Bug #116346 for Net-SSLeay: Under mod_perl, first client connection fails in CTX

Wed Jul 20 15:58:57 2016 ivan-pause [...] 420.am - Ticket created

Subject:

Under mod_perl, first client connection fails in CTX_new, but subsequent connections work

Running in a (preforking) mod_perl context, the first client conneciton attempted (during each process lifetime) fails. Subsequent connections work. Occurs in Debian stable (v8) with and in Debian unstable (using a mod_perl 2.0.9 prerelease / Apache 2.4.10 and mod_perl 2.0.9 / Apache 2.4.23, respectively). Have not attempted other OSes or versions yet. Example script: #!/usr/bin/perl use Net::SSLeay qw(post_https make_form); $Net::SSLeay::trace = 0; my $host = 'secure.authorize.net'; my ($page, $response, %reply_headers) = post_https($host, 443, '/', '', make_form(var1 => 'one', var2 => 'two' )); print "response $response\n"; #again, it'll work... ($page, $response, %reply_headers) = post_https($host, 443, '/', '', make_form(var1 => 'one', var2 => 'two' )); print "response $response\n"; Example Apache config: AddHandler perl-script .cgi PerlHandler ModPerl::Registry Options +ExecCGI In a non-mod_perl context, this returns (e.g., depending on $host): ivan@fleetpaw:/var/www/html$ perl testssl.cgi response HTTP/1.1 303 See Other response HTTP/1.1 303 See Other In a mod_perl context, the first time this is called in a process (i.e. after a restart), this returns: response HTTP/1.0 900 NET OR SSL ERROR CTX_new 30723: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line CTX_new 30723: 2 - error:0906D06C:PEM routines:PEM_read_bio:no start line response HTTP/1.1 303 See Other Full trace of failing connection: do_httpx3(POST,1,secure.authorize.net:443) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al) line 1318. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al):1318) httpx_cat: usessl=1 (secure.authorize:443) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/httpx_cat.al) line 1227. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/httpx_cat.al):1227) Opening connection to secure.authorize.net:443 (64.94.118.32) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 486. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al):486) next connect at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 491. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al):491) connected to secure.authorize.net, 443 at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 494. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al):494) Creating SSL 0 context... (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/https_cat.al):1126) CTX_new 30717: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422) CTX_new 30717: 2 - error:0906D06C:PEM routines:PEM_read_bio:no start line (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422) Changing $host between connections has no effect, so it isn't a per-host failure/cache. Changing $ssl_version has no effect. This does not appear to be specific to ModPerl::Registry (originally observed in an HTML::Mason app). As a workaround, I'm using the following code per-process to trigger the one-time context creation error so all subsequent real connections work: { use Net::SSLeay; package Net::SSLeay; initialize(); my $bad_ctx = new_x_ctx(); while ( ERR_get_error() ) {}; #print_errs('CTX_new'); CTX_free($bad_ctx); } Oddly, retrieving the errors is necessary to make this work. ref http://bugs.debian.org/830152 -- Ivan Kohler President and Head Geek, Freeside Internet Services, Inc. http://freeside.biz/ Debian GNU/Linux developer | CPAN author | cat person | ski addict

Thu Jul 21 22:41:35 2016 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #116346] Under mod_perl, first client connection fails in CTX_new, but subsequent connections work
Date:	Fri, 22 Jul 2016 12:41:17 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hello Ivan, thanks for your report. I havent been able to reproduce this on OpenSuse 13.2, but have not tried yet on Debian. Would it be possible to get a dump of the environment variables that are passed your perl test script? Cheers. On Wednesday, July 20, 2016 03:58:58 PM you wrote: Show quoted text

