Bug 649648

Summary: mod_ssl: startup fails with duplicate SSL vhost configurations
Product: Red Hat Enterprise Linux 5
Reporter: Masahiro Matsuya <mmatsuya>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: high
Version: 5.5
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 676831
Environment:
Last Closed: 2011-07-21 08:53:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Description / Flags):
  proposed patch / none
  proposed patch / none

Description Masahiro Matsuya 2010-11-04 07:55:24 UTC
Description of problem:
In a customer's environment, httpd didn't start with the following error.

  [error] Oops, no RSA or DSA server certificate found for 'www.kennismakingslot.nl:0'?!

For this vhost, SSLCertificateFile and SSLCertificateKeyFile are configured properly in the config file.

The certificate should be inserted into a hash table in ssl_asn1_table_set(), called from ssl_pphrase_Handle(). But it's not executed for this vhost.

void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
{
...
    /*
     * Walk through all configured servers
     */
    for (pServ = s; pServ != NULL; pServ = pServ->next) {
...
            ucp = ssl_asn1_table_set(mc->tPublicCert, cp, length);
...
                if (pkey_mtime) {
                    int i;

                    for (i=0; i < SSL_AIDX_MAX; i++) {
                        const char *key_id =
                            ssl_asn1_table_keyfmt(p, cpVHostID, i);
                        ssl_asn1_t *asn1 =
                            ssl_asn1_table_get(mc->tPrivateKey, key_id);

                        if (asn1 && (asn1->source_mtime == pkey_mtime)) {
                            ap_log_error(APLOG_MARK, APLOG_INFO,
                                         0, pServ,
                                         "%s reusing existing "
                                         "%s private key on restart",
                                         cpVHostID, ssl_asn1_keystr(i));
                            return;  <<==== (A)

Before executing this for-loop for this vhost, this function returns at (A).

Version-Release number of selected component (if applicable):
httpd-2.2.3-43

How reproducible:
Always

Steps to Reproduce:
1. use the httpd configuration I will attach soon
2. service httpd start


Actual results:
httpd doesn't start.

Expected results:
httpd starts without any errors.

Additional info:
I created a proposed patch. I tested it and the httpd started without errors.
I will attach it as well.

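As an added illustration (this is not httpd's code and not the reporter's patch), the following C program models the walk over configured vhosts described in the report: the certificate is inserted into the table first, then the private key is either reused from the restart cache or loaded. The buggy walk returns from the whole function on a cache hit, as at (A) in the excerpt, so every vhost after it is left without a certificate and the startup check fails with the "no RSA or DSA server certificate found" error; the corrected walk only finishes the current vhost and continues. The vhost struct, the per-vhost mtime cache, and the names a/b/c.example.test:443 are constructed for the example; it also shows that a fresh start (nothing cached) does not trigger the bug, which is why it surfaces on restart.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for mod_ssl's per-vhost state (not httpd's server_rec).
 * key_mtime is the key file's mtime on disk; cached_mtime is the mtime that a
 * previous start recorded in the private-key table (0 = nothing cached). */
typedef struct vhost {
    const char *id;          /* constructed vhost id, e.g. "a.example.test:443" */
    long key_mtime;
    long cached_mtime;
    int cert_in_table;       /* set once the cert is inserted into the cert table */
    int key_in_table;        /* set once a key is loaded or reused from the cache */
    struct vhost *next;
} vhost;

/* One vhost's worth of the modelled ssl_pphrase_Handle work: the cert goes
 * into the table first, then the key is reused from the restart cache or
 * loaded. Returns 1 when the cached key was reused, 0 when it was loaded. */
static int handle_one_vhost(vhost *v) {
    v->cert_in_table = 1;                    /* models ssl_asn1_table_set(tPublicCert, ...) */
    if (v->cached_mtime && v->cached_mtime == v->key_mtime) {
        v->key_in_table = 1;                 /* "reusing existing private key on restart" */
        return 1;
    }
    v->key_in_table = 1;                     /* models reading and decrypting the key file */
    return 0;
}

/* Walk as in the report: a cache hit returns from the whole function (A),
 * so every vhost after it is never configured. */
static void walk_buggy(vhost *list) {
    for (vhost *v = list; v != NULL; v = v->next) {
        if (handle_one_vhost(v))
            return;
    }
}

/* Corrected walk: a cache hit only finishes this vhost; the loop goes on. */
static void walk_fixed(vhost *list) {
    for (vhost *v = list; v != NULL; v = v->next) {
        (void)handle_one_vhost(v);
    }
}

/* Startup check modelled on the "no RSA or DSA server certificate found"
 * error: returns the number of vhosts left without a certificate. */
static int vhosts_without_cert(const vhost *list) {
    int missing = 0;
    for (const vhost *v = list; v != NULL; v = v->next) {
        if (!v->cert_in_table) {
            fprintf(stderr, "[error] Oops, no RSA or DSA server certificate found for '%s'?!\n", v->id);
            missing++;
        }
    }
    return missing;
}

/* Constructed scenario: three SSL vhosts. On a restart, the first one's key is
 * already cached with an unchanged mtime; on a fresh start nothing is cached. */
static vhost *build_scenario(vhost store[3], int restart) {
    vhost init[3] = {
        { "a.example.test:443", 1000, 0, 0, 0, NULL },
        { "b.example.test:443", 1000, 0, 0, 0, NULL },
        { "c.example.test:443", 1000, 0, 0, 0, NULL },
    };
    memcpy(store, init, sizeof init);
    if (restart)
        store[0].cached_mtime = 1000;        /* same mtime as on disk: cache hit */
    store[0].next = &store[1];
    store[1].next = &store[2];
    return &store[0];
}

/* Run the scenario through one walk; return how many vhosts end up without a cert. */
static int missing_after(void (*walk)(vhost *), int restart) {
    vhost store[3];
    vhost *list = build_scenario(store, restart);
    walk(list);
    return vhosts_without_cert(list);
}

int main(void) {
    printf("buggy walk, fresh start: %d vhost(s) without certificate\n", missing_after(walk_buggy, 0));
    printf("buggy walk, restart:     %d vhost(s) without certificate\n", missing_after(walk_buggy, 1));
    printf("fixed walk, restart:     %d vhost(s) without certificate\n", missing_after(walk_fixed, 1));
    return 0;
}
```

Note that the vhost whose key hits the cache does get its certificate in both walks; it is the vhosts after it in the list that lose theirs, which matches the report where the error names a later vhost even though that vhost's own SSLCertificateFile is set.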
Comment 2 Masahiro Matsuya 2010-11-04 07:59:28 UTC
Created attachment 457717 [details]
proposed patch

Comment 3 Masahiro Matsuya 2010-11-04 08:02:00 UTC
Created attachment 457720 [details]
proposed patch

Comment 4 Joe Orton 2010-11-04 16:19:21 UTC
Thanks for the report and patch.

I'm away from a machine on which I can repro the problem at the moment.  The *-ssl.conf files are using:

<VirtualHost ssd09-app4:443>
	ServerName www.kennismakingslot.nl

which is not quite correct; it should use a port-qualified ServerName throughout:

        ServerName www.kennismakingslot.nl:443

in all cases.  Does it make a difference if this is changed throughout?  (without the patch applied)

Comment 5 Masahiro Matsuya 2010-11-05 01:54:29 UTC
Hi Joe,

I tested with "ServerName www.kennismakingslot.nl:443" on an environment without my patch. And, httpd didn't start with the same error.

# date
Sat Nov  6 08:19:50 IST 2010

# grep ServerName /etc/httpd/conf.d/ssd09-ssl.conf
	ServerName www.kennismakingslot.nl:443

# service httpd start
Starting httpd:                                            [FAILED]

# tail -2 /var/log/httpd/ssd09-ssl-error_log
[Sat Nov 06 08:19:58 2010] [debug] ssl_engine_init.c(602): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[Sat Nov 06 08:19:58 2010] [error] Oops, no RSA or DSA server certificate found for 'www.kennismakingslot.nl:443'?!

Regards,

Masahiro

Comment 6 Joe Orton 2011-02-11 12:30:50 UTC
Thanks for that.  I have committed upstream two changes:

http://svn.apache.org/viewvc?rev=1069765&view=rev
... a minor cleanup to the function.

http://svn.apache.org/viewvc?rev=1069772&view=rev
... an adapted version of your patch.

I do not see how the innermost loop there was necessary or correct, so I've removed it which both simplifies the code and the change needed to fix the bug.

Comment 10 errata-xmlrpc 2011-07-21 08:53:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html

Comment 11 errata-xmlrpc 2011-07-21 11:47:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html