Well, it is still doing it. I think it is the cf-server actually causing the illegal cipher length in the client. I am using OpenSSL 0.9.8l. I don't have the client side dialog, as it is very random which host does it (and when). I do have the server debug session from the core dump. Oops, I don't. I just modified the server code, now the core is not valid anymore (more on that below).

I did see something interesting in SSL though. I wish I had the traceback to show, but it was a value passed from one function to another. Somehow the value changed, although I can't see how that can be possible.

As a desperate stab, I kept the thread locked in server.c (as it is coring in the RSA_public_encrypt). I have no idea if it is valid or not (I am weak on thread programming), but I'll let it run, see what happens.

    ThreadLock(cft_system);

    if ((out = malloc(encrypted_len+1)) == NULL)
       {
       FatalError("memory failure");
       }

    /* ThreadUnlock(cft_system); */   /* << moved to after the RSA_public_encrypt */

    if (RSA_public_encrypt(nonce_len,in,out,newkey,RSA_PKCS1_PADDING) <= 0)
       {
       err = ERR_get_error();
       CfOut(cf_error,"","Public encryption failed = %s\n",ERR_reason_error_string(err));
       RSA_free(newkey);
       free(out);
       return false;
       }

    ThreadUnlock(cft_system);   /* << moved it here */

On Dec 11, 2009, at 7:40 AM, Mark Burgess wrote:

> Your email is like the scene in Alice in Wonderland where she is walking down
> a corridor that gets smaller and smaller...the font size seems to disappear
> into oblivion with each line ;-)
>
> Any chance you could capture one of these sessions in debug mode (cut out the
> relevant dialogue)?
>
> My colleague here has discovered some problems with openSSL beta 1, and had
> to revert to 0.9.8 something. What version of SSL are you using?
>
> M
>
> Matt Richards wrote:
>> Well some good news and some bad news. cf-serverd did core dump last
>> night on the policy host. I did get output from two clients at the same
>> time.
>>
>> one was from a regular cf-agent regular run (06:22:02 am):
>>
>> Protocol transaction sent illegal cipher length
>> !! Authentication dialogue with x.xx.xx.xxx failed
>>
>> and one was from a bootstrap (06:22:23am):
>>
>> Challenge response from server x.xx.xx.xxx/x.xx.xx.xxx was incorrect!
>> I: Made in version 'not specified' of '/var/cfengine/inputs/failsafe.cf' near line 127
>> I: Comment: Copy inputs files from server
>> !! Authentication dialogue with x.xx.xx.xxx failed
>>
>> I re-ran these by hand and they went fine. I am not sure why I am
>> getting these as the ppkeys appear to be correct since they work when rerun.
>>
>> I am not sure which one caused it, but I believe the bootstrap was the
>> culprit as the time is closer to the core dump (06:22:27am, dies in the
>> same spot as it normally does before the change). Although that does not
>> make sense.
>>
>> On Dec 9, 2009, at 2:30 PM, Mark Burgess wrote:
>>
>>> Matt, could you try svn and see if this helps please.
>
> --
> Mark Burgess
>
> -------------------------------------------------
> Professor of Network and System Administration
> Oslo University College, Norway
>
> Personal Web: http://www.iu.hio.no/~mark
> Office Telf : +47 22453272
> -------------------------------------------------

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
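
Added example, not part of the original thread or of the CFEngine source: in the snippet as posted, the `return false` taken when RSA_public_encrypt fails runs before the relocated ThreadUnlock, so that path leaves cft_system held. The C code below keeps the lock across the call but releases it on every exit path; the pthread-based ThreadLock/ThreadUnlock, `encrypt_fn`, `enc_ok`, `enc_fail`, `lock_is_free` and `encrypt_nonce_locked` are hypothetical stand-ins, with a function pointer in place of RSA_public_encrypt.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the ThreadLock/ThreadUnlock wrappers in the post. */
static pthread_mutex_t cft_system = PTHREAD_MUTEX_INITIALIZER;
static int lock_depth = 0;               /* written only while the mutex is held */

static void ThreadLock(pthread_mutex_t *m)   { pthread_mutex_lock(m); lock_depth++; }
static void ThreadUnlock(pthread_mutex_t *m) { lock_depth--; pthread_mutex_unlock(m); }
bool lock_is_free(void) { return lock_depth == 0; }   /* single-threaded check only */

/* Stand-in for RSA_public_encrypt: returns bytes written, or <= 0 on failure. */
typedef int (*encrypt_fn)(int len, const unsigned char *in, unsigned char *out);
int enc_ok(int len, const unsigned char *in, unsigned char *out)
{
    memcpy(out, in, (size_t)len);        /* constructed: copies instead of encrypting */
    return len;
}
int enc_fail(int len, const unsigned char *in, unsigned char *out)
{
    (void)len; (void)in; (void)out;
    return -1;
}

/* Hold the lock across allocation and encryption; release it on every exit path.
   On success the caller owns *outp and must free() it. */
bool encrypt_nonce_locked(encrypt_fn enc, const unsigned char *in, int nonce_len,
                          int encrypted_len, unsigned char **outp)
{
    unsigned char *out = NULL;
    bool ok = false;

    *outp = NULL;
    ThreadLock(&cft_system);
    if ((out = malloc((size_t)encrypted_len + 1)) != NULL)
        ok = enc(nonce_len, in, out) > 0;
    ThreadUnlock(&cft_system);           /* single unlock reached by all paths */

    if (ok) *outp = out; else free(out); /* free(NULL) is a no-op */
    return ok;
}
```

Calling `encrypt_nonce_locked` with `enc_fail` and then again with `enc_ok` shows the difference: with the lock leaked on the failure path, the second call would block forever on a non-recursive mutex.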