Segmentation Fault with SSLProxyMachineCertificateFile

Hi,

I'm getting a Segmentation Fault on the proxy Apache with the SSLProxyMachineCertificateFile configuration.
I use the proxy for passing client certificates through to an internal web server; mod_ssl & mod_proxy are the main modules used.

I should point out that the order in the SSLProxyMachineCertificateFile is the right one: certificate, then private key.

Client -> Proxy -> WebServer without client auth = OK
Client -> Proxy -> WebServer with client auth & SSLProxyMachineCertificateFile = KO

Proxy Config:
<VirtualHost 192.168.0.77:443>

ServerName canopia.company.com

ProxyPass / https://canopia.company.com/
ProxyPassReverse / https://canopia.company.com/

SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl/certs/proxy.company.com-cert-key.pem
ProxyRequests Off

RewriteEngine On 

LogLevel debug
CustomLog /var/log/apache2/proxy-canopia.log combined
ErrorLog /var/log/apache2/proxy-canopia-error.log

SSLProxyEngine On

...............

</VirtualHost>

Apache compiled from sources:
./configure --prefix=/usr/local/apache2 --enable-module=most --enable-shared=max --enable-rewrite --enable-unique-id --enable-proxy-http --enable-proxy --enable-proxy-connect --enable-ssl

Server version: Apache/2.2.24 (Unix)
Server built:   Mar 14 2013 17:46:34
Server's Module Magic Number: 20051115:31
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

root# ldd /usr/local/apache2/bin/httpd
    linux-gate.so.1 =>  (0xb7771000)
    libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb771f000)
    libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb75c7000)
    libm.so.6 => /lib/libm.so.6 (0xb75a0000)
    libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb7580000)
    libdb-4.8.so => /usr/lib/libdb-4.8.so (0xb741a000)
    libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb73ec000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb73d3000)
    libc.so.6 => /lib/libc.so.6 (0xb728e000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7289000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7275000)
    /lib/ld-linux.so.2 (0xb7772000)
    libuuid.so.1 => /lib/libuuid.so.1 (0xb7271000)
    librt.so.1 => /lib/librt.so.1 (0xb7268000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7236000)
    libexpat.so.1 => /usr/lib/libexpat.so.1 (0xb720f000)


Error Log
[Thu Mar 14 18:45:22 2013] [info] mod_unique_id: using ip addr 192.168.0.77
[Thu Mar 14 18:45:23 2013] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Mar 14 18:45:23 2013] [info] Loading certificate & private key of SSL-aware server
[Thu Mar 14 18:45:23 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Thu Mar 14 18:45:23 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Mar 14 18:45:23 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Mar 14 18:45:23 2013] [info] Init: Initializing (virtual) servers for SSL
[Thu Mar 14 18:45:23 2013] [info] Configuring server for SSL protocol
[Thu Mar 14 18:45:23 2013] [debug] ssl_engine_init.c(471): Creating new SSL context (protocols: SSLv3, TLSv1)
[Thu Mar 14 18:45:23 2013] [debug] ssl_engine_init.c(706): Configuring permitted SSL ciphers [HIGH:MEDIUM:!aNULL:!MD5]
[Thu Mar 14 18:45:23 2013] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Thu Mar 14 18:45:23 2013] [debug] ssl_engine_init.c(837): Configuring RSA server certificate
[Thu Mar 14 18:45:23 2013] [warn] RSA server certificate CommonName (CN) `proxy.company.com' does NOT match server name!?
[Thu Mar 14 18:45:23 2013] [debug] ssl_engine_init.c(876): Configuring RSA server private key
[Thu Mar 14 18:45:23 2013] [info] mod_ssl/2.2.24 compiled against Server: Apache/2.2.24, Library: OpenSSL/0.9.8o
[Thu Mar 14 18:45:23 2013] [info] mod_unique_id: using ip addr 192.168.0.77
[Thu Mar 14 18:45:24 2013] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Mar 14 18:45:24 2013] [info] Loading certificate & private key of SSL-aware server
[Thu Mar 14 18:45:24 2013] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Thu Mar 14 18:45:24 2013] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Mar 14 18:45:24 2013] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Thu Mar 14 18:45:24 2013] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Thu Mar 14 18:45:24 2013] [info] Shared memory session cache initialised
[Thu Mar 14 18:45:24 2013] [info] Init: Initializing (virtual) servers for SSL
[Thu Mar 14 18:45:24 2013] [info] Configuring server for SSL protocol
[Thu Mar 14 18:45:24 2013] [debug] ssl_engine_init.c(471): Creating new SSL context (protocols: SSLv3, TLSv1)
[Thu Mar 14 18:45:24 2013] [debug] ssl_engine_init.c(706): Configuring permitted SSL ciphers [HIGH:MEDIUM:!aNULL:!MD5]
[Thu Mar 14 18:45:24 2013] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Thu Mar 14 18:45:24 2013] [debug] ssl_engine_init.c(837): Configuring RSA server certificate
[Thu Mar 14 18:45:24 2013] [warn] RSA server certificate CommonName (CN) `proxy.company.com' does NOT match server name!?
[Thu Mar 14 18:45:24 2013] [debug] ssl_engine_init.c(876): Configuring RSA server private key
[Thu Mar 14 18:45:24 2013] [info] mod_ssl/2.2.24 compiled against Server: Apache/2.2.24, Library: OpenSSL/0.9.8o
[Thu Mar 14 18:45:24 2013] [warn] pid file /usr/local/apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1820): proxy: grabbed scoreboard slot 1 in child 5507 for worker proxy:reverse
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1936): proxy: initialized single connection worker 1 in child 5507 for (*)
[Thu Mar 14 18:45:24 2013] [notice] Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8o configured -- resuming normal operations
[Thu Mar 14 18:45:24 2013] [info] Server built: Mar 14 2013 17:46:34
[Thu Mar 14 18:45:24 2013] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1820): proxy: grabbed scoreboard slot 1 in child 5509 for worker proxy:reverse
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1839): proxy: worker proxy:reverse already initialized
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1820): proxy: grabbed scoreboard slot 1 in child 5510 for worker proxy:reverse
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1839): proxy: worker proxy:reverse already initialized
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1936): proxy: initialized single connection worker 1 in child 5509 for (*)
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1936): proxy: initialized single connection worker 1 in child 5510 for (*)
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1820): proxy: grabbed scoreboard slot 1 in child 5511 for worker proxy:reverse
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1820): proxy: grabbed scoreboard slot 1 in child 5508 for worker proxy:reverse
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1839): proxy: worker proxy:reverse already initialized
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1839): proxy: worker proxy:reverse already initialized
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1936): proxy: initialized single connection worker 1 in child 5511 for (*)
[Thu Mar 14 18:45:24 2013] [debug] proxy_util.c(1936): proxy: initialized single connection worker 1 in child 5508 for (*)
[Thu Mar 14 18:45:35 2013] [debug] proxy_util.c(1820): proxy: grabbed scoreboard slot 1 in child 5514 for worker proxy:reverse
[Thu Mar 14 18:45:35 2013] [debug] proxy_util.c(1839): proxy: worker proxy:reverse already initialized
[Thu Mar 14 18:45:35 2013] [debug] proxy_util.c(1936): proxy: initialized single connection worker 1 in child 5514 for (*)
[Thu Mar 14 18:45:41 2013] [notice] child pid 5510 exit signal Segmentation fault (11)

(gdb) backtrace
#0  0xb7ef6ff8 in EVP_PKEY_cmp () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#1  0xb7f21cb6 in X509_check_private_key () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#2  0xb7fcd1ed in ?? () from /usr/lib/i686/cmov/libssl.so.0.9.8
#3  0xb7fa9150 in ssl3_send_client_certificate () from /usr/lib/i686/cmov/libssl.so.0.9.8
#4  0xb7facb37 in ssl3_connect () from /usr/lib/i686/cmov/libssl.so.0.9.8
#5  0xb7fc424a in SSL_connect () from /usr/lib/i686/cmov/libssl.so.0.9.8
#6  0xb7fb5b33 in ssl23_connect () from /usr/lib/i686/cmov/libssl.so.0.9.8
#7  0xb7fc424a in SSL_connect () from /usr/lib/i686/cmov/libssl.so.0.9.8
#8  0x080c8043 in ssl_io_filter_connect ()
#9  0x080c8d35 in ssl_io_filter_output ()
#10 0x08093466 in ap_pass_brigade ()
#11 0x080b402e in pass_brigade ()
#12 0x080b483c in stream_reqbody_cl ()
#13 0x080b5ec5 in ap_proxy_http_request ()
#14 0x080b7b82 in proxy_http_handler ()
#15 0x080a7fd0 in proxy_run_scheme_handler ()
#16 0x080a4d7a in proxy_handler ()
#17 0x08087497 in ap_run_handler ()
#18 0x08087bc2 in ap_invoke_handler ()
#19 0x080dc0d2 in ap_process_request ()
#20 0x080d90e5 in ap_process_http_connection ()
#21 0x0808f477 in ap_run_process_connection ()
#22 0x0808f88b in ap_process_connection ()
#23 0x080fdc32 in child_main ()
#24 0x080fdd33 in make_child ()
#25 0x080fe2ce in ap_mpm_run ()
#26 0x08071239 in main ()

Thanks for help,
Tell me if you want more.
Alain
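Since the backtrace dies inside X509_check_private_key while mod_ssl is sending the proxy's client certificate, the first thing to verify is the bundle itself. The script below is an added diagnostic, not from the original post or from Apache: it checks that the PEM file holds certificate+key pairs in the order mod_ssl expects (certificate first, then an unencrypted private key) and, when openssl is available, that the first certificate and the first key share an RSA modulus. The file path is the one from the mail.

```shell
#!/bin/bash
# Sanity-check a PEM bundle intended for SSLProxyMachineCertificateFile.
# Added example for this thread; the bundle path below is the one from the mail.

# Print the PEM block types in the order they appear, space-separated.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the bundle is one or more (certificate, private key) pairs in that order.
bundle_order_ok() {
    local expect=cert t=
    for t in $(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr ' ' '_'); do
        case "$expect:$t" in
            cert:CERTIFICATE) expect=key ;;
            key:RSA_PRIVATE_KEY|key:PRIVATE_KEY|key:EC_PRIVATE_KEY) expect=cert ;;
            *) return 1 ;;   # wrong type at this position (e.g. key before certificate)
        esac
    done
    [ "$expect" = cert ] && [ -n "$t" ]   # ended on a complete pair, and saw at least one
}

# Compare the RSA modulus of the first certificate and the first key in the bundle.
# Returns 0 on match, 1 on mismatch/unreadable, 2 if openssl is not installed.
# stdin is redirected from /dev/null so an encrypted key fails instead of prompting;
# mod_ssl cannot use an encrypted key here either.
cert_key_match() {
    command -v openssl >/dev/null 2>&1 || return 2
    local cert_mod key_mod
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null </dev/null) || return 1
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null </dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: ./check_bundle.sh /usr/local/apache2/conf/ssl/certs/proxy.company.com-cert-key.pem
if [ -n "${1:-}" ]; then
    if bundle_order_ok "$1"; then echo "order:    OK  ($(pem_block_order "$1"))"
    else echo "order:    BAD ($(pem_block_order "$1"))"; fi
    rc=0; cert_key_match "$1" || rc=$?
    case $rc in
        0) echo "cert/key: modulus matches" ;;
        1) echo "cert/key: MISMATCH or unreadable (encrypted key?)" ;;
        2) echo "cert/key: skipped, openssl not found" ;;
    esac
fi
```

A bundle that passes both checks but still crashes points at the OpenSSL 0.9.8o / mod_ssl combination rather than at the file contents.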

