
PFS not working on cherokee #984

Closed
AnonSphere opened this Issue Jul 20, 2013 · 83 comments


I have the following TLS ciphers enabled:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA256:RC4-SHA:AES256-SHA:AES128-SHA

Most ciphers are currently not supported, but the most common browsers (Chrome, Firefox, Safari) should fall back to ECDHE-RSA-RC4-SHA; instead they fall back to RC4-SHA, and I have no explanation for that. Server Preference is enabled.

$ openssl ciphers ECDH
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AECDH-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AECDH-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AECDH-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDHE-RSA-NULL-SHA:ECDHE-ECDSA-NULL-SHA:AECDH-NULL-SHA:ECDH-RSA-NULL-SHA:ECDH-ECDSA-NULL-SHA

It seems DHE is working, but it is much slower than ECDHE. Is it possible that cherokee doesn't support ECDHE? I investigated a bit and nginx needed a little patch to support it. It does not seem to be a big deal to add it: see bumptech/stud#61 and http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
Here is the nginx implementation: http://forum.nginx.org/read.php?29,163903
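As an added illustration (not code from this issue, from Cherokee or from OpenSSL), the following Python models the selection behaviour reported above: it resolves the quoted cipher string with the local OpenSSL to show which suites the library still ships, and simulates server-preference negotiation with and without server-side ECDH support, where the browser offer `BROWSER_OFFER` is a constructed assumption.

```python
"""Model of the cipher selection described in the report above.

Constructed example; not Cherokee or OpenSSL code.  Two checks a defender
wants when a PFS suite never gets negotiated:
  1. resolve the configured cipher string with the local OpenSSL to see which
     suites the library still ships (RC4 suites are gone on OpenSSL >= 1.1.0);
  2. simulate server-preference selection with and without server-side ECDH
     support: an OpenSSL server with no temporary ECDH key configured skips
     every ECDHE suite, so a client offering ECDHE-RSA-RC4-SHA lands on RC4-SHA.
"""
import ssl

# Cipher string quoted in the issue report.
ISSUE_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:"
    "AES256-SHA256:RC4-SHA:AES256-SHA:AES128-SHA"
)

# Constructed ClientHello offer (assumption): a 2013-era browser that supports
# ECDHE but none of the server's GCM/SHA-2 suites, in the client's own order.
BROWSER_OFFER = ["ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES128-SHA", "RC4-SHA", "AES128-SHA"]


def has_forward_secrecy(name):
    """Ephemeral key exchange (ECDHE, DHE) or a TLS 1.3 suite gives PFS."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit(spec):
    """Split a cipher string into PFS and non-PFS suites, preserving order."""
    suites = spec.split(":")
    return {
        "pfs": [s for s in suites if has_forward_secrecy(s)],
        "no_pfs": [s for s in suites if not has_forward_secrecy(s)],
    }


def resolve_with_local_openssl(spec):
    """Expand `spec` with the OpenSSL this Python links against.

    Returns [(name, key_exchange, pfs)] in the library's preference order.
    Names the library does not know are dropped silently, so a suite that is
    configured but absent here can never be negotiated on this host.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # ssl.SSLError only if no suite at all matches
    resolved = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":  # always listed; not part of the string
            continue
        resolved.append((c["name"], c["kea"], has_forward_secrecy(c["name"])))
    return resolved


def server_usable(spec, ecdh_configured):
    """Suites the server can really offer: without a temporary ECDH key the
    ECDHE entries stay in the list but OpenSSL never selects them."""
    return [s for s in spec.split(":") if ecdh_configured or not s.startswith("ECDHE-")]


def negotiate(spec, client_offer, ecdh_configured, server_preference=True):
    """Return the suite the handshake ends with, or None if there is no overlap."""
    usable = server_usable(spec, ecdh_configured)
    ordered, other = (usable, client_offer) if server_preference else (client_offer, usable)
    for suite in ordered:
        if suite in other:
            return suite
    return None


if __name__ == "__main__":
    report = audit(ISSUE_CIPHERS)
    print("PFS suites:    ", report["pfs"])
    print("non-PFS suites:", report["no_pfs"])
    for name, kx, pfs in resolve_with_local_openssl(ISSUE_CIPHERS):
        print(f"local OpenSSL offers {name:32s} kx={kx:10s} pfs={pfs}")
    for ecdh in (True, False):
        print(f"server ECDH configured={ecdh!s:5s} -> negotiated",
              negotiate(ISSUE_CIPHERS, BROWSER_OFFER, ecdh))
```

With ECDH support the simulated handshake ends on ECDHE-RSA-RC4-SHA; without it the same offer ends on RC4-SHA, which is exactly the fall-through described in the report.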

Member

skinkie commented Jul 20, 2013

Would you like to get your hands a bit dirty and come up with a patch for Cherokee?

I could give you code for a lot of programming languages, but C is not my business. :-(

Member

skinkie commented Jul 20, 2013

I think we have a lot of infrastructure already for it but I can't promise to do it today :)

That's more than I could expect. :-)

The main problem with DHE is not the bad performance, but the missing option to use RC4 on the server or a better encryption in the browser. So you can only choose between using an encryption vulnerable to the BEAST attack or using an encryption vulnerable to MIM attacks. Currently the whole browser TLS thing is a big mess. :-(

Member

skinkie commented Jul 20, 2013

Not to mention everyone still using IE6 :)

If I could choose on my own, I would disable this whole SSLv3 and TLS1.0 crap. ;-)

@skinkie skinkie added a commit that referenced this issue Jul 27, 2013

@skinkie skinkie Merge pull request #987 from alanswanson/master
Enable ECDH cipher support. Thanks @alanswanson for this patch and fixing #984 !!
760fe7c

@skinkie skinkie closed this Jul 27, 2013

I ran into some problems with the patch when I ran the SSL Labs test:

*** stack smashing detected ***: /usr/sbin/cherokee-worker terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7fdc2d77c287]
/lib/libc.so.6(__fortify_fail+0x0)[0x7fdc2d77c250]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0(+0x86df2)[0x7fdc2dc84df2]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0(+0x87457)[0x7fdc2dc85457]
PID 28658: received a signal=6
Cherokee Web Server 1.2.103 (Jul 27 2013): Listening on ports ALL:443(TLS),
ALL:80, with TLS support via libssl, IPv6 enabled, using epoll, 4096 fds system
limit, max. 2041 connections, 20 threads, 102 connections per thread, standard
scheduling policy

Member

skinkie commented Jul 27, 2013

@alanswanson I did not see this when testing.

@AnonSphere could you run GDB and make a nice stacktrace?

Did a recompile with:

./autogen.sh --localstatedir=/var --prefix=/usr --sysconfdir=/etc --with-wwwroot=/var/www --enable-trace --enable-backtraces
make CFLAGS="-O0 -g3"
checkinstall
$ gdb cherokee
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/cherokee...(no debugging symbols found)...done.
(gdb) quit

Member

skinkie commented Jul 27, 2013

We really have lovely documentation:
CFLAGS="-O0 -ggdb3" ./autogen.sh ....

Still the same message after recompile with make CFLAGS="-O0 -ggdb3". :-/

Member

skinkie commented Jul 27, 2013

See the comment above ;)

Still the same message …

$ cherokee -i
Compilation
 Version: 1.2.103
 Compiled on: Jul 27 2013 14:46:16
 Arguments to configure:  '--localstatedir=/var' '--prefix=/usr' '--sysconfdir=/etc' '--with-wwwroot=/var/www' '--enable-trace' '--enable-backtraces' 'CFLAGS=-O0 -ggdb3'

Installation
 Deps dir: /usr/share/cherokee/deps
 Data dir: /usr/share/cherokee
 Icons dir: /usr/share/cherokee/icons
 Themes dir: /usr/share/cherokee/themes
 Plug-in dir: /usr/lib/cherokee
 Temporal dir: /tmp

Plug-ins
 Built-in: 

Support
 IPv6: yes
 Pthreads: yes
 Tracing: yes
 sendfile(): yes
 syslog(): yes
 Polling methods: epoll poll select 
 SSL/TLS: libssl
 TLS SNI: yes
$ gdb cherokee
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/cherokee...(no debugging symbols found)...done.

Member

skinkie commented Jul 27, 2013

try gdb on cherokee-worker (if that doesn't work, the worker from your source dir)

cherokee-worker does not work, starting from the src dir shows no error, but does not bring up the webserver.

Member

skinkie commented Jul 27, 2013

My hunch is that you don't install cherokee after you have built it (I don't know what checkinstall does). Is it possible that it strips your program?

It seems checkinstall strips the binaries; anyway, I guess this will not be very helpful:

gdb /usr/sbin/cherokee-worker
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/cherokee-worker...done.
(gdb) run
Starting program: /usr/sbin/cherokee-worker 
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff69bb700 (LWP 8311)]
[27/07/2013 15:29:55.663] (warning) spawner.c:91 - Could not open temporal file
    '/tmp/cherokee-spawner-8306': No such file or directory | It looks like the cherokee
    supervisor is not running, or it could not create the required temporal file.

[New Thread 0x7ffff20c8700 (LWP 8313)]
[New Thread 0x7ffff18c7700 (LWP 8314)]
[New Thread 0x7ffff10c6700 (LWP 8315)]
[New Thread 0x7ffff08c5700 (LWP 8316)]
[New Thread 0x7ffff00c4700 (LWP 8317)]
[New Thread 0x7fffef8c3700 (LWP 8318)]
[New Thread 0x7fffef0c2700 (LWP 8319)]
[New Thread 0x7fffee8c1700 (LWP 8320)]
[New Thread 0x7fffee0c0700 (LWP 8321)]
[New Thread 0x7fffed8bf700 (LWP 8322)]
[New Thread 0x7fffed0be700 (LWP 8323)]
[New Thread 0x7fffec8bd700 (LWP 8324)]
[New Thread 0x7fffec0bc700 (LWP 8325)]
[New Thread 0x7fffeb8bb700 (LWP 8326)]
[New Thread 0x7fffeb0ba700 (LWP 8327)]
[New Thread 0x7fffea8b9700 (LWP 8328)]
[New Thread 0x7fffea0b8700 (LWP 8329)]
[New Thread 0x7fffe98b7700 (LWP 8330)]
[New Thread 0x7fffe90b6700 (LWP 8331)]
Cherokee Web Server 1.2.103 (Jul 27 2013): Listening on ports ALL:443(TLS),
ALL:80, with TLS support via libssl, IPv6 enabled, using epoll, 4096 fds system
limit, max. 2041 connections, 20 threads, 102 connections per thread, standard
scheduling policy
*** stack smashing detected ***: /usr/sbin/cherokee-worker terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7ffff6ebc287]
/lib/libc.so.6(__fortify_fail+0x0)[0x7ffff6ebc250]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0(+0x86df2)[0x7ffff73c4df2]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0(+0x87457)[0x7ffff73c5457]
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff18c7700 (LWP 8314)]
0x00007ffff6e0a1b5 in raise () from /lib/libc.so.6
Member

skinkie commented Jul 27, 2013

press b hit enter

(gdb) b
Breakpoint 1 at 0x7ffff6e0a1b5

The only difference is, that the webserver crashes completely after the fault.

Member

skinkie commented Jul 27, 2013

Sorry, I meant bt enter

*** stack smashing detected ***: /usr/sbin/cherokee-worker terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7ffff6ebc287]
/lib/libc.so.6(__fortify_fail+0x0)[0x7ffff6ebc250]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0(+0x86df2)[0x7ffff73c4df2]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffea7fc700 (LWP 6888)]
0x00007ffff6e0a1b5 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff6e0a1b5 in raise () from /lib/libc.so.6
#1  0x00007ffff6e0cfc0 in abort () from /lib/libc.so.6
#2  0x00007ffff6e405bb in ?? () from /lib/libc.so.6
#3  0x00007ffff6ebc287 in __fortify_fail () from /lib/libc.so.6
#4  0x00007ffff6ebc250 in __stack_chk_fail () from /lib/libc.so.6
#5  0x00007ffff73c4df2 in HMAC_Final () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#6  0x0000000000000000 in ?? ()

I tried a benchmark on cherokee, but no failure. It seems as this only happens on the "Testing renegotiation" stage on this test. See https://www.ssllabs.com/ssltest/analyze.html?d=secure.anonsphere.com

Member

skinkie commented Jul 27, 2013

What troubles me is that this happens inside openssl...

@skinkie skinkie reopened this Jul 27, 2013

OpenSSL is the most recent version for Squeeze:

$ openssl version
OpenSSL 1.0.1c 10 May 2012
Member

skinkie commented Jul 27, 2013

I think you could try a few things:

  1. compile openssl yourself with, with support for valgrind and debugging
  2. run valgrind on cherokee-worker see what happens

You might be able to get away without step one, but it may give a lot of false positives.

I compiled 1.0.1e but the error persists. The valgrind process does not even start because of another problem:

valgrind /usr/sbin/cherokee-worker 
==23527== Memcheck, a memory error detector
==23527== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==23527== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==23527== Command: /usr/sbin/cherokee-worker
==23527== 
--23527-- Warning: DWARF2 CFI reader: unhandled DW_OP_ opcode 0x2a

valgrind: m_debuginfo/readdwarf.c:2329 (copy_convert_CfiExpr_tree): Assertion 'srcix >= 0 && srcix < VG_(sizeXA)(srcxa)' failed.
==23527==    at 0x3802B0A7: report_and_quit (m_libcassert.c:191)
==23527==    by 0x3802B2E0: vgPlain_assert_fail (m_libcassert.c:265)
==23527==    by 0x3809C7BF: copy_convert_CfiExpr_tree (readdwarf.c:2329)
==23527==    by 0x3809CB05: summarise_context (readdwarf.c:2129)
==23527==    by 0x3809F1BD: run_CF_instructions (readdwarf.c:3541)
==23527==    by 0x380A0DDC: vgModuleLocal_read_callframe_info_dwarf3 (readdwarf.c:4079)
==23527==    by 0x38058A85: vgModuleLocal_read_elf_debug_info (readelf.c:2077)
==23527==    by 0x38054229: vgPlain_di_notify_mmap (debuginfo.c:818)
==23527==    by 0x38071689: vgModuleLocal_generic_PRE_sys_mmap (syswrap-generic.c:2039)
==23527==    by 0x38092BC9: vgSysWrap_amd64_linux_sys_mmap_before (syswrap-amd64-linux.c:995)
==23527==    by 0x38067EE7: vgPlain_client_syscall (syswrap-main.c:1442)
==23527==    by 0x38064A4D: handle_syscall (scheduler.c:895)
==23527==    by 0x380658B9: vgPlain_scheduler (scheduler.c:1091)
==23527==    by 0x3808F194: run_a_thread_NORETURN (syswrap-linux.c:94)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==23527==    at 0x40160AA: mmap (syscall-template.S:82)
==23527==    by 0x4006507: _dl_map_object_from_fd (dl-load.c:1331)
==23527==    by 0x4007839: _dl_map_object (dl-load.c:2329)
==23527==    by 0x400CF31: openaux (dl-deps.c:65)
==23527==    by 0x400D905: _dl_catch_error (dl-error.c:178)
==23527==    by 0x400C033: _dl_map_object_deps (dl-deps.c:247)
==23527==    by 0x40032B6: dl_main (rtld.c:1792)
==23527==    by 0x4014A76: _dl_sysdep_start (dl-sysdep.c:243)
==23527==    by 0x4001422: _dl_start (rtld.c:338)
==23527==    by 0x4000AF7: ??? (in /lib/ld-2.11.3.so)


Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

The main problem is that this is a production server; I cannot take it offline. My test server is not reachable for the public, so I cannot test with ssllabs. I will try to install into another jail and temporarily switch to this cherokee. But I cannot switch permanently because of a stupid dependency on PHP 5.3 which is not available for wheezy.

Member

skinkie commented Jul 27, 2013

Do I see this correctly? Are you testing this on a RaspberryPi?

Nope, Debian Squeeze inside a chroot jail.

Member

skinkie commented Jul 27, 2013

What is that vg stuff?

← No C programmer. :-/

I just installed valgrind with apt and started it.

Ok, I installed a completely clean debian wheezy inside another jail and installed the needed dependencies. Turned off the old jail, started php-fpm and cherokee in the new jail and got exactly the same error. Seems to be a debian problem, but I don't know how to solve it.

I tried it on a completely different server (Debian Wheezy) and got the same problem. It has to do something with the ECDHE ciphers, because if I remove them from the ciphers, e.g. AES256-SHA256:RC4-SHA:AES256-SHA:AES128-SHA, everything works fine.

Member

skinkie commented Jul 27, 2013

Do you have any idea how to trigger the bug locally? Without using their tool. That would help much. I'm now on a system with openssl-1.0.0 too, so that must be able to reproduce it.

@skinkie How do you test ECDHE on openssl < 1.0? This feature was introduced in version 1.0.0!?

Locally only a dynamic dns might work.

Member

skinkie commented Jul 27, 2013

I say that I'm running openssl-1.0.0; where do you see less than 1.0? The point is that I am not able to run any remote tests at this point.

Just understand it this way. Sorry! Currently I have no public test server, I could provide. To test locally you can use something like http://free.domain.name/. The invalid certificate should not matter for testing.

Member

skinkie commented Jul 27, 2013

Are you able to crash it just by visiting the Cherokee server with Chrome? That easy? What should I configure for that? Because before I merged/pushed it, I tested locally whether it worked.

I wasn't able to crash it with a browser or a benchmark tool. Just the multiple renegotiation seems to be a problem. I cannot tell if this will be a problem in real life, but I think it is an unexpected behaviour.

Member

skinkie commented Jul 27, 2013

Again: how to reproduce?

The only way to reproduce, that I know is the ssllabs test.

Member

skinkie commented Jul 27, 2013

Could you ask them, about the specific test? If they have an offline tool?

Member

skinkie commented Jul 27, 2013

I am also puzzled about something. Because when I use http://www.thc.org/thc-ssl-dos/ I even get: ERROR: Target has disabled renegotiations.

So now I do wonder if it is related to something that I configured differently.

I will ask for the testcode and …

$ thc-ssl-dos --accept 81.30.152.22
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/
            http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

Waiting for script kiddies to piss off................
The force is with those who read the source...
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
Handshakes 0 [0.00 h/s], 343 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
Handshakes 0 [0.00 h/s], 400 Conn, 0 Err
ERROR: Target has disabled renegotiations.
Use your own skills to modify the source to test/attack
the target [hint: TCP reconnect for every handshake].

Oh and this was WITH the ECDHE ciphers turned on.

I opened a ticket in their forum
https://community.qualys.com/message/19505

I tested a few things out and the problem is there:

ECDHE-RSA-AES256-GCM-SHA384

If I remove it from the ciphers to:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA256:RC4-SHA:AES256-SHA:AES128-SHA

everything works fine. And I have no idea what the problem is. Maybe a problem for the openssl mailing list?

To be more exact, whenever I add one of these ciphers, the process crashes on the ssl test.

$ openssl ciphers SHA384
ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384
Member

skinkie commented Jul 27, 2013

Maybe this requires an initialisation we do not (yet) do?

Maybe related to: http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html ?

Hm, I'm confused. I have a second server with exactly the same openssl version (self compiled), same cherokee version (self compiled) and it crashes on all ECDHE ciphers.

Another problem. I updated to the latest snapshot openssl 1.0.2 and all ECDHE ciphers are ignored.

Ok, I found out two things. First nginx has the same problem:
https://www.ssllabs.com/ssltest/analyze.html?d=hidemyass.com&hideResults=on

And second:
The problem only applies without SNI support. If the domain falls back to the IP address with the same certificate, the openssl process crashes. Most browsers will not fall back to the IP (every one except IE on WinXP).

But I still don't know, if this is a problem of the test, the protocol, cherokee or openssl :-(

Contributor

alanswanson commented Jul 28, 2013

No problems here, my server is running Gentoo compiled with GCC 4.7.3 and OpenSSL 1.0.1e without problems including the SSL Labs test.

Not sure what's wrong with AnonSphere's servers if ciphers using SHA384 with ECDH[E] were causing the problem on one server versus all ECDHE ciphers on another similar system. Certainly looks like an OpenSSL problem anyway, possibly due to a compiler bug? Could temporarily test whether it works with glibc heap corruption checking disabled via "MALLOC_CHECK_=0".

Member

skinkie commented Jul 29, 2013

Would you have some time to investigate the issue a bit deeper?

I would, if there was a way to debug openssl. The problem lies there. If I connect using ECDHE-RSA-AES256-GCM-SHA384 it crashes immediately. But there is no debug information to find out why.

Member

skinkie commented Jul 31, 2013

In order to debug openssl you have to compile it in a special way, as @alanswanson already pointed out. Without that gdb and/or valgrind can't do anything with it.

I already HAVE done it, but openssl does not give me more information than I already have posted.

Member

skinkie commented Jul 31, 2013

Any feedback on the openssl list? If you compile the latest openssl, same error?

If I use 1.0.2, all ECDHE Ciphers are ignored.

Backtrace information is:

#0  0x00007ffff6e301b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff6e32fc0 in *__GI_abort () at abort.c:92
#2  0x00007ffff6e665bb in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff6ee2287 in *__GI___fortify_fail (msg=0x7ffff6f25d12 "stack smashing detected") at fortify_fail.c:32
#4  0x00007ffff6ee2250 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x00007ffff73eadf2 in HMAC_Final () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#6  0x00007ffff73eb457 in ?? () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#7  0x0000000000000000 in ?? ()

openssl is compiled with debug information.

Member

skinkie commented Jul 31, 2013

libcrypto doesn't seem to be compiled with debugging... is it?

libcrypto should be part of openssl. openssl was configured with

./config -d --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared

as mentioned there

http://stackoverflow.com/questions/11129826/build-openssl-on-linux-with-g-for-debugging

Member

skinkie commented Jul 31, 2013

Your distribution is playing tricks on you: /usr/lib/x86_64-linux-gnu/ != /usr

I think, this will help more:

#0  0x00007ffff6d7f1e5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6d82398 in __GI_abort () at abort.c:90
#2  0x00007ffff6dba7cb in __libc_message (do_abort=2, fmt=0x7ffff6eb4895 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3  0x00007ffff6e46d17 in __GI___fortify_fail (msg=0x7ffff6eb487d "stack smashing detected") at fortify_fail.c:31
#4  0x00007ffff6e46ce0 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00007ffff737fbbf in HMAC_Final (ctx=0x7fffb0019590, md=0x7ffff082c740 "", len=0x7ffff082c590) at hmac.c:185
#6  0x00007ffff73803ca in hmac_signctx (ctx=0x80, sig=0x7ffff082c740 "", siglen=0x7ffff082c6d0, mctx=0x7ffff082c5e0) at hm_pmeth.c:172
#7  0x0000000000000000 in ?? ()
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
Contributor

kinnison commented Jan 31, 2014

I have been testing recently and current git master on wheezy seems to support PFS in a 'robust' way according to SSL Labs. I think this issue might have been fixed by a related tweak which made various SSL handshakes function properly again when going near SHA512.

Member

skinkie commented Feb 5, 2014

@AnonSphere and now you will share how you got to the A+... I do want to know!! :P Or are you saying that this is out of the box behavior ;)

Cipher: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-SHA
Server Preference: Check
Compression: Not checked
Enable HSTS: Check

This configuration will lock out all Windows XP/IE6 to IE8 users. But for this site it is less than 1 in 2000, so we can do that now.

Contributor

kinnison commented Feb 5, 2014

@AnonSphere, I'm glad to hear things are working for you.

So you got A+ by disabling plain DHE?

Contributor

kinnison commented Feb 5, 2014

Either way, I'm super-glad this issue is resolved now.

DHE is damn slow, so I never used it. The only change I made was deactivating RC4 on the ip address.

Contributor

kinnison commented Feb 5, 2014

Interesting. I shall have to look at that. I'm not sure I can knock out that wide a range of crappy old browsers though :-(

As I think of it, since < IE8 is not supported anyway, it may be a good idea to remove AES256-SHA too.

Firefox, Opera and Chrome bring their own TLS Libs, so it's only the combination XP/IE. It is time to move on. IE8 is now 4 years old. And support for XP ends in 60 days.

Contributor

kinnison commented Feb 5, 2014

Sounds like I should do a browser survey at some point. Thanks for the tips.

@skinkie -- wanna mark this done?

Member

skinkie commented Feb 5, 2014

Quite happy to do so @kinnison! @AnonSphere thanks for reporting it :)

@skinkie skinkie closed this Feb 5, 2014

I don't want to open a new ticket, so I ask here first. In Apache I can choose the ciphers and protocols separately. So I can say use ECDHE-RSA-AES256-SHA but do not use SSLv3. Is this possible in cherokee?

SSLProtocol all -SSLv2 -SSLv3

Member

skinkie commented Feb 6, 2014

I don't really know how the 'magic' string works from OpenSSL perspective. So I don't know if you can do this by defining that string. What I do know is that if you specify anything other than the default, it will completely override the default.

I only know, it is not possible with the cipher list:

openssl ciphers -v 'TLSv1:!SSLv3'

Error in cipher list
139714591569576:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:

@kinnison Do you know, if this is possible?

Member

skinkie commented Feb 6, 2014

If you know a way to configure it on openssl level, either with some flags, do tell me. It can be added to the admin (but I recall in the advanced section we already have something similar).


@skarcha SSLv2 is no big problem as this can be determined in the cipher list and it is not supported by most openssl versions anymore. The main problem is that if you define it in the cipher list you only have ciphers with SHA256, but none with SHA1. That means you will kick out a lot of browsers. What I want to do is use ECDHE-RSA-AES256-SHA, but only in the TLSv1 protocol context and not in the SSLv3 protocol context.

I think this is easy to fix, as there should just be an option for adding SSL_OP_NO_SSLv3 to the SSL options in https://github.com/cherokee/webserver/blob/master/cherokee/cryptor_libssl.c. If SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 are forbidden, the server will be forced to send a TLSv1 hello to the client.

Something like:

if (! cryp->allow_SSLv3) {
    options |= SSL_OP_NO_SSLv3;
}

should do the trick. See http://openssl.6102.n7.nabble.com/FW-Negotiating-TLS-1-0-from-1-2-td39516.html and https://www.openssl.org/docs/ssl/SSL_CTX_new.html.
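The split described above, protocol floor as an SSL_CTX option and suite choice as the cipher string, as an added example that is not cherokee's code: it uses Python's stdlib ssl module, which sets the same OpenSSL options, and the function names and the allow/deny wiring are assumptions of this example.

```python
"""Added example (not cherokee's code): protocol version control and cipher
selection as two separate knobs, the split the thread asks for.  Python's
stdlib ssl module wraps the same OpenSSL SSL_CTX options, so no cherokee
build is needed to see the effect."""
import ssl
import warnings

# Cipher list AnonSphere posted for the A+ result.  Names the local OpenSSL
# build does not know (e.g. RC4-SHA on OpenSSL 3) are silently dropped by
# SSL_CTX_set_cipher_list; only an empty result raises an error.
CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
           "ECDHE-RSA-AES256-SHA:AES256-SHA")


def build_server_context(ciphers: str = CIPHERS) -> ssl.SSLContext:
    """Python mirror of the proposed cryptor_libssl.c change (our naming).

    The cipher string only decides WHICH suites may be negotiated.  The
    protocol floor is a separate SSL_CTX option: SSL_OP_NO_SSLv3 keeps
    ECDHE-RSA-AES256-SHA usable under TLSv1+ while refusing an SSLv3
    ClientHello, something no cipher-string syntax ('!SSLv3') expresses.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    options = (ssl.OP_NO_SSLv2                   # thread: "no big problem"
               | ssl.OP_NO_SSLv3                 # proposed allow_SSLv3 = false
               | ssl.OP_CIPHER_SERVER_PREFERENCE  # "Server Preference: Check"
               | ssl.OP_NO_COMPRESSION)          # "Compression: Not checked"
    with warnings.catch_warnings():
        # Python >= 3.10 flags OP_NO_SSL* as deprecated in favour of
        # ctx.minimum_version; both end up in the same OpenSSL state.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= options
    ctx.set_ciphers(ciphers)
    return ctx


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses SSLv3 regardless of the cipher list."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def server_preference_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the server's cipher order wins over the client's."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def configured_cipher_names(ctx: ssl.SSLContext) -> list:
    """Suite names OpenSSL actually kept from the cipher string."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    context = build_server_context()
    print("SSLv3 disabled:", sslv3_disabled(context))
    print("Server preference:", server_preference_enabled(context))
    for name in configured_cipher_names(context):
        print(" ", name)
```

Unknown suite names in the list are dropped silently, so compare configured_cipher_names() against what you intended before deploying.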

Member

skinkie commented Feb 6, 2014

If you file the new issue for it ;) I'll implement within an hour ;)
