Segfault on OpenSSL engine initialisation when AES-NI is enabled
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenSSL | Fix Released | Unknown | | |
| php | Invalid | Undecided | Unassigned | |
| openssl (Ubuntu) | | High | Colin Watson | |
| Lucid | | High | Colin Watson | |
| Maverick | | High | Colin Watson | |
Bug Description
Binary package hint: apache2
Installed software:
apache2-mpm-prefork 2.2.14-5ubuntu8
php5 5.3.2-1ubuntu4.2
libapache2-mod-php5 5.3.2-1ubuntu4.2
php5-curl 5.3.2-1ubuntu4.2
Ubuntu version: Ubuntu 10.04 LTS
If the php5-curl module is enabled in apache2 and any page on this server is accessed over https://, regardless of the URL and its handler (php5 or a simple static file), apache resets the connection, logging the following in error.log:
[Mon Jun 07 08:48:58 2010] [notice] Apache/2.2.14 (Ubuntu) DAV/2 SVN/1.6.6 PHP/5.3.
[Mon Jun 07 08:49:10 2010] [notice] child pid 24120 exit signal Segmentation fault (11)
[Mon Jun 07 08:49:10 2010] [notice] child pid 24121 exit signal Segmentation fault (11)
This bug appeared after the upgrade from 9.10 to 10.04; nothing was changed in the configs, and the previous version of Ubuntu was working OK.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: apache2.2-bin 2.2.14-5ubuntu8
ProcVersionSign
Uname: Linux 2.6.32-22-generic x86_64
Architecture: amd64
Date: Mon Jun 7 08:49:30 2010
ExecutablePath: /usr/lib/
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
ProcEnviron:
PATH=(custom, no user)
LANG=C
SourcePackage: apache2
solik (jankkhvej) wrote : | #1 |
Chuck Short (zulcss) wrote : | #2 |
Changed in apache2 (Ubuntu): | |
importance: | Undecided → Low |
status: | New → Incomplete |
solik (jankkhvej) wrote : | #3 |
Here is backtrace, thank you for instructions!
Changed in apache2 (Ubuntu): | |
status: | Incomplete → Confirmed |
Changed in php: | |
status: | New → Confirmed |
I have the same configuration and also get the segmentation fault. I'd like just to add that the apache crashes even if any SSL page is accessed on that server, not only via php5-curl.
solik (jankkhvej) wrote : | #5 |
Just checked it today after an update and the bug is gone. All SSL pages work.
So, what should we do now? ;-)
solik (jankkhvej) wrote : | #6 |
Miroslav Zacek: that's exactly what I've reported.
I checked it today and it is still there for me :-(
I checked the code and found that php5-curl in ext/curl/
I have openssl, libssl0.9.8 and libssl-dev version 0.9.8k-7ubuntu8.
See openssl bug #2305
Greg Hanley (greg-s-hanley) wrote : | #9 |
After reading through the comments on the openssl bug report ( http://
Miroslav Zacek: It sounds like you have found the issue in openssl. Is there any other troubleshooting I can do to help?
Greg Hanley: it seems the bug was found and will be fixed in the next release of openssl. The reason why it is segfaulting on one machine and not the other is probably the fact that one CPU supports AES-NI and the other does not. The problem is in multiple openssl initializations.
If you want to fix it before the official version comes there is a patch: http://
If you do not want to recompile, try to avoid multiple SSL initializations (e.g. in my case these were the apache mod-ssl and php5-curl), but it is not certain that this helps.
Miroslav: silly question; if the bug will be fixed in the next release of openssl, when should that release be available?
Zhang Huangbin (michaelbibby) wrote : | #12 |
Any update on this issue?
Zhang Huangbin (michaelbibby) wrote : | #13 |
Oops, I tested it on Ubuntu 10.04 (amd64) a moment ago, and it seems it was fixed. At least it works well in the iRedMail mail server solution. Thanks very much. :)
Fraid it's still an issue for me. Seems to resolve itself when removing php5-curl from the install.
It hasn't been fixed yet, unfortunately :-(
So here is a small howto for (k)ubuntu if you need to fix it (root privileges assumed):
1) create a directory somewhere, e.g. /usr/src/openssl, chdir there and run:
apt-get source openssl
apt-get build-dep openssl
2) edit ./openssl-
+ ENGINE_add (toadd);
to
+ if (ENGINE_add (toadd))
3) edit /openssl-
OPENSSL_
4) now build the packages (from /usr/src/
dpkg-buildpackage
5) Then you'll get new packages in /usr/src/openssl. Install libssl0.
In the previous howto, in step 2, please note that there is no semicolon at the end of the line after the change. This is correct! On the following line, 1957, there is a function call that should be executed only if ENGINE_add (toadd) returns true. If you keep the semicolon there, the code will compile but the segmentation errors persist.
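The semicolon point in the note above, as an added example that is not part of the original comment or of the OpenSSL patch: a toy registry stands in for the engine list, `registry_add` for `ENGINE_add`, and `registry_followup` for the call on the following line. All names here, and the assumption that the add is rejected on a second initialisation, are hypothetical.

```c
#include <stdio.h>
#pragma GCC diagnostic ignored "-Wempty-body" /* the stray ';' below is deliberate */

/* Toy stand-in for the engine list (constructed model, not OpenSSL code). */
struct registry {
    int present;        /* engine already in the list? */
    int last_add_ok;    /* result of the most recent registry_add() */
    int bad_followups;  /* follow-up calls made for a rejected engine */
};

/* Hypothetical analogue of ENGINE_add(): 1 on success, 0 on a duplicate. */
static int registry_add(struct registry *r) {
    r->last_add_ok = !r->present;
    r->present = 1;
    return r->last_add_ok;
}

/* Hypothetical follow-up, valid only for an engine the list accepted. */
static void registry_followup(struct registry *r) {
    r->bad_followups += !r->last_add_ok;
}

static void load_unchecked(struct registry *r) {        /* before the change */
    registry_add(r);
    registry_followup(r);
}
static void load_stray_semicolon(struct registry *r) {  /* ';' left in place */
    if (registry_add(r));   /* the empty statement is the whole if-body */
    registry_followup(r);   /* so this still runs unconditionally */
}
static void load_checked(struct registry *r) {          /* the change as described */
    if (registry_add(r))
        registry_followup(r);
}

/* Initialise twice, as when two components each load the engine. */
static int run_twice(void (*load)(struct registry *)) {
    struct registry r = {0, 0, 0};
    load(&r);
    load(&r);
    return r.bad_followups;
}

int main(void) {
    printf("unchecked=%d stray=%d checked=%d\n", run_twice(load_unchecked),
           run_twice(load_stray_semicolon), run_twice(load_checked));
    return 0;
}
```

With the semicolon kept, the second initialisation behaves exactly like the unpatched code; only the form without it skips the follow-up call.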
Greg Hanley (greg-s-hanley) wrote : | #17 |
Thanks for the step-by-step of patching the source Miroslav Zacek! It seems to have fixed the seg faulting I was getting.
Christie Koehler (christi3k) wrote : | #18 |
Confirming that the patch posted by Miroslav Zacek works for me as well. Many thanks!
Ditto here. Now we wait for openssl to be updated :-)
solik (jankkhvej) wrote : | #20 |
Thank you, Miroslav! Can't test it now, 'cause I've switched to Mac OS X, but anyway, well done!
Jan Willem (jwknopper) wrote : | #21 |
Thanks! This fixes the problem for me as well.
Wells Oliver (wells-submute) wrote : | #22 |
Why is this marked as 'low' priority? Apache + SSL + curl is probably a very common combination. This is incredibly tedious..
Wells Oliver (wells-submute) wrote : | #23 |
Also confirming that the patch from Miroslav worked for me. AWESOME!
Rhomboid (rhomboid) wrote : | #24 |
Thanks Miroslav. That fixed it for me as well. I can't believe this hasn't been fixed.
My test environment was 32-bit so I missed this initially and then spent way too long trying to figure it out.
affects: | apache2 (Ubuntu) → openssl (Ubuntu) |
Changed in openssl (Ubuntu): | |
assignee: | nobody → Colin Watson (cjwatson) |
Changed in php: | |
status: | Confirmed → Invalid |
Changed in openssl (Ubuntu): | |
importance: | Low → High |
status: | Confirmed → In Progress |
Changed in openssl (Ubuntu Lucid): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Colin Watson (cjwatson) |
Changed in openssl (Ubuntu Maverick): | |
milestone: | none → ubuntu-10.10 |
Changed in openssl (Ubuntu Lucid): | |
milestone: | none → ubuntu-10.04.2 |
summary: |
- apache exit with signal Segmentation fault (11) on access to https:// if php5-curl enabled
+ Segfault on OpenSSL engine initialisation when AES-NI is enabled |
Colin Watson (cjwatson) wrote : | #25 |
I've uploaded a fix to lucid-proposed, waiting for approval. SRU team: apologies for the spurious diffs to Makefile and crypto/
Launchpad Janitor (janitor) wrote : | #26 |
This bug was fixed in the package openssl - 0.9.8o-1ubuntu4
---------------
openssl (0.9.8o-1ubuntu4) maverick; urgency=low
* Update AES-NI patch to openssl-
from http://
on engine initialisation (LP: #590639).
-- Colin Watson <email address hidden> Fri, 24 Sep 2010 12:20:49 +0100
Changed in openssl (Ubuntu Maverick): | |
status: | In Progress → Fix Released |
Accepted openssl into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/
Changed in openssl (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
tags: | added: verification-needed |
Greg Hanley (greg-s-hanley) wrote : | #28 |
I installed the new proposed OpenSSL packages and it fixed my issues with apache2/
tags: |
added: verification-done removed: verification-needed |
Rhomboid (rhomboid) wrote : | #29 |
Verified it's fixed for me too using the proposed update (apache2 SSL, calling PHP curl in turn to an SSL site).
Launchpad Janitor (janitor) wrote : | #30 |
This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.2
---------------
openssl (0.9.8k-7ubuntu8.2) lucid-proposed; urgency=low
* Update AES-NI patch to openssl-
from http://
on engine initialisation (LP: #590639).
-- Colin Watson <email address hidden> Fri, 24 Sep 2010 12:25:28 +0100
Changed in openssl (Ubuntu Lucid): | |
status: | Fix Committed → Fix Released |
Changed in openssl: | |
status: | Unknown → Confirmed |
Changed in openssl: | |
status: | Confirmed → Fix Released |
Thank you for taking the time to report this bug and helping to make Ubuntu better. Please try to obtain a backtrace following the instructions at http://wiki.ubuntu.com/DebuggingProgramCrash and upload the backtrace (as an attachment) to the bug report. This will greatly help us in tracking down your problem.