Hello! I have used Squid (www.squid-cache.org) for many years in accelerator mode, but in recent weeks it has started crashing (every day - sigcrash 6, restart) after SSL error 1408F10B. I have tried different versions of Squid, OpenSSL and Linux distributions (Squid 3.3.8, 3.1.23; OpenSSL 1.0.1e, 1.0.1c; openSUSE 12.3 (i586) ...) and the crash is still present (before, there were no problems with SSL error 1408F10B):

openSUSE 12.3 (i586), original OpenSSL 1.0.1e with debug information:

squid[21936]: Squid Parent: child process 21938 exited due to signal 6 with status 0
clientNegotiateSSL: Error negotiating SSL connection on FD 352: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (1/-1)
FATAL: Received Segment Violation...dying.
...
Core was generated by `(squid)'.
Program terminated with signal 6, Aborted.
#0 0xb725f245 in raise () from /lib/libc.so.6
(gdb) where
#0 0xb725f245 in raise () from /lib/libc.so.6
#1 0xb7260ac3 in abort () from /lib/libc.so.6
#2 0x081881fe in death (sig=11) at tools.cc:398
#3 <signal handler called>
#4 0xb75ef305 in EVP_DigestFinal_ex (ctx=0xbfb47674, md=0xbfb475f4 "", size=0xbfb4768c) at digest.c:271
#5 0xb771f662 in tls1_final_finish_mac (s=0x366e8d20, str=0xb77434e9 "client finished", slen=15, out=0x3f962510 "") at t1_enc.c:926
#6 0xb7713d6a in ssl3_do_change_cipher_spec (s=0x366e8d20) at s3_pkt.c:1462
#7 0xb771390d in ssl3_read_bytes (s=0x366e8d20, type=22, buf=0x3f2d8150 "\020", len=4, peek=0) at s3_pkt.c:1306
#8 0xb7714b44 in ssl3_get_message (s=0x366e8d20, st1=8608, stn=8609, mt=-1, max=516, ok=0xbfb47874) at s3_both.c:451
#9 0xb7704ef6 in ssl3_get_cert_verify (s=0x366e8d20) at s3_srvr.c:2924
#10 0xb7700abc in ssl3_accept (s=0x366e8d20) at s3_srvr.c:677
#11 0xb7712e58 in ssl3_read_bytes (s=0x366e8d20, type=23, buf=0xbfb47a91 "\305\070\240\301\324v\222", len=65535, peek=0) at s3_pkt.c:985
#12 0xb770f8d9 in ssl3_read_internal (s=0x366e8d20, buf=0xbfb47a91, len=65535, peek=0) at s3_lib.c:4207
#13 0xb770f984 in ssl3_read (s=0x366e8d20, buf=0xbfb47a91, len=65535) at s3_lib.c:4227
#14 0xb772e83f in SSL_read (s=0x366e8d20, buf=0xbfb47a91, num=65535) at ssl_lib.c:970
#15 0x08168ee1 in ssl_read_method (fd=181, buf=0xbfb47a91 "\305\070\240\301\324v\222", len=65535) at ssl_support.cc:1021
#16 0x0819a7ee in comm_empty_os_read_buffers (fd=fd@entry=181) at comm.cc:382
#17 0x081a3ab0 in _comm_close (fd=181, file=0x8203705 "client_side.cc", line=3263) at comm.cc:1639
#18 0x080da921 in clientNegotiateSSL (fd=181, data=0x381e14d8) at client_side.cc:3263
#19 0x080f2f4d in comm_select (msec=<optimized out>) at comm_epoll.cc:307
#20 0x081a424b in CommSelectEngine::checkEvents (this=0xbfb57d30, timeout=600) at comm.cc:2692
#21 0x080ff985 in EventLoop::checkEngine (this=0xbfb57d50, engine=0xbfb57d30, primary=true) at EventLoop.cc:50
#22 0x080ffc00 in EventLoop::runOnce (this=this@entry=0xbfb57d50) at EventLoop.cc:124
#23 0x080ffce0 in EventLoop::run (this=0xbfb57d50) at EventLoop.cc:94
#24 0x0814ddb4 in SquidMain (argc=argc@entry=1, argv=argv@entry=0xbfb57f24) at main.cc:1418
#25 0x080b7e6d in SquidMainSafe (argv=0xbfb57f24, argc=1) at main.cc:1176
#26 main (argc=1, argv=0xbfb57f24) at main.cc:1168

This looks like an OpenSSL bug: it reads something which is not normal SSL data and segfaults while trying to process it. OpenSSL returns error 1408F10B and Squid tries to empty the socket buffer before closing it by calling SSL_read(), and then the OpenSSL library crashes.

From squid:comm.cc for comm_empty_os_read_buffers():

/**
 * Empty the read buffers
 *
 * This is a magical routine that empties the read buffers.
 * Under some platforms (Linux) if a buffer has data in it before
 * you call close(), the socket will hang and take quite a while
 * to timeout.
 */

I have discussed this situation with some Squid developers and we decided that, after SSL error 1408F10B, Squid should call the standard/raw read() instead of SSL_read() to empty the socket buffer, and this patch stopped Squid from crashing. But the question remains: why did it crash, and what happened in the OpenSSL library? Maybe you can help me understand more; I would be very grateful. Thanks!

____________________
Best regards,
Dmytro
