On Wed, 12 Mar 2014 00:30:57 +0000 Dr Stephen Henson <shen...@opensslfoundation.com> wrote:
> On 11/03/2014 21:46, Gregg Smith wrote:
> > On 3/11/2014 1:29 PM, Rainer Jung wrote:
> >> On 11.03.2014 17:34, Jim Jagielski wrote:
> >>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
> >>> at the usual place:
> >>>
> >>> http://httpd.apache.org/dev/dist/
> >>>
> >>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
> >>>
> >>> [ ] +1: Good to go
> >>> [ ] +0: meh
> >>> [ ] -1: Danger Will Robinson. And why.
> >>>
> >>> Vote will last the normal 72 hrs.
> >>>
> >>> NOTE: The *-deps are only there for convenience.
> >> I get a segfault during startup init on www.apache.org when using
> >> SSL. This didn't happen for r1570851. Candidate is r1573360.
> >
> > I'm seeing this with OpenSSL 0.9.8y on Windows.
> >
>
> Here are some more details of the bug in OpenSSL I *think* triggers
> this.
>
> The function SSL_get_certificate was modified in some versions of
> OpenSSL to return the certificate the server used instead of the
> current certificate it had done previously. This was to make OCSP
> stapling work with multiple configured certificates. Unfortunately a
> bug in the change meant it would crash if it was called before the
> server sent the certificate. Later versions of OpenSSL restored the
> original behaviour unless SSL_get_certificate was called inside the
> OCSP callback when it would return the certificate actually sent.
>
> The fix was applied on Feb 11 2013. That would mean that official
> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
> official release should include the fix but we weren't planning to
> make any more 0.9.8 official releases though a 0.9.8 snapshot should
> include the fix.

Perhaps a typo above? Or are we looking at several bugs? Rainer had specifically mentioned 1.0.1e as faulting.

I'm of the same mind as Jim - that a 2.4.9 with some workaround patch as described is probably a good idea, but now I'm not clear whether the proposed workaround fixes the case you mention with 1.0.1c or also the 1.0.1e fault?

--- Begin Message ---
On 11.03.2014 21:41, Dr Stephen Henson wrote:
> On 11/03/2014 20:29, Rainer Jung wrote:
>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>> at the usual place:
>>>
>>> http://httpd.apache.org/dev/dist/
>>>
>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>
>>> [ ] +1: Good to go
>>> [ ] +0: meh
>>> [ ] -1: Danger Will Robinson. And why.
>>>
>>> Vote will last the normal 72 hrs.
>>>
>>> NOTE: The *-deps are only there for convenience.
>>
>> I get a segfault during startup init on www.apache.org when using SSL.
>> This didn't happen for r1570851. Candidate is r1573360.
>>
>> That server currently uses OpenSSL 1.0.1e.
>>
>> GDB:
>>
>> Program terminated with signal 11, Segmentation fault.
>> #0 0x000000010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> (gdb) bt full
>> #0 0x000000010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> No symbol table info available.
>> #1 0x000000010287a6f6 in ssl_get_server_send_pkey () from
>> /usr/local/lib/libssl.so.8
>
> Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.

Thanks Steve. Will try, actually was on my way to update when I noticed there was not yet a BSD port for 1.0.1f. Will try nevertheless.

Regards,

Rainer
--- End Message ---