nginx ssl_prefer_server_ciphers and MSIE 7.x core dump

D
Doncho
  • 20 Jul '09
Hello,

First of all many thanks for nginx.

I have a machine where 'ssl_prefer_server_ciphers on;' plus Internet
Explorer 7 (win 2003/XP) causes segmentation fault in Kerberos
libraries:
--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
(gdb) bt
#0  0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
#1  0x00000036b7e48ade in krb5_kt_get_entry () from /usr/lib64/libkrb5.so.3
#2  0x00000036b963862e in kssl_keytab_is_available () from /lib64/libssl.so.6
#3  0x00000036b961e2d5 in ssl3_choose_cipher () from /lib64/libssl.so.6
#4  0x00000036b9619a7b in ssl3_get_client_hello () from /lib64/libssl.so.6
--- cut ---
The host OS is RHEL 5.3 fully updated. I tried 32 and 64 bit versions
from 0.6.32 to 0.6.38 with and without perl. The CPU is Intel(R)
Xeon(R) CPU E5410 @ 2.33GHz. Exactly the same binary works on other
machines (including KVM virtual ones) on CentOS 5.3 fully updated and
I was using it on another machine with RHEL (have no access to that
one any more).

Can I help further? Can I disable all kerberos related stuff in the
meantime somehow?

-- 
  BR,
    Doncho Gunchev
I
Igor
  • 21 Jul '09
On Mon, Jul 20, 2009 at 01:09:22PM +0300, Doncho Gunchev wrote:

> Hello,
> 
> First of all many thanks for nginx.
> 
> I have a machine where 'ssl_prefer_server_ciphers on;' plus Internet
> Explorer 7 (win 2003/XP) causes segmentation fault in Kerberos
> libraries:
> --- cut ---
> Program received signal SIGSEGV, Segmentation fault.
> 0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
> (gdb) bt
> #0  0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
> #1  0x00000036b7e48ade in krb5_kt_get_entry () from /usr/lib64/libkrb5.so.3
> #2  0x00000036b963862e in kssl_keytab_is_available () from /lib64/libssl.so.6
> #3  0x00000036b961e2d5 in ssl3_choose_cipher () from /lib64/libssl.so.6
> #4  0x00000036b9619a7b in ssl3_get_client_hello () from /lib64/libssl.so.6
> --- cut ---
> The host OS is RHEL 5.3 fully updated. I tried 32 and 64 bit versions
> from 0.6.32 to 0.6.38 with and without perl. The CPU is Intel(R)
> Xeon(R) CPU E5410 @ 2.33GHz. Exactly the same binary works on other
> machines (including KVM virtual ones) on CentOS 5.3 fully updated and
> I was using it on another machine with RHEL (have no access to that
> one any more).
> 
> Can I help further? Can I disable all kerberos related stuff in the
> meantime somehow?

Could you confirm that "ssl_prefer_server_ciphers off" does not cause
faults ?

As to disabling kerberos you may try to build OpenSSL statically
with nginx:

./configure --with-openssl=/path/to/openssl/sources --with-openssl-opt=no-krb5

-- 
Igor Sysoev
http://sysoev.ru/en/
D
Doncho
  • 21 Jul '09
2009/7/21 Igor Sysoev <is at rambler-co.ru>:
> On Mon, Jul 20, 2009 at 01:09:22PM +0300, Doncho Gunchev wrote:
>
>> Hello,
>>
>> First of all many thanks for nginx.
>>
>> I have a machine where 'ssl_prefer_server_ciphers on;' plus Internet
>> Explorer 7 (win 2003/XP) causes segmentation fault in Kerberos
>> libraries:
>> --- cut ---
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
>> (gdb) bt
>> #0 ?0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
>> #1 ?0x00000036b7e48ade in krb5_kt_get_entry () from /usr/lib64/libkrb5.so.3
>> #2 ?0x00000036b963862e in kssl_keytab_is_available () from /lib64/libssl.so.6
>> #3 ?0x00000036b961e2d5 in ssl3_choose_cipher () from /lib64/libssl.so.6
>> #4 ?0x00000036b9619a7b in ssl3_get_client_hello () from /lib64/libssl.so.6
>> --- cut ---
>> The host OS is RHEL 5.3 fully updated. I tried 32 and 64 bit versions
>> from 0.6.32 to 0.6.38 with and without perl. The CPU is Intel(R)
>> Xeon(R) CPU E5410 @ 2.33GHz. Exactly the same binary works on other
>> machines (including KVM virtual ones) on CentOS 5.3 fully updated and
>> I was using it on another machine with RHEL (have no access to that
>> one any more).
>>
>> Can I help further? Can I disable all kerberos related stuff in the
>> meantime somehow?
>
> Could you confirm that "ssl_prefer_server_ciphers off" does not cause
> faults ?

Yes, that's the way I'm using it currently.

>
> As to disabling kerberos you may try to build OpenSSL statically
> with nginx:
>
> ./configure --with-openssl=/path/to/openssl/sources --with-openssl-opt=no-krb5

Thank you, will try ASAP :)

>
> --
> Igor Sysoev
> http://sysoev.ru/en/

-- 
  BR,
    Doncho Gunchev
  • Page 1 of 1
Reply