Apache + SSL = Seg.Fault [Solved]


Post by _m_ » Sat Sep 24, 2011 22:29

This should be simple; what have I missed?

I want to have a https apache server running...

First I make a NEW install from CoreCDX6 x86 ISO on a VirtualBox where hosted OS set to Linux/Gentoo, then I run:
Code: Select all
# equo update && equo install apache
# /etc/init.d/ufw stop
# /etc/init.d/apache2 start


Now the http:// works fine but https:// gives:
"107 (net::ERR_SSL_PROTOCOL_ERROR): SSL-protocol error."
in the browser and a segmentation fault in the apache error log. The SSL error log is blank.

Code: Select all
# tail /var/log/apache2/error_log
[Sat Sep 24 19:45:38 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Sep 24 19:45:40 2011] [notice] Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/1.0.0d configured -- resuming normal operations
[Sat Sep 24 19:47:03 2011] [notice] child pid 16451 exit signal Segmentation fault (11)
[Sat Sep 24 19:47:03 2011] [notice] child pid 16452 exit signal Segmentation fault (11)

I have tried generating a new self-signed cert file, tried following a lot of different howtos from Gentoo sites/blogs, and tried installing from the server ISO, but nothing helps. And the thing is that I managed to set up an https server over a year back on a Sabayon 5.1 system and I cannot remember any problems from that.

This feels like a trivial fault from my side or a sabayon issue.
Please point me in some direction to figure out this problem.
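An added example, not part of the original post: a small Python parser for the Apache 2.2 error_log lines quoted above. It groups child crashes under the build banner logged at server start, which is the information a bug report against the package needs. The function, field and constant names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# The four error_log lines quoted in the post above (Apache 2.2 format).
SAMPLE_LOG = """\
[Sat Sep 24 19:45:38 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Sep 24 19:45:40 2011] [notice] Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/1.0.0d configured -- resuming normal operations
[Sat Sep 24 19:47:03 2011] [notice] child pid 16451 exit signal Segmentation fault (11)
[Sat Sep 24 19:47:03 2011] [notice] child pid 16452 exit signal Segmentation fault (11)
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
START = re.compile(r"^(?P<banner>\S.*?) configured -- resuming normal operations$")
CRASH = re.compile(r"^child pid (?P<pid>\d+) exit signal (?P<name>.+?) \((?P<num>\d+)\)")


def summarize_crashes(log_text):
    """Return one dict per server start, with the child crashes seen after it."""
    runs = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:  # not the Apache 2.2 timestamp layout
            continue
        start = START.match(m["msg"])
        if start:  # a new server start opens a new run
            runs.append({"banner": start["banner"], "started": ts,
                         "signals": Counter(), "pids": [], "first_crash": None})
            continue
        crash = CRASH.match(m["msg"])
        if crash and runs:
            run = runs[-1]
            run["signals"][(crash["name"], int(crash["num"]))] += 1
            run["pids"].append(int(crash["pid"]))
            run["first_crash"] = run["first_crash"] or ts
    return runs


if __name__ == "__main__":
    for run in summarize_crashes(SAMPLE_LOG):
        first = run["first_crash"]
        delay = (first - run["started"]).total_seconds() if first else None
        print(run["banner"], dict(run["signals"]), run["pids"], delay)
```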

Re: Apache + SSL = Seg.Fault

Post by sabayonino » Sun Sep 25, 2011 12:03

Did you generate SSL certificates?
See http://en.gentoo-wiki.com/wiki/Apache2/SSL_Certificates

Check your browser if SSL2.0 support is enabled.


see also

http://www.apachefriends.org/f/viewtopic.php?p=161542

Re: Apache + SSL = Seg.Fault

Post by _m_ » Sun Sep 25, 2011 15:24

Yes, I have followed that guide also.
I'm really stuck on this problem so I did test it once more.

I generate a self signed server.crt from a generated server.key file as below:
Code: Select all
# openssl genrsa 1024 > server.key
# openssl req -new -x509 -nodes -sha1 -days 365 -key server.key > server.crt
# rm /etc/ssl/apache2/*
# cp server.* /etc/ssl/apache2/
# /etc/init.d/apache2 restart

This gave same error as before...

Have tested with Chrome 14.0.x, Safari and Explorer 8.0; none works.

Have also tried to connect to the apache server with openssl s_client with error:
Code: Select all
# openssl s_client -connect localhost:443
CONNECTED(00000003)
3074365096:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I also use openssl to start a web server using my cert files. Then I can connect with all browsers above and I know that the cert file is OK.
Code: Select all
# openssl s_server -cert server.pem -www

Server is on https://localhost:4433
This test was done using a .pem file instead of .key and .csr, inspired by the guy from the other forum link with the same error code. The pem file is just the .key and .csr in one file.
This could be generated by:
Code: Select all
# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.pem -out server.pem

For me this seems to be some problem with apache or its default configuration. The SSL module flags -D SSL -D SSL_DEFAULT_VHOST are all set in /etc/conf.d/apache2 and my 00_default_ssl_vhost.conf looks like this when I use the .PEM file instead of .key and .crt files:
Code: Select all
<IfDefine SSL>
  <IfDefine SSL_DEFAULT_VHOST>
    <IfModule ssl_module>

      Listen 443
      NameVirtualHost *:443

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/server.pem

        ServerName localhost
        SSLOptions StrictRequire

        SSLOptions StrictRequire
        SSLProtocol all -SSLv2

        DocumentRoot /var/www/localhost/htdocs
        <Directory /var/www/localhost/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

    </IfModule>
  </IfDefine>
</IfDefine>


All help is very welcome...
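The s_client transcript in the post above ("read 0 bytes and written 211 bytes") shows the server going away before it sends any handshake data, which points at the server process rather than the certificate. An added example, not from the original posts, that makes the same measurement in Python by driving the handshake through memory BIOs; `probe_handshake` and `closing_listener` are names invented here, and the listener is a constructed stand-in for a crashing Apache child.

```python
import socket
import ssl
import threading


def probe_handshake(host, port, timeout=5.0):
    """Return (stage, bytes_read, bytes_written); stage is tcp_failed, peer_stopped, tls_error or ok."""
    ctx = ssl.create_default_context()
    # Diagnostic only: we measure handshake progress, not peer trust (self-signed cert).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    n_read = n_written = 0
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("tcp_failed", 0, 0)
    with sock:
        while True:
            try:
                tls.do_handshake()
                done = True
            except ssl.SSLWantReadError:
                done = False
            except ssl.SSLError:
                return ("tls_error", n_read, n_written)
            try:
                data = outgoing.read()
                sock.sendall(data)
                n_written += len(data)
                if done:
                    return ("ok", n_read, n_written)
                chunk = sock.recv(16384)
            except OSError:  # reset or timeout counts as the peer going away
                chunk = b""
            if not chunk:
                return ("peer_stopped", n_read, n_written)
            n_read += len(chunk)
            incoming.write(chunk)


def closing_listener():
    """Constructed stand-in for a worker that dies on connect; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        with srv, srv.accept()[0] as conn:
            conn.recv(4096)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A result of `peer_stopped` with zero bytes read matches the failing Apache case in this thread; a certificate or protocol problem would instead show bytes read followed by `tls_error`.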

Re: Apache + SSL = Seg.Fault

Post by sabayonino » Sun Sep 25, 2011 18:12

Did you mean 443 port?

Code: Select all
NameVirtualHost *:443

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/server.pem

Re: Apache + SSL = Seg.Fault

Post by _m_ » Sun Sep 25, 2011 19:56

Not when I run the test server through openssl s_server -cert server.pem -www; this server runs on port 4433. Apache runs on 443 as it should.

It is Apache 2.2.20 I have installed.
I have also emerged Apache 2.2.21 from portage just to check... same thing.

Re: Apache + SSL = Seg.Fault

Post by _m_ » Sun Sep 25, 2011 21:33

Hmm, seems like I have to write a bug report on the Sabayon apache binary... the problem is a CFLAGS :shock:

Check this https://bbs.archlinux.org/viewtopic.php?id=118661

And I verified with:
Code: Select all
# CFLAGS="-O0 -march=i686 -pipe" emerge www-servers/apache


Guess what! It all worked right out the box.... :D

(-O1 also works)

Re: Apache + SSL = Seg.Fault

Post by r1k0 » Fri Nov 04, 2011 14:06

Man, man, man, I have a stable Sabayon (server) and after an upgrade, I was locked out of ALL my vhosts...
After having spent *a lot* of time troubleshooting php, wsgi and many more modules, I've simply left the box where it was, not with a high sense of frustration.
For some strange reason I didn't find this post. No need to say I've googled a lot.
I then built a Gentoo from the ground up and migrated my vhosts over and of course cursed Sabayon for locking me out of my data.

This was 2-3 months ago....

An hour ago, a Friday afternoon, bored at work, I thought about reusing that "dead" server.
I upgraded the box, crossing my fingers, hoping that dev would have fixed things either upstream or not, but I knew it was not coming from my server in terms of configuration or else, but the upgrade didn't change anything.

I then googled a bit (really bored today) and found your post.
Tried it, 3 minutes later it works! WTF!

So thank you for making me benefit from your experience and shame shame shame on the devs for letting a corrupted apache package in their repo for more than 2 months, especially on a server distro.
Well, actually it is still in the repo!!!

I'm used to top quality distro with Sabayon but there, man, man, man, I can't believe it, very lame!

Re: Apache + SSL = Seg.Fault

Post by lxnay » Fri Nov 04, 2011 21:01

Lame are those upstream devs who managed to break their software if compiled with DEFAULT CFLAGS (-O2)...