ATTENTION people with segfaults: promising patch available

1999-11-03 Thread Ralf S. Engelschall


As you know, 90% of us are very happy to run a rock solid SSL solution with
mod_ssl but there are 10% of us who still see segfaults from time to time
or even on a regular basis. And you also know that for months I've been searching
for the origin of these segfaults, but because I never could reproduce them I
never was able to fix it. Recently we at least discovered that it happens
inside OpenSSL by referencing some RSA structures. But until now we never
figured out the reason why those structures are messed up. Especially, as I
said, because I'm still unable to reproduce the problem myself.

But today David Kerry [EMAIL PROTECTED] mailed me in a private mail the
essential hint, I think. In short, he said "What I discovered was, it is these
temporary keys that contain the bad rsa-meth values." And then after I went
over the source related to the temporary keys the last hours, it was obvious.
We stored the RSA temp keys and DH params over restarts as RSA* and DH*
structures (i.e. OpenSSL structures) instead of raw (and this way safe)
ASN.1/DER data. And because OpenSSL uses some static internal stuff which is
interlinked to these structures (the rsa-meth stuff!), although after a
restart the RSA structure itself survived, the pointers inside it then pointed
into nirvana - AT LEAST ON SOME PLATFORMS. Most platforms map the stuff to the
same address on restarts, so the segfaults never occurred for us. And even on
platforms where it can occur, it only occurred if 40bit browsers reached the
website, of course (because for them the temp keys are mainly needed).

Pu... I'm 100% sure that this subtle detail is the root of all evil. So
I've today completely rewritten the RSA temp key and DH param handling for us
and it now should avoid this problem. The remaining problem just is, that
for me it still works as well as before ;) Because I never can reproduce the
old problem. SO IT IS NOW YOUR TURN! Those of you who still receive
segfaults (and which seem not to be related to the session cache!) should give
the appended patch a try. I'm sure it will fix the problem plus minus the bugs
I've introduced with the patch itself. It's a patch against 2.4.7.

Please give me feedback.

Thanks.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

Index: mod_ssl.h
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.117
diff -u -r1.117 mod_ssl.h
--- mod_ssl.h   1999/10/22 19:37:33 1.117
+++ mod_ssl.h   1999/11/03 15:28:29
@@ -383,6 +383,20 @@
 #define SSL_AIDX_MAX (2)
 
 /*
+ * Define IDs for the temporary RSA keys and DH params
+ */
+
+#define SSL_TKP_GEN(0)
+#define SSL_TKP_ALLOC  (1)
+#define SSL_TKP_FREE   (2)
+
+#define SSL_TKPIDX_RSA512  (0)
+#define SSL_TKPIDX_RSA1024 (1)
+#define SSL_TKPIDX_DH512   (2)
+#define SSL_TKPIDX_DH1024  (3)
+#define SSL_TKPIDX_MAX (4)
+
+/*
  * Define the SSL options
  */
 #define SSL_OPT_NONE   (0)
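Review bot: `#define SSL_TKP_GEN(0)` as shown has no whitespace between the macro name and the parenthesis, so the preprocessor reads it as a function-like macro with an invalid parameter list instead of the constant 0; it needs the same spacing as `SSL_TKP_ALLOC  (1)` on the next line. The comment above the block only mentions IDs for the keys and params, so it would help to add that the SSL_TKP_* values appear to be operation codes while the SSL_TKPIDX_* values are array indices bounded by SSL_TKPIDX_MAX.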
@@ -506,10 +520,6 @@
 pool   *pPool;
 BOOLbFixed;
 int nInitCount;
-RSA*pRSATmpKey512;
-RSA*pRSATmpKey1024;
-DH *pDHTmpParam512;
-DH *pDHTmpParam1024;
 int nSessionCacheMode;
 char   *szSessionCacheDataFile;
 int nSessionCacheDataSize;
@@ -520,6 +530,8 @@
 int nMutexFD;
 int nMutexSEMID;
 array_header   *aRandSeed;
+ssl_ds_table   *tTmpKeys;
+void   *pTmpKeys[SSL_TKPIDX_MAX];
 ssl_ds_table   *tPublicCert;
 ssl_ds_table   *tPrivateKey;
 struct {
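Review bot: `void *pTmpKeys[SSL_TKPIDX_MAX]` takes over from the typed RSA* and DH* members removed in the previous hunk, so the compiler can no longer catch an RSA slot being read as DH or the reverse. A comment on the two new members saying which SSL_TKPIDX_* slots hold which type, and how tTmpKeys and pTmpKeys relate to each other across a restart, would make the intended lifetime of each reviewable.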
@@ -627,6 +639,7 @@
 /*  module initialization  */
 void ssl_init_Module(server_rec *, pool *);
 void ssl_init_SSLLibrary(void);
+void ssl_init_TmpKeysHandle(int, server_rec *, pool *);
 void ssl_init_ConfigureServer(server_rec *, pool *, SSLSrvConfigRec *);
 void ssl_init_CheckServers(server_rec *, pool *);
 STACK_OF(X509_NAME) 
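Review bot: the new prototype `ssl_init_TmpKeysHandle(int, server_rec *, pool *)` gives no hint what the leading int means; if it takes the SSL_TKP_GEN, SSL_TKP_ALLOC and SSL_TKP_FREE values added earlier in this header, a comment next to the prototype should say so. It also returns void, so a caller cannot tell whether key generation or allocation failed; please state how failure is handled.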
Index: ssl_engine_config.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.61
diff -u -r1.61 ssl_engine_config.c
--- ssl_engine_config.c 1999/08/25 07:03:48 1.61
+++ ssl_engine_config.c 1999/11/03 15:28:32
@@ -127,10 +127,6 @@
  * initialize per-module configuration
  */
 mc-nInitCount = 0;
-mc-pRSATmpKey512  = NULL;
-mc-pRSATmpKey1024 = NULL;
-mc-pDHTmpParam512 = NULL;
-mc-pDHTmpParam1024= NULL;
 mc-nSessionCacheMode  = SSL_SCMODE_UNSET;
 mc-szSessionCacheDataFile = NULL;
 mc-nSessionCacheDataSize  = 0;
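Review bot: the four `= NULL` initialisations are dropped here, and the matching initialisation of the new tTmpKeys and pTmpKeys[] members is not visible in this hunk. Please confirm that every slot of pTmpKeys up to SSL_TKPIDX_MAX is set to NULL during per-module configuration, since an uninitialised slot would be one more stale pointer of the kind this patch is meant to remove.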
@@ -143,6 +139,9 @@
 mc-aRandSeed  = 

Re: ATTENTION people with segfaults: promising patch available

1999-11-03 Thread Ralf S. Engelschall

On Wed, Nov 03, 1999, Ralf S. Engelschall wrote:

 [...]

I forgot to say that if you give the patch a try make sure you test it
correctly. That is, you should test it by especially performing various server
restarts and by at the same time requesting pages with 40bit/export browsers.
Else the problem might not be triggered.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
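
The failure described in the first message, as an added toy model in C that is not part of the original posts or of mod_ssl: a key kept as a raw struct across a restart still points at the old method table, while a key rebuilt from a flat encoding is bound to the current one. `toy_key`, `toy_meth`, `library_load` and the 10-byte encoding are assumptions standing in for OpenSSL's RSA structure, its rsa-meth table, a server restart and ASN.1/DER.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy stand-ins (assumptions): not OpenSSL's RSA or RSA_METHOD types. */
typedef struct { int (*priv_op)(int); } toy_meth;
typedef struct { const toy_meth *meth; uint16_t bits; uint8_t material[8]; } toy_key;
#define TOY_ENC_LEN 10

static int op_impl(int x) { return x + 1; }
static toy_meth slots[2];              /* two possible homes for the static table */
static const toy_meth *current_meth;

/* Simulated (re)start: the old table is wiped and the new one lands elsewhere. */
static void library_load(int generation) {
    memset(slots, 0, sizeof slots);
    slots[generation & 1].priv_op = op_impl;
    current_meth = &slots[generation & 1];
}
/* Flat encoding: only plain data leaves the process image, never a pointer. */
static size_t key_encode(const toy_key *k, uint8_t *out) {
    out[0] = (uint8_t)(k->bits >> 8);
    out[1] = (uint8_t)(k->bits & 0xff);
    memcpy(out + 2, k->material, sizeof k->material);
    return TOY_ENC_LEN;
}
/* Decoding rebuilds the struct and binds it to the table that is live now. */
static int key_decode(const uint8_t *in, size_t len, toy_key *k) {
    if (len != TOY_ENC_LEN) return -1;
    k->meth = current_meth;
    k->bits = (uint16_t)((in[0] << 8) | in[1]);
    memcpy(k->material, in + 2, sizeof k->material);
    return 0;
}
/* Compares the pointer before touching it, so a stale key is safe to test. */
static int key_usable(const toy_key *k) {
    return k->meth == current_meth && k->meth->priv_op != NULL;
}
/* Bit 0: raw struct usable after restart. Bit 1: decoded copy usable and equal. */
static int restart_scenario(void) {
    toy_key raw = { NULL, 512, {1, 2, 3, 4, 5, 6, 7, 8} };  /* constructed sample */
    toy_key rebuilt;
    uint8_t enc[TOY_ENC_LEN];
    library_load(0);
    raw.meth = current_meth;
    size_t n = key_encode(&raw, enc);
    library_load(1);                   /* restart: the static table moves */
    if (key_decode(enc, n, &rebuilt) != 0) return -1;
    int same = rebuilt.bits == raw.bits && memcmp(raw.material, rebuilt.material, 8) == 0;
    return (key_usable(&raw) ? 1 : 0) | ((key_usable(&rebuilt) && same) ? 2 : 0);
}
int main(void) { printf("result mask: %d\n", restart_scenario()); return 0; }
```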