DRuggeri at primary
Feb 3, 2012, 9:45 AM
Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
On 2/2/2012 1:02 PM, Daniel Ruggeri wrote:
> Since this happens with every attempt to start, I suspect it has nothing
> to do with the new directive and more to do with something I did on the
> openssl build.
I was, indeed, doing something stupid. A build with openssl 1.0.0g
replicates the behavior of 0.9.8g in that it fails when
SSLProxyMachineCertificateChainFile is enabled. The annoying part is
that (due to the error I get when running in dbx) I can get no useful
information in a debug session from Solaris.
... so I've switched to RHEL and gdb and have interesting information.
Under Linux, I get this error on init:
[Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device
[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded
[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
This only happens when SSLProxyMachineCertificateChainFile is set....
With some quick debugging I see that the hwcrhk_finish DOES NOT get
called during ssl_cleanup_pre_config... but DOES get called when the
directive has been removed. To me, it looks like httpd has not
registered the engine for cleanup, but that certainly shouldn't be
impacted by this patch. It seems something in the process of loading the
store is complicating things.
I'll continue poking around, but pointers are certainly appreciated.
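
Added example, not part of the original message and not httpd or OpenSSL code: a small C decoder for the two "SSL Library Error" entries in the log above. It checks that the decimal and hex forms agree and splits each packed code into library, function and reason using the ERR_PACK layout of OpenSSL 0.9.8/1.0.x. The names ssl_err, err_unpack and parse_ssl_error_line are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ERR_PACK() layout in OpenSSL 0.9.8/1.0.x: 8-bit library, 12-bit function,
 * 12-bit reason. OpenSSL 3.x packs error codes differently. */
struct ssl_err { unsigned long code, lib, func, reason; };

static struct ssl_err err_unpack(unsigned long c)
{
    struct ssl_err e = { c, (c >> 24) & 0xff, (c >> 12) & 0xfff, c & 0xfff };
    return e;
}

/* Parse "SSL Library Error: <decimal> error:<hex>:..." and require that the
 * decimal and hex spellings agree. Returns 0 on success, -1 otherwise. */
static int parse_ssl_error_line(const char *line, struct ssl_err *out)
{
    static const char tag[] = "SSL Library Error: ";
    const char *p = strstr(line, tag);
    unsigned long dec, hex;
    char *end;

    if (p == NULL) return -1;
    dec = strtoul(p + sizeof(tag) - 1, &end, 10);
    if ((p = strstr(end, "error:")) == NULL) return -1;
    hex = strtoul(p + 6, &end, 16);
    if (*end != ':' || dec != hex) return -1;
    *out = err_unpack(hex);
    return 0;
}

int main(void)
{
    /* The two "SSL Library Error" entries from the log, wrapped lines joined. */
    static const char *lines[] = {
        "[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852 error:81067064:CHIL engine:HWCRHK_INIT:already loaded",
        "[Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981 error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed",
    };
    struct ssl_err e;
    size_t i;
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        if (parse_ssl_error_line(lines[i], &e) != 0) continue;
        /* Numbers from ERR_LIB_USER (128) up are assigned at run time. */
        printf("0x%08lX lib=%lu%s func=%lu reason=%lu\n", e.code, e.lib,
               e.lib >= 128 ? " (run-time)" : "", e.func, e.reason);
    }
    return 0;
}
```

Library 129 on the first entry falls in the range OpenSSL assigns at run time (ERR_LIB_USER and above), so that error was raised from the engine's own error table, while 38 on the second is OpenSSL's built-in ENGINE library.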