OpenSSL module 1.0.2g crashes in Apache 2.2.31

Started by Dungeonwatcher, March 05, 2016, 08:43:24 AM


Dungeonwatcher

Hi!  8)

Thanks for the continued support for Apache 2.2.

I use Apache 2.2.31 (32-bit) with PHP 5.2.17 (32-bit) on a Windows 7 (64-bit) computer. The OpenSSL 1.0.2g update to the module crashes mod_ssl.so. There is no error message. Apache simply ceases to start and there is a phperror.log without entry.  ???

Furthermore OpenSSL reports the version number 1.0.2e.

Why is it?



Bye

Gregg

Good morning,

Looking into this. Will let you know what I find out.

Gregg

Strange, I am not finding this.

I've downloaded httpd-2.2.31-x86-r3.zip and openssl-1.0.2g-update-2.2.31-x86.zip from both mirrors.
All ssleay32.dll & libeay32.dll files (the OpenSSL libraries) report being version 1.0.2.7 (1.0.2g).

So I have to ask knowing we would be running into this as soon as I stopped providing OpenSSL 0.9.8, are you trying to load php5apache2_2.dll from your php 5.2 into the server?

If so, this can no longer be done because php5.2 was built linking to OpenSSL 0.9.8. This would easily explain why Apache simply will not start. This doesn't explain why you would be seeing 1.0.2e, I do not see us making 1.0.2e an option ever. 1.0.2f & g are all for Apache 2.2.31.

Anyhow, at the command prompt

cd to Apache's .bin folder
type: httpd -V and post the part down to Architecture
type: httpd -t -e info and see what if anything it tells you.

I have to leave for a couple hours but will check back in as soon as I get back home.

Dungeonwatcher

Hi!  8)

Quote
..\Apache\bin>httpd -V

Server version: Apache/2.2.31 (Win32)
Server built:   Dec  3 2015 21:36:59
Distributed by: The Apache Haus (http://www.apachehaus.com)
Compiled with:  Visual Studio 2008
Server's Module Magic Number: 20051115:40
Server loaded:  APR 1.5.2, APR-Util 1.5.4
Compiled using: APR 1.5.2, APR-Util 1.5.4
Architecture:   32-bit
Server MPM:     WinNT
  threaded:     yes (fixed thread count)
    forked:     no

Server compiled with....
-D APACHE_MPM_DIR="server/mpm/winnt"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/Apache22"
-D HTTPD_EXEC="/Apache22/bin/httpd.exe"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error.log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

and

Quote
..\Apache\bin>httpd -t -e info

httpd: Syntax error on line 138 of ../Apache/conf/httpd.conf: Cannot load ../Apache/modules/mod_ssl.so into server: Das Betriebssystem kann %1 nicht ausführen.

Quote from: Gregg
So I have to ask knowing we would be running into this as soon as I stopped providing OpenSSL 0.9.8, are you trying to load php5apache2_2.dll from your php 5.2 into the server?

Hmm, if I go back to 1.0.2f, the correct version number is displayed. But:

Quote
..\Apache\bin>httpd -t -e info
httpd: Syntax error on line 138 of ../Apache/conf/httpd.conf: Cannot load ../Apache/modules/mod_ssl.so into server: Das Betriebssystem kann %1 nicht ausführen.

TLS works but?

Bye

Gregg

Das Betriebssystem kann %1 nicht ausführen.

Ok, the English version of this error says:
Quote
httpd: Syntax error on line 121 of D:/Apache22/conf/httpd.conf: Cannot load d:/Apache22/modules/mod_ssl.so into server: %1 is not a valid Win32 application.

This can mean a couple things.
1. The download was somehow corrupted.
2. You are trying to load a 64bit module in a 32bit Apache, this is how I got the English version of the error.

So, my suggestion is look at mod_ssl file size, if it is ~150k you have downloaded the 64bit module. If it is ~123k then it is the 32bit module but may have been corrupted in transit.
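
The check suggested above can also be made from the file header instead of the file size. This is an added example, not part of the original thread: it reads the Machine field of the PE/COFF header to tell a 32-bit module from a 64-bit one and flags a file whose header is damaged. The function names and the constructed sample images are assumptions made for the illustration.

```python
import struct
import sys

# Machine values from the PE/COFF file header.
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def pe_architecture(data: bytes) -> str:
    """Classify a DLL or .so image by its COFF Machine field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "corrupt: no MZ header"
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_offset + 6 > len(data):
        return "corrupt: truncated before PE header"
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        return "corrupt: bad PE signature"
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINES.get(machine, f"unknown machine 0x{machine:04x}")

def load_verdict(module: bytes, server_arch: str) -> str:
    """Compare a module image with the server's architecture string."""
    arch = pe_architecture(module)
    if arch.startswith("corrupt"):
        return f"re-download: {arch}"
    if arch != server_arch:
        return f"mismatch: module is {arch}, server is {server_arch}"
    return "ok"

def sample_image(machine: int) -> bytes:
    """Constructed input: only enough of a PE header to carry Machine."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)
    return dos.ljust(0x80, b"\0") + b"PE\0\0" + struct.pack("<H", machine)

if __name__ == "__main__":
    # Usage: python pecheck.py path\to\mod_ssl.so
    # The server is assumed to be 32-bit, as in the httpd -V output above.
    with open(sys.argv[1], "rb") as fh:
        print(load_verdict(fh.read(), "x86 (32-bit)"))
```

The header check only proves the architecture and that the start of the file is intact; damage further into the file needs a hash comparison against a second download. The same check can be run on ssleay32.dll and libeay32.dll.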

Dungeonwatcher

Hi!  8)

Understood, I have checked everything again. In version 1.0.2f I had the wrong module. Now it also loads cleanly.
In version 1.0.2g it will not work.

I have downloaded the 1.0.2g update (32bit) again and checked it at virustotal.com. The file is in order.
The mod_ssl.so is 125,952 bytes in size. But as soon as I use the mod, the server crashes.

Therefore a question to understand. I'm sure you mean SSL test looked at. Is it urgent to switch to version 1.0.2g?

Bye

mario

Quote from: Dungeonwatcher on March 06, 2016, 12:40:53 PM
Is it urgent to switch to version 1.0.2g?

There is an urgent security issue. So yes, you should upgrade as soon as possible.

I also wonder why you still use PHP 5.2. That is very outdated. The oldest supported version is 5.5.x.
The changes from 5.2 to 5.5 are not so big. The chances that your PHP code will run without changes on 5.5 are very high. Give it a trial.

Gregg

Works for me.

Technically it shouldn't work at all, especially if you are using php_openssl extension.
I notice on mine, 1.0.2g silently disables php_openssl. It is still configured to load in php.ini but it no longer shows in phpinfo(). OpenSSL 1.0.2f does not do this.

This may be due to the security fix in OpenSSL 1.0.2g which removed anything and everything SSLv2.

Try disabling php_openssl extension in php.ini and see if Apache starts with 1.0.2g.

I also notice a difference between your php and mine, yours does not have the php logo. Is yours some kind of 3rd party build?



Dungeonwatcher

Hi!  8)

Quote from: mario on March 06, 2016, 05:08:10 PM
There is an urgent security issue. So yes, you should upgrade as soon as possible.

I have already started several attempts, unfortunately all to no avail. My phpBB2 forum then does not work. I would have to start from scratch. I simply lack the time.

My server is in the living room under the desk and is used as a normal workstation. The forum is more of a gimmick for work colleagues and me. It has grown in recent years and it is now no longer so easy to switch to newer versions. Now that would be a completely new start. That is why I am happy and grateful that there is still someone who gives support.  :)

Bye

Dungeonwatcher

Hi!  8)

Quote from: Gregg on March 06, 2016, 09:58:22 PM
Try disabling php_openssl extension in php.ini and see if Apache starts with 1.0.2g.

I have disabled openssl in PHP.INI; Apache crashes at start without error. But openssl is required by the PHP forum.

Quote
I also notice a difference between your php and mine, yours does not have the php logo. Is yours some kind of 3rd party build?

I use only the original Apache from Apache House.

Bye

Gregg

Hi,

I was thinking about this last night.

If you do not load php, will mod_ssl load then?

Dungeonwatcher

Hi!  8)

I will test next week and gradually disable all mods and re-enable them.
I will report. Now the job calls.

Bye

Dungeonwatcher

Good morning from rainy Berlin.  8)

I have found the cause. I use PHP 5.2.17. If I activate the php5apache2_2.dll, Apache crashes.
Unfortunately I can not upgrade to a newer PHP version. The forum software then stopped working.  :'(

Bye

Gregg

Good morning,

This is what I assumed. When I tried it worked for me but php_openssl would no longer show up in phpinfo.

I think the best way for you to move forward is to use mod_fcgid. It will allow you to run any PHP that the computer will run. It also runs PHP in separate processes, not in Apache's process. So if PHP crashes, because of this separation, Apache will not go down with it.

Also with mod_fcgid, you could run Apache 2.4 64bit and still keep your PHP 5.2 32bit. You can also run more than one version of PHP. Keep 5.2.17 just for the forum and use something newer for the rest of the sites, ever.

I have not experimented with just how fine grained mod_fcgid will allow, but it is enough to use different PHPs per vhost.

Dungeonwatcher

Hi!  8)

Yes, I'll install mod_fcgid in the next few days.
Do I understand it correctly that Apache 64-bit can then use PHP 32-bit? That would be cool.

Bye and thanks for the help.