segfault when using Internet Explorer after adding ssl.conf and running `apachectl restart`

Solution In Progress - Updated -

Environment

Red Hat Enterprise Linux 6.4

Issue

The httpd service is running without ssl enabled. An ssl.conf is added to /etc/httpd/conf.d and run apachectl restart.

HTTPS can then be used to browse with Firefox and Chrome but Internet Explorer causes a segfault. IE 8, 9 and 10 have been seen to cause the segfault. IE 10 on Windows 8 appears not to.

If a full service httpd restart is issued the segfault does not appear to occur.

In the logs: /var/log/httpd/error_log

[notice] Apache/2.2.15 (Unix) mod_webkit2/1.1 configured -- resuming normal operations
[notice] SIGHUP received. Attempting to restart
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_webkit2/1.1 configured -- resuming normal operations
[notice] child pid 20354 exit signal Segmentation fault (11)
[notice] child pid 20355 exit signal Segmentation fault (11)
[notice] child pid 20357 exit signal Segmentation fault (11)
[notice] child pid 20358 exit signal Segmentation fault (11)

Stack trace:
0x00007f346c78dba9 in ?? () from /etc/httpd/modules/mod_ssl.so
0x00007f346c783a10 in ?? () from /etc/httpd/modules/mod_ssl.so
0x00007f346c550610 in ssl_get_prev_session () from /usr/lib64/libssl.so.10
0x00007f346c52f6c1 in ssl3_get_client_hello () from /usr/lib64/libssl.so.10
0x00007f346c531b6f in ssl3_accept () from /usr/lib64/libssl.so.10
0x00007f346c53d0d9 in ssl23_get_client_hello () from /usr/lib64/libssl.so.10
0x00007f346c53d8b3 in ssl23_accept () from /usr/lib64/libssl.so.10
0x00007f346c781168 in ?? () from /etc/httpd/modules/mod_ssl.so
0x00007f346c782107 in ?? () from /etc/httpd/modules/mod_ssl.so
0x00007f34774f2d06 in ap_rgetline_core ()
0x00007f34774f376e in ap_read_request ()
0x00007f347750b910 in ?? ()
0x00007f34775076b8 in ap_run_process_connection ()
0x00007f3477513977 in ?? ()
0x00007f3477513c8a in ?? ()
0x00007f347751490c in ap_mpm_run ()
0x00007f34774eb900 in main ()

Resolution

This problem has been fixed with the errata:
https://access.redhat.com/errata/RHBA-2014:1386

OR

The specific issue here is a problem with shared memory session cache initialization which triggers ONLY if mod_ssl is loaded for the first time during a configuration reload.

A workaround could be to ensure that after enabling mod_ssl you run:

# service httpd restart

OR

apachectl -k stop
apachectl -k start

Instead of:

apachectl -k restart

The above as used here is equivalent to "service httpd reload". It reloads the configuration of the running server. When adding or removing modules it is advisable to always to do full stop/start of the service.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments