On 12.03.2014 01:59, Dr Stephen Henson wrote:
> On 12/03/2014 00:30, Dr Stephen Henson wrote:
>>
>> The fix was applied on Feb 11 2013. That would mean that official releases
>> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
>> include the fix but we weren't planning to make any more 0.9.8 official releases
>> though a 0.9.8 snapshot should include the fix.
>>
>> OS specific versions of OpenSSL might not have included the fix. This is the
>> actual diff:
>>
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
>>
>
> It looks like the only case this can happen is ssl_init_server_certs where an
> SSL structure is created, SSL_get_certificate called and then it is freed.
>
> If so then calling SSL_set_connect_state before the SSL_get_certificate
> call is a potential workaround. This works because the faulty code isn't used by
> SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
> among other things.
>
> This is a bit of a hack because it's called on a server SSL structure. This
> would probably fail horribly if an attempt was made to use the SSL structure but
> in this case we're freeing it up immediately so this should hopefully not
> matter.

Following your advice I added the following patch:

http://people.apache.org/~rjung/patches/ssl-init-crash.patch

and switched back to using OpenSSL 1.0.1e. Indeed the crash during startup didn't occur with that patch in place.

I will wait a bit and if I hear no complaints apply to trunk (if no one beats me to it).

Regards,

Rainer
