On Fri, Apr 12, 2019, at 01:00, Stuart Henderson wrote:
> On 2019/04/11 23:22, Stuart Henderson wrote:
> > On 2019/04/11 20:25, Stuart Henderson wrote:
> > > On 2019/04/10 05:12, Frank Groeneveld wrote:
> > > > Last week an update to apache-httpd was released which fixes an 
> > > > important security issue. I updated a number of servers right away, but 
> > > > after receiving some traffic they started to produce SSL errors. I've 
> > > > tried to debug this as far as I could and have come to the conclusion 
> > > > that it only happens when using mpm_event_module. My configs are 
> > > > default, but I enable SSL and switch to the evented MPM. For 
> > > > certificates I use Let's Encrypt (using acme-client). ab prints the 
> > > > following errors. 
> > > > 
> > > > SSL handshake failed (1).
> > > > 140321585887104:error:0407008A:rsa 
> > > > routines:RSA_padding_check_PKCS1_type_1:invalid 
> > > > padding:crypto/rsa/rsa_pk1.c:66:
> > > > 140321585887104:error:04067072:rsa 
> > > > routines:rsa_ossl_public_decrypt:padding check 
> > > > failed:crypto/rsa/rsa_ossl.c:655:
> > > > 140321585887104:error:1416D07B:SSL 
> > > > routines:tls_process_key_exchange:bad 
> > > > signature:ssl/statem/statem_clnt.c:2414:
> > > > 
> > > > Web browsers show an error also, but some refreshing sometimes fixes 
> > > > the problem. Is anybody else able to reproduce this? Can I do anything 
> > > > to help resolve it?
> > > > 
> > > > Thanks in advance.
> > > > 
> > > > Frank
> > > > 
> > > 
> > > I can replicate this on 6.4 but not -current, I'll see if I can figure
> > > out what's up.
> > > 
> > 
> > Seems it was introduced between 2.4.35 and 2.4.37. I don't see
> > anything particularly suspicious in the main code diff between those
> > two versions, but one of the subtler changes is that it switches off
> > MODSSL_USE_OPENSSL_PRE_1_1_API for libressl 2.7+.
> > 
> > So probably one of the ifdef blocks is taking a code path that fails
> > with the libressl code in 6.4 but has been changed post-6.4-release.
> > 
> > Builds are taking ages on the machine I'm testing on and the wifi
> > connection I'm on at the moment is stalling every few minutes and
> > I'm losing patience now but if anyone wants to pick it up I'd suggest
> > looking through the various #if MODSSL_USE_OPENSSL_PRE_1_1_API blocks
> > and see if adding "&& !defined(LIBRESSL_VERSION_NUMBER)" to any of
> > them fixes things (the usual libressl-porting whack-a-mole..).
> > 
> 
> ...oh I have something that works now :)

Works great, thank you very much!

Frank
