Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)

1999-03-03 Thread Ralf S. Engelschall

On Tue, Mar 02, 1999, Ralf S. Engelschall wrote:

> On Tue, Mar 02, 1999, Sander Steffann wrote:
> 
> > Same problem here on Linux. https is also down after a graceful restart.
> > Sander.
> > 
> > >mod_ssl/2.2.3 failed to restart(kill -HUP).
> > >After restarting, http is OK, but https is down.
> > >OS is Solaris2.6(on SS20).
> 
> I'll investigate in a few hours.
>[...]

Ok, I've now found and successfully fixed this problem for mod_ssl 2.2.4.
Thanks for the hints. It was my fault because I've forgotten that OpenSSL's
d2i_xx functions also change the data pointer (and not only i2d_xxx where I've
finally done it correctly). I've to incorporate some experimental EAPI hooks
for vendors before I can release 2.2.4 today or tomorrow, so I append you the
essential patch below. Apply it to ssl_engine_kernel.c and your server
should again survive restarts without problems. The patch is already
committed this way for mod_ssl 2.2.4.

Greetings,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

Index: ssl_engine_init.c
===
RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.50
retrieving revision 1.52
diff -u -r1.50 -r1.52
--- ssl_engine_init.c   1999/02/21 16:40:07 1.50
+++ ssl_engine_init.c   1999/03/03 09:29:24 1.52
@@ -321,6 +321,7 @@
 SSL_CTX *ctx;
 STACK *skCAList;
 ssl_asn1_t *asn1;
+unsigned char *ucp;
 char *cp;
 
 /*
@@ -454,7 +455,13 @@
 "Init: (%s) Ops, can't find server certificate?!", cpVHostID);
 ssl_die();
 }
-sc->px509Certificate = d2i_X509(NULL, &(asn1->cpData), asn1->nData);
+ucp = asn1->cpData;
+if ((sc->px509Certificate = d2i_X509(NULL, &ucp, asn1->nData)) == NULL) {
+ssl_log(s, SSL_LOG_ERROR,
+"Init: (%s) Failed to convert server certificate "
+"from DER to internal format?!", cpVHostID);
+ssl_die();
+}
 
 /*
  *  Configure server private key
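Review bot: the new "ucp = asn1->cpData;" assignment ahead of d2i_X509() has no comment saying why the call must not be handed &(asn1->cpData) directly. The removed line looked just as plausible, so a one-line comment that d2i_X509() advances the pointer it is passed would keep a later cleanup from reintroducing the bug. The call also still trusts asn1->nData without checking afterwards that ucp ended at asn1->cpData + asn1->nData, so trailing bytes in the stored DER would go unnoticed.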
@@ -465,8 +472,14 @@
 ssl_log(s, SSL_LOG_ERROR,
 "Init: (%s) Ops, can't find server private key?!", cpVHostID);
 ssl_die();
+}
+ucp = asn1->cpData;
+if ((sc->prsaKey = d2i_RSAPrivateKey(NULL, &ucp, asn1->nData)) == NULL) {
+ssl_log(s, SSL_LOG_ERROR,
+"Init: (%s) Failed to convert server private key "
+"from DER to internal format?!", cpVHostID);
+ssl_die();
 }
-sc->prsaKey = d2i_RSAPrivateKey(NULL, &(asn1->cpData), asn1->nData);
 
 return;
 }
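Review bot: the d2i_RSAPrivateKey() block repeats the copy, decode, log and ssl_die() sequence added for the certificate in the previous hunk, so the rule "never pass the stored cpData pointer to d2i" now lives in two places; a small helper taking the ssl_asn1_t would keep it in one. Both failure messages log only cpVHostID; adding the OpenSSL error detail to the ssl_log() call would tell the administrator why the DER conversion failed.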
__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
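
The pointer side effect behind this fix and its interaction with a second init round, as an added example that is not part of the original mail or of mod_ssl: toy_d2i is a simplified stand-in written for this illustration (it is not OpenSSL's d2i_X509), and asn1_buf, init_buggy, init_fixed and second_round are hypothetical names.

```c
#include <stdio.h>

/* Hypothetical stand-in for mod_ssl's ssl_asn1_t; field names follow the patch. */
typedef struct { unsigned char *cpData; long nData; } asn1_buf;

/* Toy d2i-style decoder (NOT OpenSSL): accepts a short-form DER SEQUENCE
 * (tag 0x30, single length byte), returns the content length or -1 and,
 * like OpenSSL's d2i_* functions, advances *pp past the bytes consumed. */
static long toy_d2i(unsigned char **pp, long len)
{
    unsigned char *p = *pp;
    if (len < 2 || p[0] != 0x30 || p[1] >= 0x80 || (long)p[1] + 2 > len)
        return -1;
    *pp = p + 2 + p[1];   /* the side effect that caused the restart bug */
    return p[1];
}

/* 2.2.3 pattern: the stored pointer itself is handed to the decoder. */
static long init_buggy(asn1_buf *a) { return toy_d2i(&a->cpData, a->nData); }

/* 2.2.4 pattern: decode through a scratch copy so the stored pointer survives. */
static long init_fixed(asn1_buf *a)
{
    unsigned char *ucp = a->cpData;
    return toy_d2i(&ucp, a->nData);
}

/* Runs two init rounds (startup, then restart) on the same stored buffer
 * and returns the result of the second round. */
static long second_round(long (*init)(asn1_buf *))
{
    /* Constructed sample: SEQUENCE with 3 content bytes, plus one guard byte
     * so the stale read in the buggy case stays inside the array. */
    static unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x05, 0x00 };
    asn1_buf a = { der, 5 };
    if (init(&a) != 3)
        return -2;        /* first round must succeed in both variants */
    return init(&a);      /* restart: decode the stored data again */
}

int main(void)
{
    printf("buggy, 2nd init round: %ld\n", second_round(init_buggy));
    printf("fixed, 2nd init round: %ld\n", second_round(init_fixed));
    return 0;
}
```

In the buggy variant the stored pointer has moved past the data after the first round, so the second round starts decoding at the wrong offset and fails.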



Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)

1999-03-03 Thread Toru Takinaka


>> > >mod_ssl/2.2.3 failed to restart(kill -HUP).
>> > >After restarting, http is OK, but https is down.
>> > >OS is Solaris2.6(on SS20).
>> I'll investigate in a few hours.
>Ok, I've now found and successfully fixed this problem for mod_ssl 2.2.4.
>Thanks for the hints. It was my fault because I've forgotten that OpenSSL's
>d2i_xx functions also change the data pointer (and not only i2d_xxx where I've
>finally done it correctly). I've to incorporate some experimental EAPI hooks
>for vendors before I can release 2.2.4 today or tomorrow, so I append you the
>essential patch below. Apply it to ssl_engine_kernel.c and your server
>should again survive restarts without problems. The patch is already
>committed this way for mod_ssl 2.2.4.
My server survives restarts without problem!!
Thank you.




Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)

1999-03-03 Thread tvaughan

"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:

> On Tue, Mar 02, 1999, Ralf S. Engelschall wrote:
> 
> > On Tue, Mar 02, 1999, Sander Steffann wrote:
> > 
> > > Same problem here on Linux. https is also down after a graceful restart.
> > > Sander.
> > > 
> > > >mod_ssl/2.2.3 failed to restart(kill -HUP).
> > > >After restarting, http is OK, but https is down.
> > > >OS is Solaris2.6(on SS20).
> > 
> > I'll investigate in a few hours.
> >[...]
> 
> Ok, I've now found and successfully fixed this problem for mod_ssl 2.2.4.

Is this the same re-start bug that's been around for a while?

At what point was this bug introduced? As of the very first EAPI based
mod_ssl?

Would it be possible to get a synopsis of what needs to be done to get rid
of this bug? I have mod_ssl 2.1.3 that I have all hacked up, and would
prefer to simply patch it, as opposed to upgrade to the latest, and re-hack
it all up. It would be a real pain, for me, to have to always upgrade to
the latest mod_ssl to get a bug fix especially when I do not need any new
features.

Much Thanks,
Tom



Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)

1999-03-03 Thread Ralf S. Engelschall

On Wed, Mar 03, 1999, [EMAIL PROTECTED] wrote:

> > Ok, I've now found and successfully fixed this problem for mod_ssl 2.2.4.
> 
> Is this the same re-start bug that's been around for a while?
> At what point was this bug introduced? As of the very first EAPI based
> mod_ssl?

No, it's a totally different bug I introduced in 2.2.3 while fixing another
one (the DSO core dumps). It's not present in 2.2.2 or below AFAIK.

> Would it be possible to get a synopsis of what needs to be done to get rid
> of this bug? I have mod_ssl 2.1.3 that I have all hacked up, and would
> prefer to simply patch it, as opposed to upgrade to the latest, and re-hack
> it all up. It would be a real pain, for me, to have to always upgrade to
> the latest mod_ssl to get a bug fix especially when I do not need any new
> features.

You've no problem in 2.1.3 because as I said, the bug was introduced with code
committed for 2.2.3. But in general when you want to fix a locally patched up
version you should grab the CVS repository and look at the fixes in detail
with ``cvs diff -rMOD_SSL_2_X_Y ''. All mod_ssl versions have tags, so
in the next days after 2.2.4 has gone out you can see the fixes in detail by
using ``cvs diff -rMOD_SSL_2_2_3 -rMOD_SSL_2_2_4''. Alternatively you can also
extract the two corresponding tarballs and perform the diff, of course.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)

1999-03-03 Thread Ralf S. Engelschall

On Wed, Mar 03, 1999, [EMAIL PROTECTED] wrote:

>[...]
> Is this the same re-start bug that's been around for a while?

Oh wait, I forgot to ask in the last mail: What bug are _YOU_ speaking about?
It reads like you know a restart bug which is around for a while which I'm not
aware of. Do you have details for me?
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)

1999-03-04 Thread tvaughan

"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:

> On Wed, Mar 03, 1999, [EMAIL PROTECTED] wrote:
> 
> >[...]
> > Is this the same re-start bug that's been around for a while?
> 
> Oh wait, I forgot to ask in the last mail: What bug are _YOU_ speaking about?
> It reads like you know a restart bug which is around for a while which I'm not
> aware of. Do you have details for me?

The DSO core dump bug. I thought this popped up when the server re-started,
or was it just the double init round that triggered it?

-Tom



Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)

1999-03-04 Thread Ralf S. Engelschall

On Wed, Mar 03, 1999, [EMAIL PROTECTED] wrote:

> > On Wed, Mar 03, 1999, [EMAIL PROTECTED] wrote:
> > >[...]
> > > Is this the same re-start bug that's been around for a while?
> > 
> > Oh wait, I forgot to ask in the last mail: What bug are _YOU_ speaking about?
> > It reads like you know a restart bug which is around for a while which I'm not
> > aware of. Do you have details for me?
> 
> The DSO core dump bug. I thought this popped up when the server re-started,
> or was it just the double init round that triggered it?

It was the double init round situation which causes it.  And since mod_ssl
2.2.3 I've at least successfully solved these problems for FreeBSD, Linux and
finally also for Solaris. But there may be some remaining DSO problems on
other Unix platforms caused by OpenSSL internals.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com