----- Forwarded message from Barry Brachman <barry.brach...@gmail.com> -----
Date: Sun, 28 May 2017 12:35:44 -0700
From: Barry Brachman <barry.brach...@gmail.com>
Reply-to: barry.brach...@gmail.com
To: Christoph Berg <m...@debian.org>
Subject: Re: ssl_hook_Fixup needed?

Hi Christoph --

>Debian has again run into the "undefined symbol: ssl_hook_Fixup"
>problem. Historically, we've simply been removing the function call
>and I'm not aware of any problems with the instances we are running at
>a customer and on debian.org.
>
>I have to admit though that I don't have any idea what that code is
>supposed to be doing. Is it ok to remove it? After all, it's a
>non-exported private function in openssl.

This problem has shown up from time to time, although I don't see it
on my development system anymore. It is mentioned in dacs.install(7)
along with some solutions.
https://dacs.dss.ca/man/dacs.install.7.html

The call to ssl_hook_Fixup (see Apache's modules/ssl/ssl_engine_kernel.c)
has been in DACS for a very long time. That function call from
mod_auth_dacs.c appears to ensure that SSL/TLS environment variables for
an HTTP request have been initialized so that DACS can export them to
dacs_acs(8) so that access control rules can inspect them if they desire.
https://dacs.dss.ca/man/dacs_acs.8.html

If you make an SSL/TLS request to a DACS wrapped resource, such as
dacs_prenv(8), you should see a large number of environment variables
associated with SSL/TLS processing.
https://dacs.dss.ca/man/dacs_prenv.8.html
(I'll paste some sample output at the end of this.)

So if you remove the function call I'm not sure if those variables
will still be available to mod_auth_dacs at that instant. It may
depend on some random processing order within Apache. But if you
don't care about the ability to inspect these variables you can give
it a try.

>Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863395
>
>Patch: https://anonscm.debian.org/cgit/collab-maint/dacs.git/tree/debian/patches/ssl_hook_Fixup

I hope this helps. Let me know if you have any more questions.

Barry

SSL_CIPHER="ECDHE-RSA-AES128-GCM-SHA256"
SSL_CIPHER_ALGKEYSIZE="128"
SSL_CIPHER_EXPORT="false"
SSL_CIPHER_USEKEYSIZE="128"
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="sha256WithRSAEncryption"
SSL_CLIENT_CERT="-----BEGIN CERTIFICATE-----
MIIE+jCCA+KgAwIBAgIBGTANBgkqhkiG9w0BAQsFADCBpTELMAkGA1UEBhMCQ0Ex
...
-----END CERTIFICATE-----
"
SSL_CLIENT_CERT_RFC4523_CEA="{ serialNumber 25, issuer rdnSequence:"CN=Distributed Systems Software Certificate Authority,O=Distributed Systems Software Inc.,L=Victoria,ST=British Columbia,C=CA" }"
SSL_CLIENT_I_DN="CN=Distributed Systems Software Certificate Authority,O=Distributed Systems Software Inc.,L=Victoria,ST=British Columbia,C=CA"
SSL_CLIENT_I_DN_C="CA"
SSL_CLIENT_I_DN_CN="Distributed Systems Software Certificate Authority"
SSL_CLIENT_I_DN_L="Victoria"
SSL_CLIENT_I_DN_O="Distributed Systems Software Inc."
SSL_CLIENT_I_DN_ST="British Columbia"
SSL_CLIENT_M_SERIAL="19"
SSL_CLIENT_M_VERSION="3"
SSL_CLIENT_SAN_Email_0="brach...@dss.ca"
SSL_CLIENT_S_DN="CN=Barry Brachman,O=Distributed Systems Software Inc.,L=Victoria,ST=British Columbia,C=CA"
SSL_CLIENT_S_DN_C="CA"
SSL_CLIENT_S_DN_CN="Barry Brachman"
SSL_CLIENT_S_DN_L="Victoria"
SSL_CLIENT_S_DN_O="Distributed Systems Software Inc."
SSL_CLIENT_S_DN_ST="British Columbia"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_CLIENT_V_END="Mar 1 01:06:08 2025 GMT"
SSL_CLIENT_V_REMAIN="2834"
SSL_CLIENT_V_START="Mar 4 01:06:08 2015 GMT"
SSL_COMPRESS_METHOD="NULL"
SSL_PROTOCOL="TLSv1.2"
SSL_SECURE_RENEG="true"
SSL_SERVER_A_KEY="rsaEncryption"
SSL_SERVER_A_SIG="sha256WithRSAEncryption"
SSL_SERVER_CERT="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"
SSL_SERVER_I_DN="CN=Distributed Systems Software Certificate Authority,O=Distributed Systems Software Inc.,L=Victoria,ST=British Columbia,C=CA"
SSL_SERVER_I_DN_C="CA"
SSL_SERVER_I_DN_CN="Distributed Systems Software Certificate Authority"
SSL_SERVER_I_DN_L="Victoria"
SSL_SERVER_I_DN_O="Distributed Systems Software Inc."
SSL_SERVER_I_DN_ST="British Columbia"
SSL_SERVER_M_SERIAL="17"
SSL_SERVER_M_VERSION="3"
SSL_SERVER_SAN_Email_0="brach...@dss.ca"
SSL_SERVER_S_DN="CN=bsd9.dss.ca,O=Distributed Systems Software Inc.,ST=British Columbia,C=CA"
SSL_SERVER_S_DN_C="CA"
SSL_SERVER_S_DN_CN="bsd9.dss.ca"
SSL_SERVER_S_DN_O="Distributed Systems Software Inc."
SSL_SERVER_S_DN_ST="British Columbia"
SSL_SERVER_V_END="Mar 1 01:01:50 2025 GMT"
SSL_SERVER_V_START="Mar 4 01:01:50 2015 GMT"
SSL_SESSION_RESUMED="Initial"
SSL_TLS_SNI="bsd9.dss.ca"
SSL_VERSION_INTERFACE="mod_ssl/2.4.25"
SSL_VERSION_LIBRARY="OpenSSL/1.0.2l"
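
Added example, not part of the forwarded message and not DACS code: a Python check that parses NAME="value" output in the layout of the sample above and reports which TLS variables are absent, so a build without the ssl_hook_Fixup call can be compared against one with it. The REQUIRED set and both sample inputs are constructed assumptions; the output layout is assumed from the pasted sample only.

```python
import re

# A variable starts at a line beginning with NAME=" (layout of the sample above).
_VAR_START = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="', re.MULTILINE)

# Assumption: the variables the site's access control rules depend on.
REQUIRED = ("SSL_PROTOCOL", "SSL_CIPHER", "SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN")

def parse_prenv(text):
    """Parse NAME="value" output into a dict.

    Values can span lines (PEM certificates) and can contain unescaped
    double quotes (SSL_CLIENT_CERT_RFC4523_CEA), so each value is taken to
    end at the last quote before the next variable starts.
    """
    starts = list(_VAR_START.finditer(text))
    env = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        raw = text[m.end():end].rstrip()
        if not raw.endswith('"'):
            raise ValueError(f"unterminated value for {m.group(1)}")
        env[m.group(1)] = raw[:-1]
    return env

def missing_tls_vars(env, required=REQUIRED):
    """Return the required variables that are absent or empty, sorted."""
    return sorted(name for name in required if not env.get(name))

# Constructed sample: TLS variables were exported to the request environment.
WITH_TLS_VARS = '''SSL_CIPHER="ECDHE-RSA-AES128-GCM-SHA256"
SSL_CLIENT_CERT="-----BEGIN CERTIFICATE-----
(constructed placeholder body)
-----END CERTIFICATE-----
"
SSL_CLIENT_CERT_RFC4523_CEA="{ serialNumber 25, issuer rdnSequence:"CN=Example CA,C=CA" }"
SSL_CLIENT_S_DN="CN=Example User,C=CA"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_PROTOCOL="TLSv1.2"
'''

# Constructed sample: TLS variables were not set when the environment was read.
WITHOUT_TLS_VARS = '''REQUEST_METHOD="GET"
SERVER_NAME="www.example.test"
'''

if __name__ == "__main__":
    for label, sample in (("with", WITH_TLS_VARS), ("without", WITHOUT_TLS_VARS)):
        print(label, "-> missing:", missing_tls_vars(parse_prenv(sample)))
```

Rules that test a missing SSL_* variable see an empty value, so a non-empty result from this check means such rules need reviewing before the patched module is deployed.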