Apache2 segfault with SSLProxyMachineCertificateFile (upstream patch not applied in ubuntu)

Bug #821077 reported by Loic
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Apache2 Web Server | Unknown | Unknown | |
apache2 (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Precise | Fix Released | Medium | Unassigned |

Bug Description

When I use SSLProxyMachineCertificateFile in my apache configuration, the service crashes with a segfault on startup.

Here's the error.log contents with "LogLevel debug" :

[Thu Aug 04 20:35:05 2011] [info] Init: Seeding PRNG with 648 bytes of entropy
[Thu Aug 04 20:35:05 2011] [info] Loading certificate & private key of SSL-aware server
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Thu Aug 04 20:35:05 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Aug 04 20:35:05 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Aug 04 20:35:05 2011] [info] Init: Initializing (virtual) servers for SSL
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(548): Configuring client authentication
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(1143): CA certificate: [hidden for privacy]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(636): Configuring certificate revocation facility
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(966): loaded 1 client certs for SSL proxy
[Thu Aug 04 20:35:05 2011] [info] Configuring server for SSL protocol
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv3, TLSv1)
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(548): Configuring client authentication
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(1143): CA certificate: [hidden for privacy]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [HIGH:MEDIUM:!ADH]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(636): Configuring certificate revocation facility
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(370): Configuring TLS extension handling
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(742): Configuring RSA server certificate
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(781): Configuring RSA server private key
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(548): Configuring client authentication
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(1143): CA certificate: [hidden for privacy]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(636): Configuring certificate revocation facility
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(966): loaded 1 client certs for SSL proxy
[Thu Aug 04 20:35:05 2011] [info] mod_ssl/2.2.14 compiled against Server: Apache/2.2.14, Library: OpenSSL/0.9.8k

Googling this issue, I found a very similar story leading to a patch by the Apache team (see https://issues.apache.org/bugzilla/show_bug.cgi?id=39915 and http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?r1=417988&r2=417987&pathrev=417988).

I ran apt-get source apache2 on my server and compared the included ssl_engine_init.c with the patched version from the svn above. I confirm this patch is not included in the current package (as available today in Ubuntu repositories for Lucid).

I would happily patch my source, compile and test to confirm it fixes the issue, but that's a bit beyond my Ubuntu knowledge (especially the "compile and rebuild package before apt-get-installing the fixed version" part).

BTW : please consider publishing the fixed version in Lucid repositories, as I cannot use a non-LTS release.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: apache2 2.2.14-5ubuntu8.4
ProcVersionSignature: Ubuntu 2.6.32-30.59-generic-pae 2.6.32.29+drm33.13
Uname: Linux 2.6.32-30-generic-pae i686
Architecture: i386
Date: Thu Aug 4 20:21:18 2011
EcryptfsInUse: Yes
InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release i386 (20100816.2)
ProcEnviron:
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
SourcePackage: apache2
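
The comparison described in the report (does the distribution's source tree already carry the upstream change?) can be scripted with dry runs of GNU patch. This is an added example, not part of the original report or of the Apache or Ubuntu projects; the function name `patch_status` and the directory and file names in the usage comment are hypothetical, and GNU patch is assumed.

```shell
#!/bin/sh
# Added example: classify whether a unified diff is already present in an
# unpacked source tree, without modifying any file (assumes GNU patch).
#
# Usage (placeholder paths): patch_status <unpacked-source-dir> <upstream.diff> [strip]
# Prints one of:
#   applied   the tree already contains the change
#   missing   the change applies cleanly, so the tree lacks it
#   conflict  neither direction applies: the tree has diverged, review by hand
#   error     bad arguments
patch_status() {
    ps_src=$1
    ps_patch=$2
    ps_strip=${3:-0}

    if [ ! -d "$ps_src" ] || [ ! -r "$ps_patch" ]; then
        echo error
        return 2
    fi

    # Reverse dry run: succeeds only when the "after" side of every hunk is
    # what the tree contains. -f stops patch from second-guessing -R.
    if patch -d "$ps_src" -p"$ps_strip" -R -f -s --dry-run \
            < "$ps_patch" >/dev/null 2>&1; then
        echo applied
    # Forward dry run: succeeds only when the "before" side is still there.
    # -N makes patch refuse hunks that look already applied.
    elif patch -d "$ps_src" -p"$ps_strip" -N -f -s --dry-run \
            < "$ps_patch" >/dev/null 2>&1; then
        echo missing
    else
        echo conflict
    fi
}
```

A `conflict` result is the case to look at manually: the packaged file may carry a backport that differs textually from the upstream revision.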

Loic (lbndev) wrote :

Attaching a copy of the (one line) patch from apache (the URL I got it from is in the previous comment).

Loic (lbndev) wrote :

I managed to build a patched version of the package, reinstall and test. I confirm that the attached patch fixes my problem : apache starts and the SSL reverse proxy works.

Changed in apache2 (Ubuntu):
importance: Undecided → Medium
Changed in apache2 (Ubuntu):
status: New → Triaged
Chuck Short (zulcss) wrote :

This is probably a good candidate for an SRU.

Changed in apache2 (Ubuntu Precise):
status: Triaged → Fix Released
Loic (lbndev) wrote :

Thank you very much Chuck.

I'm still manually re-patching my packages and servers every time an apache2 package upgrade is published for Lucid. Looking forward to the SRU ! :-)

Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in apache2 (Ubuntu Lucid):
status: New → Won't Fix