Bug 14147 - The conf directive "SSLOptions +StdEnvVars" for mod_ssl will cause every request to seg fault.
Summary: The conf directive "SSLOptions +StdEnvVars" for mod_ssl will cause every requ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Secure Web Server
Classification: Retired
Component: secureweb
Version: 3.2
Hardware: i386
OS: Linux
high
high
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-07-17 17:46 UTC by George Dittmeier
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-09-15 05:31:16 UTC
Embargoed:

Attachments (Terms of Use)
my conf file for Redhat Secure Web Server (The SSLOptions directive is currently commented out for obvious reasons) (42.21 KB, text/plain)
2000-07-17 17:50 UTC, George Dittmeier 		no flags Details
View All

Description George Dittmeier 2000-07-17 17:46:06 UTC 
Greetings.
I recently upgraded from the secure web server 2.0 product to 3.2.1-1.  I noticed that I was no longer getting the environment 
variable "HTTPS_SECRETKEYSIZE" in my cgi (perl) scripts.  After some investigation, I found that the name of this variable changed to 
"SSL_CIPHER_ALGKEYSIZE".  This didn't work either.  I then printed out my entire environment in cgi and found that non of the SSL 
environment variables as documented here-->http://www.modssl.org/docs/2.6/ssl_compat.html are being exported to my scripts.  According to 
the FAQ at www.modssl.org, I needed to add the set an SSLOption in my httpd.conf file to get these environment variables to export.  
Specifically, it says to add the line "SSLOptions +StdEnvVars" to the conf file withing the VirtualHost section for the secure server.  So I did 
this.  

So here's the rub.  I find that if I add "SSLOptions +StdEnvVars" to my httpd.conf file and restart my server every request to my secure server 
(even those that don't touch any cgi) result in a segmentation fault.  Needless to say this is very bad and getting very frustrating.  I currently 
have no way to access the SSL environment variables via cgi and our site needs to distinguish 128 bit key clients from 40 bit key clients.

We've been very disappointed in the quality and breadth of the documentation and support available for the red had secure server.  Hopefully a 
quick and meaningful response to this issue will change our minds.  
Thanks.
Comment 1 George Dittmeier 2000-07-17 17:50:24 UTC 
Created attachment 1227 [details]
my conf file for Redhat Secure Web Server (The SSLOptions directive is currently commented out for obvious reasons)
Comment 2 Nalin Dahyabhai 2000-07-18 18:20:30 UTC 
I've traced this one down to a call into the BSAFE library's ASN1_UTCTIME_print
function, which is not a supported API call.  Without the library source, the
best we
can do is to try to find a workaround.
Comment 3 George Dittmeier 2000-07-18 19:50:01 UTC 
As long as the workaround gives access to the SSL environment variables I'll be happy.  FYI, I tried using the mod_env package to make the variables I 
need accessible to my cgi progs, but this had no affect.  I guess they simply aren't in the environment. Seems like the BSAFE code is causing problems 
in several areas (references in other bugs).  Maybe a patch is in order?
Comment 4 George Dittmeier 2000-07-18 19:50:31 UTC 
Oh, and THANK YOU for your timely response.
Comment 5 George Dittmeier 2000-08-30 19:04:34 UTC 
Can we please get some kind of resolution to this bug?  It's been over a month since the last update.
I spending valuable resources working around it via silly cgi-based fixes.
Comment 6 George Dittmeier 2000-09-15 05:31:13 UTC 
Is anybody listening out there? Hello?
Comment 7 Nalin Dahyabhai 2000-10-27 16:48:57 UTC 
This fix is going into the security errata we're putting out.
Note You need to log in before you can comment on or make changes to this bug.