Re: SIGBUS after upgrading to mod_ssl-2.8.15-1.3.28 and ...
on 27.10.2003 19:48:56 by Cliff Woolley
This message bounced back to me with some error about invalid characters
in the subject line, so I chopped out the +OptRenegotiate part...
hopefully this will work now. :)
---------- Forwarded message ----------
Date: Mon, 27 Oct 2003 13:41:41 -0500 (EST)
From: Cliff Woolley
To: Matt Stevenson
Cc: modssl-users@modssl.org
Subject: Re: SIGBUS after upgrading to mod_ssl-2.8.15-1.3.28 and using
+OptRenegotiate
On Mon, 27 Oct 2003, Matt Stevenson wrote:
> Is the cert being freed already by the
> sk_X509_pop_free on line 999 (after being placed on the
> stack in previous code)?
>
> 997      if (SSL_get_peer_cert_chain(ssl) != certstack) {
> 998          /* created by us, so free it */
> 999          sk_X509_pop_free(certstack, X509_free);
> 1000     }
> 1001     X509_free(cert);
> }
I'd have to look more carefully at your version of mod_ssl, but the
mod_ssl for Apache 2.x doesn't have that extra X509_free() call at line
1001, so I would guess that removing it might indeed be a correct change.
You can see where the corresponding lines were added to mod_ssl for Apache
2.x here:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c.diff?r1=1.72&r2=1.73
The log message that went along with that commit was:
'SSLOptions +OptRengotiate' will use client cert in from the ssl
session cache when there is no cert chain in the cache. prior to
the fix this situation would result in a FORBIDDEN response and
error message "Cannot find peer certificate chain"
Hope this helps,
Cliff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
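The ownership question raised in this thread, as an added example that is not code from mod_ssl, OpenSSL or either poster: a small reference-counting model of a certificate placed on a stack that is then released element by element, followed by a separate free of the same certificate. All names (cert_t, cert_stack_t, run and the helpers) are hypothetical stand-ins, and the model records a release past zero instead of touching freed memory.

```c
#include <stddef.h>

/* Constructed stand-in for a reference-counted certificate object. */
typedef struct { int refs; int over_released; } cert_t;
typedef struct { cert_t *items[4]; size_t n; } cert_stack_t;
typedef struct { int over_released; int refs_left; } result_t;

/* Take one more reference on behalf of a second owner. */
static void cert_up_ref(cert_t *c) { c->refs++; }

/* Models a refcounted free: drop one reference. A call made when no
 * references remain is counted; on a real object it would be a double free. */
static void cert_free(cert_t *c) {
    if (c->refs == 0) { c->over_released++; return; }
    c->refs--;
}

/* Push stores the pointer only; it does not take a reference of its own. */
static void stack_push(cert_stack_t *s, cert_t *c) {
    if (s->n < 4) s->items[s->n++] = c;
}

/* Models a pop-and-free over the whole stack: every element is released. */
static void stack_pop_free(cert_stack_t *s) {
    while (s->n > 0) cert_free(s->items[--s->n]);
}

/* Shape of the quoted lines 997-1001: a stack we created holds the cert,
 * the stack is freed, then (optionally) the cert is freed again.
 *   up_ref_before_push: the stack gets its own reference first
 *   free_cert_after:    keep the trailing free of the cert            */
result_t run(int up_ref_before_push, int free_cert_after) {
    cert_t cert = { 1, 0 };            /* caller holds the only reference */
    cert_stack_t st = { { NULL }, 0 };
    result_t r;

    if (up_ref_before_push) cert_up_ref(&cert);
    stack_push(&st, &cert);
    stack_pop_free(&st);               /* releases the stacked cert */
    if (free_cert_after) cert_free(&cert);

    r.over_released = cert.over_released;
    r.refs_left = cert.refs;
    return r;
}
```

Only two of the four combinations balance: drop the trailing free, or give the stack its own reference and keep it. The other two end in one release too many or one reference never released.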