Apache starts to segfault with 2000+ includes (everything is okay with ~600-1000 includes):
(gdb) b ap_process_request
Note: breakpoints 1 and 3 also set at pc 0x809f9e9.
Breakpoint 4 at 0x809f9e9: file http_request.c, line 252.
(gdb) run -X -d /etc/httpd
Starting program: /usr/sbin/httpd -X -d /etc/httpd
[Thread debugging using libthread_db enabled]
[New Thread -1208407840 (LWP 30464)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208407840 (LWP 30464)]
0x00e21d63 in RAND_SSLeay () from /lib/libcrypto.so.4
(gdb) n
Single stepping until exit from function RAND_SSLeay,
which has no line number information.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
This is an OpenSSL bug, fixed in 0.9.8c and later (it uses select() rather than poll() and doesn't check for the FD_SETSIZE overflow).
What do you think about this patch? diff -Nur httpd-2.2.6.orig/modules/ssl/ssl_engine_rand.c httpd-2.2.6/modules/ssl/ssl_engine_rand.c --- httpd-2.2.6.orig/modules/ssl/ssl_engine_rand.c 2006-07-11 22:38:44.000000000 -0500 +++ httpd-2.2.6/modules/ssl/ssl_engine_rand.c 2007-10-01 17:28:24.000000000 -0500 @@ -127,9 +127,23 @@ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "%sSeeding PRNG with %d bytes of entropy", prefix, nDone); +/* + * RAND_status() will generate segfaults when more than 1024 filedescriptors are + * open on OpenSSL versions before 0.9.8c and 0.9.7k + */ +#if SSL_LIBRARY_VERSION < 0x00908000 +#if SSL_LIBRARY_VERSION >= 0x009070b0 if (RAND_status() == 0) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "%sPRNG still contains insufficient entropy!", prefix); +#endif +#else +#if SSL_LIBRARY_VERSION >= 0x00908030 + if (RAND_status() == 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "%sPRNG still contains insufficient entropy!", prefix); +#endif +#endif return nDone; }
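Review bot: The version gates around RAND_status() are preprocessor checks on SSL_LIBRARY_VERSION, so they reflect the OpenSSL headers httpd was built against, not the libcrypto loaded at run time; a binary compiled against fixed headers and run with an older shared library would still make the call, and a run-time version check would be needed to cover that case. Both #if branches also wrap an identical RAND_status() block, which could be one condition around a single copy. On the excluded versions the "PRNG still contains insufficient entropy!" warning disappears silently, so a log line stating that the check was skipped would keep that visible to the administrator. The constants 0x009070b0 and 0x00908030 would benefit from a comment mapping each to the release it is meant to represent, since the comment block names 0.9.7k and 0.9.8c but the code does not say which constant is which.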
I see no need to add complexity to mod_ssl to attempt to work around this bug; it's a bug in OpenSSL and has been fixed there.