On 08/01/12 09:08, PaX Team wrote:
> On 1 Aug 2012 at 8:41, Michael Orlitzky wrote:
>> Thanks, here are strace -f logs from both the hardened box (where it
>> fails) and a vanilla gentoo x86 VM (where it works).
> mmap2(NULL, 307200000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = -1 ENOMEM (Cannot allocate memory)
> this can fail for several reasons, not enough RAM (depends on how overcommit is set),
> not enough address space (hardened/PIE and ASLR together change how big the holes in
> the address space end up, SEGMEXEC halves the address space), etc.
Hmm.. I think this indirectly solves the problem. I've got,
# cat /etc/security/limits.d/50-clamd.conf
#<domain> <type> <item> <value>
clamav - stack 512000
But it isn't taking effect:
# cat /proc/25394/limits | grep stack
Max stack size 307200000 307200000 bytes
So, clamd is likely running out of stack just like the test program. I
can probably figure that one out.
But, I'd ruled out the stack size limitation because resource oversteps
are supposed to be reported:
# cat /proc/config.gz | gunzip | grep GRKERNSEC_RESLOG
I've got nothing logged, even after the failures.
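An added example, not code from the thread: the C program below shows why a large stack limit turns into large MAP_STACK mappings like the 307200000-byte one in the strace. glibc's pthread_create() takes the soft RLIMIT_STACK it read at program start as the default stack size for every new thread, so each thread reserves that many bytes of address space whether or not it ever uses them, and under a halved (SEGMEXEC) or hole-ridden (PIE plus ASLR) 32-bit address space only a handful fit before mmap() returns ENOMEM. The program reports the limit, counts how many limit-sized regions the kernel hands out before refusing, and shows the usual remedy for a threaded daemon, an explicit pthread_attr_setstacksize(). The function names, the 64-region cap and the 256 KiB thread stack are my own choices.

```c
/* Added example: the address-space cost of RLIMIT_STACK for threads. */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

#ifndef MAP_STACK
#define MAP_STACK 0          /* flag is advisory; absent on some libcs */
#endif

/* Soft RLIMIT_STACK in bytes, 0 if unlimited. On glibc this is the default
 * pthread stack size, i.e. the length to expect on every MAP_STACK mmap()
 * a threaded program makes. */
size_t stack_rlimit_bytes(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return 0;
    return (size_t)rl.rlim_cur;
}

/* Reserve one thread-stack-sized region the way the C library does.
 * Returns 0 and the mapping in *out, otherwise errno (ENOMEM once the
 * address space or the overcommit budget is exhausted). */
int map_stack_region(size_t bytes, void **out)
{
    void *p = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    *out = p;
    return 0;
}

/* Map and immediately release one region; returns 0 or errno. */
int probe_stack_region(size_t bytes)
{
    void *p;
    int rc = map_stack_region(bytes, &p);
    if (rc == 0)
        munmap(p, bytes);
    return rc;
}

/* How many regions of `bytes` the kernel grants before refusing, capped at
 * `cap`; all of them are unmapped again. With a 300 MB limit on a 32-bit
 * box this is a small number, which is what a threaded daemon runs into. */
int count_stack_regions(size_t bytes, int cap)
{
    void **regions = calloc((size_t)cap, sizeof *regions);
    int n = 0;
    if (regions == NULL)
        return -1;
    while (n < cap && map_stack_region(bytes, &regions[n]) == 0)
        n++;
    for (int i = 0; i < n; i++)
        munmap(regions[i], bytes);
    free(regions);
    return n;
}

static void *worker(void *arg) { return arg; }

/* The remedy: give each thread an explicit stack instead of inheriting the
 * process stack limit. Returns 0 if the thread was created and joined. */
int spawn_with_stack(size_t bytes)
{
    pthread_attr_t attr;
    pthread_t tid;
    int rc = pthread_attr_init(&attr);
    if (rc != 0)
        return rc;
    rc = pthread_attr_setstacksize(&attr, bytes);
    if (rc == 0)
        rc = pthread_create(&tid, &attr, worker, NULL);
    pthread_attr_destroy(&attr);
    if (rc == 0)
        rc = pthread_join(tid, NULL);
    return rc;
}

int main(void)
{
    size_t lim = stack_rlimit_bytes();
    if (lim == 0) {
        puts("RLIMIT_STACK is unlimited; glibc uses its built-in default instead");
        return 0;
    }
    printf("RLIMIT_STACK soft limit: %zu bytes (each default thread stack)\n", lim);
    printf("%d limit-sized regions fit before ENOMEM (capped at 64)\n",
           count_stack_regions(lim, 64));
    int rc = spawn_with_stack(256 * 1024);
    printf("thread with an explicit 256 KiB stack: %s\n", rc ? strerror(rc) : "ok");
    return 0;
}
```

Build with `cc -pthread` and run it once with the normal limit and once under `ulimit -s 300000` to see the region count collapse; note that glibc reads the limit at exec time, so raising or lowering it inside the process does not change the threads' default.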
Date: Wed, 01 Aug 2012 15:59:54 +0200
Subject: Re: SSL problem/help
X-Mailing-List: <firstname.lastname@example.org> archive/latest/636721
01.08.2012 14:30, Benjamin Martin:
> I am having trouble connecting to a https url from machine A but not
> from machine B.
> Both machines are on the same network, but machine A is debian-testing
> and machine B is ubuntu 10.04. (both 64bit)
The important difference between the two machines is probably the
different versions of OpenSSL. Wheezy has OpenSSL 1.0.1 which introduces
new TLS protocols (TLS v1.1, v1.2).
The server seems to be unable to cope with those new protocols.
> It is a perl script that is doing the connecting (same script on both
> machines), on machine A it was reporting:
> "500 Can't connect to api.channeladvisor.com:443 "
> ... but not failing at all on B
> After doing some investigating, it seems the error message is a bit
> misleading, as I CAN connect to the host on port 443 .. some more
> investigation shows that when I run this:
> openssl s_client -host api.channeladvisor.com -port 443
> .. on machine B, I see nothing worrying and I can "GET /" the html page.
> (it's a forbidden page, but it returns nonetheless)
> .. but on machine A, I get the following error:
> no peer certificate available
> After some more investigation I found that if I add "-cipher 3DES" to
> the command so it becomes:
> openssl s_client -host api.channeladvisor.com -port 443 -cipher 3DES
> It works!
As would adding -tls1, which sets the protocol to TLSv1 (which means v1.x
is not offered).
> So this leaves me with a few questions/concerns.
> Why do I have to add the "-cipher" switch to get this to work?
> I am guessing there is slight problem with the cert at
> "api.channeladvisor.com" as not all https sites have this problem ...
> with that in mind I guess "testing" has been updated with stricter SSL
> processing.... or is this a bug?
> If this is a bug I would like to report it
> .. or ...
> Does anyone know how to "loosen" the SSL processing rules so the
> cert at api.channeladvisor.com is deemed valid?
As said above, it's probably not a cert but a protocol issue.
I don't know how to tell Perl to not use specific TLS versions, sorry.
> I don't really know what I am doing but I can use google and the command
> line.. so sorry if I missed any important detail or broke a list rule
> somehow... I am just a bit stuck
You have obviously tried to understand the problem, you have even come
up with a workaround, you have described pretty decently what exactly
you did - I don't see what else could be expected from you.
> PS. I have tried this on gentoo and centos and all seem to be ok .. just
> "testing" seems to display this problem
I'd bet the Gentoo and CentOS systems you tried that on come with an
OpenSSL version < 1.0.1.
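An added example, not code from the thread or from OpenSSL: the C program below builds a minimal ClientHello, parses it back and reports the two things an old server or middlebox is known to choke on when a newer client shows up: a client_version above TLS 1.0 (what `-tls1` removes) and a ClientHello handshake message of 256..511 bytes (the window the padding extension later added to OpenSSL was written for, and one that a short `-cipher` list can step out of). The cipher list is a constructed stand-in using real IANA suite IDs, the signature_algorithms list is constructed, and a real OpenSSL 1.0.1 hello is larger still because it also carries elliptic-curve, session-ticket and heartbeat extensions; nothing here touches the network. Function and constant names are my own.

```c
/* Added example: the bytes behind `-tls1` and `-cipher` on a ClientHello. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_0 0x0301
#define TLS1_2 0x0303
enum { HELLO_ABOVE_TLS10 = 1, HELLO_LEN_256_511 = 2 };

struct hello_info {
    uint16_t client_version;  /* highest version the client offers */
    size_t   handshake_len;   /* ClientHello message incl. 4-byte header */
    size_t   n_suites;
    int      has_sigalgs;     /* signature_algorithms extension present */
};

/* Constructed stand-in for a long default cipher list (real IANA IDs, order
 * is mine). `-cipher 3DES` leaves essentially one suite, 0x000a. */
static const uint16_t default_suites[] = {
    0xc014, 0xc00a, 0xc022, 0xc021, 0x0039, 0x0038, 0x0088, 0x0087, 0xc00f,
    0xc005, 0x0035, 0x0084, 0xc012, 0xc008, 0xc01c, 0xc01b, 0x0016, 0x0013,
    0xc00d, 0xc003, 0x000a, 0xc013, 0xc009, 0xc01f, 0xc01e, 0x0033, 0x0032,
    0x009a, 0x0099, 0x0045, 0x0044, 0xc00e, 0xc004, 0x002f, 0x0096, 0x0041,
    0xc011, 0xc007, 0xc00c, 0xc002, 0x0005, 0x0004, 0x0015, 0x0012, 0x0009,
    0x0014, 0x0011, 0x0008, 0x0006, 0x0003, 0x00ff };
#define N_DEFAULT (sizeof default_suites / sizeof default_suites[0])
static const uint16_t des3_only[] = { 0x000a };

static uint8_t *put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; return p + 2; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Serialise a ClientHello offering `version` and `n` suites. A TLS 1.2 hello
 * also carries a signature_algorithms extension (constructed list), one of
 * the reasons a 1.2 hello is bigger. Returns bytes written, 0 on error. */
size_t build_client_hello(uint8_t *out, size_t cap, uint16_t version,
                          const uint16_t *suites, size_t n)
{
    static const uint8_t sigalgs[16] = { 6,1, 5,1, 4,1, 3,1, 2,1, 6,3, 5,3, 4,3 };
    size_t body = 2 + 32 + 1 + 2 + 2 * n + 1 + 1;
    size_t ext  = version >= TLS1_2 ? 2 + 2 + 2 + 2 + sizeof sigalgs : 0;
    uint8_t *p = out;
    if (n > 0x7fff || cap < 5 + 4 + body + ext) return 0;
    *p++ = 0x16; p = put16(p, version); p = put16(p, (uint16_t)(4 + body + ext));
    *p++ = 0x01; *p++ = 0; p = put16(p, (uint16_t)(body + ext));   /* 24-bit length */
    p = put16(p, version);
    memset(p, 0x42, 32); p += 32;      /* constructed, fixed "random" */
    *p++ = 0;                          /* empty session_id */
    p = put16(p, (uint16_t)(2 * n));
    for (size_t i = 0; i < n; i++) p = put16(p, suites[i]);
    *p++ = 1; *p++ = 0;                /* compression_methods: null only */
    if (ext) {
        p = put16(p, (uint16_t)(ext - 2));                  /* extensions length */
        p = put16(p, 0x000d); p = put16(p, (uint16_t)(2 + sizeof sigalgs));
        p = put16(p, (uint16_t)sizeof sigalgs);
        memcpy(p, sigalgs, sizeof sigalgs); p += sizeof sigalgs;
    }
    return (size_t)(p - out);
}

/* Walk the record and handshake framing with bounds checks; 0 on success,
 * -1 on a truncated or malformed hello. */
int parse_client_hello(const uint8_t *buf, size_t len, struct hello_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < 5 + 4 + 2 + 32 + 1 || buf[0] != 0x16 || buf[5] != 0x01) return -1;
    size_t rec_len = get16(buf + 3), hs_len = ((size_t)buf[6] << 16) | get16(buf + 7);
    if (rec_len + 5 != len || hs_len + 4 != rec_len) return -1;
    info->handshake_len = hs_len + 4;
    const uint8_t *p = buf + 9, *end = buf + len;
    info->client_version = get16(p); p += 2 + 32;
    size_t sid = *p++;  if ((size_t)(end - p) < sid + 2) return -1;  p += sid;
    size_t cs = get16(p); p += 2;
    if (cs % 2 || (size_t)(end - p) < cs + 1) return -1;
    info->n_suites = cs / 2; p += cs;
    size_t comp = *p++; if ((size_t)(end - p) < comp) return -1;  p += comp;
    if (end - p >= 2) {                /* optional extensions block */
        size_t extlen = get16(p); p += 2;
        if ((size_t)(end - p) != extlen) return -1;
        while (end - p >= 4) {
            uint16_t type = get16(p), elen = get16(p + 2); p += 4;
            if ((size_t)(end - p) < elen) return -1;
            if (type == 0x000d) info->has_sigalgs = 1;
            p += elen;
        }
        if (p != end) return -1;
    }
    return 0;
}

/* Bitmask of the two compatibility hazards described in the lead-in. */
int hello_compat_flags(const struct hello_info *h)
{
    int f = 0;
    if (h->client_version > TLS1_0) f |= HELLO_ABOVE_TLS10;
    if (h->handshake_len >= 256 && h->handshake_len <= 511) f |= HELLO_LEN_256_511;
    return f;
}

/* Build-then-parse helpers: flags for an offer (-1 on error) and its size. */
int flags_for(uint16_t version, const uint16_t *suites, size_t n)
{
    uint8_t buf[1024]; struct hello_info h;
    size_t len = build_client_hello(buf, sizeof buf, version, suites, n);
    return (len && parse_client_hello(buf, len, &h) == 0) ? hello_compat_flags(&h) : -1;
}
size_t hello_len_for(uint16_t version, const uint16_t *suites, size_t n)
{
    uint8_t buf[1024];
    return build_client_hello(buf, sizeof buf, version, suites, n);
}

int main(void)
{
    struct { const char *what; uint16_t v; const uint16_t *s; size_t n; } cases[] = {
        { "default (TLS 1.2 offered)", TLS1_2, default_suites, N_DEFAULT },
        { "-tls1",                     TLS1_0, default_suites, N_DEFAULT },
        { "-cipher 3DES",              TLS1_2, des3_only, 1 },
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s record=%zu bytes flags=%d\n", cases[i].what,
               hello_len_for(cases[i].v, cases[i].s, cases[i].n),
               flags_for(cases[i].v, cases[i].s, cases[i].n));
    return 0;
}
```

The parser is the part worth keeping: pointed at a capture of the real hello (`openssl s_client -msg` or a pcap), it tells you which of the two fields changed between the working and the failing command, which is the evidence needed before deciding whether to blame the server's version handling or its tolerance of larger hellos.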