Bug 1392900

Summary: httpd FTBS with openssl 1.1
Product: [Fedora] Fedora Reporter: Anton Guda <atu>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: atu, jkaluza, jorton, luhliari, pahan
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: httpd-2.4.23-6.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-16 08:29:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Anton Guda 2016-11-08 12:49:45 UTC 
Description of problem:
httpd failed to rebuild with new openssl installed.
Without rebuild, it sometimes hangs, and require
long time to restart (systemd sends --9 to httpd processes.


Version-Release number of selected component (if applicable):
httpd-2.4.23-4.fc25.x86_64
apr-1.5.2-4.fc25.x86_64
openssl-1.1.0b-3.fc26.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Try to rebuild httpd

Actual results:
Pack of complication/link error.

Expected results:
Good compilation and work.

Additional info:
I try patch from upstream, it compliles, but segfaulted in
something related to apr.

systemd-coredump: Process 16436 (/usr/sbin/httpd) of user 0 dumped core.#012#012Stack trace of thread
16436:#012#0  0x00007f488dee65f4 apr_pool_create_ex (libapr-1.so.0)#012#1  0x00007f487b587e3c svn_pool_create_ex (libsvn_su
br-1.so.0)#012#2  0x00007f487c33870e synchronized_initialize (libsvn_fs-1.so.0)#012#3  0x00007f487b55f548 svn_atomic__init_
once (libsvn_subr-1.so.0)#012#4  0x00007f487c787370 init (mod_dav_svn.so)#012#5  0x0000557999914e33 ap_run_post_config (htt
pd)#012#6  0x00005579998f2ccc main (httpd)#012#7  0x00007f488d703451 __libc_start_main (libc.so.6)#012#8  0x00005579998f300
a _start (httpd)
Comment 1 Joe Orton 2016-11-14 10:46:59 UTC 
Commit: http://pkgs.fedoraproject.org/gitweb/?p=httpd.git;a=commitdiff;h=0d708eba112ce37ecdc29c1dc5054c2e61a2e2c4
Comment 2 Joe Orton 2016-11-14 11:04:34 UTC 
Package: httpd-2.4.23-6.fc26
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=817612
Comment 3 Anton Guda 2016-11-14 14:16:28 UTC 
sigsegv with
 httpd-2.4.23-6.fc26.x86_64
 apr-util-1.5.4-4.fc26.x86_64
 apr-1.5.2-4.fc25.x86_64

Stack trace of thread 16237:
   #0  0x00007ff071d0cfb4 x509_verify_param_zero (libcrypto.so.1.1)
   #1  0x00007ff071d0d08e X509_VERIFY_PARAM_free (libcrypto.so.1.1)
   #2  0x00007ff071ff7b1c SSL_CTX_free (libssl.so.1.1)
   #3  0x00007ff06abed5dc ssl_init_ModuleKill (mod_ssl.so)
   #4  0x00007ff078bb62f1 apr_pool_clear (libapr-1.so.0)
   #5  0x0000558954e2ad2f main (httpd)
   #6  0x00007ff0783d3451 __libc_start_main (libc.so.6)
   #7  0x0000558954e2b00a _start (httpd)
Comment 4 Joe Orton 2016-11-14 14:19:18 UTC 
What version of openssl?
Comment 5 Anton Guda 2016-11-14 14:49:47 UTC 
openssl-1.1.0c-1.fc26.x86_64 - latest for now

compat-openssl10-1.0.2j-5.fc26.x86_64

It it required to rebuild apr, not only apr-util?
Comment 6 Joe Orton 2016-11-14 15:16:58 UTC 
If there's something that still requires compat-openssl10 please let me know, I just rebuilt apr-util.

With:

httpd-2.4.23-6.fc26.x86_64
apr-1.5.2-3.fc24.x86_64
apr-util-1.5.4-4.fc26.x86_64
openssl-1.1.0c-1.fc26.x86_64
mod_ssl-2.4.23-6.fc26.x86_64

I'm getting a successful startup here (Fedora 24 system with openssl102 from the Copr repo), and can load pages over HTTPS.
Comment 7 Joe Orton 2016-11-14 19:44:17 UTC 
Make sure you don't have any modules pulling in the older OpenSSL, that could do weird things still.
Comment 8 Joe Orton 2016-11-15 09:11:42 UTC 
Updated this test system to Raw Hide (as of yesterday) and it is working fine.  If you're still seeing a crash on startup can you show me config diffs and list of modules installed?
Comment 9 Anton Guda 2016-11-15 21:37:29 UTC 
Found!

Offending module is from
zgridsite.conf (gridsite-2.3.2-2.fc26.x86_64).

After removing all is near to fine!

Propose to close this bug.
Comment 10 Joe Orton 2016-11-16 08:28:40 UTC 
Awesome, thanks Anton.  Please do file bugs for anything still linking against the old OpenSSL, though I've gone through and rebuilt a few myself.