Hi, On Wed, Feb 08, Jarno Huuskonen wrote: > On Tue, Feb 07, Emmanuel Hocdet wrote: > > I'm not able to reproduce this crash with current 1.8dev and openssl 1.0.2j. > > OK, thanks for checking. I'll try to compile openssl-1.0.2/openssl-1.1.0 and > test with those to see if it's specific to openssl that comes w/centos7.
I just tested with 1.0.1u / 1.1.0c (compiled from source) -> no crash. > Do you have access to a centos7 vm (are you able to reproduce with > openssl that comes w/centos7) ? I still get a crash with openssl that comes with centos7. haproxy -vv reports version as: Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013 Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013 Is commit 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a boringssl specific ? -Jarno > > Manu > > > > > Le 5 févr. 2017 à 20:04, Jarno Huuskonen <jarno.huusko...@uef.fi> a écrit > > > : > > > > > > Hi, > > > > > > Commit 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a > > > (BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL) is causing > > > trouble (with centos7 + openssl-1.0.1e-60.el7.x86_64). > > > > > > If I have a backend server with ssl and httpchk enabled I get a crash: > > > (gdb) bt > > > #0 0x00007ffff7218419 in sk_free () from /lib64/libcrypto.so.10 > > > #1 0x00007ffff719f199 in int_free_ex_data () from /lib64/libcrypto.so.10 > > > #2 0x00007ffff75641fd in SSL_free () from /lib64/libssl.so.10 > > > #3 0x000000000040e332 in ssl_sock_close (conn=0x723ac0) at > > > src/ssl_sock.c:4012 > > > #4 0x000000000045d1b6 in conn_force_close (conn=0x723ac0) > > > at include/proto/connection.h:151 > > > #5 wake_srv_chk (conn=0x723ac0) at src/checks.c:1406 > > > #6 0x000000000049b6e6 in conn_fd_handler (fd=<optimized out>) > > > at src/connection.c:141 > > > #7 0x00000000004a7304 in fd_process_cached_events () at src/fd.c:223 > > > #8 0x0000000000409d7d in run_poll_loop () at src/haproxy.c:1598 > > > #9 main (argc=4, argv=0x7fffffffdc78) at src/haproxy.c:1957 > > > > > > This is fairly minimal config that fails for me: > > > global > > > log /dev/log local2 info > > > stats socket /tmp/stats level admin > > > > > > defaults > > > mode http > > > > > > frontend test4 > > > bind ipv4@127.0.0.1:8083 > > > default_backend test_be2 > > > > > > backend test_be2 > > > option httpchk GET /crashme\ HTTP/1.1\r\nHost:\ > > > some.example.org\r\nConnection:\ close > > > server srv1 some.ip.with.ssl:443 id 1 check ssl verify none -- Jarno Huuskonen