DRuggeri at primary
Feb 3, 2012, 9:45 AM
Views: 444
Permalink
|
|
Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
[In reply to]
|
|
On 2/2/2012 1:02 PM, Daniel Ruggeri wrote:
> Since this happens with every attempt to start, I suspect it has nothing
> to do with the new directive and more to do with something I did on the
> openssl build.
I was, indeed, doing something stupid. A build with openssl 1.0.0g
replicates the behavior of 0.9.8g in that it fails when
SSLProxyMachineCertificateChainFile is enabled. The annoying part is
that (due to the error I get when running in dbx) I can get no useful
information in a debug session from Solaris.
... so I've switched to RHEL and gdb and have interesting information.
Under Linux, I get this error on init:
[Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device
API `chil'
[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852
error:81067064:CHIL engine:HWCRHK_INIT:already loaded
[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981
error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
This only happens when SSLProxyMachineCertificateChainFile is set....
With some quick debugging I see that the hwcrhk_finish DOES NOT get
called during ssl_cleanup_pre_config... but DOES get called when the
directive has been removed. To me, it looks like httpd has not
registered the engine for cleanup, but that certainly shouldn't be
impacted by this patch. It seems something in the process of loading the
store is complicating things.
I'll continue poking around, but pointers are certainly appreciated.
--
Daniel Ruggeri
|
