Bug 150611 - openssl-0.9.8d and sse2 useflag instability
Summary: openssl-0.9.8d and sse2 useflag instability
Status: VERIFIED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2006-10-09 12:42 UTC by Guillaume Castagnino
Modified: 2008-11-25 06:48 UTC

Description Guillaume Castagnino 2006-10-09 12:42:30 UTC
Hi, sse2 USE flag seems to be problematic here too, but recompiling openssh/apache/openldap/cyrus-sasl does not solve the problem. Here it is:

System is hardened ~x86 up to date, openssl-0.9.8d.

First situation: openssl with USE sse2, progs rebuilt against this version (revdep-rebuild --library lib[ssl|crypto].so.0.9.8)
RANDOMLY, I get this error (either via openssl s_client or via ldapsearch/web browser):

SSL_connect:SSLv3 write finished A
 SSL_connect:SSLv3 flush data
 read from 0x1263a588 [0x12640b58] (5 bytes => 5 (0x5))
 0000 - 15 03 01 00 02 .....
 read from 0x1263a588 [0x12640b5d] (2 bytes => 2 (0x2))
 0000 - 02 14 ..
 SSL3 alert read:fatal:bad record mac
 SSL_connect:failed in SSLv3 read finished A
 18547:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20
 18547:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Tried with apache/slapd, each using a different well signed certificate. Error message and last bytes transferred are exactly the same with all the ssl aware servers tested.
I insist on the point that it is completely random, and may happen only one time in 10 or 20 (or even more or less)

Then after recompiling openssl without sse2 useflag (and revdep-rebuild to keep linking sane against some ABI problems), the problem has COMPLETELY vanished!

My conclusion is that sse2 useflag leads to unstable openssl and should reasonably be disabled in the ebuild.

Here is the emerge info of the box where the tests were made:
Portage 2.1.2_pre2-r7 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17-xwing-r2 i686)
=================================================================
System uname: 2.6.17-xwing-r2 i686 Intel(R) Celeron(R) CPU 2.53GHz
Gentoo Base System version 1.12.5
Last Sync: Mon, 09 Oct 2006 06:00:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache distlocks fixpackages metadata-transfer sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://r2d2.v6.xwing.info/ ftp://ftp.ipv6.uni-muenster.de/pub/linux/distributions/gentoo/ http://vlaai.snt.ipv6.utwente.nl/pub/os/linux/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.heanet.ie/pub/gentoo/ http://mirror.switch.ch/ftp/mirror/gentoo/ http://ftp.gentoo.skynet.be/pub/gentoo/"
LANG="fr_FR.UTF-8"
LC_ALL="fr_FR.UTF-8"
LINGUAS="fr"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/gcpan-portage /usr/local/portage"
SYNC="rsync://r2d2.v6.xwing.info/gentoo-portage"
USE="x86 4kstacks acl acpi acpi4linux apache2 async bash-completion berkdb bzip2 clamav crypt dba dbx devmap dga dlloader elibc_glibc enscript expat extensions fbcon freetype fs gd gdbm gif gmp hardened idled idn imagemagick imap imlib2 input_devices_keyboard input_devices_mouse iproute2 ipv6 ithreads jpeg kernel_linux l7filter ldap linguas_fr maildir md5sum mhash mmx ncurses nls nptl nptlonly pam pcre perl php pic png posix python readline rrdtool sasl slang soap sockets spf sse sse2 ssl sysfs syslog tcpd threads tiff truetype truetype-fonts type1 type1-fonts udev unicode usb userland_GNU xml2 xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS


Regards
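
Added example, not part of the original report: a small decoder for the two hex dumps in the s_client trace above, showing that the bytes are a plaintext fatal alert with description 20 (bad_record_mac) in a TLS 1.0 record. The sample trace is rebuilt from the dump lines in this report; the function names and the single-space hex layout are assumptions of this sketch.

```python
import re

# Constructed sample: the two "read from" dumps copied from the trace in this report.
TRACE = """\
read from 0x1263a588 [0x12640b58] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02 .....
read from 0x1263a588 [0x12640b5d] (2 bytes => 2 (0x2))
0000 - 02 14 ..
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined for TLS 1.0 (RFC 2246).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 21: "decryption_failed",
                      22: "record_overflow", 40: "handshake_failure"}

# Dump line: 4-digit offset, " - ", then hex bytes separated by ' ' or '-'.
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])+)", re.I)

def bytes_from_trace(trace):
    """Concatenate the bytes of every hex-dump line in the trace."""
    data = bytearray()
    for line in trace.splitlines():
        m = HEX_LINE.match(line)
        if m:
            data += bytes.fromhex("".join(m.group(1).replace("-", " ").split()))
    return bytes(data)

def parse_alert_record(data):
    """Decode one record header and, for a plaintext alert, level and code."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
           "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
           "length": length}
    # Only a 2-byte alert body is plaintext; an encrypted alert is longer.
    if ctype == 21 and length == 2:
        rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        rec["code"] = body[1]
        rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return rec
```

The decoded code matches the "SSL alert number 20" in the error line, and the 2-byte body shows the peer sent the alert unencrypted, that is, before switching to its own negotiated cipher.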
Comment 1 Pawel Madej aka Nysander 2008-11-24 23:49:35 UTC
Is this valid for current versions of openssl? If not, please close this bug.
Comment 2 Guillaume Castagnino 2008-11-25 06:47:15 UTC
You are right, no more instability with the last version (stable or unstable)