Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 236164 - openssl RAND_poll segfault when fd >= FD_SETSIZE (affects apache2 startup with many SSL vhosts)
Summary: openssl RAND_poll segfault when fd >= FD_SETSIZE (affects apache2 startup wit...
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssl
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2007-04-12 07:19 UTC by Joe Miller
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version: RHSA-2007-1003
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-11-15 14:58:48 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:1003 normal SHIPPED_LIVE Moderate: openssl security and bug fix update 2007-11-15 14:58:46 UTC

Description Joe Miller 2007-04-12 07:19:56 UTC
Description of problem:
OpenSSL can segfault or deadlock if RAND_poll is called on a fd when >=
FD_SETSIZE.  This primarily affects apache2 with many SSL vhosts in use

More information (including a patch) can be found here:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install httpd, install mod_ssl
2. create at least 6000 Virtualhosts, each should have a logfile.  It also helps
to have many of the vhosts listening on a unique port, as this will open more fd's
3. start apache.  segfault will occur
Actual results:

Expected results:

Additional info:

Comment 1 Joe Miller 2007-04-12 07:24:33 UTC
additional steps to help recreate the problem.

1) setup httpd.conf as normal.  make sure mod_ssl is loaded

2) add a lot of vhosts with this simple perl script:


$num_vhosts = 10000;
my $i = 0;

while ( $i < $num_vhosts ) {

        my $port = 10000 + $i;

        print <<EOF;
        ServerName shared-test$i.something.dom
        ServerAdmin support\@something.dom
        DocumentRoot /web/htdocs
        CustomLog /tmp/shared-test-log-$i.log combined

Listen $port
        ServerName shared-test$i-$port.something.dom
        ServerAdmin support\@something.dom
        DocumentRoot /web/htdocs
        CustomLog /tmp/shared-test-log-ssl-$i.log combined


# perl >> httpd.conf
# ulimit -n 128000
# /usr/sbin/httpd.worker

Comment 2 Tomas Mraz 2007-04-12 08:49:28 UTC
We have this patched in RHEL-5 and Fedora openssl.

Comment 4 Joe Miller 2007-04-12 14:43:30 UTC
Excellent.  Will it be patched for RHEL3 or 4 as well?

Comment 5 Tomas Mraz 2007-04-12 14:59:32 UTC
RHEL3 - probably not.

RHEL4 - it depends on further evaluation.

Comment 6 RHEL Product and Program Management 2007-05-09 04:52:54 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 11 J. Nick Koston 2007-10-17 13:21:07 UTC
This is a pretty serious problem as it takes a lot less then 6000 vhosts.  In
some cases with log files it can be < 1000 which is pretty common.

Comment 12 Xavier 2007-11-08 19:16:21 UTC
It has been 7 months since this bug was first submitted.  6 months since
management said they would look into it further.  Can we please get an update on
the status of a fix?  I am hoping Redhat hasn't abandoned users who are still
using RHEL 4.  I look forward to an update from the Redhat team shortly.


Comment 13 Tomas Mraz 2007-11-08 20:07:37 UTC
As you can see from bug status the bug fix errata for this is in the release
pending state to be released within RHEL 4.6 update release.

Comment 14 errata-xmlrpc 2007-11-15 14:58:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.