[SOLVED] https openssl-1.1 php ? and curl ? problem in current

toodr · 05-12-2019, 09:46 AM

I have 4 machines running Slackware current + Eric's Plasma 5.
3 of them are updated to the latest upfates (11.5.2019)
1 is updated to 29.3.2019

All 3 machines (updated to the latest packages) cannot complete this command:
curl -L https://cpanmin.us | perl - --sudo App::cpanminus

it gives me the following log

Code:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.194.217...
* TCP_NODELAY set
* Connected to cpanmin.us (151.101.194.217) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/share/curl/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5054 bytes data]

The 4-th machine completes this command and here's the log:

Code:

 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.66.217...
* TCP_NODELAY set
* Connected to cpanmin.us (151.101.66.217) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/share/curl/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5054 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=osff.map.fastly.net
*  start date: Feb 26 16:45:23 2019 GMT
*  expire date: Jan 23 00:27:00 2020 GMT
*  subjectAltName: host "cpanmin.us" matched cert's "cpanmin.us"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
*  SSL certificate verify ok.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x1bb9f30)
} [5 bytes data]
> GET / HTTP/2
> Host: cpanmin.us
> User-Agent: curl/7.64.1
> Accept: */*
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200 
< content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< x-content-type-options: nosniff
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< etag: "8c7e1856a41eaf4c8eac9f094ad8c2e9ddab724a"
< content-type: text/plain; charset=utf-8
< cache-control: max-age=300
< x-geo-block-list: 
< x-github-request-id: E5EA:085E:4FCE0:63153:5CD7492D
< via: 1.1 varnish
< fastly-debug-digest: bba650958a21f2868bfac60b2c744937a01da1469e3f622a590ee63ad3806ab1
< access-control-allow-origin: *
< x-fastly-request-id: 9cae737c21490eb866cce7e9b4c3043e100544ee
< expires: Sat, 11 May 2019 22:19:10 GMT
< source-age: 0
< accept-ranges: bytes
< date: Sun, 12 May 2019 10:28:56 GMT
< via: 1.1 varnish
< age: 44087
< x-served-by: cache-hhn1547-HHN, cache-hhn1529-HHN
< x-cache: MISS, HIT
< x-cache-hits: 0, 1
< x-timer: S1557656937.721078,VS0,VE9
< vary: Authorization,Accept-Encoding
< content-length: 302780
< 
{ [2172 bytes data]
100  295k  100  295k    0     0   560k      0 --:--:-- --:--:-- --:--:--  562k
* Connection #0 to host cpanmin.us left intact
* Closing connection 0
--> Working on App::cpanminus
Fetching http://www.cpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-1.7044.tar.gz ... OK
Configuring App-cpanminus-1.7044 ... OK
Building and testing App-cpanminus-1.7044 ... OK
Successfully installed App-cpanminus-1.7044
1 distribution installed

Additionally one of the updated machines is a https server with nextcloud (https) instalation. It stopped servicing the https requests and fills the /var/log/messages log with the following messages :

kernel: traps: php[21750] general protection ip:7f9ca2608633 sp:7fffcc278b10 error:0 in libcrypto.so.1.1[7f9ca2506000+1aa000]

(a lot of them)

and in /var/log/httpd/error_log :

Code:

[Sun May 12 17:39:19.700428 2019] [ssl:info] [pid 22370] [client 192.168.1.1:44710] AH01964: Connection to child 6 established (server server:443)
[Sun May 12 17:39:19.701181 2019] [ssl:debug] [pid 22370] ssl_engine_kernel.c(2320): [client 192.168.1.1:44710] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.701282 2019] [ssl:debug] [pid 22370] ssl_engine_kernel.c(2320): [client 192.168.1.1:44710] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.701298 2019] [core:debug] [pid 22370] protocol.c(2314): [client 192.168.1.1:44710] AH03155: select protocol from , choices=h2,http/1.1 for server server
[Sun May 12 17:39:19.761667 2019] [ssl:info] [pid 22371] [client 192.168.1.1:44711] AH01964: Connection to child 8 established (server server:443)
[Sun May 12 17:39:19.762492 2019] [ssl:debug] [pid 22371] ssl_engine_kernel.c(2320): [client 192.168.1.1:44711] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.762608 2019] [ssl:debug] [pid 22371] ssl_engine_kernel.c(2320): [client 192.168.1.1:44711] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:19.762625 2019] [core:debug] [pid 22371] protocol.c(2314): [client 192.168.1.1:44711] AH03155: select protocol from , choices=h2,http/1.1 for server server
[Sun May 12 17:39:20.401493 2019] [ssl:info] [pid 22372] [client 192.168.1.1:47636] AH01964: Connection to child 9 established (server server:443)
[Sun May 12 17:39:20.402228 2019] [ssl:debug] [pid 22372] ssl_engine_kernel.c(2320): [client 192.168.1.1:47636] AH02043: SSL virtual host for servername server found
[Sun May 12 17:39:20.463327 2019] [core:notice] [pid 2463] AH00052: child pid 22370 exit signal Segmentation fault (11)
[Sun May 12 17:39:20.463392 2019] [core:notice] [pid 2463] AH00052: child pid 22371 exit signal Segmentation fault (11)
[Sun May 12 17:39:20.463401 2019] [core:notice] [pid 2463] AH00052: child pid 22372 exit signal Segmentation fault (11)

Some package should be recompiled but which one (or more ?)

dgrames · 05-13-2019, 08:30 AM

I'm not sure what half of those log entries mean, but this is what happens when I run curl -L https://cpanmin.us | perl - --sudo App::cpanminus

bash-5.0$ curl -L https://cpanmin.us | perl - --sudo App::cpanminus
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 295k 100 295k 0 0 265k 0 0:00:01 0:00:01 --:--:-- 265k
--> Working on App::cpanminus
Fetching http://www.cpan.org/authors/id/M/MI/...-1.7044.tar.gz ... OK
Configuring App-cpanminus-1.7044 ... OK
Building and testing App-cpanminus-1.7044 ... Password:

I didn't put the password in though.

The only log entry I could find was in /var/log/secure which said I wasn't in sudoers.
This maybe a configuration or installation error, I am running Slackware current also.

Don

toodr · 05-13-2019, 10:00 AM

Thanks dgrames.
I came across this because on my server machine, the httpd (apache2) stopped servicing the https requests. And these logs show segfaults in the threads servicing the https requests. The http requests are serviced ok, and as a whole the httpd server is working (the core process keeps going). But the nexcloud on that server cannot operate, because it's only https.

The server machine has some configuration specifics because of the httpd server, but the other 2 machines have no specific configuration at all. No configuration at least which can influence the curl command .
And another curl command leads to segfaulting of curl:

Code:

curl -v https://www.google.com

But

Code:

curl -v http://www.google.com

completes OK.
So it's nothing to do with Perl.

This is something between gnutls, openssl, mozilla-nss, curl, nghttpd2, httpd and the like.
I tried downgrading curl, php, httpd, but it didn't help.
The problem with me is that the server machine was last updated on 24.2.2019 (the last know good working state).
And then I updated it on 11.5.2019, and all this happened. I did not change any configurations since february.

I think something happens when handshaking for tls 1.3 certificates negotiation.

toodr · 05-14-2019, 12:48 PM

Thanks again dgrames!!! For making me aware that at your end things were OK.
I found it.
A bad configuration file /etc/openssl.cnf.
Nothing else is wrong.

SORRY GUYS!
I'm marking this thread SOLVED!