> Wed Jul 20 15:58:57 2016: Request 116346 was acted upon. > Transaction: Ticket created by IVAN > Queue: Net-SSLeay > Subject: Under mod_perl, first client connection fails in CTX_new, but > subsequent connections work > Broken in: 1.65, 1.66, 1.67, 1.68, 1.69, 1.70, 1.71, 1.72, 1.73, 1.74 > Severity: Important > Owner: Nobody > Requestors: ivan-pause@420.am > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116346 > > > > Running in a (preforking) mod_perl context, the first client conneciton > attempted (during each process lifetime) fails. Subsequent connections > work. > > Occurs in Debian stable (v8) with and in Debian unstable (using a mod_perl > 2.0.9 prerelease / Apache 2.4.10 and mod_perl 2.0.9 / Apache 2.4.23, > respectively). Have not attempted other OSes or versions yet. > > Example script: > > #!/usr/bin/perl > use Net::SSLeay qw(post_https make_form); > $Net::SSLeay::trace = 0; > > my $host = 'secure.authorize.net'; > > my ($page, $response, %reply_headers) = post_https($host, 443, '/', '', > make_form(var1 => 'one', var2 => 'two' )); print "response $response\n"; > > #again, it'll work... > ($page, $response, %reply_headers) = post_https($host, 443, '/', '', > make_form(var1 => 'one', var2 => 'two' )); print "response $response\n"; > > Example Apache config: > > AddHandler perl-script .cgi > PerlHandler ModPerl::Registry > Options +ExecCGI > > In a non-mod_perl context, this returns (e.g., depending on $host): > > ivan@fleetpaw:/var/www/html$ perl testssl.cgi > response HTTP/1.1 303 See Other > response HTTP/1.1 303 See Other > > In a mod_perl context, the first time this is called in a process (i.e. > after a restart), this returns: > > response HTTP/1.0 900 NET OR SSL ERROR > > CTX_new 30723: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line > CTX_new 30723: 2 - error:0906D06C:PEM routines:PEM_read_bio:no start line > > response HTTP/1.1 303 See Other > > Full trace of failing connection: > > do_httpx3(POST,1,secure.authorize.net:443) at blib/lib/Net/SSLeay.pm > (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al) line 1318. > (blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/do_httpx3.al):1318) httpx_cat: usessl=1 > (secure.authorize:443) at blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/httpx_cat.al) line 1227. (blib/lib/Net/SSLeay.pm > (autosplit into blib/lib/auto/Net/SSLeay/httpx_cat.al):1227) Opening > connection to secure.authorize.net:443 (64.94.118.32) at > blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 486. > (blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/open_tcp_connection.al):486) next connect at > blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 491. > (blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/open_tcp_connection.al):491) connected to > secure.authorize.net, 443 at blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 494. > (blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/open_tcp_connection.al):494) Creating SSL 0 > context... (blib/lib/Net/SSLeay.pm (autosplit into > blib/lib/auto/Net/SSLeay/https_cat.al):1126) CTX_new 30717: 1 - > error:0906D06C:PEM routines:PEM_read_bio:no start line > (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422) CTX_new 30717: 2 - > error:0906D06C:PEM routines:PEM_read_bio:no start line > (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422) > > Changing $host between connections has no effect, so it isn't a per-host > failure/cache. Changing $ssl_version has no effect. This does not appear > to be specific to ModPerl::Registry (originally observed in an HTML::Mason > app). > > As a workaround, I'm using the following code per-process to trigger the > one-time context creation error so all subsequent real connections work: > > { > use Net::SSLeay; > package Net::SSLeay; > initialize(); > my $bad_ctx = new_x_ctx(); > while ( ERR_get_error() ) {}; #print_errs('CTX_new'); > CTX_free($bad_ctx); > } > > Oddly, retrieving the errors is necessary to make this work. > > ref http://bugs.debian.org/830152

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Thu Jul 21 22:41:37 2016 The RT System itself - Status changed from 'new' to 'open'

Fri Jul 22 05:39:24 2016 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #116346] Under mod_perl, first client connection fails in CTX_new, but subsequent connections work
Date:	Fri, 22 Jul 2016 19:39:02 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hello again. Tested your sample code OK on 8.5 Jessie with mod-perl2 2.0.9 and default apache My request for environment variables stands Cheers. On Friday, July 22, 2016 12:41:17 PM Mike McCauley wrote: Show quoted text

