Bug 31633 - proxy client cannot authenticate to remote server / segmentation fault
Summary: proxy client cannot authenticate to remote server / segmentation fault
Status: CLOSED DUPLICATE of bug 24030
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy
Version: 2.0.51
Hardware: Sun Solaris
Importance: P3 blocker
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2004-10-11 06:48 UTC by Jean-Louis Morard
Modified: 2004-11-16 19:05 UTC

tar file + gzip (238.14 KB, application/octet-stream)
2004-10-11 11:41 UTC, Jean-Louis Morard
SSL certificate for the proxy client (1.28 KB, application/octet-stream)
2004-10-11 13:53 UTC, Jean-Louis Morard

Description Jean-Louis Morard 2004-10-11 06:48:40 UTC
I use httpd-2.0.52 (but same effect with .51)
When I try to authenticate my proxy server (mod_proxy) to a remote server with 
a certificate using the SSLProxyMachineCertificateFile, my httpd child process 
exits with a segmentation fault (both in prefork and worker mode). Following 
message in error_log (on proxy server):
[Mon Oct 11 07:42:39 2004] [notice] child pid 18156 exit signal Segmentation fault (11)

Remark: if the remote server has to authenticate itself to the proxy with a 
certificate, it works without any problem.

Here is the proxy configuration:
	ServerName uws0064.rtc.ch
	ServerAdmin root@uws0064.rtc.ch
	DocumentRoot /export/home/apache2/htdocs
	ErrorLog /var/apache/logs/uws0064-error_log
	CustomLog /var/apache/logs/uws0064-access_log common
	CustomLog /var/apache/logs/ssl_request_log \
	  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# SSL directives:
	SSLEngine On
	<Directory />
	SSLProtocol -All +SSLv3 +TLSv1
	SSLVerifyClient none
	SSLVerifyDepth	 10
	SSLCertificateKeyFile /etc/apache/ssl.key/uws0064.rtc.ch.key
	SSLCertificateFile /etc/apache/ssl.crt/uws0064.rtc.ch.crt
# Configuration for the proxy:
	ProxyRequests On
	SSLProxyEngine On
	ProxyVia On
	SSLProxyProtocol -All +SSLv3 +TLSv1
# Remote server has to provide a valid certificate:
#	SSLProxyVerify require
#	SSLProxyCACertificateFile /etc/apache/ssl.crt/uws0068.rtc.ch.crt
# This server must deliver the remote server a valid certificate:
	SSLProxyMachineCertificateFile /etc/apache/ssl.crt/uws0064.rtc.ch.crt
# Other proxy directives:
	<Proxy *>
                Order deny,allow
		Deny from all
		Allow from
		ExtFilterOptions DebugLevel=1
		SetOutputFilter ebppfilter
	ProxyPass /foo https://uws0068.rtc.ch:443
	ProxyPassReverse /foo https://uws0068.rtc.ch:443

Here is the remote server configuration:
	ServerAdmin root@uws0068.rtc.ch
	DocumentRoot /export/home/apache2/htdocs
	ServerName uws0068.rtc.ch
	ErrorLog /var/apache/logs/uws0068-error_log
	CustomLog /var/apache/logs/uws0068-access_log common
	SSLEngine On
	SSLProtocol SSLv3 +TLSv1
	SSLCertificateKeyFile /etc/apache/ssl.key/uws0068.rtc.ch.key
	SSLCertificateFile /etc/apache/ssl.crt/uws0068.rtc.ch.crt
# Client must authenticate himself:
#	SSLVerifyClient none
#	SSLVerifyClient optional
	SSLVerifyClient require
# if SSLVerifyClient require => apache process crashes (see /var/opt/apache/logs/error_log)
	SSLVerifyDepth	 10
	SSLCACertificateFile /etc/apache/ssl.crt/uws0064.rtc.ch.crt

uws0068-error_log on the remote server:
[Mon Oct 11 07:42:39 2004] [debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to read on BIO#263980 [mem: 2b0028]
[Mon Oct 11 07:42:39 2004] [debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv3 read client certificate A
[Mon Oct 11 07:42:39 2004] [debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv3 read client certificate A
[Mon Oct 11 07:42:39 2004] [info] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Oct 11 07:42:39 2004] [info] Connection to child 2 closed with abortive shutdown(server uws0068.rtc.ch:443, client
Comment 1 Joe Orton 2004-10-11 09:35:23 UTC
Can you firstly eliminate the ExtFilter definition in the Proxy block, to
simplify the reproduction case?

                ExtFilterOptions DebugLevel=1
                SetOutputFilter ebppfilter

and then, can you try to obtain a core dump and a backtrace? (from a
prefork-based server is best).

You may need to use coreadm to enable core dumps on Solaris:


Comment 2 Jean-Louis Morard 2004-10-11 11:41:57 UTC
Created attachment 13023
tar file + gzip
Comment 3 Jean-Louis Morard 2004-10-11 11:43:25 UTC

Following your proposition, I recompiled the httpd server with the -g flag and 
installed it. Then I used the 3 following tools:

a] gcore:
    # for pid in `ps -eaf | fgrep httpd | cut -d' ' -f4`; do
        truss -f -l -t\!all -S SIGSEGV -p $pid 2>&1 | egrep SIGSEGV &
      done
    # gcore <pid>
b] pstack <pid>
c] gdb httpd <pid>

The results of these commands as well as the logs are in the tar file.
Thanks 1000000000 times for your support! It's great!

Comment 4 Jean-Louis Morard 2004-10-11 11:45:00 UTC
Sorry, another comment: I also removed the filter function from the httpd.conf 
Comment 5 Joe Orton 2004-10-11 12:07:53 UTC
The client certificate you configured: /etc/apache/ssl.crt/uws0064.rtc.ch.crt  -
is it encrypted?  There is a known bug where you can get segfaults if you
configure an encrypted client cert.
Comment 6 Jean-Louis Morard 2004-10-11 13:53:55 UTC
Created attachment 13027
SSL certificate for the proxy client
Comment 7 Jean-Louis Morard 2004-10-11 13:56:00 UTC

Here is the certificate. Tell me if it doesn't work.
For the production time, the remote server is not in our enterprise. Is it in 
this case possible to use an unencrypted certificate?
I compiled on a redhat server. Same effect...
Comment 8 Joe Orton 2004-10-11 15:56:46 UTC
There is no private key in that file - you must put *both* the client
certificate and the unencrypted private key file in the file referenced by
SSLProxyMachineCertificateFile, per the documentation:


The server should not crash, of course: that is filed as bug 24030.

*** This bug has been marked as a duplicate of 24030 ***
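
Added example (not part of the original bug thread and not httpd code): a structural pre-flight check for the file named in SSLProxyMachineCertificateFile, covering the two conditions raised in comments 5 and 8, namely that the file must hold both a certificate and a private key, and that the key must not be encrypted. The function name, the messages and the sample PEM blocks are constructed for illustration; the check reads PEM armor only and does not verify that the key matches the certificate.

```python
import re

# PEM armor: -----BEGIN <label>----- ... -----END <label>-----
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

MISSING_CERT = "no certificate block"
MISSING_KEY = "no private key block"
ENCRYPTED_KEY = "private key is encrypted"


def check_proxy_machine_cert(pem_text):
    """Return a list of problems (empty list = structurally usable)."""
    has_cert = has_key = encrypted = False
    for label, body in _PEM_BLOCK.findall(pem_text):
        if label in ("CERTIFICATE", "X509 CERTIFICATE"):
            has_cert = True
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 encrypted key: encryption is signalled by the label.
            has_key = encrypted = True
        elif label.endswith("PRIVATE KEY"):
            has_key = True
            # Traditional OpenSSL format: encryption is signalled by an
            # RFC 1421 header inside the block.
            if "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
    problems = []
    if not has_cert:
        problems.append(MISSING_CERT)
    if not has_key:
        problems.append(MISSING_KEY)
    if encrypted:
        problems.append(ENCRYPTED_KEY)
    return problems


# Constructed samples: the base64 bodies are placeholders, not real key material.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nQ09OU1RSVUNURUQ=\n"
           "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_proxy_machine_cert(CERT))        # certificate-only file, as in comment 8
    print(check_proxy_machine_cert(CERT + KEY))  # certificate plus unencrypted key
```

Because the key in this file is stored unencrypted, the file should be readable only by the account that starts httpd.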
Comment 9 Jean-Louis Morard 2004-10-14 15:21:16 UTC
I tried it and it works well. This is now the occasion for me to thank you for 
your support. This is really GREAT! Freeware support for such a quality and 
rapidity, wouahhh! Thanks again!
When do you think you have a patch or a new release for the bug 24030?
Comment 10 Joe Orton 2004-10-14 15:32:47 UTC
It's proposed for inclusion in 2.0.53.