DRuggeri at primary
Feb 2, 2012, 11:02 AM
On 1/19/2012 1:13 AM, Sander Temme wrote:
Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
[In reply to]
> Interesting... which version of OpenSSL? Must be 0.9.7 or 0.9.8, because err_cmp() disappeared after that. And the signature doesn't match what we're seeing in the backtrace.
> And which platform? Solaris? SPARC or x86_64?
I tried building against 1.0.0g and get a new error (with or without the
new SSLProxyMachineCertificateChainFile directive).
[Thu Feb 02 12:48:48 2012] [error] Init: Failed to enable Crypto Device
[Thu Feb 02 12:48:48 2012] [error] SSL Library Error: 2164682865
error:81067071:CHIL engine:HWCRHK_INIT:unit failure
[Thu Feb 02 12:48:48 2012] [error] SSL Library Error: 638287981
error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
Since this happens with every attempt to start, I suspect it has nothing
to do with the new directive and more to do with something I did on the
openssl build. Attempts to run this guy in dbx bomb out with SIGILL here:
 _sparcv9_fmadd_probe(0x0, 0x1, 0x0, 0x82, 0xffffffff7ec00200,
0x6), at 0xffffffff7a96353c
 OPENSSL_cpuid_setup(0x0, 0x0, 0x0, 0x1000, 0x0, 0x0), at
If I force the ENV var OPENSSL_sparcv9cap=3, then things seem to chug
along and fail at the same point in the logs as above. Not sure where to
go from here or it it's even worth pursuing. I'm guessing openssl 1.0.0
isn't going to play nice in my environment.
> So the combination of directives causes some memory to be overwitten
> that ends up pointing outside httpd's allocated address space. Does
> the order of the directives matter? Which Engine if I may ask? A fix
> was applied to the CHIL Engine that removes a dangling cleanup
> function pointer which caused a segfault on startup on platforms that
> vary the address location in which libraries are loaded (RHEL 5 being
> a prime example). I don't remember off the top of my head which
> OpenSSL version got the fix. Can you reproduce with a non-optimized,
> debug/symbols enabled build of OpenSSL and Apache? With the latest
> versions of each? S.
After some testing, order doesn't matter- same results regardless. I
have confirmed that the chil update (noted by you and Steve) is applied
to this version of openssl (looks like it was formally incorporated into
the one I'm using). Unfortunately, openssl doesn't have a
debug-solaris64-sparcv9-cc build option so I can't produce a debug
version of openssl. I did remove optomizations from httpd, though... I'm
going to try with 0.9.8t and see if anything is different.