| Field | Value |
|---|---|
| Summary | Apache 2.x goes down with 2000+ includes |
| Product | Apache httpd-2 |
| Reporter | Lit <agne> |
| Component | mod_ssl |
| Assignee | Apache HTTPD Bugs Mailing List <bugs> |
| Status | RESOLVED INVALID |
| Severity | normal |
| Priority | P2 |
| Version | 2.2-HEAD |
| Target Milestone | --- |
| Hardware | Other |
| OS | Linux |
Description
Lit
2007-10-29 00:29:33 UTC
This is an OpenSSL bug, fixed in 0.9.8c and later. (It uses select() rather than poll() and doesn't check for the FD_SETSIZE overflow.) What do you think about this patch?

```diff
diff -Nur httpd-2.2.6.orig/modules/ssl/ssl_engine_rand.c httpd-2.2.6/modules/ssl/ssl_engine_rand.c
--- httpd-2.2.6.orig/modules/ssl/ssl_engine_rand.c 2006-07-11 22:38:44.000000000 -0500
+++ httpd-2.2.6/modules/ssl/ssl_engine_rand.c 2007-10-01 17:28:24.000000000 -0500
@@ -127,9 +127,23 @@
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                  "%sSeeding PRNG with %d bytes of entropy", prefix, nDone);
 
+/*
+ * RAND_status() will generate segfaults when more than 1024 filedescriptors are
+ * open on OpenSSL versions before 0.9.8c and 0.9.7k
+ */
+#if SSL_LIBRARY_VERSION < 0x00908000
+#if SSL_LIBRARY_VERSION >= 0x009070b0
     if (RAND_status() == 0)
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                      "%sPRNG still contains insufficient entropy!", prefix);
+#endif
+#else
+#if SSL_LIBRARY_VERSION >= 0x00908030
+    if (RAND_status() == 0)
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                     "%sPRNG still contains insufficient entropy!", prefix);
+#endif
+#endif
 
     return nDone;
 }
```

I see no need to add complexity to mod_ssl to attempt to work around this bug, it's a bug in OpenSSL and has been fixed there.
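Review bot: the nested `#if SSL_LIBRARY_VERSION` ladder in this hunk duplicates the entire `if (RAND_status() == 0) ... ap_log_error(...)` block so that each branch carries its own copy; one guard around the original three lines, for example `#if (SSL_LIBRARY_VERSION >= 0x009070b0 && SSL_LIBRARY_VERSION < 0x00908000) || SSL_LIBRARY_VERSION >= 0x00908030`, expresses the same two version ranges without the duplication and is easier to audit. Two further points: SSL_LIBRARY_VERSION is the header version at build time, so a mod_ssl compiled against 0.9.8c headers but loaded with an older shared libssl still makes the call (a runtime `SSLeay()` comparison would track the library actually in use), and on the excluded versions the entropy warning is silently dropped rather than logged as skipped, leaving the comment's claim ("segfaults when more than 1024 filedescriptors are open") as the only record of why the check is absent.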
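Added example, not code from the bug report, httpd or OpenSSL: the FD_SETSIZE hazard the description names, shown as a select()-based readiness check that refuses an out-of-range descriptor, beside the poll() equivalent that has no such ceiling. The function names and the pipe fixture are this example's own assumptions.

```c
#include <poll.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* FD_SET() on a descriptor >= FD_SETSIZE writes past the fd_set: the overrun
 * the report attributes to RAND_poll() once 1024+ files are open. */
int fd_fits_fd_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* select()-based readiness check that refuses an fd the set cannot hold.
 * Returns 1 readable, 0 timeout, -1 error or unusable descriptor. */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    if (!fd_fits_fd_set(fd))
        return -1;                      /* would corrupt memory; refuse */
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    if (select(fd + 1, &rfds, NULL, NULL, &tv) < 0)
        return -1;
    return FD_ISSET(fd, &rfds) ? 1 : 0;
}

/* Same check with poll(): the fd is passed by value, so there is no
 * FD_SETSIZE ceiling and no check to forget. Same return convention. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { fd, POLLIN, 0 };
    if (poll(&pfd, 1, timeout_ms) < 0)
        return -1;
    return (pfd.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Constructed fixture: a pipe, with or without one byte queued, checked by
 * either primitive so both paths run without a real entropy device. */
int demo_pipe_readable(int use_poll, int queue_byte)
{
    int p[2], rc = -1;
    if (pipe(p) != 0)
        return -1;
    if (!queue_byte || write(p[1], "x", 1) == 1)
        rc = use_poll ? wait_readable_poll(p[0], 50)
                      : wait_readable_select(p[0], 50);
    close(p[0]);
    close(p[1]);
    return rc;
}
```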