Welcome! Log In Create A New Profile

Re: nginx-0.8.54 и ssl

Forum List Message List New Topic Print View

Andrey Y. Ostanovsky

February 01, 2011 08:56AM

Igor Sysoev пишет:
> On Tue, Feb 01, 2011 at 03:32:25PM +0300, Andrey Y. Ostanovsky wrote:
>
>> Обновился из портов с nginx-0.7.67 на nginx-0.8.54 - сломался ssl с
>> диагностикой
>>
>> 2011/02/01 15:17:52 [alert] 90164#0: worker process 90171 exited on
>> signal 10
>>
>> Откатился обратно на 7-ю ветку.
>>
>
> nginx -V
>
nginx version: nginx/0.8.54
TLS SNI support disabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I
/usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_gzip_static_module
--with-http_realip_module --with-http_ssl_module
--with-http_stub_status_module --with-pcre

> и корки

Собрано без отладочных символов, поэтому корка фактически пустая:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging
symbols found)...
Core was generated by `nginx-0.8.54'.
Program terminated with signal 10, Bus error.
Reading symbols from /lib/libcrypt.so.4...(no debugging symbols
found)...done.
Loaded symbols for /lib/libcrypt.so.4
Reading symbols from /usr/local/lib/libpcre.so.0...(no debugging symbols
found)...done.
Loaded symbols for /usr/local/lib/libpcre.so.0
Reading symbols from /usr/lib/libssl.so.5...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libssl.so.5
Reading symbols from /lib/libcrypto.so.5...(no debugging symbols
found)...done.
Loaded symbols for /lib/libcrypto.so.5
Reading symbols from /lib/libz.so.4...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.4
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols
found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x0000000800ecf416 in memcpy () from /lib/libc.so.7
(gdb) bt
#0 0x0000000800ecf416 in memcpy () from /lib/libc.so.7
#1 0x00000000004231d0 in ?? ()
#2 0x00000000004339ae in ?? ()

Ломается не весь протокол SSL, а редирект по коду ошибки в случае,
если клиентский сертификат нам не подошел:

....
ssl_verify_client on;
ssl_verify_depth 1;

ssl_session_timeout 5m;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
....
error_page 496 https://stat2.some...host.ru/location1/;
error_page 497 https://stat2.some...host.ru/location1/;

В логах - код ошибки 400 и пустая странца в браузере.

Этот же конфиг при смене бинаря на 0.7.67 работает

nginx version: nginx/0.7.67
TLS SNI support disabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I
/usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-log-path=/var/log/nginx-access.log --with-http_flv_module
--with-http_gzip_static_module --with-http_realip_module
--with-http_ssl_module --with-http_stub_status_module --with-pcre

--
Best regards, Andrey Y. Ostanovsky
xmpp: aost@jabber.spb.ru
phone: +7 911 7006295
St.Petersburg, Russia

_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://nginx.org/mailman/listinfo/nginx-ru

Reply Quote

RSS

Subject	Author	Posted
nginx-0.8.54 и ssl	Andrey Y. Ostanovsky	February 01, 2011 07:34AM
Re: nginx-0.8.54 и ssl	Igor Sysoev	February 01, 2011 08:00AM
Re: nginx-0.8.54 и ssl	Andrey Y. Ostanovsky	February 01, 2011 08:56AM
Re: nginx-0.8.54 и ssl	Maxim Dounin	February 01, 2011 09:10AM
Re: nginx-0.8.54 и ssl	Andrey Y. Ostanovsky	February 02, 2011 03:10AM
Re: nginx-0.8.54 и ssl	Kirill A. Korinskiy	February 01, 2011 08:56AM
Re: nginx-0.8.54 и ssl	Igor Sysoev	February 01, 2011 09:04AM
Re: nginx-0.8.54 и ssl	Maxim Dounin	February 01, 2011 09:18AM
Re: nginx-0.8.54 и ssl	Kirill A. Korinskiy	February 01, 2011 09:50AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 179

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018