This message bounced back to me with some error about invalid characters
in the subject line, so I chopped out the +OptRenegotiate part...
hopefully this will work now.  :)

---------- Forwarded message ----------
Date: Mon, 27 Oct 2003 13:41:41 -0500 (EST)
From: Cliff Woolley <[EMAIL PROTECTED]>
To: Matt Stevenson <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: SIGBUS after upgrading to mod_ssl-2.8.15-1.3.28 and using
    +OptRenegotiate

On Mon, 27 Oct 2003, Matt Stevenson wrote:

> Is the cert being freed already by the
> sk_X509_pop_free on line 999 (after being placed on the
> stack in previous code)?
>
> 997            if (SSL_get_peer_cert_chain(ssl) != certstack) {
> 998                /* created by us, so free it */
> 999                sk_X509_pop_free(certstack, X509_free);
> 1000            }
> 1001            X509_free(cert);
>         }

I'd have to look more carefully at your version of mod_ssl, but the
mod_ssl for Apache 2.x doesn't have that extra X509_free() call at line
1001, so I would guess that removing it might indeed be a correct change.

You can see where the corresponding lines were added to mod_ssl for Apache
2.x here:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c.diff?r1=1.72&r2=1.73

The log message that went along with that commit was:

   'SSLOptions +OptRenegotiate' will use client cert in from the ssl
   session cache when there is no cert chain in the cache.  prior to
   the fix this situation would result in a FORBIDDEN response and
   error message "Cannot find peer certificate chain"

Hope this helps,
Cliff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
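
Added illustration, not part of the original thread and not mod_ssl code: a self-contained C model of the ownership question discussed above. It assumes the certificate is pushed onto a locally built stack while holding a single reference that the push does not increment; toy_cert, toy_stack and cleanup are hypothetical names, and only reference counts are modelled, with no OpenSSL calls.

```c
#include <stdio.h>

/* Toy stand-ins for X509 and STACK_OF(X509): only ownership is modelled. */
typedef struct { int refs; int over_release; } toy_cert;
typedef struct { toy_cert *item[4]; int n; } toy_stack;

/* Models X509_free(): drops one reference. A call at refs == 0 would be
 * a double free of real heap memory, so here it is only counted. */
static void toy_cert_free(toy_cert *c)
{
    if (c->refs == 0) { c->over_release++; return; }
    c->refs--;
}

/* Models sk_X509_push(): stores the pointer, takes no new reference. */
static void toy_push(toy_stack *s, toy_cert *c) { s->item[s->n++] = c; }

/* Models sk_X509_pop_free(): calls the free function on every element. */
static void toy_pop_free(toy_stack *s, void (*fn)(toy_cert *))
{
    while (s->n > 0) fn(s->item[--s->n]);
}

/* Cleanup as in the quoted lines 997-1001, for the case where the session
 * holds no chain and the stack was built locally (assumption).
 * Returns the number of over-releases; *refs_left reports leaked refs. */
static int cleanup(int extra_free, int *refs_left)
{
    toy_cert cert = { 1, 0 };          /* one reference held by the caller */
    toy_stack own = { { 0 }, 0 };
    toy_stack *session_chain = NULL;   /* nothing cached in the session */
    toy_stack *certstack = &own;

    toy_push(certstack, &cert);
    if (session_chain != certstack)    /* created by us, so free it */
        toy_pop_free(certstack, toy_cert_free);
    if (extra_free)                    /* the call at line 1001 */
        toy_cert_free(&cert);
    *refs_left = cert.refs;
    return cert.over_release;
}

int main(void)
{
    int left;
    printf("with line 1001:    over-release=%d\n", cleanup(1, &left));
    printf("without line 1001: over-release=%d\n", cleanup(0, &left));
    return 0;
}
```

Under that assumption the single reference is consumed by the pop-free, so the later free has nothing left to release, and dropping it leaves no leaked reference.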