NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Apache gets SIGSEGV in ssl3_finish_mac()
On Sat, Nov 21, 2009 at 11:50 AM, Emmanuel Dreyfus <manu%netbsd.org@localhost>
wrote:
> Hello
>
> I have a NetBSD box running apache that regulary dumps a core, always
> with a SIGSEGV in SSL code:
>
> #0 0xbbb37b54 in ssl3_finish_mac () from /usr/lib/libssl.so.6
> #1 0xbbb343b2 in ssl3_do_write () from /usr/lib/libssl.so.6
> #2 0xbbb2435e in ssl3_send_server_hello () from /usr/lib/libssl.so.6
> #3 0xbbb2674f in ssl3_accept () from /usr/lib/libssl.so.6
> #4 0xbbb3b7bd in SSL_accept () from /usr/lib/libssl.so.6
> #5 0xbbb19bcb in ssl23_get_client_hello () from /usr/lib/libssl.so.6
> #6 0xbbb1a356 in ssl23_accept () from /usr/lib/libssl.so.6
> #7 0xbbb3b7bd in SSL_accept () from /usr/lib/libssl.so.6
>
> The machine runs NetBSD 5.0_STABLE as of 200908010000Z, with
> apache-2.2.14 built from pkgsrc (as of today).
>
> httpd is linked with /usr/lib/libssl.so.6, from built-in OpenSSL.
> openssl version says "OpenSSL 0.9.9-dev 09 May 2008"
>
> I have this in httpd.conf. It was copied from some place I don't really
> remeber. I have no idea whether it's good or if it would be better to
> remove the line (hint welcome):
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> It seems that Firefox 3.6 beta have a much higher chance of triggering
> the problem. Any idea of what can be wrong?
>
Your SSLCipherSuite is a little different from the default of:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
It looks like you're attempting to explicitly exclude EXPORT56 which
gives me an error when I try to see what's included in that list:
fester$ openssl ciphers -v 'EXPORT56'
Error in cipher list
3148069380:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
cipher
match:/home/builds/ab/netbsd-5-0-1-RELEASE/src/crypto/dist/openssl/ssl/ssl_lib.c:1252:
I don't know why (!) excluding a list would cause an issue not caught
at server start, but I would try getting rid of EXPORT56 (or just
using the default SSLCipherSuite) and seeing if that helps. If that
works I think it counts as a mod_ssl bug to not validate the
configured SSLCipherSuites.
Home |
Main Index |
Thread Index |
Old Index