[Bug 63256] mod_ssl segmentation fault after 2.4.29
https://bz.apache.org/bugzilla/show_bug.cgi?id=63256

--- Comment #23 from Ruediger Pluem ---
(In reply to mark from comment #22)
> Could this patch have interfered with the SSLProxyMachineCertificateFile
> Directive?
>
> We are seeing errors like this, even though we are certain we have
> configured a client certificate for the proxying.

You mean with 2.4.39 containing the patch? What is your configuration?
--- Comment #22 from m...@blackmans.org ---
Could this patch have interfered with the SSLProxyMachineCertificateFile
Directive?

We are seeing errors like this, even though we are certain we have configured a
client certificate for the proxying.

[Mon May 13 15:58:54.788592 2019] [ssl:debug] [pid 200828:tid 140673599665920] ssl_engine_kernel.c(1943): AH02267: Proxy client certificate callback: (dw25136:11719) entered
[Mon May 13 15:58:54.788606 2019] [ssl:warn] [pid 200828:tid 140673599665920] AH02268: Proxy client certificate callback: (dw25136:11719) downstream server wanted client certificate but none are configured
[Mon May 13 15:58:54.795112 2019] [ssl:info] [pid 200828:tid 140673599665920] [remote 10.223.2.110:443] AH02003: SSL Proxy connect failed
[Mon May 13 15:58:54.795171 2019] [ssl:info] [pid 200828:tid 140673599665920] SSL Library Error: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate (SSL alert number 42)
Yann Ylavic changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #21 from Yann Ylavic ---
Backported to 2.4.39 (r1855918).
--- Comment #20 from martin.l.schett...@leidos.com ---
(In reply to Yann Ylavic from comment #18)
> Created attachment 36488 [details]
> mod_proxy to reset SSL dir config on connection reuse
>
> I think that the issue is the scope of sslconn->dc, when it's based off
> r->per_dir_config it's also destroyed with the request, so we need to reset
> it on connection reuse in mod_proxy.
>
> Does this patch work for you Martin?

Yes, this patch fixes my issue. Thanks!!
--- Comment #19 from Yann Ylavic ---
(In reply to Joe Orton from comment #17)
> r being NULL in the callback looks significant possibly? The app data has
> not been set up properly for the client-side SSL * in the proxy?

Yes r is NULL in the proxy case (which r anyway?), but it should not really
matter for the proxy case in ssl_callback_SSLVerify() because c->base_server ==
r->server (c == mod_proxy backend here). So provided sslconn->dc is right we
should be good no?
--- Comment #18 from Yann Ylavic ---
Created attachment 36488
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36488&action=edit
mod_proxy to reset SSL dir config on connection reuse

I think that the issue is the scope of sslconn->dc, when it's based off
r->per_dir_config it's also destroyed with the request, so we need to reset it
on connection reuse in mod_proxy.

Does this patch work for you Martin?
--- Comment #17 from Joe Orton ---
r being NULL in the callback looks significant possibly? The app data has not
been set up properly for the client-side SSL * in the proxy?
--- Comment #16 from martin.l.schett...@leidos.com ---
(In reply to Ruediger Pluem from comment #13)
> Trying to get further puzzle pieces:
>
> Can you please move the
>
> SSLVerifyClient require
>
> on the backend out of the LocationMatch and up to the virtual host level and
> retry?

Aha! When I moved "SSLVerifyClient require" up out of the LocationMatch the
crash no longer occurs. That gives me a
--- Comment #15 from martin.l.schett...@leidos.com ---
(In reply to Yann Ylavic from comment #8)
> Created attachment 36484 [details]
> ylavic's conf
>
> I'm using this proxy configuration, the backend being my debian's httpd on
> which I added SSLVerifyClient things (same caRoot.pem).

I tried your proxy config, just swapping names and certs as appropriate and
still experience the crash. Must be backend related.
--- Comment #14 from Ruediger Pluem ---
(In reply to martin.l.schettler from comment #4)
> certainly:
>
> (gdb) print *dc
> $2 = {bSSLRequired = 1098320484, aRequirement = 0x3267467279536471, nOptions
> = 1179988074, nOptionsAdd = 1952085090, nOptionsDel = 1937327430,
> szCipherSuite = 0x496a785151673356 <Address 0x496a785151673356 out of
> bounds>, nVerifyClient = 1798713165, nVerifyDepth = 1769035589,
> szUserName = 0x7947556f32414856 <Address 0x7947556f32414856 out of
> bounds>, nRenegBufferSize = 5285087886881221241, proxy = 0x577769544c0a435a,
> proxy_enabled = 726675534, proxy_post_config = 1716021612}
>
> (gdb) print *sslconn
> $3 = {ssl = 0x7f942002b9f0, client_dn = 0x0, client_cert = 0x0,
> shutdown_type = SSL_SHUTDOWN_TYPE_UNSET, verify_info = 0x0, verify_error =
> 0x0, verify_depth = -1, is_proxy = 1, disabled = 0,
> non_ssl_request = NON_SSL_OK, reneg_state = RENEG_REJECT, server =
> 0x197b4c8, dc = 0x7f942001a838, cipher_suite = 0x0, service_unavailable = 0}
> (gdb)

Thanks. The address of dc looks valid, but its contents seem to be completely
messed up, not just the proxy field which becomes mctx locally.
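Editor's note: the lifetime mismatch that Yann's patch in comment #18 addresses (sslconn->dc pointing at a per-request config that dies with the request while the proxy connection is kept alive) and the garbage dc dumped in comment #14 can be reproduced in miniature. The block below is an added example written for this page, not httpd code. A toy arena stands in for the APR request pool; dir_config, ssl_conn, handle_request, proxy_reuse_buggy and proxy_reuse_fixed are hypothetical stand-ins for SSLDirConfigRec, SSLConnRec, the per-dir merge and mod_proxy's connection-reuse path. The arena is overwritten with 'A' bytes on destroy to mimic recycled memory; the dc field values in the gdb dump (for example 0x3267467279536471) are all printable ASCII, which is what a pool recycled for string data would leave behind.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not httpd code: a toy model of the request/connection
 * lifetime mismatch discussed in this bug. All names are stand-ins. */

#define POOL_SIZE 4096
#define POISON 'A'   /* recycled-memory stand-in: the gdb dump shows ASCII garbage */

/* Toy arena standing in for an APR request pool. Destroying it does not
 * free the buffer, it overwrites it, the way a real pool is recycled for
 * the next request's allocations. */
typedef struct {
    unsigned char buf[POOL_SIZE];
    size_t used;
    int destroyed;
} pool_t;

static void pool_init(pool_t *p) { memset(p, 0, sizeof *p); }

static void *pool_alloc(pool_t *p, size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (p->destroyed || p->used + n > POOL_SIZE) return NULL;
    void *m = p->buf + p->used;
    p->used += n;
    return m;
}

static void pool_destroy(pool_t *p) {
    memset(p->buf, POISON, POOL_SIZE);
    p->used = 0;
    p->destroyed = 1;
}

static int pool_owns(const pool_t *p, const void *ptr) {
    const unsigned char *c = ptr;
    return c >= p->buf && c < p->buf + POOL_SIZE;
}

enum { VERIFY_NONE = 0, VERIFY_REQUIRE = 2 };

/* Stand-in for SSLDirConfigRec, only the fields the thread looks at. */
typedef struct {
    int nVerifyClient;
    int nVerifyDepth;
    int nOptions;
} dir_config;

/* Stand-in for SSLConnRec: lives as long as the backend connection. */
typedef struct {
    int is_proxy;
    dir_config *dc;   /* the pointer whose scope comment #18 is about */
} ssl_conn;

/* Server-level (vhost) config: lives for the whole process. */
static dir_config server_dc = { VERIFY_REQUIRE, 1, 0 };

/* A request matching a <LocationMatch> with its own SSL directives gets a
 * merged per-dir config allocated from the request pool, and the connection
 * is pointed at it (r->per_dir_config scope). */
static void handle_request(pool_t *req_pool, ssl_conn *conn) {
    dir_config *merged = pool_alloc(req_pool, sizeof *merged);
    *merged = server_dc;
    merged->nVerifyDepth = 3;   /* something the LocationMatch overrides */
    conn->dc = merged;
}

/* Buggy reuse path: nothing resets dc, so it keeps pointing into the
 * request pool that was destroyed when the request finished. */
static void proxy_reuse_buggy(ssl_conn *conn) { (void)conn; }

/* Fixed reuse path: put the connection back on the server-level config
 * before the kept-alive backend connection serves another request. */
static void proxy_reuse_fixed(ssl_conn *conn) { conn->dc = &server_dc; }

typedef struct {
    int dangling;        /* 1 if dc points into the destroyed request pool */
    int verify_client;   /* what the next verify callback would read */
} cycle_result;

/* One request, pool teardown, then connection reuse. */
static cycle_result run_cycle(void (*reuse)(ssl_conn *)) {
    pool_t req_pool;
    ssl_conn conn = { 1, &server_dc };
    cycle_result res;

    pool_init(&req_pool);
    handle_request(&req_pool, &conn);
    pool_destroy(&req_pool);   /* request finished: pool recycled */
    reuse(&conn);              /* mod_proxy hands the connection to the next request */

    res.dangling = pool_owns(&req_pool, conn.dc);
    /* Read via memcpy so the compiler cannot assume the old contents. */
    memcpy(&res.verify_client, &conn.dc->nVerifyClient, sizeof res.verify_client);
    return res;
}

int main(void) {
    cycle_result b = run_cycle(proxy_reuse_buggy);
    cycle_result f = run_cycle(proxy_reuse_fixed);
    printf("buggy: dangling=%d nVerifyClient=0x%x\n", b.dangling, (unsigned)b.verify_client);
    printf("fixed: dangling=%d nVerifyClient=%d\n", f.dangling, f.verify_client);
    return 0;
}
```

The buggy path reports a dc inside the recycled arena with nVerifyClient read back as 0x41414141, the same kind of nonsense the real dump shows; the fixed path reports the server-level VERIFY_REQUIRE. The general lesson is the one the thread arrives at: a pointer stored in a longer-lived object must only reference memory of at least that lifetime, or it must be reset whenever the shorter-lived scope ends.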
--- Comment #13 from Ruediger Pluem ---
Trying to get further puzzle pieces:

Can you please move the

SSLVerifyClient require

on the backend out of the LocationMatch and up to the virtual host level and
retry?

You said that it works when you remove +ExportCertData from SSLOptions. Where
do you remove it? On the reverse proxy or on the backend?
--- Comment #12 from Yann Ylavic ---
Tried with some openssl 1.0.1s I had compiled somewhere, and it also works.

One difference may be the depth of your client certificate chain (thus calls to
ssl_callback_SSLVerify), mine is of depth 1 (my test's certs are all signed by
the same "rootCA.key").

Could you try with a simple chain, or possibly provide yours if it's built for
testing only?
--- Comment #10 from Yann Ylavic ---
(In reply to martin.l.schettler from comment #7)
> I'm building on CentOS 6.10
> and using the system's openssl.

Which openssl is that?
--- Comment #11 from martin.l.schett...@leidos.com ---
My openssl is: openssl-1.0.1e-57.el6.x86_64
--- Comment #9 from Yann Ylavic ---
My client is simply:

$ while true; do curl -k -v --cert /home/ylavic/src/apache/install/httpd/certs/client.pem --key /home/ylavic/src/apache/install/httpd/certs/client.key https://localhost:8443/host01/bob/bob; sleep 1; done
--- Comment #8 from Yann Ylavic ---
Created attachment 36484
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36484&action=edit
ylavic's conf

I'm using this proxy configuration, the backend being my debian's httpd on
which I added SSLVerifyClient things (same caRoot.pem).
--- Comment #7 from martin.l.schett...@leidos.com ---
Bummer! I'm definitely using the same openssl. I'm building on CentOS 6.10 and
using the system's openssl. The proxy server reliably crashes about every third
call. Can you please send me your configs that failed to reproduce so I can
make sure that I didn't leave anything important out?

Thanks!
Marty
--- Comment #6 from Yann Ylavic ---
Same with 2.4.38, working as expected.
--- Comment #5 from Yann Ylavic ---
I tried your configuration with latest 2.4.x, openssl 1.1.0j and 1.1.1b, but
could not reproduce (SSL_CLIENT_* are sent to the backend). Will retry with
2.4.38.

Can you please double check that the openssl version linked to httpd (runtime)
is the same as the one used at build time?
--- Comment #4 from martin.l.schett...@leidos.com ---
certainly:

(gdb) print *dc
$2 = {bSSLRequired = 1098320484, aRequirement = 0x3267467279536471, nOptions
= 1179988074, nOptionsAdd = 1952085090, nOptionsDel = 1937327430,
szCipherSuite = 0x496a785151673356 <Address 0x496a785151673356 out of
bounds>, nVerifyClient = 1798713165, nVerifyDepth = 1769035589,
szUserName = 0x7947556f32414856 <Address 0x7947556f32414856 out of
bounds>, nRenegBufferSize = 5285087886881221241, proxy = 0x577769544c0a435a,
proxy_enabled = 726675534, proxy_post_config = 1716021612}

(gdb) print *sslconn
$3 = {ssl = 0x7f942002b9f0, client_dn = 0x0, client_cert = 0x0,
shutdown_type = SSL_SHUTDOWN_TYPE_UNSET, verify_info = 0x0, verify_error =
0x0, verify_depth = -1, is_proxy = 1, disabled = 0,
non_ssl_request = NON_SSL_OK, reneg_state = RENEG_REJECT, server =
0x197b4c8, dc = 0x7f942001a838, cipher_suite = 0x0, service_unavailable = 0}
(gdb)
--- Comment #3 from Ruediger Pluem ---
Can you please do

print *dc
print *sslconn
--- Comment #2 from martin.l.schett...@leidos.com ---
here is the full stack trace:

#0  0x7f943d057c1b in ssl_callback_SSLVerify (ok=0, ctx=0x7f943a1900b0) at ssl_engine_kernel.c:1727
        ssl = 0x7f942002b9f0
        conn = 0x7f9420026e48
        r = 0x0
        s = 0x197b4c8
        sc = 0x197f8b8
        sslconn = 0x7f9420027190
        dc = 0x7f942001a838
        mctx = 0x577769544c0a435a
        crl_check_mode = 32660
        errnum = 1
        errdepth = 0
        depth = 469800880
        verify = 32660
#1  0x003c90521730 in X509_verify_cert () from /usr/lib64/libcrypto.so.10
No symbol table info available.
#2  0x003c93c46d88 in ssl_verify_cert_chain () from /usr/lib64/libssl.so.10
No symbol table info available.
#3  0x003c93c2569c in ssl3_get_server_certificate () from /usr/lib64/libssl.so.10
No symbol table info available.
#4  0x003c93c27d62 in ssl3_connect () from /usr/lib64/libssl.so.10
No symbol table info available.
#5  0x003c93c2cbe3 in ssl3_read_bytes () from /usr/lib64/libssl.so.10
No symbol table info available.
#6  0x003c93c28260 in ?? () from /usr/lib64/libssl.so.10
No symbol table info available.
#7  0x7f943d04b683 in ssl_io_input_read (inctx=0x7f942002eea8, buf=0x7f942002eef0 "This is host01\n 12 Mar 2019 20:53:03 GMT\r\nServer: Apache/2.4.38 (Unix) OpenSSL/1.0.1e-fips\r\nLast-Modified: Tue, 26 Feb 2019 20:17:09 GMT\r\nETag: \"1b-582d1bdec225c\"\r\nAccept-Ranges: bytes\r\nCo"..., len=0x7f943a190490) at ssl_engine_io.c:669
        wanted = 8192
        bytes = 0
        rc = 537031056
#8  0x7f943d04bc58 in ssl_io_input_getline (inctx=0x7f942002eea8, buf=0x7f942002eef0 "This is host01\n 12 Mar 2019 20:53:03 GMT\r\nServer: Apache/2.4.38 (Unix) OpenSSL/1.0.1e-fips\r\nLast-Modified: Tue, 26 Feb 2019 20:17:09 GMT\r\nETag: \"1b-582d1bdec225c\"\r\nAccept-Ranges: bytes\r\nCo"..., len=0x7f943a190500) at ssl_engine_io.c:798
        pos = 0x0
        status = 2129812
        tmplen = 0
        buflen = 8192
        offset = 0
#9  0x7f943d04f2e8 in ssl_io_filter_input (f=0x7f9420030ef8, bb=0x7f9420026e08, mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0) at ssl_engine_io.c:1559
        pos = 0x3834362e34303a33
        status = 0
        inctx = 0x7f942002eea8
        start = 0x7f942002eef0 "This is host01\n 12 Mar 2019 20:53:03 GMT\r\nServer: Apache/2.4.38 (Unix) OpenSSL/1.0.1e-fips\r\nLast-Modified: Tue, 26 Feb 2019 20:17:09 GMT\r\nETag: \"1b-582d1bdec225c\"\r\nAccept-Ranges: bytes\r\nCo"...
        len = 0
        is_init = 0
        bucket = 0x7f943ecffb25
#10 0x0043b6da in ap_get_brigade (next=0x7f9420030ef8, bb=0x7f9420026e08, mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0) at util_filter.c:553
No locals.
#11 0x0043e450 in ap_rgetline_core (s=0x7f943a1906e0, n=8192, read=0x7f943a1906f0, r=0x7f942005bf00, flags=0, bb=0x7f9420026e08) at protocol.c:246
        rv = 32660
        e = 0x7f943ed06558
        bytes_handled = 0
        current_alloc = 0
        pos = 0x300018
        last_char = 0x7f943a1907a0 ""
        do_alloc = 0
        saw_eos = 0
        fold = 0
        crlf = 0
        nospc_eol = 0
        saw_eol = 0
        saw_nospc = 0
#12 0x7f943d281d60 in ap_proxygetline (bb=0x7f9420026e08, s=0x7f943a1907a0 "", n=8192, r=0x7f942005bf00, flags=0, read=0x7f943a19079c) at mod_proxy_http.c:1161
        rv = 32660
        len = 140273631887480
#13 0x7f943d2821fe in ap_proxy_http_process_response (p=0x7f9420018278, r=0x7f94200182f0, backend_ptr=0x7f943a192958, worker=0x193f430, conf=0x193bcb8, server_portstr=0x7f943a192960 "") at mod_proxy_http.c:1279
        rc = 32660
        c = 0x7f94340398a8
        buffer = 0x7f943a1907a0 ""
        fixed_buffer = "\000\a\031:\224\177\000\000\264\030\320>\224\177\000\000\240\301\217\001\000\000\000\000\240\301\217\001\000\000\000\000\260\t\031:\224\177\000\000\261\000\000\000\000\000\000\000\000\b\031:\224\177\000\000\355\230F\000\000\000\000\000 \t\031:\224\177\000\000P\b\031:\224\177\000\000\261\000\000\000\000\000\000\000\240\b\031:\224\177\000\000\000)\031:\224\177\000\000r\241F\000\000\000\000\000`)\031:\224\177\000\000\277\000\000\000\000\000\000\000ȴ\227\001\000\000\000\000\000\000\000\000\a\000\000\000\016\000\000\000\340\004\000\000U\316j=\224\177\000\000\277\000\000\000\000\000\000\000\261\000\000\000\200\000\000\000ȴ\227\001\000\000\000\000\250\230\003\064\224\177\000\000\360\202\001 \224\177\000\000\360\202\001 \224\177\000\000\000\000\000\000\000\000\000\000U\316j=\224\177\000\000\340\004\000\000\016\000\000\000\a", '\000' , "H\322j=\224\177"...
        buf = 0x0
        keepchar = 0 '\000'
        e = 0x7f942002a4f8
        bb = 0x7f9420021058
        pass_bb = 0x7f9420021078
        len = 0
        backasswards = 974727392
        interim_response = 0
        response_field_size = 8192
        pread_len = 0
        save_table = 0x0
        backend_broke = 0
        hop_by_hop_hdrs =
--- Comment #1 from Ruediger Pluem ---
Can you please compile your httpd with debug symbols (probably you already did
because you told us the line where the crash happened) and deliver a

bt full
info locals

from the thread that crashed?