On May 8, 2013, at 10:55 PM, Alex Rousskov <rousskov_at_measurement-factory.com> wrote:
> On 05/08/2013 04:31 PM, Guy Helmer wrote:
>
>> I was using squid 3.3.4 on FreeBSD 8.3 with transparent interception
>> (via ipfw) and ssl bump with success.
>
>> After upgrading FreeBSD to 9.1 [...] squid is failing with
>> segmentation violations and the ssl_crtd helpers are dying.
>
>> #7 0xbfbff044 in ?? ()
>> #8 0x0000000b in ?? ()
>> #9 0x484eb5c8 in ssl_get_server_send_pkey () from /usr/lib/libssl.so.6
>> #10 0x484eb68d in ssl_get_server_send_cert () from /usr/lib/libssl.so.6
>> #11 0x484eb6c4 in SSL_get_certificate () from /usr/lib/libssl.so.6
>> #12 0x083cb5ef in Ssl::verifySslCertificate (sslContext=0x4a259340,
>> properties=@0xbfbfd9d8) at support.cc:1422
>> #13 0x0813d20d in ConnStateData::getSslContextStart (this=0x4a257cd0)
>> at client_side.cc:3820
>> #14 0x0814a89e in ConnStateData::httpsPeeked (this=0x4a257cd0,
>> serverConnection=@0xbfbfdadc) at client_side.cc:3968
>
> Smells like an OpenSSL bug that we thought we had a workaround for:
> http://bugs.squid-cache.org/show_bug.cgi?id=3816
>
> The workaround should be in v3.3.4 that you are running but, apparently,
> it is not sufficient, or our OpenSSL version detection code is failing
> in your environment. We thought the bug affects OpenSSL versions 1.0.1d
> and 1.0.1e only.
>
> Which OpenSSL version are you building Squid with?
>
> What is the OPENSSL_VERSION_NUMBER constant in OpenSSL header files
> where you build Squid? You can probably run something like "fgrep -RI
> OPENSSL_VERSION_NUMBER /usr/include/openssl" to figure that out.
>
> Which OpenSSL version are you running Squid with?
Under FreeBSD 8.3, it was built and running with OpenSSL 0.9.8q (OPENSSL_VERSION_NUMBER 0x0090811f).
Under FreeBSD 9.1 (stable branch checkout as of 2013-04-10), it is built and running with OpenSSL 0.9.8y (OPENSSL_VERSION_NUMBER 0x0090819fL).
I made this little change to support.cc, rebuilt squid and ssl_crtd, and it seems to be working OK with transparent SSL bumping:
--- src/ssl/support.cc.orig 2013-05-09 08:59:19.000000000 -0500
+++ src/ssl/support.cc 2013-05-09 09:00:25.000000000 -0500
@@ -1413,7 +1413,7 @@
{
// SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
// Try to retrieve certificate directly from SSL_CTX object
-#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL
+#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL || OPENSSL_VERSION_NUMBER == 0x0090819fL
X509 ***pCert = (X509 ***)sslContext->cert;
X509 * cert = pCert && *pCert ? **pCert : NULL;
#else
Thanks for the pointer, Alex!
Guy
Received on Thu May 09 2013 - 14:20:09 MDT
This archive was generated by hypermail 2.2.0 : Thu May 09 2013 - 12:00:07 MDT