mod_ssl and openssl 1.0.2 initialization

Something fishy reported in https://bz.apache.org/bugzilla/show_bug.cgi?id=62552

Which points to a problem with CRYPTO_THREADID and crypto locks and initialization order in OpenSSL 1.0.2. (I believe OpenSSL 1.1.x eliminated that).

During the analysis of the bug, there seem to be 3 modules in play that use openssl: mod_ssl, mod_md and mod_authn_dbd (mysql). Depending on configuration and load order the server works or crashes. Generally, the rule seems to be:

- without mod_authn_dbd (and directive for mysql driver), all is well
- with it, crash in mod_md md_crypto_init (which calls RAND_status(), which crashes)
- *unless* mod_ssl is loaded before the others.

This seems a bit nasty. Does any of our mod_ssl experts agree with this analysis and that crypto locking is the issue?

If so, what can we do about it?