> Hello Ivan, > > thanks for your report. > > I havent been able to reproduce this on OpenSuse 13.2, but have not tried > yet on Debian. > > Would it be possible to get a dump of the environment variables that are > passed your perl test script? > > Cheers. > > On Wednesday, July 20, 2016 03:58:58 PM you wrote:

> > Wed Jul 20 15:58:57 2016: Request 116346 was acted upon. > > Transaction: Ticket created by IVAN > > > > Queue: Net-SSLeay > > > > Subject: Under mod_perl, first client connection fails in CTX_new, > > but > > > > subsequent connections work > > > > Broken in: 1.65, 1.66, 1.67, 1.68, 1.69, 1.70, 1.71, 1.72, 1.73, 1.74 > > > > Severity: Important > > > > Owner: Nobody > > > > Requestors: ivan-pause@420.am > > > > Status: new > > > > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116346 > > > > > Running in a (preforking) mod_perl context, the first client conneciton > > attempted (during each process lifetime) fails. Subsequent connections > > work. > > > > Occurs in Debian stable (v8) with and in Debian unstable (using a mod_perl > > 2.0.9 prerelease / Apache 2.4.10 and mod_perl 2.0.9 / Apache 2.4.23, > > respectively). Have not attempted other OSes or versions yet. > > > > Example script: > > #!/usr/bin/perl > > use Net::SSLeay qw(post_https make_form); > > $Net::SSLeay::trace = 0; > > > > my $host = 'secure.authorize.net'; > > > > my ($page, $response, %reply_headers) = post_https($host, 443, '/', '', > > > > make_form(var1 => 'one', var2 => 'two' )); print "response $response\n"; > > > > #again, it'll work... > > ($page, $response, %reply_headers) = post_https($host, 443, '/', '', > > > > make_form(var1 => 'one', var2 => 'two' )); print "response $response\n"; > > > > Example Apache config: > > AddHandler perl-script .cgi > > PerlHandler ModPerl::Registry > > Options +ExecCGI > > > > In a non-mod_perl context, this returns (e.g., depending on $host): > > ivan@fleetpaw:/var/www/html$ perl testssl.cgi > > response HTTP/1.1 303 See Other > > response HTTP/1.1 303 See Other > > > > In a mod_perl context, the first time this is called in a process (i.e. > > > > after a restart), this returns: > > response HTTP/1.0 900 NET OR SSL ERROR > > > > CTX_new 30723: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start > > line > > CTX_new 30723: 2 - error:0906D06C:PEM routines:PEM_read_bio:no start > > line > > > > response HTTP/1.1 303 See Other > > > > Full trace of failing connection: > > do_httpx3(POST,1,secure.authorize.net:443) at blib/lib/Net/SSLeay.pm > > > > (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al) line 1318. > > (blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/do_httpx3.al):1318) httpx_cat: usessl=1 > > (secure.authorize:443) at blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/httpx_cat.al) line 1227. (blib/lib/Net/SSLeay.pm > > (autosplit into blib/lib/auto/Net/SSLeay/httpx_cat.al):1227) Opening > > connection to secure.authorize.net:443 (64.94.118.32) at > > blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 486. > > (blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/open_tcp_connection.al):486) next connect at > > blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 491. > > (blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/open_tcp_connection.al):491) connected to > > secure.authorize.net, 443 at blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 494. > > (blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/open_tcp_connection.al):494) Creating SSL 0 > > context... (blib/lib/Net/SSLeay.pm (autosplit into > > blib/lib/auto/Net/SSLeay/https_cat.al):1126) CTX_new 30717: 1 - > > error:0906D06C:PEM routines:PEM_read_bio:no start line > > (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422) CTX_new 30717: 2 > > - > > error:0906D06C:PEM routines:PEM_read_bio:no start line > > (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422) > > > > Changing $host between connections has no effect, so it isn't a per-host > > failure/cache. Changing $ssl_version has no effect. This does not appear > > to be specific to ModPerl::Registry (originally observed in an HTML::Mason > > app). > > > > As a workaround, I'm using the following code per-process to trigger the > > > > one-time context creation error so all subsequent real connections work: > > { > > > > use Net::SSLeay; > > package Net::SSLeay; > > initialize(); > > my $bad_ctx = new_x_ctx(); > > while ( ERR_get_error() ) {}; #print_errs('CTX_new'); > > CTX_free($bad_ctx); > > > > } > > > > Oddly, retrieving the errors is necessary to make this work. > > > > ref http://bugs.debian.org/830152

