On Wed, 2011-11-23 at 16:15 -0500, Kevin Falcone wrote:
> On Wed, Nov 23, 2011 at 02:20:14PM -0600, Karl Boyken wrote:
> > From the LDAP server logs, it looks like a TLS negotiation failure.
> > So, how does upgrading to 4.0.4 break RT::ExternalAuth TLS
> > negotiation? I'm using the same settings for 4.0.4 as I do for
> > 4.0.2. I reverted to 4.0.2, and LDAP works.
>
> There have been some weird interactions with the crypt/ssl libs under
> mod_perl and the gnupg libs. It's possible that there is also
> something going on with Net::LDAP's ssl settings, but that's pure
> speculation. It'd be interesting to know your apache config.

Being the same bug would require that you be running Apache with SSL
support, RT be running under mod_perl, and GPG be enabled. If it _is_
the same bug, the following patch might help, as might switching to
FastCGI or disabling RT's GPG support.
 - Alex

--------------------8<-----------------------
From e96831cf8f457b1601dc778cc336d43105f7a38b Mon Sep 17 00:00:00 2001
From: Alex Vandiver <[email protected]>
Date: Wed, 9 Nov 2011 02:35:34 -0500
Subject: [PATCH] Restore database disconnection state after successful safe_run_child

RT::Util's safe_run_child sets its database handles to not disconnect
themselves if they are destroyed, before calling the provided function
which may fork and exec. It explicitly re-enables those bits prior to
die'ing if the exec fails, to ensure that the database handle is torn
down correctly during the global destruction that would shortly ensue.

However, it fails to re-instate those bits after a _successful_ call.
This leaves the main database handle in a state where it does not tear
down the connection during global destruction.

This is particularly destructive in the case where:
 (a) RT uses PostgreSQL as its backend database
 (b) The database connection to PostgreSQL uses SSL, as is the default
     if the server supports it
 (c) The RT server is embedded into the Apache server using mod_perl
 (c) Apache has also loaded the SSL libraries for HTTPS support

This causes libcrypto.so to be used in two places in the Apache process,
by both Perl's binary PostgreSQL driver as well as core Apache's; they
thus share some internal state. The lack of orderly teardown of the
SSL-enabled database connection causes corruption in the SSL engine's
internal state during the Apache shutdown process, which could lead to
segmentation faults in Apache.

Resolve this by explicitly re-instating the disconnect-on-destroy flags
after a successful safe_run_child.
---
 lib/RT/Util.pm | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm index d2220c8..70d4625 100644 --- a/lib/RT/Util.pm +++ b/lib/RT/Util.pm @@ -93,6 +93,8 @@ sub safe_run_child (&) { #TODO we need to localize this die 'System Error: ' . $err; }; + $dbh->{'InactiveDestroy'} = 0 if $dbh; + $RT::Handle->{'DisconnectHandleOnDestroy'} = 1; return $want? (@res) : $res[0]; } -------------------->8-----------------------
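
Review bot: The two lines added before `return` are guarded inconsistently: `$dbh->{'InactiveDestroy'} = 0 if $dbh;` checks its handle, while `$RT::Handle->{'DisconnectHandleOnDestroy'} = 1;` runs unconditionally. If `$dbh` can be unset at this point, please confirm that `$RT::Handle` cannot be, because assigning through an undefined `$RT::Handle` would autovivify a plain hash reference instead of failing. Both lines also write fixed values (0 and 1) rather than the values the flags held on entry; saving the originals before the child runs and restoring them both here and in the die path the commit message describes would keep the success and failure paths from drifting apart again.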
