On 11/03/2014 21:46, Gregg Smith wrote:
> On 3/11/2014 1:29 PM, Rainer Jung wrote:
>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>> at the usual place:
>>>
>>> http://httpd.apache.org/dev/dist/
>>>
>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>
>>> [ ] +1: Good to go
>>> [ ] +0: meh
>>> [ ] -1: Danger Will Robinson. And why.
>>>
>>> Vote will last the normal 72 hrs.
>>>
>>> NOTE: The *-deps are only there for convenience.
>> I get a segfault during startup init on www.apache.org when using SSL.
>> This didn't happen for r1570851. Candidate is r1573360.
>
> I'm seeing this with OpenSSL 0.9.8y on Windows.
>
Here are some more details of the bug in OpenSSL I *think* triggers this.

The function SSL_get_certificate was modified in some versions of OpenSSL to return the certificate the server used instead of the current certificate it had done previously. This was to make OCSP stapling work with multiple configured certificates.

Unfortunately a bug in the change meant it would crash if it was called before the server sent the certificate.

Later versions of OpenSSL restored the original behaviour unless SSL_get_certificate was called inside the OCSP callback, when it would return the certificate actually sent.

The fix was applied on Feb 11 2013. That would mean that official releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should include the fix, but we weren't planning to make any more 0.9.8 official releases, though a 0.9.8 snapshot should include the fix.

OS-specific versions of OpenSSL might not have included the fix.

This is the actual diff:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com