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Fri Jul 22 16:57:21 2016 ivan-pause [...] 420.am - Correspondence added

On Thu Jul 21 22:41:35 2016, mikem@airspayce.com wrote: Show quoted text

> > Would it be possible to get a dump of the environment variables > that are passed your perl test script?

Here are the environment variables in a successful, command-line run: $ENV{XDG_SESSION_DESKTOP}: KDE $ENV{XAUTHORITY}: /tmp/xauth-1000-_0 $ENV{QT_LINUX_ACCESSIBILITY_ALWAYS_ON}: 1 $ENV{XCURSOR_THEME}: oxy-oxygen $ENV{XDG_CURRENT_DESKTOP}: KDE $ENV{USER}: ivan $ENV{KDE_FULL_SESSION}: true $ENV{XDG_SESSION_TYPE}: x11 $ENV{COLORFGBG}: 0;15 $ENV{TERM}: xterm $ENV{KDE_SESSION_VERSION}: 5 $ENV{KDE_MULTIHEAD}: false $ENV{SSH_AUTH_SOCK}: /tmp/ssh-NnejOw4evFyf/agent.3424 $ENV{DEBFULLNAME}: Ivan Kohler $ENV{DISPLAY}: :0 $ENV{XDG_SESSION_COOKIE}: (redacted) $ENV{GTK_RC_FILES}: /etc/gtk/gtkrc:/home/ivan/.gtkrc:/home/ivan/.config/gtkrc $ENV{_}: /usr/bin/perl $ENV{KDE_SESSION_UID}: 1000 $ENV{HOME}: /home/ivan $ENV{SHELL_SESSION_ID}: 6db9b5daa5534000a1f0e665e8a5d556 $ENV{DESKTOP_SESSION}: /usr/share/xsessions/plasma $ENV{XDG_SESSION_CLASS}: user $ENV{LANGUAGE}: $ENV{PROFILEHOME}: $ENV{KONSOLE_DBUS_SERVICE}: :1.45 $ENV{LOGNAME}: ivan $ENV{PATH}: /usr/local/bin:/usr/bin:/bin:/usr/games $ENV{KONSOLE_PROFILE_NAME}: Shell $ENV{PWD}: /var/www/html $ENV{XDG_RUNTIME_DIR}: /run/user/1000 $ENV{DBIMON_PAGER}: less -X $ENV{XDG_VTNR}: 7 $ENV{EDITOR}: vim $ENV{XDG_SESSION_ID}: 6 $ENV{XDG_SESSION_PATH}: /org/freedesktop/DisplayManager/Session1 $ENV{GS_LIB}: /home/ivan/.fonts $ENV{OLDPWD}: /var/www/html $ENV{XCURSOR_SIZE}: 0 $ENV{DBUS_SESSION_BUS_ADDRESS}: unix:abstract=/tmp/dbus-XAFtFBIdnW,guid=6455bbd8d110296137b4cd795771e3b6 $ENV{QT_ACCESSIBILITY}: 1 $ENV{SHELL}: /bin/zsh $ENV{WINDOWID}: 39847836 $ENV{XDG_DATA_DIRS}: /usr/share:/usr/share:/usr/local/share $ENV{KONSOLE_DBUS_WINDOW}: /Windows/231 $ENV{PAGER}: /usr/bin/less $ENV{GTK2_RC_FILES}: /etc/gtk-2.0/gtkrc:/home/ivan/.gtkrc-2.0:/home/ivan/.config/gtkrc-2.0 $ENV{PAM_KWALLET5_LOGIN}: /tmp/kwallet5_ivan.socket $ENV{PS1}: %n@%m:%~%(#.#.$) $ENV{KONSOLE_DBUS_SESSION}: /Sessions/231 $ENV{SSH_AGENT_PID}: 3468 $ENV{XDG_SEAT}: seat0 $ENV{XDG_SEAT_PATH}: /org/freedesktop/DisplayManager/Seat0 $ENV{LANG}: en_US.UTF-8 $ENV{DEBEMAIL}: ivan-debian@420.am $ENV{SESSION_MANAGER}: local/fleetpaw:@/tmp/.ICE-unix/3540,unix/fleetpaw:/tmp/.ICE-unix/3540 $ENV{SHLVL}: 1 Here are the environment variables from a problematic run under mod_perl: $ENV{HTTP_ACCEPT_LANGUAGE}: en-US,en;q=0.5 $ENV{SERVER_PROTOCOL}: HTTP/1.1 $ENV{SERVER_ADMIN}: webmaster@localhost $ENV{HTTP_CACHE_CONTROL}: max-age=0 $ENV{HTTP_COOKIE}: FS::AuthCookieHandler24_Freeside=oNQ9w7TUXAU2k9IxadW1vqW4hoKKwRH38dAhlwpp; org.cups.sid=890ba63851f3b66347d8e24063075765 $ENV{REQUEST_SCHEME}: http $ENV{SERVER_NAME}: localhost $ENV{CONTEXT_PREFIX}: $ENV{SCRIPT_NAME}: /testssl.cgi $ENV{HTTP_CONNECTION}: keep-alive $ENV{CONTEXT_DOCUMENT_ROOT}: /var/www/html $ENV{SCRIPT_FILENAME}: /var/www/html/testssl.cgi $ENV{MOD_PERL}: mod_perl/2.0.9 $ENV{SERVER_SOFTWARE}: Apache/2.4.23 (Debian) $ENV{MOD_PERL_API_VERSION}: 2 $ENV{HTTP_ACCEPT_ENCODING}: gzip, deflate $ENV{PATH}: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin $ENV{GATEWAY_INTERFACE}: CGI/1.1 $ENV{HTTP_ACCEPT}: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 $ENV{REMOTE_PORT}: 59040 $ENV{SERVER_PORT}: 80 $ENV{DOCUMENT_ROOT}: /var/www/html $ENV{REMOTE_ADDR}: 127.0.0.1 $ENV{HTTP_REFERER}: http://localhost/ $ENV{REQUEST_METHOD}: GET $ENV{HTTP_HOST}: localhost $ENV{HTTP_USER_AGENT}: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 $ENV{REQUEST_URI}: /testssl.cgi $ENV{QUERY_STRING}: $ENV{SERVER_ADDR}: 127.0.0.1 $ENV{SERVER_SIGNATURE}: <address>Apache/2.4.23 (Debian) Server at localhost Port 80</address>

