Posted to users@httpd.apache.org by Gattu Madhusudanarao <gm...@yahoo.com> on 2007/04/30 12:55:03 UTC

[users@httpd] Apache 2.0.59 segfaults on HP-UX with SSL Certificate

Hi All,
   On HP-UX 11.23, httpd segfaults when client
certificates are used for authentication. This
happens only in a multi-CPU, multi-threaded
environment.
   After debugging, I found that the problem is a double
free of the certificate in ssl_engine_io.c:
----------snip------------------
    /* deallocate the SSL connection */
    if (sslconn->client_cert) {
        X509_free(sslconn->client_cert);
        sslconn->client_cert = NULL;
    }
    SSL_free(ssl);
----------/snip-----------

   Here, the sslconn->client_cert is freed. If the
sslconn->client_cert address and the
ssl->session->peer address are the same, it dumps
core.
   Hence, I changed the above to look like this.
   Now, it does not dump core.
------snip----------------
    /* deallocate the SSL connection */
    if (sslconn->client_cert) {
        if ((sslconn->client_cert == ssl->session->peer)
            && (ssl->references == 1)) {
            ssl->session->peer = NULL;
        }
        X509_free(sslconn->client_cert);
        sslconn->client_cert = NULL;
    }
    SSL_free(ssl);
-------/snip-----------

   Do you see any problem with this approach?
   How does the session certificate address match the
peer certificate address though they are in different
structures?
   Is this a problem with apr_*alloc?
   In Apache 1.3, the same code is in
ssl_engine_kernel.c, and in 1.3 the X509_free call is not
present.
   I would like to hear your comments on this.
Thanks,
Madhu

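An added illustration, not part of the original post and not mod_ssl or OpenSSL code: a toy model of the ownership question raised above, where a connection's client_cert and the session's peer point at the same certificate. The types and functions are hypothetical stand-ins, and the model assumes, as the post suggests, that tearing down the session also releases its peer pointer; releases are recorded rather than passed to free() so the second release is observable.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for X509, SSL_SESSION and the connection record. */
typedef struct { int refs; int dead; } cert_t;
typedef struct { cert_t *peer; } session_t;
typedef struct { cert_t *client_cert; } conn_t;

static int over_release; /* releases that hit an already-dead certificate */

static cert_t *cert_new(void) {
    cert_t *c = calloc(1, sizeof *c);
    if (c) c->refs = 1;
    return c;
}
static cert_t *cert_up_ref(cert_t *c) { c->refs++; return c; }

/* Drop one reference. The object is only marked dead, never free()d here,
 * so a second release is counted instead of being undefined behaviour. */
static void cert_release(cert_t *c) {
    if (c->dead) { over_release++; return; }
    if (--c->refs == 0) c->dead = 1;
}

/* Teardown in the order of the snippet: connection's cert, then the session's. */
static void teardown(conn_t *conn, session_t *sess) {
    if (conn->client_cert) { cert_release(conn->client_cert); conn->client_cert = NULL; }
    if (sess->peer) { cert_release(sess->peer); sess->peer = NULL; }
}

/* Returns the number of over-releases, -1 on allocation failure, -2 on a leak. */
int run_case(int take_reference) {
    cert_t *c = cert_new();
    if (!c) return -1;
    session_t sess = { c };                                /* owns the first reference */
    conn_t conn = { take_reference ? cert_up_ref(c) : c }; /* counted vs. bare alias */
    over_release = 0;
    teardown(&conn, &sess);
    int result = c->dead ? over_release : -2;
    free(c);
    return result;
}

int main(void) {
    printf("bare alias:        %d over-release(s)\n", run_case(0));
    printf("counted reference: %d over-release(s)\n", run_case(1));
    return 0;
}
```

With a bare alias the second owner releases a certificate that is already dead; when the connection holds its own counted reference, both releases are balanced and nothing leaks.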