LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 05-12-2019, 09:46 AM   #1
toodr
Member
 
Registered: Jul 2004
Location: Haskovo, Bulgaria
Distribution: Slackware64-current
Posts: 50

Rep: Reputation: 11
https openssl-1.1 php ? and curl ? problem in current


I have 4 machines running Slackware current + Eric's Plasma 5.
3 of them are updated to the latest updates (11.5.2019)
1 is updated to 29.3.2019

All 3 machines (updated to the latest packages) cannot complete this command:
curl -L https://cpanmin.us | perl - --sudo App::cpanminus

it gives me the following log


Code:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.194.217...
* TCP_NODELAY set
* Connected to cpanmin.us (151.101.194.217) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/share/curl/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5054 bytes data]

The 4-th machine completes this command and here's the log:

Code:
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.66.217...
* TCP_NODELAY set
* Connected to cpanmin.us (151.101.66.217) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/share/curl/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5054 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=osff.map.fastly.net
*  start date: Feb 26 16:45:23 2019 GMT
*  expire date: Jan 23 00:27:00 2020 GMT
*  subjectAltName: host "cpanmin.us" matched cert's "cpanmin.us"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
*  SSL certificate verify ok.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x1bb9f30)
} [5 bytes data]
> GET / HTTP/2
> Host: cpanmin.us
> User-Agent: curl/7.64.1
> Accept: */*
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200 
< content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< x-content-type-options: nosniff
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< etag: "8c7e1856a41eaf4c8eac9f094ad8c2e9ddab724a"
< content-type: text/plain; charset=utf-8
< cache-control: max-age=300
< x-geo-block-list: 
< x-github-request-id: E5EA:085E:4FCE0:63153:5CD7492D
< via: 1.1 varnish
< fastly-debug-digest: bba650958a21f2868bfac60b2c744937a01da1469e3f622a590ee63ad3806ab1
< access-control-allow-origin: *
< x-fastly-request-id: 9cae737c21490eb866cce7e9b4c3043e100544ee
< expires: Sat, 11 May 2019 22:19:10 GMT
< source-age: 0
< accept-ranges: bytes
< date: Sun, 12 May 2019 10:28:56 GMT
< via: 1.1 varnish
< age: 44087
< x-served-by: cache-hhn1547-HHN, cache-hhn1529-HHN
< x-cache: MISS, HIT
< x-cache-hits: 0, 1
< x-timer: S1557656937.721078,VS0,VE9
< vary: Authorization,Accept-Encoding
< content-length: 302780
< 
{ [2172 bytes data]
100  295k  100  295k    0     0   560k      0 --:--:-- --:--:-- --:--:--  562k
* Connection #0 to host cpanmin.us left intact
* Closing connection 0
--> Working on App::cpanminus
Fetching http://www.cpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-1.7044.tar.gz ... OK
Configuring App-cpanminus-1.7044 ... OK
Building and testing App-cpanminus-1.7044 ... OK
Successfully installed App-cpanminus-1.7044
1 distribution installed

Additionally one of the updated machines is a https server with nextcloud (https) installation. It stopped servicing the https requests and fills the /var/log/messages log with the following messages:

kernel: traps: php[21750] general protection ip:7f9ca2608633 sp:7fffcc278b10 error:0 in libcrypto.so.1.1[7f9ca2506000+1aa000]

(a lot of them)


and in /var/log/httpd/error_log :

Code:
[Sun May 12 17:39:19.700428 2019] [ssl:info] [pid 22370] [client 192.168.1.1:44710] AH01964: Connection to child 6 established (server server:443)
[Sun May 12 17:39:19.701181 2019] [ssl:debug] [pid 22370] ssl_engine_kernel.c(2320): [client 192.168.1.1:44710] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.701282 2019] [ssl:debug] [pid 22370] ssl_engine_kernel.c(2320): [client 192.168.1.1:44710] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.701298 2019] [core:debug] [pid 22370] protocol.c(2314): [client 192.168.1.1:44710] AH03155: select protocol from , choices=h2,http/1.1 for server server
[Sun May 12 17:39:19.761667 2019] [ssl:info] [pid 22371] [client 192.168.1.1:44711] AH01964: Connection to child 8 established (server server:443)
[Sun May 12 17:39:19.762492 2019] [ssl:debug] [pid 22371] ssl_engine_kernel.c(2320): [client 192.168.1.1:44711] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.762608 2019] [ssl:debug] [pid 22371] ssl_engine_kernel.c(2320): [client 192.168.1.1:44711] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.762625 2019] [core:debug] [pid 22371] protocol.c(2314): [client 192.168.1.1:44711] AH03155: select protocol from , choices=h2,http/1.1 for server server
[Sun May 12 17:39:20.401493 2019] [ssl:info] [pid 22372] [client 192.168.1.1:47636] AH01964: Connection to child 9 established (server server:443)
[Sun May 12 17:39:20.402228 2019] [ssl:debug] [pid 22372] ssl_engine_kernel.c(2320): [client 192.168.1.1:47636] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:20.463327 2019] [core:notice] [pid 2463] AH00052: child pid 22370 exit signal Segmentation fault (11)
[Sun May 12 17:39:20.463392 2019] [core:notice] [pid 2463] AH00052: child pid 22371 exit signal Segmentation fault (11)
[Sun May 12 17:39:20.463401 2019] [core:notice] [pid 2463] AH00052: child pid 22372 exit signal Segmentation fault (11)
Some package should be recompiled but which one (or more ?)
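
Triage for the kernel trap line quoted in the post above, as an added example that is not part of the original thread: subtracting the mapping base from the faulting instruction pointer gives an offset that does not change with ASLR, so repeated crashes can be grouped by code location. Only the first sample line comes from the post; the other two are constructed.

```python
import re
from collections import Counter

# Kernel "traps:" line as written to /var/log/messages on x86-64:
#   traps: COMM[PID] KIND ip:HEX sp:HEX error:HEX in MODULE[BASE+SIZE]
TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] (?P<kind>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>[0-9a-f]+)"
    r" in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def parse_trap(line):
    """Return (comm, module, offset) for a trap line, or None.

    None is returned for non-trap lines, for traps with no module
    suffix, and for lines whose ip lies outside the reported mapping.
    """
    m = TRAP_RE.search(line)
    if not m:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    offset = ip - base
    if not 0 <= offset < size:
        return None
    return (m["comm"], m["module"], offset)

def summarize(lines):
    """Count faults per (process name, module, offset in mapping)."""
    hits = Counter()
    for line in lines:
        parsed = parse_trap(line)
        if parsed:
            hits[parsed] += 1
    return hits

SAMPLE = [
    # Quoted in the post.
    "kernel: traps: php[21750] general protection ip:7f9ca2608633 "
    "sp:7fffcc278b10 error:0 in libcrypto.so.1.1[7f9ca2506000+1aa000]",
    # Constructed: a second crash with a different ASLR base.
    "kernel: traps: php[21802] general protection ip:7f11d4302633 "
    "sp:7ffd01c3a2f0 error:0 in libcrypto.so.1.1[7f11d4200000+1aa000]",
    # Constructed: unrelated kernel message that must be ignored.
    "kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]

if __name__ == "__main__":
    for (comm, module, off), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {comm:8s} {module}+{off:#x}")
```

Many crashes collapsing onto one module and offset indicate a deterministic fault at a single code location rather than random memory corruption.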
 
Old 05-13-2019, 08:30 AM   #2
dgrames
Member
 
Registered: Jul 2007
Distribution: Slackware
Posts: 74

Rep: Reputation: 13
I'm not sure what half of those log entries mean, but this is what happens when I run curl -L https://cpanmin.us | perl - --sudo App::cpanminus

bash-5.0$ curl -L https://cpanmin.us | perl - --sudo App::cpanminus
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 295k 100 295k 0 0 265k 0 0:00:01 0:00:01 --:--:-- 265k
--> Working on App::cpanminus
Fetching http://www.cpan.org/authors/id/M/MI/...-1.7044.tar.gz ... OK
Configuring App-cpanminus-1.7044 ... OK
Building and testing App-cpanminus-1.7044 ... Password:

I didn't put the password in though.

The only log entry I could find was in /var/log/secure which said I wasn't in sudoers.
This may be a configuration or installation error, I am running Slackware current also.

Don
 
Old 05-13-2019, 10:00 AM   #3
toodr
Member
 
Registered: Jul 2004
Location: Haskovo, Bulgaria
Distribution: Slackware64-current
Posts: 50

Original Poster
Rep: Reputation: 11
Thanks dgrames.
I came across this because on my server machine, the httpd (apache2) stopped servicing the https requests. And these logs show segfaults in the threads servicing the https requests. The http requests are serviced ok, and as a whole the httpd server is working (the core process keeps going). But the nextcloud on that server cannot operate, because it's only https.

The server machine has some configuration specifics because of the httpd server, but the other 2 machines have no specific configuration at all. No configuration at least which can influence the curl command.
And another curl command leads to segfaulting of curl:
Code:
curl -v https://www.google.com
But
Code:
curl -v http://www.google.com
completes OK.
So it's nothing to do with Perl.

This is something between gnutls, openssl, mozilla-nss, curl, nghttpd2, httpd and the like.
I tried downgrading curl, php, httpd, but it didn't help.
The problem with me is that the server machine was last updated on 24.2.2019 (the last known good working state).
And then I updated it on 11.5.2019, and all this happened. I did not change any configurations since February.

I think something happens when handshaking for tls 1.3 certificates negotiation.
 
Old 05-14-2019, 12:48 PM   #4
toodr
Member
 
Registered: Jul 2004
Location: Haskovo, Bulgaria
Distribution: Slackware64-current
Posts: 50

Original Poster
Rep: Reputation: 11
Thanks again dgrames!!! For making me aware that at your end things were OK.
I found it.
A bad configuration file /etc/openssl.cnf.
Nothing else is wrong.

SORRY GUYS!
I'm marking this thread SOLVED!
 
All times are GMT -5. The time now is 12:09 AM.