
touch-packages team mailing list archive

[Bug 795355] Re: Intermittent SSL connection faults when using TLSv1


This bug has been driving me insane lately - or if it is not the same
bug then the symptoms are identical.

What I have is a 14.04.2 LTS server that has had a Rails app running for
some time without this problem. Now, approx a month ago, I started
seeing this problem where on Firefox I intermittently get the
'sec_error_bad_signature' error. I have not tried to reproduce it in
Chrom(e/ium) since as said it happens only sometimes. When it happens on
Firefox, a few reloads solve the problem.

BUT it's not only Firefox. I have a monitoring system by my host which
gives me downtime on an HTTPS check approx 20 times a day, typically in
two batches - probably because at some point Apache restarts and the
error goes away for a while. The error it gets from the check is:

> Exception: #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0
state=SSLv3 read server key exchange B: bad signature>

Also, I monitor sites with Uptimerobot too, which also gives a failure
at same time. During a few hours it gives 10-20 up/down notifications as
the web site is flaky.

In the Apache error log, I can see this:

> [Sun May 10 06:25:20.149372 2015] [ssl:warn] [pid 32429:tid 140264803096448] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
> [Sun May 10 06:25:20.149467 2015] [mpm_event:notice] [pid 32429:tid 140264803096448] AH00489: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
> [Sun May 10 06:25:20.149478 2015] [core:notice] [pid 32429:tid 140264803096448] AH00094: Command line: '/usr/sbin/apache2'
> [Sun May 10 07:29:00.154618 2015] [core:notice] [pid 32429:tid 140264803096448] AH00051: child pid 19109 exit signal Segmentation fault (11), possible coredump in /etc/apache2
> *** Error in `/usr/sbin/apache2': double free or corruption (!prev): 0x00007f91b80096c0 ***
> [Sun May 10 07:42:06.978787 2015] [core:notice] [pid 32429:tid 140264803096448] AH00051: child pid 20347 exit signal Aborted (6), possible coredump in /etc/apache2
> [Sun May 10 14:53:43.497375 2015] [mpm_event:notice] [pid 32429:tid 140264803096448] AH00491: caught SIGTERM, shutting down
> [Sun May 10 14:53:44.534805 2015] [mpm_event:notice] [pid 28764:tid 140143992375168] AH00489: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
> [Sun May 10 14:53:44.534899 2015] [core:notice] [pid 28764:tid 140143992375168] AH00094: Command line: '/usr/sbin/apache2'
> [Sun May 10 15:39:34.413988 2015] [core:notice] [pid 28764:tid 140143992375168] AH00051: child pid 28768 exit signal Segmentation fault (11), possible coredump in /etc/apache2
> *** Error in `/usr/sbin/apache2': double free or corruption (!prev): 0x00007f75b0006f80 ***
> [Sun May 10 16:31:14.678905 2015] [core:notice] [pid 28764:tid 140143992375168] AH00051: child pid 30167 exit signal Aborted (6), possible coredump in /etc/apache2
> *** Error in `/usr/sbin/apache2': double free or corruption (!prev): 0x00007f75ac009780 ***
> [Sun May 10 19:46:56.937817 2015] [core:notice] [pid 28764:tid 140143992375168] AH00051: child pid 32308 exit signal Aborted (6), possible coredump in /etc/apache2
> *** Error in `/usr/sbin/apache2': double free or corruption (!prev): 0x00007f75b0006f80 ***
> [Sun May 10 20:31:54.754358 2015] [core:notice] [pid 28764:tid 140143992375168] AH00051: child pid 6829 exit signal Aborted (6), possible coredump in /etc/apache2

Initially I suspected the problem was caused by adding another SSL site
(Django) to the same server as a VirtualHost, at which point SNI comes
into play. However, I have tried for a few days disabling SSL on the
other site and the problem does not go away.

The first time I reported this problem to my users was 12th April - so
it started around that time for sure. This has been steadily happening
for the whole time, more or less depending on days.

Apache2 - 2.4.7-1ubuntu4.4
openssl - 1.0.1f-1ubuntu2.11

Anything I could provide for debugging? Attaching "ubuntu-bug apache"
output. Is there a good PPA for an updated Apache available? Considering
how little I can find information about this problem on the internet
(only this old bug really that matches perfectly!), it doesn't seem to
be a major issue for many.

I'm going to try prefork anyway as suggested here. If that fails,
switching to nginx :P

** Attachment added: "apache.bug"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/795355/+attachment/4395056/+files/apache.bug

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/795355

Title:
  Intermittent SSL connection faults when using TLSv1

Status in OEM Priority Project:
  Won't Fix
Status in OEM Priority Project lucid series:
  Won't Fix
Status in apache package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: openssl

  Reported intermittent SSL connection issue on some apache mod_ssl
  vhosts.

  Platform:  Ubuntu 10.04.2 LTS
  Tested: Apache2-2.2.14-5ubuntu8.4 and backported 2.2.17-1ubuntu1 from Natty

  Firefox client will intermittently report:
  Secure Connection Failed
  An error occurred during a connection to oem-ibs.canonical.com.
  Peer's certificate has an invalid signature.
  (Error code: sec_error_bad_signature)

  Condition will clear on reload.

  Occasionally the server will alternately serve a good page followed
  by an SSL error until Apache is restarted. I am unable to reproduce
  the condition on demand, but have output from when the fault occurs.
  When the fault condition occurs it can be reproduced with any SSL
  client.

  The fault presents on multiple distinct servers.

  Initially suspected to be a bug with mod_ssl
  https://issues.apache.org/bugzilla/show_bug.cgi?id=46952; the backport has
  eliminated this, as have anecdotal reports of this same error presented
  from Dovecot.

  Tested with SSL certs from different CAs.

  Example:

  $ openssl s_client -connect oem-ibs.canonical.com:443
  CONNECTED(00000003)
  depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  14563:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
  14563:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:697:
  14563:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1449:

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/795355/+subscriptions
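Added triage example (not part of the bug report or the comment above, and not Apache's or OpenSSL's own code): a small Python script covering the two things a practitioner would want to do with this report. It parses Apache error-log text for AH00051 child-crash notices and the glibc "double free or corruption" messages, grouping them by parent pid so the crash rate per server generation is visible, and it repeats a full TLS handshake against a host and buckets each failure, which is the kind of check the commenter's HTTPS monitors were doing. The sample log lines embedded below are constructed from the ones quoted in the comment; `probe_tls` and the host/port it takes are assumptions for illustration and are only invoked when a host is passed on the command line.

```python
"""Triage helper for the intermittent 'bad signature' TLS failures above.

  parse_error_log(text)  -> per-parent-pid child crash events + heap-error count
  crash_summary(report)  -> how many children died by which signal number
  probe_tls(host, port)  -> repeat handshakes, bucket outcomes ('bad_signature', ...)

Example code added here, not from the bug report; sample log is constructed.
"""
import re
import socket
import ssl
import sys
from collections import Counter, defaultdict

# Parent-process pid appears on every normal Apache log line.
PID_RE = re.compile(r"\[pid (?P<ppid>\d+):tid \d+\]")
# AH00051: a worker child exited on a signal (segfault, abort, ...).
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<ppid>\d+):tid \d+\] "
    r"AH00051: child pid (?P<cpid>\d+) exit signal (?P<sig>[A-Za-z ]+?) \((?P<signo>\d+)\)"
)
# glibc malloc check printed by the dying child, without Apache's timestamp prefix.
HEAP_RE = re.compile(r"double free or corruption \((?P<kind>[^)]*)\): (?P<addr>0x[0-9a-f]+)")

# Constructed sample, modelled on the error-log excerpt in the comment.
SAMPLE_LOG = """\
[Sun May 10 06:25:20.149467 2015] [mpm_event:notice] [pid 32429:tid 140264803096448] AH00489: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
[Sun May 10 07:29:00.154618 2015] [core:notice] [pid 32429:tid 140264803096448] AH00051: child pid 19109 exit signal Segmentation fault (11), possible coredump in /etc/apache2
*** Error in `/usr/sbin/apache2': double free or corruption (!prev): 0x00007f91b80096c0 ***
[Sun May 10 07:42:06.978787 2015] [core:notice] [pid 32429:tid 140264803096448] AH00051: child pid 20347 exit signal Aborted (6), possible coredump in /etc/apache2
[Sun May 10 14:53:44.534805 2015] [mpm_event:notice] [pid 28764:tid 140143992375168] AH00489: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
[Sun May 10 15:39:34.413988 2015] [core:notice] [pid 28764:tid 140143992375168] AH00051: child pid 28768 exit signal Segmentation fault (11), possible coredump in /etc/apache2
*** Error in `/usr/sbin/apache2': double free or corruption (!prev): 0x00007f75b0006f80 ***
[Sun May 10 16:31:14.678905 2015] [core:notice] [pid 28764:tid 140143992375168] AH00051: child pid 30167 exit signal Aborted (6), possible coredump in /etc/apache2
"""


def parse_error_log(text):
    """Return {parent_pid: {"crashes": [(ts, child_pid, signo)], "heap_errors": n}}.

    The glibc line carries no pid, so it is attributed to the parent pid seen
    most recently; in a single-instance Apache that is the parent of the child
    that is about to be reported as 'Aborted'.
    """
    report = defaultdict(lambda: {"crashes": [], "heap_errors": 0})
    current_parent = None
    for line in text.splitlines():
        pid_match = PID_RE.search(line)
        if pid_match:
            current_parent = pid_match.group("ppid")
        crash = CRASH_RE.match(line)
        if crash:
            report[crash.group("ppid")]["crashes"].append(
                (crash.group("ts"), int(crash.group("cpid")), int(crash.group("signo")))
            )
        elif HEAP_RE.search(line) and current_parent is not None:
            report[current_parent]["heap_errors"] += 1
    return dict(report)


def crash_summary(report):
    """Count child exits by signal number across all parents, e.g. {11: 2, 6: 2}."""
    return Counter(signo for info in report.values() for _, _, signo in info["crashes"])


def classify_handshake_error(msg):
    """Bucket an SSLError message; 'bad signature' is the failure from the post."""
    low = msg.lower()
    if "bad signature" in low:
        return "bad_signature"
    if "certificate verify failed" in low:
        return "cert_verify"
    return "other"


def probe_tls(host, port=443, attempts=20, timeout=5.0):
    """Repeat a full TLS handshake and bucket outcomes (assumed helper, needs network).

    A server that intermittently emits a corrupt ServerKeyExchange signature
    shows up as a 'bad_signature' fraction rather than a hard failure.
    """
    ctx = ssl.create_default_context()  # platform trust store, hostname checked
    results = Counter()
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    tls.version()  # handshake already completed by wrap_socket
            results["ok"] += 1
        except ssl.SSLError as exc:
            results[classify_handshake_error(str(exc))] += 1
        except OSError:
            results["connect_error"] += 1
    return results


if __name__ == "__main__":
    rep = parse_error_log(SAMPLE_LOG)
    for ppid, info in rep.items():
        print(f"parent {ppid}: {len(info['crashes'])} child crashes, "
              f"{info['heap_errors']} heap-corruption messages")
    print("by signal:", dict(crash_summary(rep)))
    if len(sys.argv) > 1:  # e.g. python triage.py example.org
        print(dict(probe_tls(sys.argv[1])))
```

Run it with no arguments to see the parsed sample; pass a hostname to repeat the handshake against a live server. Segfaults and glibc heap checks in children of a threaded MPM are a stronger signal than the browser error alone, so when the crash count per parent climbs alongside `bad_signature` probe results, grab the core dumps the AH00051 lines point at rather than restarting Apache.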