On 2019/04/11 23:22, Stuart Henderson wrote:
> On 2019/04/11 20:25, Stuart Henderson wrote:
> > On 2019/04/10 05:12, Frank Groeneveld wrote:
> > > Last week an update to apache-httpd was released which fixes an important
> > > security issue. I updated a number of servers right away, but after
> > > receiving some traffic they started to produce SSL errors. I've tried to
> > > debug this as far as I could and have come to the conclusion that it only
> > > happens when using mpm_event_module. My configs are default, but I enable
> > > SSL and switch to the evented MPM. For certificates I use Let's Encrypt
> > > (using acme-client). ab prints the following errors.
> > >
> > > SSL handshake failed (1).
> > > 140321585887104:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:crypto/rsa/rsa_pk1.c:66:
> > > 140321585887104:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:crypto/rsa/rsa_ossl.c:655:
> > > 140321585887104:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:ssl/statem/statem_clnt.c:2414:
> > >
> > > Web browsers show an error also, but some refreshing sometimes fixes the
> > > problem. Is anybody else able to reproduce this? Can I do anything to
> > > help resolve it?
> > >
> > > Thanks in advance.
> > >
> > > Frank
> > >
> >
> > I can replicate this on 6.4 but not -current; I'll see if I can figure
> > out what's up.
> >
>
> Seems it was introduced between 2.4.35 and 2.4.37. I don't see
> anything particularly suspicious in the main code diff between those
> two versions, but one of the subtler changes is that it switches off
> MODSSL_USE_OPENSSL_PRE_1_1_API for libressl 2.7+.
>
> So probably one of the ifdef blocks is taking a code path that fails
> with the libressl code in 6.4 but has been changed post-6.4-release.
>
> Builds are taking ages on the machine I'm testing on and the wifi
> connection I'm on at the moment is stalling every few minutes and
> I'm losing patience now, but if anyone wants to pick it up I'd suggest
> looking through the various #if MODSSL_USE_OPENSSL_PRE_1_1_API blocks
> and see if adding "&& !defined(LIBRESSL_VERSION_NUMBER)" to any of
> them fixes things (the usual libressl-porting whack-a-mole..).
>
...oh I have something that works now :)