Re: A new workaround for bug 3816: ssl_crtd crash with OpenSSL v...

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Tue, 14 May 2013 16:44:00 +0300

A new version of the patch.
I will commit this patch to trunk....

On 05/14/2013 06:55 AM, Amos Jeffries wrote:
> On 14/05/2013 6:28 a.m., Tsantilas Christos wrote:
>> I am attaching a fix.
>> Still needs some discussion.
>> This patch does the following two checks:
>> 1) Checks if the SSL_get_certificate is buggy
>> 2) Checks it he workaround can be enabled.
>>
>> Inside squid:
>> If the workaround can be used, enable it
>> else if the SSL_get_certificate is not buggy, use it
>> else hit an assertion
>>
>> I select this approach:
>> 1) because the workaround is significant faster than using the
>> SSL_get_certificate
>> 2) to avoid the segfault if the SSL_get_certificate is buggy .
>>
>> Problems:
>> I had problem with the LD_LIBRARY_PATH. For example if the user does
>> not want to use system libraries and use openSSL SDK installed under a
>> non standard directory, the test program will run with system libraries.
>> To avoid this someone should use the LD_LIBRARY_PATH in configure script:
>> ./configure --with-openssl=/path/to/openssl/
>> LD_LIBRARY_PATH=/path/to/openssl/
>>
>> I do not like this option, so in the test I am using the -wl,-rpath
>> compiler option to pass the openSSL libraries path.
>> But this option does not looks good too..
>>
>> Also we may want to harden the workaround test to use a hardcoded
>> certificate instead of a NULL certificate. (I attached an example in a
>> previous mail)
>>
>> Regards,
>> Christos
>
> Looks like good progress.
>
> Have you tried moving the m4_include statement after AC_SUBST(SSLLIB)?
> The the m4_include will expand the file in-place inside configure.ac.
>
> Have you tried passing the flags as an argument to the check macro? eg.
> SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS([$SSLLIB])
>
> partial audit:
> * Provided the m4_include is not sensitive to location I would like this
> AC_DEFUN to be in acinclude/lib-checks.m4 though along with the other
> library hack checks. If location is sensitive we will be forced to use a
> separate .m4 file though.
>
> * Also the .cc code does not need to use "#if defined(" when the squid
> code is in explicit control of the macro definitino 0/1/absent state.
> Just use "#if SQUID_"...
>
> Amos
>

Received on Tue May 14 2013 - 13:44:18 MDT

This archive was generated by hypermail 2.2.0 : Tue May 14 2013 - 12:00:09 MDT