Fri Jul 22 17:31:56 2016 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #116346] Under mod_perl, first client connection fails in CTX_new, but subsequent connections work
Date:	Sat, 23 Jul 2016 07:31:38 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi Ivan, thanks, nothing there to explain your problem. Given that your test case works ok on OpenSuSE and Debian 8.5, Im inclined to think the problem you are seeing is due to some other difference in your test OS. Perhaps one of these has changes in your OS that account for it: OpenSSL Perl mod_perl OS socket IO system of those I would think the likely one is Perl, but maybe OpenSSL Are the versions of those different in your case to say Debian 8.5? Cheers. On Friday, July 22, 2016 04:57:22 PM Ivan Kohler via RT wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116346 > > > On Thu Jul 21 22:41:35 2016, mikem@airspayce.com wrote:

> > Would it be possible to get a dump of the environment variables > > that are passed your perl test script?

> > Here are the environment variables in a successful, command-line run: > > $ENV{XDG_SESSION_DESKTOP}: KDE > $ENV{XAUTHORITY}: /tmp/xauth-1000-_0 > $ENV{QT_LINUX_ACCESSIBILITY_ALWAYS_ON}: 1 > $ENV{XCURSOR_THEME}: oxy-oxygen > $ENV{XDG_CURRENT_DESKTOP}: KDE > $ENV{USER}: ivan > $ENV{KDE_FULL_SESSION}: true > $ENV{XDG_SESSION_TYPE}: x11 > $ENV{COLORFGBG}: 0;15 > $ENV{TERM}: xterm > $ENV{KDE_SESSION_VERSION}: 5 > $ENV{KDE_MULTIHEAD}: false > $ENV{SSH_AUTH_SOCK}: /tmp/ssh-NnejOw4evFyf/agent.3424 > $ENV{DEBFULLNAME}: Ivan Kohler > $ENV{DISPLAY}: :0 > $ENV{XDG_SESSION_COOKIE}: (redacted) > $ENV{GTK_RC_FILES}: > /etc/gtk/gtkrc:/home/ivan/.gtkrc:/home/ivan/.config/gtkrc $ENV{_}: > /usr/bin/perl > $ENV{KDE_SESSION_UID}: 1000 > $ENV{HOME}: /home/ivan > $ENV{SHELL_SESSION_ID}: 6db9b5daa5534000a1f0e665e8a5d556 > $ENV{DESKTOP_SESSION}: /usr/share/xsessions/plasma > $ENV{XDG_SESSION_CLASS}: user > $ENV{LANGUAGE}: > $ENV{PROFILEHOME}: > $ENV{KONSOLE_DBUS_SERVICE}: :1.45 > $ENV{LOGNAME}: ivan > $ENV{PATH}: /usr/local/bin:/usr/bin:/bin:/usr/games > $ENV{KONSOLE_PROFILE_NAME}: Shell > $ENV{PWD}: /var/www/html > $ENV{XDG_RUNTIME_DIR}: /run/user/1000 > $ENV{DBIMON_PAGER}: less -X > $ENV{XDG_VTNR}: 7 > $ENV{EDITOR}: vim > $ENV{XDG_SESSION_ID}: 6 > $ENV{XDG_SESSION_PATH}: /org/freedesktop/DisplayManager/Session1 > $ENV{GS_LIB}: /home/ivan/.fonts > $ENV{OLDPWD}: /var/www/html > $ENV{XCURSOR_SIZE}: 0 > $ENV{DBUS_SESSION_BUS_ADDRESS}: > unix:abstract=/tmp/dbus-XAFtFBIdnW,guid=6455bbd8d110296137b4cd795771e3b6 > $ENV{QT_ACCESSIBILITY}: 1 > $ENV{SHELL}: /bin/zsh > $ENV{WINDOWID}: 39847836 > $ENV{XDG_DATA_DIRS}: /usr/share:/usr/share:/usr/local/share > $ENV{KONSOLE_DBUS_WINDOW}: /Windows/231 > $ENV{PAGER}: /usr/bin/less > $ENV{GTK2_RC_FILES}: > /etc/gtk-2.0/gtkrc:/home/ivan/.gtkrc-2.0:/home/ivan/.config/gtkrc-2.0 > $ENV{PAM_KWALLET5_LOGIN}: /tmp/kwallet5_ivan.socket > $ENV{PS1}: %n@%m:%~%(#.#.$) > $ENV{KONSOLE_DBUS_SESSION}: /Sessions/231 > $ENV{SSH_AGENT_PID}: 3468 > $ENV{XDG_SEAT}: seat0 > $ENV{XDG_SEAT_PATH}: /org/freedesktop/DisplayManager/Seat0 > $ENV{LANG}: en_US.UTF-8 > $ENV{DEBEMAIL}: ivan-debian@420.am > $ENV{SESSION_MANAGER}: > local/fleetpaw:@/tmp/.ICE-unix/3540,unix/fleetpaw:/tmp/.ICE-unix/3540 > $ENV{SHLVL}: 1 > > > Here are the environment variables from a problematic run under mod_perl: > > $ENV{HTTP_ACCEPT_LANGUAGE}: en-US,en;q=0.5 > $ENV{SERVER_PROTOCOL}: HTTP/1.1 > $ENV{SERVER_ADMIN}: webmaster@localhost > $ENV{HTTP_CACHE_CONTROL}: max-age=0 > $ENV{HTTP_COOKIE}: > FS::AuthCookieHandler24_Freeside=oNQ9w7TUXAU2k9IxadW1vqW4hoKKwRH38dAhlwpp; > org.cups.sid=890ba63851f3b66347d8e24063075765 $ENV{REQUEST_SCHEME}: http > $ENV{SERVER_NAME}: localhost > $ENV{CONTEXT_PREFIX}: > $ENV{SCRIPT_NAME}: /testssl.cgi > $ENV{HTTP_CONNECTION}: keep-alive > $ENV{CONTEXT_DOCUMENT_ROOT}: /var/www/html > $ENV{SCRIPT_FILENAME}: /var/www/html/testssl.cgi > $ENV{MOD_PERL}: mod_perl/2.0.9 > $ENV{SERVER_SOFTWARE}: Apache/2.4.23 (Debian) > $ENV{MOD_PERL_API_VERSION}: 2 > $ENV{HTTP_ACCEPT_ENCODING}: gzip, deflate > $ENV{PATH}: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin > $ENV{GATEWAY_INTERFACE}: CGI/1.1 > $ENV{HTTP_ACCEPT}: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > $ENV{REMOTE_PORT}: 59040 > $ENV{SERVER_PORT}: 80 > $ENV{DOCUMENT_ROOT}: /var/www/html > $ENV{REMOTE_ADDR}: 127.0.0.1 > $ENV{HTTP_REFERER}: http://localhost/ > $ENV{REQUEST_METHOD}: GET > $ENV{HTTP_HOST}: localhost > $ENV{HTTP_USER_AGENT}: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) > Gecko/20100101 Firefox/45.0 $ENV{REQUEST_URI}: /testssl.cgi > $ENV{QUERY_STRING}: > $ENV{SERVER_ADDR}: 127.0.0.1 > $ENV{SERVER_SIGNATURE}: <address>Apache/2.4.23 (Debian) Server at localhost > Port 80</address>

