nginx ssl_prefer_server_ciphers and MSIE 7.x core dump

Doncho Gunchev dgunchev at gmail.com
Tue Aug 4 13:22:00 MSD 2009 

2009/7/21 Doncho Gunchev <dgunchev at gmail.com>:
> 2009/7/21 Igor Sysoev <is at rambler-co.ru>:
>> On Mon, Jul 20, 2009 at 01:09:22PM +0300, Doncho Gunchev wrote:
>>
>>> Hello,
>>>
>>> First of all many thanks for nginx.
>>>
>>> I have a machine where 'ssl_prefer_server_ciphers on;' plus Internet
>>> Explorer 7 (win 2003/XP) causes segmentation fault in Kerberos
>>> libraries:
>>> --- cut ---
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
>>> (gdb) bt
>>> #0  0x00000036b7e610a2 in krb5_is_referral_realm () from /usr/lib64/libkrb5.so.3
>>> #1  0x00000036b7e48ade in krb5_kt_get_entry () from /usr/lib64/libkrb5.so.3
>>> #2  0x00000036b963862e in kssl_keytab_is_available () from /lib64/libssl.so.6
>>> #3  0x00000036b961e2d5 in ssl3_choose_cipher () from /lib64/libssl.so.6
>>> #4  0x00000036b9619a7b in ssl3_get_client_hello () from /lib64/libssl.so.6
>>> --- cut ---
>>> The host OS is RHEL 5.3 fully updated. I tried 32 and 64 bit versions
>>> from 0.6.32 to 0.6.38 with and without perl. The CPU is Intel(R)
>>> Xeon(R) CPU E5410 @ 2.33GHz. Exactly the same binary works on other
>>> machines (including KVM virtual ones) on CentOS 5.3 fully updated and
>>> I was using it on another machine with RHEL (have no access to that
>>> one any more).
>>>
>>> Can I help further? Can I disable all kerberos related stuff in the
>>> meantime somehow?
>>
>> Could you confirm that "ssl_prefer_server_ciphers off" does not cause
>> faults ?
>
> Yes, that's the way I'm using it currently.
>
>>
>> As to disabling kerberos you may try to build OpenSSL statically
>> with nginx:
>>
>> ./configure --with-openssl=/path/to/openssl/sources --with-openssl-opt=no-krb5
>
> Thank you, will try ASAP :)
>

Sorry for the late reply, I compiled nginx with statically linked
openssl without any krb5 support and it is working at least a week
without any problems, so I almost forgot the problem... The OpenSSL
and nginx are exaclty the same version (I have a CentOS 5 x86_64 rpm
if someone wants it). Something else I can check?

-- 
  BR,
    Doncho Gunchev

More information about the nginx mailing list