JBCS-239: When using the zip distribution with a non-default SSLCryptoDevice on httpd (mod_ssl), httpd cannot start

    • Release Notes
    • ER3

      Workaround:
      Set the OPENSSL_ENGINES environment variable to the desired engines directory (e.g. $JBCS_HOME/httpd/lib/engines/) prior to starting httpd.

      Steps to Reproduce:

      1) Install JBCS httpd and cd into the $JBCS_HOME/httpd directory
      2) Configure SSLCryptoDevice in conf.d/ssl.conf to use something other than builtin, such as SSLCryptoDevice chil. Note that you don't have to have the hardware to demonstrate the issue.
      3) Try to start httpd under strace so that you can check which directory it searches for engines:

      # strace -fvttT -s 256 -o strace.out sbin/apachectl start
      

      4) Check the strace output to see that it is checking the wrong path for engines. It should be using $JBCS_HOME/httpd/lib/engines to look up the libchil.so library.

      #  grep libchil strace.out -A2
      1767  11:51:37.321058 open("/opt/rh/jbcs-httpd24/root/usr/lib64/openssl/engines/libchil.so", O_RDONLY) = -1 ENOENT (No such file or directory) <0.000005>
      1767  11:51:37.321096 write(2, "AH00526: Syntax error on line 71 of /root/jbcs-httpd24-2.4/httpd/conf.d/ssl.conf:\n", 82) = 82 <0.000008>
      1767  11:51:37.321116 write(2, "SSLCryptoDevice: Invalid argument; must be one of: 'builtin' (none), 'rdrand' (Intel RDRAND engine), 'dynamic' (Dynamic engine loading support)\n", 144) = 144 <0.000004>
      

      5) Observe that httpd has not started and you see an error in the httpd.log. Note that httpd shouldn't start if the engine is missing, but here mod_ssl is checking the wrong place for the engine.


      We compile openssl with --enginesdir pointing to the RPM distribution's engine directory, but we don't update that for the ZIP at any point. This means that when using a non-default SSLCryptoDevice within the zip distribution, httpd fails to start.

      This can be worked around with an environment variable (see workaround description), but we should probably add this setting to the postinstall like we did for LD_LIBRARY_PATH to correct it before the user even knows it's broken.
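      The workaround above, written out as a start-up pre-flight. This is an added example, not JBCS project code or the issue's own postinstall script: it assumes the ZIP layout named in the issue ($JBCS_HOME/httpd/conf.d/ssl.conf, $JBCS_HOME/httpd/lib/engines, $JBCS_HOME/httpd/sbin/apachectl) and the lib<engine>.so naming seen in the strace output (libchil.so for SSLCryptoDevice chil). The function names (jbcs_crypto_device, jbcs_engine_check, jbcs_start_httpd) and the "builtin"/"rdrand" special-casing, taken from mod_ssl's own error text in the strace, are this example's choices. It reads the configured SSLCryptoDevice, confirms the matching engine library exists in the ZIP's engines directory, and only then exports OPENSSL_ENGINES and starts httpd, so a genuinely missing engine is reported before apachectl runs rather than as an AH00526 syntax error.

```shell
#!/usr/bin/env bash
# Added example for the JBCS-239 workaround (not project code).
# Function names and the directory layout below are assumptions based on the issue text.

# Print the SSLCryptoDevice value configured in an ssl.conf ("builtin" if unset).
# Apache directives are case-insensitive, so compare lowercased; commented-out
# lines have "#" (or "#SSLCryptoDevice") as their first field and do not match.
jbcs_crypto_device() {
    local conf="$1"
    [ -r "$conf" ] || { printf 'cannot read %s\n' "$conf" >&2; return 1; }
    awk 'tolower($1) == "sslcryptodevice" { dev = $2 }
         END { print (dev == "" ? "builtin" : dev) }' "$conf"
}

# Resolve the engine mod_ssl would need for the configured device.
#   builtin/rdrand : nothing is loaded from disk; print nothing, return 0.
#   anything else  : require $JBCS_HOME/httpd/lib/engines/lib<dev>.so (the
#                    path the ZIP ships, which the compiled-in --enginesdir
#                    does not point at); print the engines dir on success.
jbcs_engine_check() {
    local jbcs_home="$1" conf="$2"
    local engines="$jbcs_home/httpd/lib/engines"
    local dev
    dev=$(jbcs_crypto_device "$conf") || return 1
    case "$dev" in
        builtin|rdrand) return 0 ;;
    esac
    if [ ! -f "$engines/lib$dev.so" ]; then
        # Same condition the strace showed as ENOENT, reported before httpd starts.
        printf 'SSLCryptoDevice %s: %s/lib%s.so not found\n' "$dev" "$engines" "$dev" >&2
        return 1
    fi
    printf '%s\n' "$engines"
}

# Start httpd with OPENSSL_ENGINES pointed at the ZIP's engines directory,
# which is the workaround from the issue. JBCS_HOME may be passed or inherited.
jbcs_start_httpd() {
    local jbcs_home="${1:-${JBCS_HOME:?set JBCS_HOME or pass it as the first argument}}"
    local engines
    engines=$(jbcs_engine_check "$jbcs_home" "$jbcs_home/httpd/conf.d/ssl.conf") || return 1
    if [ -n "$engines" ]; then
        export OPENSSL_ENGINES="$engines"
    fi
    "$jbcs_home/httpd/sbin/apachectl" start
}

# Usage (assumed wrapper name): ./jbcs-start.sh start /path/to/jbcs-httpd-2.4
if [ "${1:-}" = "start" ]; then
    jbcs_start_httpd "${2:-}"
fi
```

      Note that this only makes the engine resolvable; as the issue says, httpd still should not start if the engine is truly absent, and the check preserves that by failing closed instead of exporting a path that has no library in it.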

              pprokopi@redhat.com Petros Marios Prokopiou (Inactive)
              rhn-support-csutherl Coty Sutherland
              Paul Lodge Paul Lodge