Percona Server moved to https://jira.percona.com/projects/PS

Bug #1028240
Comment #9

Comment 9 for bug 1028240

Revision history for this message

Barney Desmond (barneydesmond) wrote on 2012-09-18:

Hi there,

We've been following this issue at our company and believe we have a firm grasp on the problem here, so I'd like to make two notes.

1. This bug *appears* to be related to #1002164, I'm not sure if they should be linked in any way.

2. Our description is of the problem is published here, we believe it's accurate:
http://www.anchor.com.au/blog/2012/09/why-does-percona-cause-ssl-issues-in-postfix/

Alexey, the answer to your question appears to be "yes".

A direct technical summary is as follows:

* We see the problem in /usr/libexec/postfix/smtp when SSL/TLS is attempted, it segfaults
* ldd shows that it links to libcrypto.so.10 and libmysqlclient.so.16
libmysqlclient.so.16 => /usr/lib64/libmysqlclient.so.16 (0x00007f586b3b2000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f586a91e000)
* libmysqlclient embeds YaSSL, which provides four dummy functions:
    - CRYPTO_add_lock
    - CRYPTO_lock
    - CRYPTO_mem_ctrl
    - EVP_CIPHER_CTX_init
* These functions are not used internally by libmysqlclient, nor are they “hidden” in any way
* Those symbols are also exported by libcrypto, which actually implements them properly. Software like Postfix (and PHP, amongst others) expect to use libcrypto's functions
* The symbols from libmysqlclient are “winning” over those from libcrypto
* When Postfix tries to use SSL/TLS, it hits those broken functions and then segfaults

We then looked further into the packaging to see what could be done.

* /usr/lib64/libmysqlclient.so.16 is provided by the package Percona-Server-shared-compat
* Percona-Server-shared-compat is built directly from Mysql-shared-compat, thus the bug is upstream
* The bug appears to have since been fixed in MySQL
* Percona is built with a specific version of Mysql-shared-compat that has the buggy libmysqlclient

Therefore, we believe the correct approach to fix Percona is to target a version of Mysql-shared-compat that doesn't contain the buggy libmysqlclient.so.16 library.

----

We hope this information is useful, we'd be happy to answer further questions if it's helpful.

System details:

--
root@lily:~# rpm -qa | grep Percona
Percona-Server-shared-55-5.5.27-rel28.1.296.rhel6.x86_64
Percona-Server-server-55-5.5.27-rel28.1.296.rhel6.x86_64
Percona-Server-shared-compat-5.5.27-rel28.1.296.rhel6.x86_64
Percona-Server-client-55-5.5.27-rel28.1.296.rhel6.x86_64

--
root@lily:~# cat /etc/redhat-release
CentOS release 6.3 (Final)

--
root@lily:~# uname -a
Linux lily.example.com 2.6.32-279.5.1.el6.x86_64 #1 SMP Tue Aug 14 23:54:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

----
The problem has also be observed on a CentOS 5 server:

--
root@rock:~# rpm -qa | grep Percona
Percona-Server-client-55-5.5.27-rel28.1.296.rhel5
Percona-XtraDB-Cluster-devel-5.5.27-23.6.356.rhel5
Percona-Server-shared-compat-5.5.27-rel28.1.296.rhel5
Percona-Server-shared-55-5.5.27-rel28.1.296.rhel5
Percona-Server-server-55-5.5.27-rel28.1.296.rhel5

--
root@rock:~# cat /etc/redhat-release
CentOS release 5.8 (Final)

--
root@rock:~# uname -a
Linux rock.example.com 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:18 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux

Hi there,

We've been following this issue at our company and believe we have a firm grasp on the problem here, so I'd like to make two notes.

1. This bug *appears* to be related to #1002164, I'm not sure if they should be linked in any way.

2. Our description is of the problem is published here, we believe it's accurate:
http://www.anchor.com.au/blog/2012/09/why-does-percona-cause-ssl-issues-in-postfix/

Alexey, the answer to your question appears to be "yes".

A direct technical summary is as follows:

* We see the problem in /usr/libexec/postfix/smtp when SSL/TLS is attempted, it segfaults
 * ldd shows that it links to libcrypto.so.10 and libmysqlclient.so.16
	libmysqlclient.so.16 => /usr/lib64/libmysqlclient.so.16 (0x00007f586b3b2000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f586a91e000)
 * libmysqlclient embeds YaSSL, which provides four dummy functions:
    - CRYPTO_add_lock
    - CRYPTO_lock
    - CRYPTO_mem_ctrl
    - EVP_CIPHER_CTX_init
 * These functions are not used internally by libmysqlclient, nor are they “hidden” in any way
 * Those symbols are also exported by libcrypto, which actually implements them properly. Software like Postfix (and PHP, amongst others) expect to use libcrypto's functions
 * The symbols from libmysqlclient are “winning” over those from libcrypto
 * When Postfix tries to use SSL/TLS, it hits those broken functions and then segfaults

We then looked further into the packaging to see what could be done.

* /usr/lib64/libmysqlclient.so.16 is provided by the package Percona-Server-shared-compat
 * Percona-Server-shared-compat is built directly from Mysql-shared-compat, thus the bug is upstream
 * The bug appears to have since been fixed in MySQL
 * Percona is built with a specific version of Mysql-shared-compat that has the buggy libmysqlclient

Therefore, we believe the correct approach to fix Percona is to target a version of Mysql-shared-compat that doesn't contain the buggy libmysqlclient.so.16 library.

----

We hope this information is useful, we'd be happy to answer further questions if it's helpful.

System details:

--
root@lily:~# cat /etc/redhat-release 
CentOS release 6.3 (Final)

--
root@lily:~# uname -a
Linux lily.example.com 2.6.32-279.5.1.el6.x86_64 #1 SMP Tue Aug 14 23:54:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

----
The problem has also be observed on a CentOS 5 server:

--
root@rock:~# cat /etc/redhat-release 
CentOS release 5.8 (Final)

--
root@rock:~# uname -a
Linux rock.example.com 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:18 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux