On 05/08/2013 04:31 PM, Guy Helmer wrote:
> I was using squid 3.3.4 on FreeBSD 8.3 with transparent interception
> (via ipfw) and ssl bump with success.
> After upgrading FreeBSD to 9.1 [...] squid is failing with
> segmentation violations and the ssl_crtd helpers are dying.
> #7 0xbfbff044 in ?? ()
> #8 0x0000000b in ?? ()
> #9 0x484eb5c8 in ssl_get_server_send_pkey () from /usr/lib/libssl.so.6
> #10 0x484eb68d in ssl_get_server_send_cert () from /usr/lib/libssl.so.6
> #11 0x484eb6c4 in SSL_get_certificate () from /usr/lib/libssl.so.6
> #12 0x083cb5ef in Ssl::verifySslCertificate (sslContext=0x4a259340,
> properties=@0xbfbfd9d8) at support.cc:1422
> #13 0x0813d20d in ConnStateData::getSslContextStart (this=0x4a257cd0)
> at client_side.cc:3820
> #14 0x0814a89e in ConnStateData::httpsPeeked (this=0x4a257cd0,
> serverConnection=@0xbfbfdadc) at client_side.cc:3968
Smells like an OpenSSL bug that we thought we had a workaround for:
http://bugs.squid-cache.org/show_bug.cgi?id=3816
The workaround should be in v3.3.4 that you are running but, apparently,
it is not sufficient, or our OpenSSL version detection code is failing
in your environment. We thought the bug affects OpenSSL versions 1.0.1d
and 1.0.1e only.
Which OpenSSL version are you building Squid with?
What is the OPENSSL_VERSION_NUMBER constant in OpenSSL header files
where you build Squid? You can probably run something like "fgrep -RI
OPENSSL_VERSION_NUMBER /usr/include/openssl" to figure that out.
Which OpenSSL version are you running Squid with?
Thank you,
Alex.
Received on Thu May 09 2013 - 03:55:59 MDT
This archive was generated by hypermail 2.2.0 : Thu May 09 2013 - 12:00:07 MDT