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Fri Jul 22 17:59:04 2016 ivan-pause [...] 420.am - Correspondence added

On Fri Jul 22 17:31:56 2016, mikem@airspayce.com wrote: Show quoted text

> Hi Ivan, > > thanks, nothing there to explain your problem. > > Given that your test case works ok on OpenSuSE and Debian 8.5,

I don't think "works ok on Debian 8.5" is accurate. The test case fails for me on Debian 8 (8.5) as well as Debian unstable. It seems unlikely that the failure is a result of a one-off non-OS modification to a single system. I believe there must be something else that is preventing you from reproducing the problem. Show quoted text

> Im > inclined to > think the problem you are seeing is due to some other difference in > your test > OS. Perhaps one of these has changes in your OS that account for it: > > OpenSSL > Perl > mod_perl > > of those I would think the likely one is Perl, but maybe OpenSSL > > Are the versions of those different in your case to say Debian 8.5?

I am using the standard versions of all of these from the OS. I did not install them separately from . I have reproduced the failure on Debian 8 as well as Debian unstable so far and the versions of Apache and mod_perl in each were reported in the original bug report. OpenSSL versions are 1.0.1t-1+deb8u2 in Debian 8 and 1.0.2h-1 in Debian unstable. Show quoted text

> OS socket IO system

I don't know what you mean by "OS socket IO system", specifically. I don't believe anything was changed from OS defaults, and the failure was reproduced on separate systems running Debian 8 and unstable so far. -- Ivan Kohler President and Head Geek, Freeside Internet Services, Inc. http://freeside.biz/ Debian GNU/Linux developer | CPAN author | cat person | ski addict

