On Wed, Nov 20, 2013 at 5:19 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:

> On 18.11.2013 14:59, Jeff Trawick wrote:
> > Has anyone looked at making ssl_die() clean up pools on the way out
> > (presumably by calling some function besides exit())? It is rather easy to
> > end up with a bunch of stranded IPC objects while debugging your SSL config.
>
> Oh yes, a major annoyance I'm also occasionally running into.
>
> > * XXX: The config hooks should return errors instead of calling exit().
>
> Gave it a try, see attachment. Not yet extensively tested (*), so
> perhaps incomplete. But httpd now properly cleans up for me, e.g. when a
> SIGHUPing fails, as shown in this log extract:
>
> > [Wed Nov 20 11:02:14.304528 2013] [mpm_worker:notice] [pid 23918:tid 3214934016] AH00298: SIGHUP received. Attempting to restart
> > [Wed Nov 20 11:02:14.544660 2013] [ssl:info] [pid 23918:tid 3214934016] AH02200: Loading certificate & private key of SSL-aware server 'server:443'
> > [Wed Nov 20 11:02:14.545137 2013] [ssl:emerg] [pid 23918:tid 3214934016] AH02241: Init: Unable to read server certificate from file /tmp/snakeoil.pem
> > [Wed Nov 20 11:02:14.545240 2013] [ssl:emerg] [pid 23918:tid 3214934016] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
> > [Wed Nov 20 11:02:14.545278 2013] [ssl:emerg] [pid 23918:tid 3214934016] AH02312: Fatal error initialising mod_ssl, exiting.
> > [Wed Nov 20 11:02:14.545310 2013] [:emerg] [pid 23918:tid 3214934016] AH00020: Configuration Failed, exiting
>
> ("Configuration Failed, exiting" is the key here - this comes from
> main.c and will call destroy_and_exit_process() to clean up.)
>
> Kaspar
>
> (*) The changes related to ssl_read_pkcs7 in particular are fairly
> superficial, but I think we should drop that PKCS#7 stuff from mod_ssl
> anyway.

This is what I found:

The two calls to ssl_init_ctx() (engine_init) need to be checked for rv != APR_SUCCESS.

The various calls to ssl_server_import_cert() in ssl_init_server_certs() need different rc checking than before. (Now ssl_server_import_cert() can return a fatal error instead of just a boolean.)
(same for ssl_server_import_key())

The call to ssl_init_server_check() (engine_init) needs to be checked for rv != APR_SUCCESS.

call to ssl_init_ctx_protocol() also needs a check

same for ssl_init_ticket_key()

It looks like some errors in the proxy config that previously were ignored now cause startup failures... (shrug)

Not bad for boiling the ocean :)

--
Born in Roswell... married an alien...
http://emptyhammock.com/