NetBSD-Users archive


Re: Apache gets SIGSEGV in ssl3_finish_mac()



On Sat, Nov 21, 2009 at 11:50 AM, Emmanuel Dreyfus <manu%netbsd.org@localhost> wrote:
> Hello
>
> I have a NetBSD box running apache that regularly dumps a core, always
> with a SIGSEGV in SSL code:
>
> #0 0xbbb37b54 in ssl3_finish_mac () from /usr/lib/libssl.so.6
> #1 0xbbb343b2 in ssl3_do_write () from /usr/lib/libssl.so.6
> #2 0xbbb2435e in ssl3_send_server_hello () from /usr/lib/libssl.so.6
> #3 0xbbb2674f in ssl3_accept () from /usr/lib/libssl.so.6
> #4 0xbbb3b7bd in SSL_accept () from /usr/lib/libssl.so.6
> #5 0xbbb19bcb in ssl23_get_client_hello () from /usr/lib/libssl.so.6
> #6 0xbbb1a356 in ssl23_accept () from /usr/lib/libssl.so.6
> #7 0xbbb3b7bd in SSL_accept () from /usr/lib/libssl.so.6
>
> The machine runs NetBSD 5.0_STABLE as of 200908010000Z, with
> apache-2.2.14 built from pkgsrc (as of today).
>
> httpd is linked with /usr/lib/libssl.so.6, from built-in OpenSSL.
> openssl version says "OpenSSL 0.9.9-dev 09 May 2008"
>
> I have this in httpd.conf. It was copied from some place I don't really
> remember. I have no idea whether it's good or if it would be better to
> remove the line (hint welcome):
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> It seems that Firefox 3.6 beta has a much higher chance of triggering
> the problem. Any idea of what can be wrong?
>

Your SSLCipherSuite is a little different from the default of:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

It looks like you're attempting to explicitly exclude EXPORT56 which
gives me an error when I try to see what's included in that list:
fester$ openssl ciphers -v 'EXPORT56'
Error in cipher list
3148069380:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/home/builds/ab/netbsd-5-0-1-RELEASE/src/crypto/dist/openssl/ssl/ssl_lib.c:1252:

I don't know why (!) excluding a list would cause an issue not caught
at server start, but I would try getting rid of EXPORT56 (or just
using the default SSLCipherSuite) and seeing if that helps.  If that
works I think it counts as a mod_ssl bug to not validate the
configured SSLCipherSuites.
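
The manual `openssl ciphers` check in the reply above can be run over every element of an SSLCipherSuite value. The following is an added example, not part of the original message or of mod_ssl; the function names are hypothetical, and it assumes an `openssl` binary on PATH.

```python
import re
import subprocess

# The SSLCipherSuite value quoted in the thread.
THREAD_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"


def split_rules(cipher_string):
    """Split a cipher string into (operator, name) pairs.

    The operator is '', '!', '-' or '+'. A '+' inside a name (RC4+RSA)
    is part of the name and is left alone.
    """
    rules = []
    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if not item or item.startswith("@"):  # e.g. @STRENGTH is not a cipher name
            continue
        op = item[0] if item[0] in "!-+" else ""
        name = item[len(op):]
        if name:
            rules.append((op, name))
    return rules


def openssl_probe(name):
    """True if the local `openssl ciphers` accepts `name` on its own."""
    result = subprocess.run(["openssl", "ciphers", name],
                            capture_output=True, text=True)
    return result.returncode == 0


def unmatched_names(cipher_string, probe=openssl_probe):
    """Return the names in the string that the probe does not accept.

    Each name is tested without its operator, as the reply did for
    EXPORT56, because an excluded name is otherwise never reported.
    """
    return [name for _op, name in split_rules(cipher_string) if not probe(name)]


if __name__ == "__main__":
    for name in unmatched_names(THREAD_SUITE):
        print("no cipher match for:", name)
```

The result reflects the OpenSSL build that answers the probe, so run it against the same library that httpd is linked with.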