Fri Jul 22 18:11:21 2016 ivan-pause [...] 420.am - Correspondence added

I believe I may have found something that may help you reproduce this. The problem only occurs if mod_ssl is enabled (Debian: a2enmod ssl; service apache restart)

Fri Jul 22 18:16:29 2016 ivan-pause [...] 420.am - Correspondence added

On Fri Jul 22 18:11:21 2016, IVAN wrote: Show quoted text

> I believe I may have found something that may help you reproduce this. > The problem only occurs if mod_ssl is enabled (Debian: a2enmod ssl; > service apache restart)

That should of course be "service apache2 restart". :)

Fri Jul 22 20:09:00 2016 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #116346] Under mod_perl, first client connection fails in CTX_new, but subsequent connections work
Date:	Sat, 23 Jul 2016 10:08:44 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi Ivan, interesting suggestion, but I have now tried that and still its working fine from the first attempt. Cheers. On Friday, July 22, 2016 06:16:29 PM Ivan Kohler via RT wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116346 > > > On Fri Jul 22 18:11:21 2016, IVAN wrote:

> > I believe I may have found something that may help you reproduce this. > > The problem only occurs if mod_ssl is enabled (Debian: a2enmod ssl; > > service apache restart)

> > That should of course be "service apache2 restart". :)

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Sun Sep 11 21:14:23 2016 ivan-pause [...] 420.am - Correspondence added

On Fri Jul 22 20:09:00 2016, mikem@airspayce.com wrote: Show quoted text

> Hi Ivan, > > interesting suggestion, but I have now tried that and still its > working fine > from the first attempt.

I haven't yet been able to narrow down the issue to a more specific test case that I can give you to reproduce. I'll keep working on that as time permits and see what I can do. I did want to let you know that this is an issue we saw with our Perl application "in the wild" on multiple customer production machines as well as our development testbed, not an isolated one-off. The workaround indicated earlier did fix it. I'll reiterate that we're using the Perl and OpenSSL components from Debian stable (not anything unusual or self-built), Thanks for taking the time to correspond with me concerning this. If anything at all about the detail I provided earlier (trace, error message, workaround) provides any hints as to what the problem might be, or if they suggest any further detail as to where I could continue to look into this, please do let me know. -- Ivan Kohler President and Head Geek, Freeside Internet Services, Inc. http://freeside.biz/ Debian GNU/Linux developer | CPAN author | cat person | ski addict

Mon Sep 12 01:05:00 2016 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #116346] Under mod_perl, first client connection fails in CTX_new, but subsequent connections work
Date:	Mon, 12 Sep 2016 07:04:29 +0200
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi Ivan Thanks I'm travelling at the moment and won't be able to look at this again until mid October Cheers Sent from my iPhone Show quoted text

> On 12 Sep 2016, at 3:14 AM, Ivan Kohler via RT <bug-Net-SSLeay@rt.cpan.org> wrote: > > Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116346 > >

>> On Fri Jul 22 20:09:00 2016, mikem@airspayce.com wrote: >> Hi Ivan, >> >> interesting suggestion, but I have now tried that and still its >> working fine >> from the first attempt.

> > I haven't yet been able to narrow down the issue to a more specific test case that I can give you to reproduce. I'll keep working on that as time permits and see what I can do. > > I did want to let you know that this is an issue we saw with our Perl application "in the wild" on multiple customer production machines as well as our development testbed, not an isolated one-off. The workaround indicated earlier did fix it. I'll reiterate that we're using the Perl and OpenSSL components from Debian stable (not anything unusual or self-built), > > Thanks for taking the time to correspond with me concerning this. If anything at all about the detail I provided earlier (trace, error message, workaround) provides any hints as to what the problem might be, or if they suggest any further detail as to where I could continue to look into this, please do let me know. > > -- > Ivan Kohler > President and Head Geek, Freeside Internet Services, Inc. http://freeside.biz/ > Debian GNU/Linux developer | CPAN author | cat person | ski addict >

Bug #116346 for Net-SSLeay: Under mod_perl, first client connection fails in CTX_new, but subsequent connections work