Hi, Yann -

It took me a while, but I've managed to reproduce this issue with two smallish 
configs:

Backend server (host01):
==================================================================
<Files "file.xml">
</Files>

<LocationMatch "^/bob/(bob)">
   SSLVerifyClient require
   RewriteEngine on
   RewriteRule /bob/bob /file.xml
</LocationMatch>

<Location />
  Require all granted
</Location>

SSLEngine on
Listen 443
SSLPassPhraseDialog builtin
SSLOptions +ExportCertData +StdEnvVars +LegacyDNStringFormat
====================================================================



Reverse proxy server (host02)
===================================================================
SSLProxyEngine on
SSLProxyMachineCertificateFile /path/to/cert.crt_and_key
ProxyPreserveHost off

ExtendedStatus on

Listen 443

<VirtualHost _default_:443>
SSLEngine on
SSLOptions +ExportCertData +StdEnvVars +LegacyDNStringFormat
SSLProtocol all +TLSv1 +SSLv3 +TLSv1.1 +TLSv1.2

SSLCertificateFile /path/to/server/cert/cert.pem
SSLCertificateKeyFile /path/to/server/key.nopass.pem
SSLCACertificateFile /path/to/ca.pem

SSLVerifyDepth 4
</VirtualHost>

<Location /host01>
  ProxyPass https://host01
  ProxyPassReverse https://host01

  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
  RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"

   SSLVerifyClient require
</Location>
========================================================

The proxy server SEGVs with the following stack on every third or fourth 
request for https://host02/host01/bob/bob. It appears to be having trouble with 
the client cert.


#0  0x00007f29c8400132 in ssl_callback_SSLVerify () from /var/www/modules/mod_ssl.so
#1  0x0000003c90521730 in X509_verify_cert () from /usr/lib64/libcrypto.so.10
#2  0x0000003c93c46d88 in ssl_verify_cert_chain () from /usr/lib64/libssl.so.10
#3  0x0000003c93c2569c in ssl3_get_server_certificate () from /usr/lib64/libssl.so.10
#4  0x0000003c93c27d62 in ssl3_connect () from /usr/lib64/libssl.so.10
#5  0x0000003c93c2cbe3 in ssl3_read_bytes () from /usr/lib64/libssl.so.10
#6  0x0000003c93c28260 in ?? () from /usr/lib64/libssl.so.10
#7  0x00007f29c83fc99c in ssl_io_input_read () from /var/www/modules/mod_ssl.so
#8  0x00007f29c83ff6bd in ssl_io_filter_input () from /var/www/modules/mod_ssl.so
#9  0x0000000000438b2e in ap_rgetline_core ()
#10 0x00007f29c86238c8 in ap_proxygetline () at mod_proxy_http.c:1161
#11 0x00007f29c8623d2b in ap_proxy_http_process_response.isra.2 () at mod_proxy_http.c:1279
#12 0x00007f29c8626802 in proxy_http_handler () at mod_proxy_http.c:2011
#13 0x00007f29c8a3a63c in proxy_run_scheme_handler () from /var/www/modules/mod_proxy.so
#14 0x00007f29c8a3b7d6 in proxy_handler () from /var/www/modules/mod_proxy.so
#15 0x0000000000450820 in ap_run_handler ()
#16 0x0000000000450db6 in ap_invoke_handler ()
#17 0x0000000000465fa3 in ap_process_async_request ()
#18 0x0000000000462561 in ap_process_http_connection ()
#19 0x0000000000459d50 in ap_run_process_connection ()
#20 0x000000000046f8c5 in process_socket () at event.c:1050
#21 0x000000000047018a in worker_thread () at event.c:2083
#22 0x0000003c84007aa1 in start_thread () from /lib64/libpthread.so.0
#23 0x0000003c83ce8c4d in clone () from /lib64/libc.so.6


If I remove +ExportCertData from SSLOptions it works. But I need the cert data.

Unfortunately, I don't have a debug session anymore that I can give you the 
values of those variables, but I don't believe that any of them were null 
pointers, just an out-of-range memory read on mctx->crl_check_mask.

I tried to look at the code diff between 2.4.29 and 2.4.38 for 
ssl_engine_kernel.c, but so much has changed that I couldn't make much sense of 
it.

Please let me know if there is anything else that I can do to help solve this 
issue.
Thanks!
Marty


-----Original Message-----
From: Yann Ylavic [mailto:ylavic....@gmail.com] 
Sent: Friday, February 01, 2019 1:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Crash in mod_ssl after 2.4.29

Hello Marty,

On Thu, Jan 31, 2019 at 7:13 PM Schettler, Marty L.
<martin.l.schett...@leidos.com.invalid> wrote:
>
> I have a simple ssl reverse proxy set up that has been working for years up 
> through 2.4.29. When upgrading to 2.4.38, it now crashes periodically. It is 
> repeatable, but inconsistent.

Can you please share the relevant configuration?

>
> Gdb indicates that mctx (declared on the previous line) is incorrectly 
> constructed, and so trying to access the field crl_check_mask results in 
> trying to access unavailable memory.

Do you have a NULL pointer somewhere (mctx, sslconn->dc or
sslconn->dc->proxy)? Otherwise what's the content of each (i.e. print
*mctx, *sslconn->dc and *sslconn->dc->proxy)?

Feel free to send me your configuration and gdb output privately if you wish.


Regards,
Yann.
