Segmentation fault on incorrect SSLRequire
on 14.03.2002 05:00:25 by Angus Lee
Hi,
Has anyone faced the problem that mod_ssl has a segmentation fault on repeated access to a resource which has an SSLRequire, but that SSLRequire has an error?
My scenario is that we have a Solaris workstation which has Oracle9i Application Server installed, which is Apache + mod_ssl behind it. We let the students create their web pages there and add an appropriate SSLRequire line in a .htaccess file so they can use client authentication to access their web pages. However, some students produced an erroneous SSLRequire line. When I looked back at the log file, I found mod_ssl had a segmentation fault when repeated access was made. After that, Apache will complain 'SSLRequire syntax error' because mod_ssl had crashed.
How can I tackle such a problem? Is there any way I can restart Oracle9i Application Server after a mod_ssl segmentation fault? I tried to restart the workstation every day but it seems it won't help much. Please help me. Thanks.
Angus Lee
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE:
on 14.04.2003 10:40:55 by John.Airey
I think you mean ssl not ssh. If it is the case that www.httpsdomain.com and
nonhttpsdomain.com have the same IP address (and it looks like they do),
this is a "feature" of SSL. The reasons why are all over the mail archive
and in the FAQ, http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47, so I'm
not repeating it here.
-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
Taking the path of least resistance is what makes rivers and Men crooked.
-----Original Message-----
From: Jordi [mailto:jordi@sirt.es]
Sent: 14 April 2003 09:07
To: modssl-users@modssl.org
Subject:
Hi
I have a Linux box ( Red Hat 7.2 ) with Apache 2.0.44, and about 100
virtual hosts, and one of them works with https ( www.httpsdomain.com ).
All works fine, except for a little problem... if I try to access a non https
domain via ssh ( https://nonhttpsdomain.com ), I get the certificate for
the https domain, and when I accept, I see the
website of www.httpsdomain.com
How can I ignore or redirect the domains that work with http when
going https??
I think with the command Redirect I can do it... but I have to create an
entry for every domain in the ssl.conf... and I think that that's not the best
solution.
Thanks, and sorry for my English
RE:
on 21.08.2003 14:43:28 by Boyle Owen
>-----Original Message-----
>From: Dave Paris [mailto:dparis@w3works.com]
>
> snip... You claim to
>have spent two MONTHS trying to find what I found in under 10
>SECONDS.
Er... the difference is that you recognised the problem immediately
because you have seen it before. So you knew exactly what to type into
Google.
If you put yourself in Ian's shoes, he was using the NBVH mechanism for
ages and became very familiar with it. He then tried to extend it to
SSL, which is a reasonable thing to do, and then was surprised that it
didn't work. It is not blindingly obvious, a priori, what the problem
is. In that case, it is not so obvious what to type into Google - you
might not necessarily realise that the problem is to do with NBVH,
especially if that is not the only thing you changed.
I am making this comment because I followed a very similar route to Ian
in discovering this SSL limitation. In my case, I was tasked by my boss,
who is a competent programmer, to "set up some NBVHs under SSL". It
never occurred to me that my boss could have handed me an impossible
task and I spent weeks trying to get it to work. In the end, it was this
mailing list which enlightened me.
Since then, I've tried to help out on the list, initially by explaining
this issue whenever it came up but lately (since others also now do this
quite ably), by chipping in whenever some bright spark reckons that he's
found a workaround (it's a bit like debunking perpetual motion machine
designs). Usually, he's forgotten about authentication and is using the
same cert in all VHs...
Anyway, the point I'm making is that the original poster is obviously a
seasoned hacker (he uses openssl from the command line!) and as such
should be welcome on this list and congratulated for using mod_ssl... So
could we be a bit friendlier please?
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
>That doesn't make me one bit of a better person than you... it just
>says that my mind works in a way that is different from yours. I'd
>wager there are certain tasks you accomplish quite easily that would
>take me some effort. It's the way us humans seem to be designed.
>
>Every once in awhile, it's a good thing to look at who we are and what
>we're good at and then review what we've chosen to do in life. Doing a
>job that meshes well with how you think can be all the difference
>between looking forward to a rewarding day at the office and a bruised
>forehead from repeatedly smashing your head against a wall in
>self-frustration. [ of course, I'm omitting the forehead bruising
>caused by external influences like PHBs ;-) ] As for the tone of your
>note .. life's tough, grab a helmet.
>
>Kind Regards,
>-dsp
>
>On Thursday, Aug 21, 2003, at 00:05 US/Eastern, Ian Newlands wrote:
>
>> If I hadn't already exhausted resources I would not have made this
>> post in the first place. I have tried 3 different versions of apache,
>> searched through previous postings, used search engines etc. bought 2
>> books on apache and have been attempting to get this going for almost
>> 2 months now.
>>
>> I'm glad you're amused by my frustration here.
>>
>> If there is anyone out there that is willing to submit a serious
>> response to this I would appreciate it greatly.
>>
>> Regards,
>>
>> Ian Newlands
>>
>>
>> ----- Original Message -----
>> From: "Dave Paris"
>> To:
>> Cc: "Ian Newlands"
>> Sent: Thursday, August 21, 2003 11:58 AM
>> Subject: Re: virtual hosting
>>
>>
>>> geeze. is it that time of the month already for this question?
>>> seems like it was just yesterday when it was asked last .. maybe I'm
>>> just thinking of the other 100,000 times it was asked.
>>>
>>> in all seriousness, this dead horse has been beaten so many times on
>>> this list there isn't even a carcass left to hit at this point.
>>> please go dig through the mail list archives to see why name-based
>>> virtual hosts don't work with SSL.
>>>
>>> yes, that's a flippant answer. no, you're not likely to get a reply
>>> any more serious.
>>>
>>> -dsp
>>>
>>> On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:
>>>
>>> > I am currently running about 15 virtual hosts using name based on
>>> > port 80, and 1 virtual host using SSL.
>>> >
>>> > My SSL host is currently working with the following:
>>> >
>>> >
>>> >
>>> > However I want to change this to the IP based hosting for this
>>> > host, allowing me to then add more SSL based virtual hosts on this
>>> > setup, so I tried changing this to the following:
>>> >
>>> >
>>> >
>>> > By doing this my SSL virtual host stops working altogether.
>>> >
>>> > I try the following to debug it on a remote machine:
>>> >
>>> > # openssl s_client -connect 203.xxx.xxx.xxx:443
>>> > CONNECTED(00000003)
>>> > 27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
>>> >
>>> > I do the exact same thing on the local machine and it responds with
>>> > a valid SSL response.
>>> >
>>> > Can anyone suggest might be wrong here?
>>> >
>>> > Regards,
>>> >
>>> > Ian Newlands
Re:
on 21.08.2003 21:57:54 by babin-ebell
Hello Owen,
Boyle Owen wrote:
>>-----Original Message-----
>>From: Dave Paris [mailto:dparis@w3works.com]
>>
>>snip... You claim to
>>have spent two MONTHS trying to find what I found in under 10
>>SECONDS.
> Anyway, the point I'm making is that the original poster is obviously a
> seasoned hacker (he uses openssl from the command line!) and as such
> should be welcome on this list and congratulated for using mod_ssl... So
> could we be a bit friendlier please?
Especially since what he wanted to do seems to be IP based VH...
>>>>>I am currently running about 15 virtual hosts using name
>>>>>based on port 80, and 1 virtual host using SSL.
>>>>
Please read:
>>>>>My SSL host is currently working with the following:
>>>>>
>>>>>
>>>>>
>>>>>However I want to change this to the IP based hosting for this
>>>>>host, allowing me to then add more SSL based virtual
>>>>>hosts on this setup, so I tried changing this to the following:
>>>>
>>>>>
[...]
>>>>>By doing this my SSL virtual host stops working altogether.
Seems he knows that NBVH is not possible,
and got his IP based VH wrong...
>>>>>I try the following to debug it on a remote machine:
>>>>>
>>>>> # openssl s_client -connect 203.xxx.xxx.xxx:443
>>>>> CONNECTED(00000003)
>>>>> 27604:error:140770FC:SSL
With such problems it is best to do a
telnet 203.xxx.xxx.xxx 443
to test if the server suddenly wants to speak plain HTTP...
>>>>>I do the exact same thing on the local machine and it
>>>>>responds with a valid SSL response.
>>>>
>>>>>Can anyone suggest might be wrong here?
Sorry, not me...
Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
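
The telnet check suggested in the message above, automated as an added example (not code from the thread or from mod_ssl): it sends a plain HTTP request to the port and classifies the first bytes of the reply. The function names, the verdict labels and the sample replies are constructed for illustration, and the matched mod_ssl error wording is an assumption.

```python
import socket

# Assumed wording of the error page mod_ssl returns when a plain HTTP
# request arrives on an SSL-enabled port (matched case-insensitively).
MOD_SSL_HINT = b"plain http to an ssl-enabled"


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sends on a port expected to speak SSL/TLS."""
    if not data:
        return "closed"                    # peer hung up without answering
    # SSLv3/TLS record header: content type 20..23, then major version 3.
    if len(data) >= 3 and 20 <= data[0] <= 23 and data[1] == 3:
        return "tls"
    if MOD_SSL_HINT in data.lower():
        return "ssl-port-got-plain-http"   # SSL is on; the client spoke HTTP
    if data.startswith(b"HTTP/"):
        return "plain-http"                # no SSL engine on this host:port
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Do what the telnet test does: send plain HTTP and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "no-reply"              # server may be waiting for a handshake
        except ConnectionError:
            return "closed"
    return classify_first_bytes(data)


# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "plain vhost on 443": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "ssl vhost, http sent": b"HTTP/1.1 400 Bad Request\r\n\r\nReason: You're "
                            b"speaking plain HTTP to an SSL-enabled server port.",
    "tls alert": bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A]),
    "connection closed": b"",
}


def classify_samples() -> dict:
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22s} -> {verdict}")
```

A `plain-http` verdict on port 443 means the virtual host answering on that address has no SSL engine active, which is the condition the telnet test is meant to reveal.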