
Re: Squid 3.3.4 ssl bump on FreeBSD 9 - segmentation violations




On May 8, 2013, at 10:55 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

> On 05/08/2013 04:31 PM, Guy Helmer wrote:
> 
>> I was using squid 3.3.4 on FreeBSD 8.3 with transparent interception
>> (via ipfw) and ssl bump with success.
> 
>> After upgrading FreeBSD to 9.1 [...] squid is failing with
>> segmentation violations and the ssl_crtd helpers are dying.
> 
>> #7  0xbfbff044 in ?? ()
>> #8  0x0000000b in ?? ()
>> #9  0x484eb5c8 in ssl_get_server_send_pkey () from /usr/lib/libssl.so.6
>> #10 0x484eb68d in ssl_get_server_send_cert () from /usr/lib/libssl.so.6
>> #11 0x484eb6c4 in SSL_get_certificate () from /usr/lib/libssl.so.6
>> #12 0x083cb5ef in Ssl::verifySslCertificate (sslContext=0x4a259340, 
>>    properties=@0xbfbfd9d8) at support.cc:1422
>> #13 0x0813d20d in ConnStateData::getSslContextStart (this=0x4a257cd0)
>>    at client_side.cc:3820
>> #14 0x0814a89e in ConnStateData::httpsPeeked (this=0x4a257cd0, 
>>    serverConnection=@0xbfbfdadc) at client_side.cc:3968
> 
> Smells like an OpenSSL bug that we thought we had a workaround for:
> http://bugs.squid-cache.org/show_bug.cgi?id=3816
> 
> The workaround should be in v3.3.4 that you are running but, apparently,
> it is not sufficient, or our OpenSSL version detection code is failing
> in your environment. We thought the bug affects OpenSSL versions 1.0.1d
> and 1.0.1e only.
> 
> Which OpenSSL version are you building Squid with?
> 
> What is the OPENSSL_VERSION_NUMBER constant in OpenSSL header files
> where you build Squid? You can probably run something like "fgrep -RI
> OPENSSL_VERSION_NUMBER /usr/include/openssl" to figure that out.
> 
> Which OpenSSL version are you running Squid with?

Under FreeBSD 8.3, it was built and running with OpenSSL 0.9.8q (OPENSSL_VERSION_NUMBER 0x0090811f).

Under FreeBSD 9.1 (stable branch checkout as of 2013-04-10), it is built and running with OpenSSL 0.9.8y (OPENSSL_VERSION_NUMBER 0x0090819fL).

I made this little change to support.cc, rebuilt squid and ssl_crtd, and it seems to be working OK with transparent SSL bumping:

--- src/ssl/support.cc.orig	2013-05-09 08:59:19.000000000 -0500
+++ src/ssl/support.cc	2013-05-09 09:00:25.000000000 -0500
@@ -1413,7 +1413,7 @@
 {
     // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
     // Try to retrieve certificate directly from SSL_CTX object
-#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL
+#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL || OPENSSL_VERSION_NUMBER == 0x0090819fL
     X509 ***pCert = (X509 ***)sslContext->cert;
     X509 * cert = pCert && *pCert ? **pCert : NULL;
 #else
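Review bot: the comment two lines above the `#if` still reads "buggy in openssl versions 1.0.1d and 1.0.1e", so adding `OPENSSL_VERSION_NUMBER == 0x0090819fL` without touching it leaves the documentation out of step with the condition it describes; extend the comment to name 0.9.8y and the report that motivated it (bug 3816 is the only reference in the thread). Also, the branch this enables reaches into OpenSSL internals with `X509 ***pCert = (X509 ***)sslContext->cert;`, a cast that only works if the private SSL_CTX/cert layout of the added release matches what the 1.0.1d/e workaround was written against, so each version appended to this exact-match chain needs that confirmed rather than assumed; a one-line note that 0.9.8y was verified on FreeBSD 9.1, and a helper macro if more releases join the list, would keep this maintainable.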

Thanks for the pointer, Alex!

Guy
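As an added example, not code from this thread, from Squid or from OpenSSL: the `#if` above compares OPENSSL_VERSION_NUMBER against exact constants, and the reply quotes two more (0x0090811f for 0.9.8q, 0x0090819fL for 0.9.8y). The C below decodes that 0xMNNFFPPS layout into a readable version string so the constants in a build tree can be checked against the list, and mirrors the patched condition as a predicate. The patch-letter rule for values past 25 (0.9.8za onward) and the dev/beta status digits are my reading of OpenSSL's numbering scheme, not something the thread states.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Squid or OpenSSL code). OPENSSL_VERSION_NUMBER in the
 * 0.9.8 and 1.0.x series is laid out as 0xMNNFFPPS:
 *   M  = major (4 bits)        NN = minor (8 bits)      FF = fix (8 bits)
 *   PP = patch letter (8 bits: 0 = none, 1 = a, ..., 25 = y, 26 = za, ...)
 *   S  = status (4 bits: 0 = dev, 1..14 = beta N, 15 = release)
 * The "za"/"zb" continuation and the status digits are my understanding of
 * the scheme; the thread itself only shows release builds.
 */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

static struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >>  4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render as "0.9.8y", "1.0.1e", "1.0.2-beta1" or "1.1.0-dev". */
static const char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_version r = ossl_decode(v);
    char patch[4] = "";
    char status[16] = "";

    if (r.patch >= 1 && r.patch <= 25) {
        patch[0] = (char)('a' + r.patch - 1);
        patch[1] = '\0';
    } else if (r.patch >= 26) {
        /* 0.9.8 ran past 'y' and continued as za, zb, ... */
        patch[0] = 'z';
        patch[1] = (char)('a' + r.patch - 26);
        patch[2] = '\0';
    }
    if (r.status == 0)
        snprintf(status, sizeof status, "-dev");
    else if (r.status < 0xf)
        snprintf(status, sizeof status, "-beta%u", r.status);

    snprintf(buf, len, "%u.%u.%u%s%s", r.major, r.minor, r.fix, patch, status);
    return buf;
}

/* Convenience for checks: does v render as expect? */
static int ossl_version_is(unsigned long v, const char *expect)
{
    char buf[32];
    return strcmp(ossl_format(v, buf, sizeof buf), expect) == 0;
}

/*
 * Same exact-match test as the patched #if in src/ssl/support.cc:
 * 1.0.1d and 1.0.1e (bug 3816) plus 0.9.8y from this report.
 * Anything else, including 0.9.8q that worked on FreeBSD 8.3, returns 0.
 */
static int ossl_needs_ctx_cert_workaround(unsigned long v)
{
    return v == 0x1000104fL || v == 0x1000105fL || v == 0x0090819fL;
}

int main(void)
{
    /* Constructed sample constants: the four quoted in the thread plus 1.0.1f. */
    const unsigned long samples[] = {
        0x0090811fL, 0x0090819fL, 0x1000104fL, 0x1000105fL, 0x1000106fL
    };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lxL -> %-8s workaround=%d\n", samples[i],
               ossl_format(samples[i], buf, sizeof buf),
               ossl_needs_ctx_cert_workaround(samples[i]));
    return 0;
}
```

Feed it the value that Alex's `fgrep -RI OPENSSL_VERSION_NUMBER /usr/include/openssl` turns up and it tells you whether the build tree's headers fall inside the patched condition; note that the headers at build time and the libssl loaded at run time can differ, which is exactly the distinction the quoted questions draw.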





