[Bug 821077] [NEW] Apache2 segfault with SSLProxyMachineCertificateFile (upstream patch not applied in ubuntu)
Loic
821077 at bugs.launchpad.net
Thu Aug 4 18:43:42 UTC 2011
Public bug reported:
When I use SSLProxyMachineCertificateFile in my apache configuration,
the service crashes with a segfault on startup.
Here's the error.log contents with "LogLevel debug":
[Thu Aug 04 20:35:05 2011] [info] Init: Seeding PRNG with 648 bytes of entropy
[Thu Aug 04 20:35:05 2011] [info] Loading certificate & private key of SSL-aware server
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Thu Aug 04 20:35:05 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Aug 04 20:35:05 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Aug 04 20:35:05 2011] [info] Init: Initializing (virtual) servers for SSL
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(548): Configuring client authentication
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(1143): CA certificate: [hidden for privacy]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(636): Configuring certificate revocation facility
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(966): loaded 1 client certs for SSL proxy
[Thu Aug 04 20:35:05 2011] [info] Configuring server for SSL protocol
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv3, TLSv1)
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(548): Configuring client authentication
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(1143): CA certificate: [hidden for privacy]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [HIGH:MEDIUM:!ADH]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(636): Configuring certificate revocation facility
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(370): Configuring TLS extension handling
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(742): Configuring RSA server certificate
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(781): Configuring RSA server private key
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(415): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(548): Configuring client authentication
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(1143): CA certificate: [hidden for privacy]
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(636): Configuring certificate revocation facility
[Thu Aug 04 20:35:05 2011] [debug] ssl_engine_init.c(966): loaded 1 client certs for SSL proxy
[Thu Aug 04 20:35:05 2011] [info] mod_ssl/2.2.14 compiled against Server: Apache/2.2.14, Library: OpenSSL/0.9.8k
Googling this issue, I found a very similar story leading to a patch by
the Apache team (see
https://issues.apache.org/bugzilla/show_bug.cgi?id=39915 and
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?r1=417988&r2=417987&pathrev=417988).
I ran apt-get source apache2 on my server and compared the included
ssl_engine_init.c with the patched version from the svn above. I confirm
this patch is not included in the current package (as available today in
Ubuntu repositories for Lucid).
I would happily patch my source, compile and test to confirm it fixes
the issue, but that's a bit beyond my Ubuntu knowledge (especially the
"compile and rebuild package before apt-get-installing the fixed
version" part).
BTW: please consider publishing the fixed version in Lucid
repositories, as I cannot use a non-LTS release.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: apache2 2.2.14-5ubuntu8.4
ProcVersionSignature: Ubuntu 2.6.32-30.59-generic-pae 2.6.32.29+drm33.13
Uname: Linux 2.6.32-30-generic-pae i686
Architecture: i386
Date: Thu Aug 4 20:21:18 2011
EcryptfsInUse: Yes
InstallationMedia: Ubuntu-Server 10.04.1 LTS "Lucid Lynx" - Release i386 (20100816.2)
ProcEnviron:
LANG=fr_FR.UTF-8
SHELL=/bin/bash
SourcePackage: apache2
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New
** Tags: apport-bug i386 lucid
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/821077