Re: nginx-0.8.54 and ssl

Andrey Y. Ostanovsky andrey at ostanovsky.spb.ru
Tue Feb 1 16:55:13 MSK 2011


Igor Sysoev writes:
> On Tue, Feb 01, 2011 at 03:32:25PM +0300, Andrey Y. Ostanovsky wrote:
>   
>> Upgraded from ports from nginx-0.7.67 to nginx-0.8.54 - ssl broke with
>> the diagnostic
>>
>> 2011/02/01 15:17:52 [alert] 90164#0: worker process 90171 exited on
>> signal 10
>>
>> Rolled back to the 7th branch.
>>     
>
> nginx -V
>   
nginx version: nginx/0.8.54
TLS SNI support disabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I
/usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_gzip_static_module
--with-http_realip_module --with-http_ssl_module
--with-http_stub_status_module --with-pcre

> and the core dumps

It was built without debugging symbols, so the core dump is effectively empty:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging
symbols found)...
Core was generated by `nginx-0.8.54'.
Program terminated with signal 10, Bus error.
Reading symbols from /lib/libcrypt.so.4...(no debugging symbols
found)...done.
Loaded symbols for /lib/libcrypt.so.4
Reading symbols from /usr/local/lib/libpcre.so.0...(no debugging symbols
found)...done.
Loaded symbols for /usr/local/lib/libpcre.so.0
Reading symbols from /usr/lib/libssl.so.5...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libssl.so.5
Reading symbols from /lib/libcrypto.so.5...(no debugging symbols
found)...done.
Loaded symbols for /lib/libcrypto.so.5
Reading symbols from /lib/libz.so.4...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.4
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols
found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0000000800ecf416 in memcpy () from /lib/libc.so.7
(gdb) bt
#0  0x0000000800ecf416 in memcpy () from /lib/libc.so.7
#1  0x00000000004231d0 in ?? ()
#2  0x00000000004339ae in ?? ()



It is not the whole SSL protocol that breaks, but the redirect by error code
in the case where the client certificate did not suit us:

...
        ssl_verify_client       on;
        ssl_verify_depth        1;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;
...
        error_page 496     https://stat2.some...host.ru/location1/;
        error_page 497     https://stat2.some...host.ru/location1/;

In the logs there is error code 400, and an empty page in the browser.

The same config works when the binary is swapped for 0.7.67

nginx version: nginx/0.7.67
TLS SNI support disabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I
/usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_flv_module
--with-http_gzip_static_module --with-http_realip_module
--with-http_ssl_module --with-http_stub_status_module --with-pcre


-- 
Best regards, Andrey Y. Ostanovsky
xmpp: aost at jabber.spb.ru
phone: +7 911 7006295 
St.Petersburg, Russia 
