Bug 1664414
Summary: | CPU at 100% in process after SSL "scan" that logs as AH02042 | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael Bayer <mbayer> |
Component: | httpd | Assignee: | Luboš Uhliarik <luhliari> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 29 | CC: | anon.amish, hkario, jkaluza, jorton, luhliari, pahan, rkudyba, wrowe |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-01-24 14:41:59 UTC | Type: | Bug |
Description
Michael Bayer
2019-01-08 17:34:38 UTC
The server has many vhosts running, the one that gets SSL requests by default without a cert is alembic.sqlalchemy.org. The vhost config for this site is below:

    <VirtualHost *:80 *:443>
        ServerAdmin mike_mp
        ServerName alembic.sqlalchemy.org
        ServerAlias alembic.zzzcomputing.com
        DocumentRoot /www/hosts/alembic.sqlalchemy.org/static
        Errorlog /www/hosts/alembic.sqlalchemy.org/logs/error_log
        CustomLog "|/usr/sbin/rotatelogs /www/hosts/alembic.sqlalchemy.org/logs/access_log.%Y%m%d 86400" combined
        DirectoryIndex index.html
        RewriteEngine On

        # https-related behaviors
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/alembic.sqlalchemy.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/alembic.sqlalchemy.org/privkey.pem

        # used by letsencrypt
        <Directory "/www/hosts/alembic.sqlalchemy.org/static/.well-known">
            AllowOverride None
            RewriteEngine off
            Require all granted
        </Directory>

        # allows use of redirects of the form:
        # %{ENV:ps}://www.foo.com
        #
        RewriteCond %{HTTPS} =on
        RewriteRule ^(.*)$ - [env=ps:https]
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*)$ - [env=ps:http]

        RewriteCond %{HTTPS} !=on
        # rewrite all but the letsencrypt URI to https
        RewriteRule ^/(?!.well-known)(.*) https://%{SERVER_NAME}/$1 [R,L]
        # end https-related behaviors

        <Directory "//www/hosts/alembic.sqlalchemy.org/static">
            AllowOverride None
            Require all granted
            RewriteEngine On
            RewriteRule ^/* %{ENV:ps}://alembic.sqlalchemy.org/en/latest/
            ErrorDocument 404 /en/latest/search.html
        </Directory>

        # rewrite all occurrences of alternate domains with primary domain
        RewriteCond %{HTTP_HOST} !^alembic\.sqlalchemy\.org [NC]
        RewriteCond %{HTTP_HOST} !^$
        RewriteRule ^/(.*) %{ENV:ps}://alembic.sqlalchemy.org/$1 [L,R]

        # handle letsencrypt
        RewriteRule ^/\.well-known/.* - [END]

        <Directory "//www/hosts/alembic.sqlalchemy.org/static/en/">
            RewriteEngine Off
        </Directory>
    </VirtualHost>

The settings in /etc/httpd/conf.d/ssl.conf are kept at their defaults, however I also tried the configuration at https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html which didn't change the results.

Reviewing the backtrace, this may be based on a misunderstanding by our developers of the SSL_clear_error() function, as first identified here: https://bz.apache.org/bugzilla/show_bug.cgi?id=62590

Reproducer for the issue: https://github.com/tomato42/tlsfuzzer/pull/492 (scripts test-legacy-renegotiation.py and test-renegotiation-disabled.py in tlsfuzzer). The script is much stricter than is necessary to detect this issue; the bug manifests itself as a test failing with a timeout error.

*** Bug 1665692 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of bug 1668489 ***