Hi Joe,

good news: after we applied the line "#undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in config.c and recompiled, we don't see any segfaults. I'm afraid it's not possible for me to send you all of the x509 information. But I can tell you that we have 2 EV-SSLs and two "normal" SSL certificates. Do you need some more information, or maybe some information that won't show any company information of the SSL certificate?

Kind Regards

fatcharly

-------- Original Message --------
> Date: Thu, 2 Feb 2012 14:07:12 +0000
> From: Joe Gooch <[email protected]>
> To: "'[email protected]'" <[email protected]>
> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder

> Also, perhaps running it with -v, or setting LogFacility -, (or both) will
> yield a bigger picture... That'll output all the logs on the console. (so
> you'll see debug and info and everything else on the same screen) In your
> msg below I'm not seeing the LOG_DEBUG messages from SNI... So maybe syslog
> is filtering those out, or saving them elsewhere...
>
> Joe
>
> > -----Original Message-----
> > From: Joe Gooch
> > Sent: Thursday, February 02, 2012 9:00 AM
> > To: '[email protected]'
> > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> >
> > It still won't segfault for me. :-/
> >
> > "ip" in this context means instruction pointer, not internet protocol.
> > http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
> >
> > addr2line -e pound 08051f5c
> > /root/download/Pound-2.6f/config.c:808
> >
> > Which, is square in the middle of the SNI checking.
> >
> > At the top of your config.c (say around line 74) can you do
> > #undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> >
> > And recompile? That should disable SNI. (Which IIRC you weren't using
> > anyway)
> >
> > And then let me know if you still see segfaults.
> >
> > Further, could you provide the subject of all the certificates you're
> > using? I.e. the output of:
> > openssl x509 -noout -in yourpemfile.pem -subject
> >
> > Joe
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]]
> > > Sent: Thursday, February 02, 2012 7:56 AM
> > > To: [email protected]
> > > Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and
> > > SSLHonorCipherOrder
> > >
> > > Hi Joe,
> > >
> > > yes we did fix the patchfile. I did some further investigation on this
> > > and there is some news I have to share. First some answers for your
> > > questions:
> > >
> > > > 1) Does this happen on every request for you? Or is it sporadic?
> > > no, it's much more than just sporadic, some requests get answered and
> > > some not.
> > >
> > > > 2) 32 or 64 bit? I can whip up a i386 chroot if need be
> > > it's plain 32 bit
> > >
> > > > 3) Looking at the packages below do you see any blatant differences
> > > > between my setup and yours
> > > no, but I will put my list in a special mail to send it directly with
> > > the tar-archive of our pound-directory to you
> > >
> > > > 4) Anything else you can think of to help me track this down for
> > > > you?
> > > Yes, I could zero in on the problem a bit. First a bit about our setup:
> > > The pound is in dmz-A, the webserver is in dmz-B, and the requesting
> > > client comes a) from the internet or b) from the internal network.
> > > When we start the pound everything works fine, as long as the requests
> > > are coming from the internal network and the request is sent to an IP
> > > of the dmz-A network. So everything worked with this setup for the
> > > internal network. But when there are requests from the internet, we
> > > get segfaults. The request is received from the firewall which does a
> > > NAT to pass the external IP of the website to the internal IP of the
> > > dmz-A network. And some requests are working (as I can see in the
> > > logfile of pound) and some cause segfaults. We can only test this by
> > > switching the productive path between the pound and our
> > > loadbalancer-appliance (as this one works, we are sure the NAT is not
> > > a problem). So maybe there is a problem with some IPs which cause the
> > > segfault. The segfaults appear even when there is no
> > > SSLHonorCipherOrder enabled.
> > >
> > > I'm not deep into this segfault thing, but the word "ip" is mentioned
> > > there:
> > > Feb 2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]
> > >
> > > Is there anything else I can do to support you?
> > >
> > > Kind Regards
> > >
> > > fatcharly
> > >
> > > > -------- Original Message --------
> > > > Date: Wed, 1 Feb 2012 21:18:04 +0000
> > > > From: Joe Gooch <[email protected]>
> > > > To: "'[email protected]'" <[email protected]>
> > > > Subject: RE: RE: [Pound Mailing List] Pound 2.6f and
> > > > SSLHonorCipherOrder
> > >
> > > --
> > > To unsubscribe send an email with subject unsubscribe to
> > > [email protected].
> > > Please contact [email protected] for questions.
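
Added example, not part of the original thread and not Pound's code: a small Python helper that decodes the kernel segfault line quoted above (x86 page-fault error bits, faulting address) and rebuilds the addr2line call used in the thread. The function names are hypothetical, and the `pie=True` branch assumes the mapping starts at file offset 0.

```python
import re

# Log line taken from the thread above.
SAMPLE = ("Feb 2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 ip "
          "08051f5c sp b7610ce0 error 4 in pound[8048000+18000]")

# The " in obj[base+size]" part is absent when ip is not inside a mapped object.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

def parse_segfault(line):
    """Return the fields of a kernel segfault line, or None if it does not match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    f = {"comm": m.group("comm"), "obj": m.group("obj"), "pid": int(m.group("pid"))}
    for k in ("addr", "ip", "sp", "err", "base", "size"):
        f[k] = int(m.group(k), 16) if m.group(k) is not None else None  # all hex
    return f

def decode_error(err):
    """Decode the x86 page-fault error code printed after 'error'."""
    return {
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "instruction_fetch": bool(err & 16),
    }

def module_offset(f):
    """Offset of ip inside the mapped object, or None if ip is outside it."""
    if f["base"] is None or not f["base"] <= f["ip"] < f["base"] + f["size"]:
        return None
    return f["ip"] - f["base"]

def addr2line_args(f, binary, pie=False):
    """Fixed-address executables take the absolute ip (as in the thread);
    for PIE or shared objects pass the offset (assumes mapping at file offset 0)."""
    addr = format(module_offset(f), "x") if pie else format(f["ip"], "08x")
    return ["addr2line", "-e", binary, addr]

if __name__ == "__main__":
    f = parse_segfault(SAMPLE)
    print(decode_error(f["err"]), "fault address:", hex(f["addr"]))
    print(" ".join(addr2line_args(f, "pound")))
```

For the line in the thread this reports a user-mode read of a not-present page at address 4, which is consistent with a structure field being read through a NULL pointer at the location addr2line resolves.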
