Hi Cyril, On Mon, Feb 13, 2017 at 10:12:34AM +0100, Cyril Bonté wrote: > Hi Willy, > > > De: "Willy Tarreau" <w...@1wt.eu> > > [...] > > Hmmm wait a minute, there's bug in this commit : > > > > @@ -4022,15 +4022,15 @@ static void ssl_sock_shutw(struct connection > > *conn, int > > { > > if (conn->flags & CO_FL_HANDSHAKE) > > return; > > + if (!clean) > > + /* don't sent notify on SSL_shutdown */ > > + SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1); > > > > Here we call SSL_CTX_set_quiet_shutdown() (which takes an SSL_CTX *) > > instead of SSL_set_quiet_shutdown() which applies to an SSL*. > > Unfortunately conn->xprt_ctx is a void* so there is no warning, and > > who knows where the flag is set. It may overwrite any internal field, > > pointer etc... > > > > Jarno, please try this, I'm pretty sure it will fix the problem for > > you : > > > > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > > index 232a497..e7eb5df 100644 > > --- a/src/ssl_sock.c > > +++ b/src/ssl_sock.c > > @@ -4177,7 +4177,7 @@ static void ssl_sock_shutw(struct connection > > *conn, int cl > > return; > > if (!clean) > > /* don't sent notify on SSL_shutdown */ > > - SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1); > > + SSL_set_quiet_shutdown(conn->xprt_ctx, 1); > > /* no handshake was in progress, try a clean ssl shutdown */ > > if (SSL_shutdown(conn->xprt_ctx) <= 0) { > > /* Clear openssl global errors stack */ > > From some quick tests in a docker container with centos 7, once the patch is > applied, I don't reproduce the segfault anymore. > I let Jarno confirm but it looks promising ;-)
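Review bot: in the `ssl_sock_shutw()` fix hunk against src/ssl_sock.c, `conn->xprt_ctx` is still handed to `SSL_set_quiet_shutdown()` and `SSL_shutdown()` as a bare `void *`, so the compiler would accept the wrong `SSL_CTX_*` variant again without a warning, just as it did in the original commit. Consider loading it once into a typed local, e.g. `SSL *ssl = conn->xprt_ctx;`, and calling `SSL_set_quiet_shutdown(ssl, 1)` and `SSL_shutdown(ssl)` on that, so that passing it to a function expecting an `SSL_CTX *` is diagnosed as an incompatible pointer type. While these lines are being touched, the comment should read "don't send notify", and the `if (!clean)` body, which spans a comment line plus a statement, would be safer in braces.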
Cool, thanks. Did you reproduce it without the patch?

Willy