I use httpd-2.0.52 (but same effect with .51). When I try to authenticate my proxy server (mod_proxy) to a remote server with a certificate using SSLProxyMachineCertificateFile, my httpd child process exits with a segmentation fault (both in prefork and worker mode). The following message appears in error_log (on the proxy server):

  [Mon Oct 11 07:42:39 2004] [notice] child pid 18156 exit signal Segmentation fault (11)

Remark: if the remote server has to authenticate itself to the proxy with a certificate, it works without any problem.

Here is the proxy configuration:
--------------------------------
<VirtualHost 159.29.24.152:443>
    ServerName uws0064.rtc.ch
    ServerAdmin root@uws0064.rtc.ch
    DocumentRoot /export/home/apache2/htdocs
    ErrorLog /var/apache/logs/uws0064-error_log
    CustomLog /var/apache/logs/uws0064-access_log common
    CustomLog /var/apache/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # SSL directives:
    SSLEngine On
    <Directory />
        SSLRequireSSL
    </Directory>
    SSLProtocol -All +SSLv3 +TLSv1
    SSLVerifyClient none
    SSLVerifyDepth 10
    SSLCertificateKeyFile /etc/apache/ssl.key/uws0064.rtc.ch.key
    SSLCertificateFile /etc/apache/ssl.crt/uws0064.rtc.ch.crt

    # Configuration for the proxy:
    ProxyRequests On
    SSLProxyEngine On
    ProxyVia On
    SSLProxyProtocol -All +SSLv3 +TLSv1

    # Remote server has to provide a valid certificate:
    # SSLProxyVerify require
    # SSLProxyCACertificateFile /etc/apache/ssl.crt/uws0068.rtc.ch.crt

    # This server must deliver the remote server a valid certificate:
    SSLProxyMachineCertificateFile /etc/apache/ssl.crt/uws0064.rtc.ch.crt

    # Other proxy directives:
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 159.29.0.0/16
        ExtFilterOptions DebugLevel=1
        SetOutputFilter ebppfilter
    </Proxy>
    ProxyPass /foo https://uws0068.rtc.ch:443
    ProxyPassReverse /foo https://uws0068.rtc.ch:443
</VirtualHost>

Here is the remote server configuration:
---------------------------------------
<VirtualHost 159.29.24.104:443>
    ServerAdmin root@uws0068.rtc.ch
    DocumentRoot /export/home/apache2/htdocs
    ServerName uws0068.rtc.ch
    ErrorLog /var/apache/logs/uws0068-error_log
    CustomLog /var/apache/logs/uws0068-access_log common
    SSLEngine On
    SSLProtocol SSLv3 +TLSv1
    SSLCertificateKeyFile /etc/apache/ssl.key/uws0068.rtc.ch.key
    SSLCertificateFile /etc/apache/ssl.crt/uws0068.rtc.ch.crt
    # Client must authenticate himself:
    # SSLVerifyClient none
    # SSLVerifyClient optional
    SSLVerifyClient require
    # if SSLVerifyClient require => apache process crashes (see /var/opt/apache/logs/error_log)
    SSLVerifyDepth 10
    SSLCACertificateFile /etc/apache/ssl.crt/uws0064.rtc.ch.crt
</VirtualHost>

uws0068-error_log on the remote server:
--------------------------------------
[Mon Oct 11 07:42:39 2004] [debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to read on BIO#263980 [mem: 2b0028]
[Mon Oct 11 07:42:39 2004] [debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv3 read client certificate A
[Mon Oct 11 07:42:39 2004] [debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv3 read client certificate A
[Mon Oct 11 07:42:39 2004] [info] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Oct 11 07:42:39 2004] [info] Connection to child 2 closed with abortive shutdown(server uws0068.rtc.ch:443, client 159.29.24.152)
Can you first eliminate the ExtFilter definition in the Proxy block, to simplify the reproduction case?

    ExtFilterOptions DebugLevel=1
    SetOutputFilter ebppfilter

And then, can you try to obtain a core dump and a backtrace? (From a prefork-based server is best.) You may need to use coreadm to enable core dumps on Solaris: http://httpd.apache.org/dev/debugging.html#sol27
Created attachment 13023: tar file + gzip
Hello,

Following your proposition, I recompiled the httpd server with the -g flag and installed it. Then I used the following three tools:

a] gcore:

    # for pid in `ps -eaf | fgrep httpd | cut -d' ' -f4`
      do
        truss -f -l -t\!all -S SIGSEGV -p $pid 2>&1 | egrep SIGSEGV &
      done
    gcore <pid>

b] pstack <pid>

c] gdb httpd <pid>

The results of these commands as well as the logs are in the tar file.

Thanks 1000000000 times for your support! It's great!

Cheers,
Jean-Louis
Sorry, another comment: I also removed the filter function from the httpd.conf file.
The client certificate you configured: /etc/apache/ssl.crt/uws0064.rtc.ch.crt - is it encrypted? There is a known bug where you can get segfaults if you configure an encrypted client cert.
Created attachment 13027: SSL certificate for the proxy client
Here is the certificate. Tell me if it doesn't work. For the production time, the remote server is not in our enterprise. Is it in this case possible to use an unencrypted certificate? I compiled on a Red Hat server. Same effect...
There is no private key in that file - you must put *both* the client certificate and the unencrypted private key file in the file referenced by SSLProxyMachineCertificateFile, per the documentation: http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslproxymachinecertificatefile The server should not crash, of course: that is filed as bug 24030. *** This bug has been marked as a duplicate of 24030 ***
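Added example (not from the bug report, the attachment, or httpd itself): a small Python check for the structural requirement stated above, namely that the file named by SSLProxyMachineCertificateFile must carry both the client certificate and its private key, and that the key must be unencrypted. The PEM bodies below are constructed placeholders, not real key material, and the file name in the usage comment is hypothetical. The check only looks at PEM block labels and headers; whether the key actually matches the certificate still has to be checked with openssl.

```python
"""Structural check of a PEM file intended for SSLProxyMachineCertificateFile.

Added example, not part of the bug report or of httpd. mod_ssl expects the
file to hold the client certificate *and* its private key, and the key must
be unencrypted (no passphrase prompt is possible for proxy connections).
"""
import re
import sys

# One PEM block: BEGIN label, body (optional headers + base64), matching END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Legacy OpenSSL PEM encryption is signalled by a header inside the block.
LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED", re.M)


def inspect_machine_cert_file(pem_text):
    """Count certificate and key blocks and list what would stop mod_ssl
    from using the file as a proxy client identity."""
    certs = keys = encrypted = 0
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if label == "CERTIFICATE":
            certs += 1
        elif label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, encrypted
            keys += 1
            encrypted += 1
        elif label.endswith("PRIVATE KEY"):          # RSA/DSA/EC/PKCS#8 plain
            keys += 1
            if LEGACY_ENCRYPTED.search(body):        # ...unless legacy-encrypted
                encrypted += 1

    problems = []
    if certs == 0:
        problems.append("no CERTIFICATE block")
    if keys == 0:
        problems.append("no PRIVATE KEY block (certificate only)")
    if encrypted:
        problems.append("%d private key(s) are encrypted; mod_ssl needs them "
                        "unencrypted" % encrypted)
    return {"certificates": certs, "keys": keys,
            "encrypted_keys": encrypted, "problems": problems}


def is_usable(pem_text):
    """True when the file has a certificate and an unencrypted private key.
    Key/certificate correspondence is NOT verified here; compare
    'openssl x509 -noout -modulus' with 'openssl rsa -noout -modulus'."""
    return not inspect_machine_cert_file(pem_text)["problems"]


# Constructed sample inputs (the base64 bodies are dummies, not real material).
CERT_ONLY = ("-----BEGIN CERTIFICATE-----\n"
             "MIIBszCCARwCCQDdummycertificatebody\n"
             "-----END CERTIFICATE-----\n")
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
             "MIIEowIBAAKCAQEAdummyplainkeybody\n"
             "-----END RSA PRIVATE KEY-----\n")
LEGACY_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                  "Proc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
                  "\n"
                  "dummyencryptedkeybody\n"
                  "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                 "MIIFHDBOBgkqhkiG9w0BBQ0dummypkcs8body\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Hypothetical usage: python check_machine_cert.py /etc/apache/ssl.crt/machine.pem
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as fh:
            report = inspect_machine_cert_file(fh.read())
    else:
        # Certificate-only file, the shape that produced the crash in this thread.
        report = inspect_machine_cert_file(CERT_ONLY)
    print(report)
    sys.exit(0 if not report["problems"] else 1)
```

In practice the combined file is produced with something like `cat uws0064.rtc.ch.crt uws0064.rtc.ch.key > machine.pem` (paths assumed) and should be mode 0600, since it now holds the unencrypted private key.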
Hi, I tried it and it works well. This is now the occasion for me to thank you for your support. This is really GREAT! Freeware support of such quality and rapidity, wouahhh! Thanks again! When do you think you will have a patch or a new release for bug 24030?
It's proposed for inclusion in 2.0.53.