions: using the API instead of
> changing internal states.
> I doubt that the problem is directly related to this commit.

Well, openssl is so crappy sometimes that anything is possible. Jarno,
do you confirm that if you simply revert this patch the issue is gone
for you ? If so, could you try applying the following patch and see if it
fixes the issue ?

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 232a497..27b1b74 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4184,6 +4184,7 @@ static void ssl_sock_shutw(struct connection *conn, int cl
                ssl_sock_dump_errors(conn);
                ERR_clear_error();
        }
+       SSL_set_shutdown(conn->xprt_ctx, SSL_get_shutdown(conn->xprt_ctx) | 
SSL_SENT_SHUTDOWN);
 }
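
Review bot: the added SSL_set_shutdown() call sits after the closing brace of the block that runs ssl_sock_dump_errors() and ERR_clear_error(), so SSL_SENT_SHUTDOWN is forced on every path through ssl_sock_shutw(), including the one where errors were just dumped and nothing visible confirms that a close_notify actually went out. Add a comment above the line saying why the flag has to be set unconditionally and which OpenSSL builds need it (the report concerns 1.0.1e-fips), or move the call so it only runs on the path that requires it. The added line is also wrapped after the "|" in this mail and will need rejoining before the patch applies.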

Willy
