Description of problem:
OpenSSL can segfault or deadlock if RAND_poll is called on an fd that is >= FD_SETSIZE. This primarily affects apache2 with many SSL vhosts in use. More information (including a patch) can be found here: http://rt.openssl.org/Ticket/Display.html?id=1298&user=guest&pass=guest

Version-Release number of selected component (if applicable):
openssl-0.9.7a-43.14

How reproducible:
Easy

Steps to Reproduce:
1. install httpd, install mod_ssl
2. create at least 6000 VirtualHosts, each of which should have a logfile. It also helps to have many of the vhosts listening on a unique port, as this will open more fd's
3. start apache. segfault will occur

Actual results:

Expected results:

Additional info:
Additional steps to help recreate the problem.
1) setup httpd.conf as normal. make sure mod_ssl is loaded
2) add a lot of vhosts with this simple perl script:

#!/usr/bin/perl
# Emit $num_vhosts pairs of vhosts (one on port 80, one on its own port),
# each with its own CustomLog so httpd opens one log fd per vhost.
$num_vhosts = 10000;
my $i = 0;
while ( $i < $num_vhosts ) {
    my $port = 10000 + $i;
    print <<EOF;
<VirtualHost 1.1.1.1:80>
    ServerName shared-test$i.something.dom
    ServerAdmin support\@something.dom
    DocumentRoot /web/htdocs
    CustomLog /tmp/shared-test-log-$i.log combined
</VirtualHost>
Listen $port
<VirtualHost 1.1.1.1:$port>
    ServerName shared-test$i-$port.something.dom
    ServerAdmin support\@something.dom
    DocumentRoot /web/htdocs
    CustomLog /tmp/shared-test-log-ssl-$i.log combined
</VirtualHost>
EOF
    $i++;
}

# perl fillvhosts.pl >> httpd.conf
# ulimit -n 128000
# /usr/sbin/httpd.worker
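The descriptor-range hazard behind this report, shown as an added example (not code from the bug report, from OpenSSL, or from the referenced patch): select() can only track descriptors below FD_SETSIZE, so a process that already holds thousands of open log files hands RAND_poll an fd that an fd_set cannot represent. The functions below are hypothetical illustrations of the defensive pattern: validate the fd before FD_SET, or use poll(), which has no such ceiling.

```c
#include <errno.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* select() only tracks descriptors below FD_SETSIZE; FD_SET on a larger
   fd writes past the end of the fd_set, which is the crash class here. */
int fd_fits_select(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* Bounded wait for readability via select(), refusing out-of-range fds.
   Returns 1 readable, 0 timeout, -1 error (EINVAL if fd cannot be tracked). */
int wait_readable_select(int fd, int timeout_ms) {
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    if (!fd_fits_select(fd)) { errno = EINVAL; return -1; }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    int r = select(fd + 1, &rfds, NULL, NULL, &tv);
    return r < 0 ? -1 : (r > 0);
}

/* Same wait via poll(), which works for any valid descriptor number. */
int wait_readable_poll(int fd, int timeout_ms) {
    struct pollfd p = { fd, POLLIN, 0 };
    int r = poll(&p, 1, timeout_ms);
    return r < 0 ? -1 : (r > 0);
}

/* Demo (hypothetical): place a readable pipe end at descriptor number
   FD_SETSIZE, as a server with thousands of open vhost logs would, then
   compare both waiters. Returns 1 if the select path refused and poll
   succeeded, 0 on any other outcome, -1 if the fd limit blocks the setup. */
int demo_high_fd(void) {
    int fds[2], hi = FD_SETSIZE, rc;
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur <= (rlim_t)hi) {
        rl.rlim_cur = rl.rlim_max;           /* try to raise the soft limit */
        setrlimit(RLIMIT_NOFILE, &rl);
    }
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], "x", 1) != 1 || dup2(fds[0], hi) != hi) {
        close(fds[0]); close(fds[1]); return -1;  /* EBADF: limit still too low */
    }
    rc = (wait_readable_select(hi, 0) == -1 && errno == EINVAL
          && wait_readable_poll(hi, 0) == 1);
    close(hi); close(fds[0]); close(fds[1]);
    return rc;
}
```

With the guard in place an out-of-range descriptor yields a clean EINVAL instead of stack corruption; the poll() path keeps working at any descriptor number.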
We have this patched in RHEL-5 and Fedora openssl.
Excellent. Will it be patched for RHEL3 or 4 as well?
RHEL3 - probably not. RHEL4 - it depends on further evaluation.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
This is a pretty serious problem, as it takes a lot less than 6000 vhosts. In some cases with log files it can be < 1000, which is pretty common.
It has been 7 months since this bug was first submitted. 6 months since management said they would look into it further. Can we please get an update on the status of a fix? I am hoping Redhat hasn't abandoned users who are still using RHEL 4. I look forward to an update from the Redhat team shortly. Xavier
As you can see from the bug status, the bug fix errata for this is in the release pending state, to be released within the RHEL 4.6 update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-1003.html