Apache 2 does not work with SSL enabled on NCP2

Bug #381771 reported by Phillip Steinbachs
This bug affects 1 person
Affects: Nexenta Operating System
Status: Fix Released
Importance: High
Assigned to: Tim Spriggs

Bug Description

Enabling the SSL module for Apache 2 under NCP2 results in Apache appearing to hang while connecting to either port 80 or 443. netstat -na shows that it's listening and shows client connections to the port, but Apache does not appear to receive them. truss/dtruss doesn't reveal anything unusual. Turning on full debug shows nothing strange in the logs. Apache 2 works properly if the SSL module is disabled.

In an attempt to narrow this down, I compiled Apache 2.2.11 from Ubuntu Jaunty source on NCP2 and it exhibited the same problem. I compiled 2.2.11 directly from source on the apache website and it exhibited the same problem. The nginx package in the Hardy repo works with SSL. The Apache 2.2.8 packages in the Hardy repo work properly on NCP 1.x. It would appear the issue is with mod_ssl and the patched Sun openssl from sunwopenssl-libraries.

Phillip Steinbachs (psteinbachs) wrote :

As an additional test, I have modified the apache 2.2.8 packages in hardy to link against openssl 0.9.8k I compiled from source in /usr/local, and everything works now as expected. Tim Spriggs noticed that starting the apache2 binary with the -X flag also allowed it to function in a limited capacity (debug mode, only one child process) and I have confirmed that.

Phillip Steinbachs (psteinbachs) wrote :

I stumbled upon a workaround for this. In /etc/apache2/conf.d add an ssl.conf with the following contents:

<IfModule mod_ssl.c>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice pkcs11
</IfModule>

These changes are derived from:

http://src.opensolaris.org/source/xref/webstack/apache2/httpd/patches/ssl.conf.in.patch.Solaris

After this, both port 80 and 443 work with the standard hardy packages.

Tim Spriggs (tim-tajinc) wrote : Re: [Bug 381771] Re: Apache 2 does not work with SSL enabled on NCP2

It looks like the only required line for this is "SSLCryptoDevice pkcs11".
Keeping the configuration the same and adding the line to
/etc/apache2/mods-available/ssl.conf has the desired effect.

Additionally, apache2 is version 2.0 and not 2.2 as hardy should be.
I'll be recompiling the newer apache and depends with the ssl.conf patch.

Phillip Steinbachs wrote:
> I stumbled upon a workaround for this. In /etc/apache2/conf.d add an
> ssl.conf with the following contents:
>
> <IfModule mod_ssl.c>
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
> SSLRandomSeed startup file:/dev/urandom 512
> SSLRandomSeed connect file:/dev/urandom 512
> SSLCryptoDevice pkcs11
> </IfModule>
>
> These changes are derived from:
>
> http://src.opensolaris.org/source/xref/webstack/apache2/httpd/patches/ssl.conf.in.patch.Solaris
>
> After this, both port 80 and 443 work with the standard hardy packages.
>

Tim Spriggs (tim-tajinc) wrote :

The apache 2.2.8 source has been rebuilt and uploaded to the hardy-unstable repository with a patch to add "SSLCryptoDevice pkcs11" to the default ssl.conf.

Changed in nexenta:
assignee: nobody → Tim Spriggs (tim-tajinc)
importance: Undecided → High
milestone: none → hardy-release
status: New → Fix Released
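
A check for the condition this report describes, as an added example (not part of the report or of the Nexenta packages): it reports whether mod_ssl is loaded in a Debian-style tree such as /etc/apache2 and, if so, whether an active "SSLCryptoDevice pkcs11" line is present. The function names, the constructed sample tree and the list of scanned paths (apache2.conf, mods-enabled, conf.d) are assumptions.

```shell
#!/bin/sh
# Added example: checks a Debian-style Apache tree for the condition in this bug
# (mod_ssl loaded, but no active "SSLCryptoDevice pkcs11" directive).

# Active (non-comment) lines from the parts of $1 that Apache actually loads.
# find -L follows symlinks: mods-enabled/* point into mods-available/,
# which is where the directive was added in this report.
active_lines() {
    find -L "$1/apache2.conf" "$1/mods-enabled" "$1/conf.d" -type f \
        -exec cat {} + 2>/dev/null |
        sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Prints no-ssl, ok or missing for the tree rooted at $1.
# Matching is case-insensitive because Apache directive names are.
check_cryptodevice() {
    lines=$(active_lines "$1")
    if ! printf '%s\n' "$lines" |
        grep -Eiq '^LoadModule[[:space:]]+ssl_module[[:space:]]'; then
        echo no-ssl
    elif printf '%s\n' "$lines" |
        grep -Eiq '^SSLCryptoDevice[[:space:]]+pkcs11[[:space:]]*$'; then
        echo ok
    else
        echo missing
    fi
}

# Constructed sample tree (not from the report). $1 = directory to create,
# $2 = text placed inside the <IfModule> block of mods-available/ssl.conf.
make_sample_tree() {
    mkdir -p "$1/mods-available" "$1/mods-enabled" "$1/conf.d"
    echo 'LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so' \
        > "$1/mods-available/ssl.load"
    printf '<IfModule mod_ssl.c>\n%s\n</IfModule>\n' "$2" \
        > "$1/mods-available/ssl.conf"
    ln -sf ../mods-available/ssl.load "$1/mods-enabled/ssl.load"
    ln -sf ../mods-available/ssl.conf "$1/mods-enabled/ssl.conf"
}

# Usage: sh check.sh /etc/apache2
if [ "$#" -gt 0 ]; then
    check_cryptodevice "$1"
fi
```

A result of "missing" means mod_ssl is loaded without the directive, which is the configuration that hung on NCP2 in this report; a commented-out line or one that exists only in mods-available does not count.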