Maybe sk_X509_NAME_pop_free(ca_list, X509_NAME_free) should be called too
before returning NULL in ssl_init_FindCAList() (so as to avoid a leak in case
of failure).

Regards;
Yann.


On Fri, Nov 22, 2013 at 4:20 PM, Jeff Trawick <traw...@gmail.com> wrote:

> On Wed, Nov 20, 2013 at 5:19 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
>
>> On 18.11.2013 14:59, Jeff Trawick wrote:
>> > Has anyone looked at making ssl_die() clean up pools on the way out
>> > (presumably by calling some function besides exit())?  It is rather easy to
>> > end up with a bunch of stranded IPC objects while debugging your SSL config.
>>
>> Oh yes, a major annoyance I'm also occasionally running into.
>>
>> >      * XXX: The config hooks should return errors instead of calling exit().
>>
>> Gave it a try, see attachment. Not yet extensively tested (*), so
>> perhaps incomplete. But httpd now properly cleans up for me, e.g. when a
>> SIGHUPing fails, as shown in this log extract:
>>
>> > [Wed Nov 20 11:02:14.304528 2013] [mpm_worker:notice] [pid 23918:tid 3214934016] AH00298: SIGHUP received.  Attempting to restart
>> > [Wed Nov 20 11:02:14.544660 2013] [ssl:info] [pid 23918:tid 3214934016] AH02200: Loading certificate & private key of SSL-aware server 'server:443'
>> > [Wed Nov 20 11:02:14.545137 2013] [ssl:emerg] [pid 23918:tid 3214934016] AH02241: Init: Unable to read server certificate from file /tmp/snakeoil.pem
>> > [Wed Nov 20 11:02:14.545240 2013] [ssl:emerg] [pid 23918:tid 3214934016] SSL Library Error: error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
>> > [Wed Nov 20 11:02:14.545278 2013] [ssl:emerg] [pid 23918:tid 3214934016] AH02312: Fatal error initialising mod_ssl, exiting.
>> > [Wed Nov 20 11:02:14.545310 2013] [:emerg] [pid 23918:tid 3214934016] AH00020: Configuration Failed, exiting
>>
>> ("Configuration Failed, exiting" is the key here - this comes from
>> main.c and will call destroy_and_exit_process() to clean up.)
>>
>> Kaspar
>>
>> (*) The changes related to ssl_read_pkcs7 in particular are fairly
>> superficial, but I think we should drop that PKCS#7 stuff from mod_ssl
>> anyway.
>>
>
> This is what I found:
>
> The two calls to ssl_init_ctx() (engine_init) need to be checked for rv !=
> APR_SUCCESS.
>
> The various calls to ssl_server_import_cert() in ssl_init_server_certs()
> need different rc checking than before.  (Now ssl_server_import_cert() can
> return a fatal error instead of just a boolean.)
>
> (same for ssl_server_import_key())
>
> The call to ssl_init_server_check() (engine_init) needs to be checked for
> rv != APR_SUCCESS.
>
> call to ssl_init_ctx_protocol() also needs a check
> same for ssl_init_ticket_key()
>
> It looks like some errors in the proxy config that previously were ignored
> now cause startup failures...  (shrug)
>
> Not bad for boiling the ocean :)
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
