
Bug 150611

Summary: openssl-0.9.8d and sse2 useflag instability
Product: Gentoo Linux Reporter: Guillaume Castagnino <casta>
Component: Current packages Assignee: Gentoo's Team for Core System packages <base-system>
Status: VERIFIED WORKSFORME    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Guillaume Castagnino 2006-10-09 12:42:30 UTC
Hi, sse2 USE flag seems to be problematic here too, but recompiling openssh/apache/openldap/cyrus-sasl does not solve the problem. Here it is:

System is hardened ~x86 up to date, openssl-0.9.8d.

First situation: openssl with USE sse2, progs rebuilt against this version (revdep-rebuild --library lib[ssl|crypto].so.0.9.8)
RANDOMLY, I get this error (either via openssl s_client or via ldapsearch/web browser):

SSL_connect:SSLv3 write finished A
 SSL_connect:SSLv3 flush data
 read from 0x1263a588 [0x12640b58] (5 bytes => 5 (0x5))
 0000 - 15 03 01 00 02 .....
 read from 0x1263a588 [0x12640b5d] (2 bytes => 2 (0x2))
 0000 - 02 14 ..
 SSL3 alert read:fatal:bad record mac
 SSL_connect:failed in SSLv3 read finished A
 18547:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20
 18547:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Tried with apache/slapd, each using a different well-signed certificate. The error message and last bytes transferred are exactly the same with all the SSL-aware servers tested.
I insist on the point that it is completely random, and may happen only one time in 10 or 20 (or even more or less).

Then after recompiling openssl without the sse2 useflag (and revdep-rebuild to keep linking sane against some ABI problems), the problem has COMPLETELY vanished!

My conclusion is that the sse2 useflag leads to an unstable openssl and should reasonably be disabled in the ebuild.

Here is the emerge info of the box where the tests were made:
Portage 2.1.2_pre2-r7 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17-xwing-r2 i686)
=================================================================
System uname: 2.6.17-xwing-r2 i686 Intel(R) Celeron(R) CPU 2.53GHz
Gentoo Base System version 1.12.5
Last Sync: Mon, 09 Oct 2006 06:00:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache distlocks fixpackages metadata-transfer sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://r2d2.v6.xwing.info/ ftp://ftp.ipv6.uni-muenster.de/pub/linux/distributions/gentoo/ http://vlaai.snt.ipv6.utwente.nl/pub/os/linux/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.heanet.ie/pub/gentoo/ http://mirror.switch.ch/ftp/mirror/gentoo/ http://ftp.gentoo.skynet.be/pub/gentoo/"
LANG="fr_FR.UTF-8"
LC_ALL="fr_FR.UTF-8"
LINGUAS="fr"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/gcpan-portage /usr/local/portage"
SYNC="rsync://r2d2.v6.xwing.info/gentoo-portage"
USE="x86 4kstacks acl acpi acpi4linux apache2 async bash-completion berkdb bzip2 clamav crypt dba dbx devmap dga dlloader elibc_glibc enscript expat extensions fbcon freetype fs gd gdbm gif gmp hardened idled idn imagemagick imap imlib2 input_devices_keyboard input_devices_mouse iproute2 ipv6 ithreads jpeg kernel_linux l7filter ldap linguas_fr maildir md5sum mhash mmx ncurses nls nptl nptlonly pam pcre perl php pic png posix python readline rrdtool sasl slang soap sockets spf sse sse2 ssl sysfs syslog tcpd threads tiff truetype truetype-fonts type1 type1-fonts udev unicode usb userland_GNU xml2 xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS


Regards
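
Added example, not part of the original report: a small decoder for the "read from" hex dumps in the s_client trace above, showing that the seven bytes received are a plaintext TLS 1.0 alert record (type 0x15, version 03 01, length 2) carrying level 2 (fatal) and description 0x14 = 20 (bad_record_mac), i.e. the peer rejected the MAC on the record this client sent. The function names are hypothetical and the sample input is the four dump lines copied from the trace.

```python
import re

# Sample input: the two "read from" dumps copied from the trace in this report.
TRACE = """\
 read from 0x1263a588 [0x12640b58] (5 bytes => 5 (0x5))
 0000 - 15 03 01 00 02 .....
 read from 0x1263a588 [0x12640b5d] (2 bytes => 2 (0x2))
 0000 - 02 14 ..
"""

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
               21: "decryption_failed", 40: "handshake_failure", 51: "decrypt_error"}
READ_HDR = re.compile(r"read from \S+ \[\S+\] \(\d+ bytes => (-?\d+) ")
DUMP_LINE = re.compile(r"^\s*[0-9a-f]{4} - (.*)$", re.I)

def bytes_read(trace):
    """Join the bytes of every 'read from' dump, bounded by the count in its header."""
    out, want = bytearray(), 0
    for line in trace.splitlines():
        hdr = READ_HDR.search(line)
        if hdr:
            want = max(int(hdr.group(1)), 0)   # a failed read reports -1
            continue
        dump = DUMP_LINE.match(line)
        if dump and want:
            # The count stops us before the ASCII column that follows the hex bytes.
            pairs = re.findall(r"[0-9a-f]{2}(?=[ -])", dump.group(1), re.I)[:min(want, 16)]
            out += bytes(int(p, 16) for p in pairs)
            want -= len(pairs)
    return bytes(out)

def decode_alerts(data):
    """Walk TLS records (type, version, length) and decode plaintext alert records."""
    alerts, i = [], 0
    while i + 5 <= len(data):
        ctype, version = data[i], (data[i + 1], data[i + 2])
        length = int.from_bytes(data[i + 3:i + 5], "big")
        body = data[i + 5:i + 5 + length]
        if len(body) < length:
            break                              # record truncated in the capture
        # A 2-byte body is a plaintext alert; an encrypted alert is longer and opaque.
        if ctype == 21 and length == 2:
            alerts.append({"version": version, "level": ALERT_LEVELS.get(body[0], "unknown"),
                           "code": body[1], "name": ALERT_NAMES.get(body[1], "unknown")})
        i += 5 + length
    return alerts

if __name__ == "__main__":
    print(decode_alerts(bytes_read(TRACE)))
```
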
Comment 1 Pawel Madej aka Nysander 2008-11-24 23:49:35 UTC
Is this valid for current versions of openssl? If not, please close this bug.
Comment 2 Guillaume Castagnino 2008-11-25 06:47:15 UTC
You are right, no more instability with the last version (stable or unstable)