-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I have just moved our pound installation to new 2.6 based servers
and have run into this bug again.
If pound build for sarge is run under 2.6.x it will use NPTL and
the worker process will exit regularly with code non-zero exit code
values. None of the code values corresponds to anything in the code as
far as I can see.
The bug has no overall effect besides decreased performance on a
normal SSL session which uses only a server side certificate.
If client certificates are in use for authentication the session
is broken, because once pound exits the SSL context is lost and an
error is returned to the client. At least some clients (IE and
Mozilla) do not handle the condition gracefully. Mozilla fails to be
able to connect to the site any more and needs to be restarted. IE
shows partial breakage with items from the SSL enabled web pages being
broken.
How to reproduce:
Use the CAList and ValidateList directives to ensure that the
clients are asked for certificates.
CAlist /etc/pound/CA.pem
VerifyList /etc/pound/CA-verify.pem 2
Pass all traffic to a backend website (no need to make certs
mandatory). Access the website (best of all with konqueror which shows
the most adequate behaviour). First 1-2 times you will be asked for a
cert. Press cancel (possibly more then once). If set correctly you
should now see the site. Reload 10-20 times. At one point you will be
asked for the cert and password again. At the same time syslog (if
enabled) on the pound machine will show the worker thread exit and
restart. If the experiment is done with IE or Mozilla the session at
this point breaks completely. The same effect is also observed when
certs are mandatory.
How to workaround:
Setting LD to use linuxthreads instead of NPTL by setting
LD_ASSUME_KERNEL=2.4.27 solves the problem
I do not see any reason for it to barf in the code to be honest,
but it does. By the way the same behaviour has been described and
reproduced with recent pound on the suse mailing list.
A.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDFJnu/NpXLt3l5xURAsR0AJ9ilJKHUY4yvDdEhehe7XbPUOW9pgCfcLWa
+SqfTcNfPInq8si05tawl9Q=
=CIbF
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
