Date:      Thu, 23 Dec 2010 21:21:40 +0000
From:      "Philip M. Gollucci" <pgollucci@p6m7g8.com>
To:        Adam Langley <agl@chromium.org>
Cc:        apache@freebsd.org
Subject:   Re: Mismatched OpenSSL versions causing crashes
Message-ID:  <4D13BD64.5030007@p6m7g8.com>
In-Reply-To: <AANLkTi=pATkC0NqStOXO8%2Bkn9HqYPoHjvGh718KVAY1b@mail.gmail.com>
References:  <AANLkTi=pATkC0NqStOXO8%2Bkn9HqYPoHjvGh718KVAY1b@mail.gmail.com>

On 12/23/10 17:09, Adam Langley wrote:
> Hi there,
>
> I'm a developer on Google Chrome and we've seen some reports recently
> that Chrome isn't working with some HTTPS sites. Getting details has
> been tough, but I have one example of a site which is reporting these
> strings:
>
> FreeBSD iden2334.securesites.net 6.4-RELEASE-p8 FreeBSD 6.4-RELEASE-p8
> #1 r101746: Mon Aug 30 10:34:40 MDT 2010
> root@fc:/usr/src/sys/i386/compile/VKERN i386
>
> Apache/2.2.15 (Unix) PHP/5.2.9 with Suhosin-Patch mod_ssl/2.2.15
> OpenSSL/1.0.0a mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.7
>
> The interesting bit is that, on the PHP info page it includes:
>
> OpenSSL Version	OpenSSL 0.9.8m 25 Feb 2010
>
>
> I suspect that the Apache binary has been compiled against OpenSSL
> 0.9.8 headers, but is run-time linking against libcrypto.so from
> 1.0.0a. Chrome negotiates DEFLATE compression and this appears to be
> triggering crashes. (0.9.8 and 1.0.0 are not ABI compatible, although
> they are close enough that it might appear to mostly work.)
>
> I'm afraid that I don't know enough about FreeBSD to know if this is a
> package issue or an administrator error. However, I thought that I
> would bring it to your attention.
Admin issue, quite a common one too.

see ports/Mk/bsd.openssl.mk
they have both the base system ssl at play and the ports version.

in this day and age you almost always want everything against the port
b/c of CVEs and timeliness.

WITH_OPENSSL_PORT=yes
in /etc/make.conf or other appropriate places will trigger the port.

It's so low in the dependency chain, that I'd recommend you re-install
all ports on the box to relink them all correctly.




--
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Sr. System Admin,                 Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.



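One way to check a host for the mix of base-system and ports OpenSSL discussed in this thread is shown below. It is an added example, not part of the original e-mails: the `ldd`-style sample, the module paths and the library version suffixes are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data is constructed.

# Constructed ldd-style output: mod_ssl resolves the ports OpenSSL under
# /usr/local/lib, the PHP module resolves the base-system copy.
sample_ldd() {
    cat <<'EOF'
/usr/local/libexec/apache22/mod_ssl.so:
    libssl.so.7 => /usr/local/lib/libssl.so.7 (0x28100000)
    libcrypto.so.7 => /usr/local/lib/libcrypto.so.7 (0x28150000)
    libc.so.6 => /lib/libc.so.6 (0x28300000)
/usr/local/libexec/apache22/libphp5.so:
    libssl.so.4 => /usr/lib/libssl.so.4 (0x28400000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x28450000)
    libc.so.6 => /lib/libc.so.6 (0x28300000)
EOF
}

# Reads ldd output on stdin. Prints one line per (library, resolved path)
# with the objects that use it; returns 1 if libssl or libcrypto resolves
# to more than one path across the objects given.
openssl_link_audit() {
    report=$(awk '
        NF == 1 && /:$/ { obj = $1; sub(/:$/, "", obj); next }  # "object:" header
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            stem = $1; sub(/\.so.*/, "", stem)       # libssl or libcrypto
            key = stem SUBSEP $3
            if (!(key in users)) npaths[stem]++      # new resolved path
            users[key] = users[key] " " obj
        }
        END {
            for (key in users) {
                split(key, part, SUBSEP)
                tag = (npaths[part[1]] > 1) ? "MISMATCH" : "ok"
                printf "%s %s %s <-%s\n", tag, part[1], part[2], users[key]
            }
        }' | sort)
    printf '%s\n' "$report"
    case $report in *MISMATCH*) return 1 ;; esac
    return 0
}

sample_ldd | openssl_link_audit || true
```

On a live host, pipe the real `ldd` output for the httpd binary and every module it loads into `openssl_link_audit`; any `MISMATCH` line names the objects that need rebuilding against a single OpenSSL.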

