[Page 1, 2 Next]

Topic: PHP bug 55470 Crash when calling openssl_sign under mod_php

[1]

Topic: PHP bug 55470 Crash when calling openssl_sign under mod_php

[dvdoug]

Hi all

I filed https://bugs.php.net/bug.php?id=55470 last night, which is a PHP crash that occurs only when running under Apache.

However, upon further investigation I have discovered that that while the PHP crash is reproducible using Apache 2.2.19, it doesn't crash when running under Apache 2.2.17 (same machine, same httpd.conf, same PHP) which makes me think that it's really an Apache bug.

Can anyone else reproduce this or have any ideas?

[Kanashii]

With version of PHP ?

[dvdoug]

5.3.7

[Kanashii]

You use accelerators ?

echo base64_encode($signature); // coments for test
upgrade fcgid to d

[dvdoug]

I think your post got cut off?

I do use APC, but the bug exists even when it is disabled.

I use mod_php

[Kanashii]

try mod_fcgid - so if php crash will be respawn

[Kanashii]

[22-Aug-2011]

Due to unfortunate issues with 5.3.7 (see bug#55439) users should wait with upgrading until 5.3.8 will be released (expected in few days).

https://bugs.php.net/bug.php?id=55439

So i think its more buqqy with crypt liblary

[dvdoug]

It's not the PHP version - I've tested the last few dot releases, and they're all the same.

mod_fcgid is obviously something to investigate for the future, but changing SAPIs isn't simple (and according to my reading mod_fcgid doesn't play nicely with APC)

[dvdoug]

According to a comment in the PHP bug, it's because PHP is compiled with openssl 0.9, and the new Apache Lounge builds use openssl 1.0.

It doesn't crash under the older Apache versions because those were also built with openssl 0.9...

[Steffen]

Contacted PHP dev to look at this post.

Thanks,

Steffen

[Steffen]

Answer from PHP dev is:

The reason why php is not updating to 1.0 is the change in the way it works and some incompatibilities with 3rd party. Planned for final 5.4.0.

I going coming days to make a 2.2.20 with latest OpenSSL 0.9.

Steffen

[dvdoug]

Thanks!

[Steffen]

Please try Removed

Replace the included files, new mod_ssl is not needed.

When ok, then I make it official.

To be sure, only the issue when running php as module and not with mod_fcgid ?


Steffen

[dvdoug]

I can confirm the new files fix the crash under mod_php for me (thanks again).

I don't use mod_fcgid, but since that separates the PHP process from the Apache one I don't think it would affected by the incompatibility. There's a simple testcase in the PHP bug though that someone could run to be sure?

[dvdoug]

Are you sure that mod_ssl doesn't need to be replaced as well?

I ask, because since deploying Firefox gives me the following error message on an intermittent basis:

SSL received an unexpected New Session Ticket handshake message.

(Error code: ssl_error_rx_unexpected_new_session_ticket)

I've therefore downgraded again.

Thanks in advance

[Steffen]

I shall build coming days a complete version based on OpenSSL_0.9.8r, inlcuding mod_ssl.

Steffen

[admin]

Build with OpenSSL_0.9.8r available at the download page.

Please tell how it goes.

Steffen

[dvdoug]

I've put into production - will let you know in a couple of days.

Thanks again for your assistance.

[dvdoug]

I've had the new build in production for a few days now, and it seems completely stable. Looks like a complete build with 0.9.8 is the way to go.

[gdprogrammer59]

I have posted a similar message on mozilla.org forum so please excuse the duplicity but I am in need of some guidance.

Since installing the ApacheLounge build of Apache 2.2.21 with OpenSSL 0.9.8r, the Apache to PHP no longer hangs up (requiring a "long" restart of Apache) but now I get this message from Firefox (version 8.0.1 and no, I haven't tried older versions) ssl_error_rx_unexpected_new_session_ticket. Retry (which requires a resend of POST data) will eventually get it to accept without the error message. I am using a multi-domain SSL certificate but I didn't get this error when running Apache 2.2.21 with OpenSSL 0.9.8r from Apache.org.

An interesting note about the problem. I have a test domain that only has a single domain associated with it and I don't get this error at all. And it seems that if I get Firefox to finally accept it that as long as I continue to use that domain (you can access the domain from either domain.com or www.domain.com) that the problem doesn't happen unless you switch from www.domain.com to domain.com or vice versa.

Do you have any suggestions or things to check and/or verify?

Does it make sense to try the beta versions of PHP and/or Apache?

Thank you for any help you can provide.