[Solved] Function not implemented loop

Added by mike1404 about 6 years ago

I am trying to upgrade from 1.4.35 to 1.4.48 on an embedded ARM926 board with a custom image (all packages are built from source). I am not trying to fix a specific issue using 1.4.35 but needed to make some modifications to the ciphers in the config and thought it a good chance to update.

Added the mod_openssl module to the config file. Package seems to build correctly without any errors. Using openssl v1.0.2n for ssl libraries.

Issue is when trying to connect via https on any browser (chrome, ie, firefox) using 1.4.48 I'm getting the following error message:

(connections.c.959) accept failed: Function not implemented 38

which will keep repeating until I kill the browser window. If I use 1.4.35 with the same config file (beside adding the mod_openssl module) I have no issues. I am still using my existing config file before I did any modifications to it. This config file has been working for a while without any problems with 1.4.35.

Config file:

server.document-root = "/home/www" 
server.port = 443
server.max-request-size=32428800
server.upload-dirs=( "/tmp" )
ssl.engine="enable" 
ssl.pemfile="/tmp/server.pem" 
ssl.ca-file="/tmp/CA.pem" 
ssl.use-sslv2="disable" 
ssl.use-sslv3="disable" 
ssl.honor-cipher-order = "enable" 
ssl.cipher-list = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL" 

server.errorlog-use-syslog = "enable" 
server.errorfile-prefix = "/home/www/status-" 

ssl.verifyclient.activate = "enable" 
ssl.verifyclient.enforce = "disable" 
ssl.verifyclient.depth = 3

server.modules = (
    "mod_indexfile",
    "mod_cgi",
    "mod_accesslog",
    "mod_setenv",
    "mod_auth",
    "mod_openssl" 
)
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload")
}
index-file.names = ("login.cs", "index.cs")
mimetype.assign = (
    ".cs"        => "text/html",
    ".css"        => "text/css",
    ".html"        => "text/html" 
)
cgi.assign = (
    "login.cs"    => "/home/www/cgi-bin/login.cgi",
    "menu.cs"    => "/home/www/cgi-bin/menu.cgi",
    ".cs"        => "/home/www/cgi-bin/ui.cgi",
    ".cgi"        => "",
    ".sh"         => "",
)

Am I missing an additional configuration setting required for 1.4.48? I did not do the initial package setup so am by no means an expert on the configs.

Mike


Replies (7)

RE: Function not implemented loop - Added by gstrauss about 6 years ago

Please try 'strace' on that test to see what system call is actually being made. My guess is that lighttpd is calling accept4() (not a typo) and there is a library stub for accept4() but it is not implemented in your kernel. If that is the case, it might work for you if I provide a patch that falls back to accept() if accept4() returns -1 with errno == ENOSYS

RE: Function not implemented loop - Added by mike1404 about 6 years ago

Thanks - output from strace. First couple of lines are at idle followed by the attempt to connect. The last four lines just keep repeating. Kernel is at 2.6.30 which I doubt we could change.

I did try updating to 1.4.41 and that worked without issues so somewhere between 41 and 48 we have an issue with our board. 41 looks to be the last version with security updates.

Mike

gettimeofday({tv_sec=1518643068, tv_usec=647464}, NULL) = 0
epoll_wait(5, [], 1025, 1000)           = 0
gettimeofday({tv_sec=1518643069, tv_usec=646620}, NULL) = 0
epoll_wait(5, [], 1025, 1000)           = 0
gettimeofday({tv_sec=1518643070, tv_usec=643809}, NULL) = 0
epoll_wait(5, [], 1025, 1000)           = 0
gettimeofday({tv_sec=1518643071, tv_usec=647723}, NULL) = 0
epoll_wait(5, [], 1025, 1000)           = 0
gettimeofday({tv_sec=1518643072, tv_usec=646632}, NULL) = 0
epoll_wait(5, [{EPOLLIN, {u32=3, u64=3}}], 1025, 1000) = 1
gettimeofday({tv_sec=1518643072, tv_usec=670815}, NULL) = 0
send(4, "<27>Feb 14 15:17:52 lighttpd[954"..., 98, MSG_NOSIGNAL) = 98
gettimeofday({tv_sec=1518643072, tv_usec=677722}, NULL) = 0
epoll_wait(5, [{EPOLLIN, {u32=3, u64=3}}], 1025, 1000) = 1
gettimeofday({tv_sec=1518643072, tv_usec=679544}, NULL) = 0
send(4, "<27>Feb 14 15:17:52 lighttpd[954"..., 98, MSG_NOSIGNAL) = 98
gettimeofday({tv_sec=1518643072, tv_usec=681833}, NULL) = 0
epoll_wait(5, [{EPOLLIN, {u32=3, u64=3}}], 1025, 1000) = 1
gettimeofday({tv_sec=1518643072, tv_usec=683839}, NULL) = 0
send(4, "<27>Feb 14 15:17:52 lighttpd[954"..., 98, MSG_NOSIGNAL) = 98
gettimeofday({tv_sec=1518643072, tv_usec=686119}, NULL) = 0
epoll_wait(5, [{EPOLLIN, {u32=3, u64=3}}], 1025, 1000) = 1
gettimeofday({tv_sec=1518643072, tv_usec=687834}, NULL) = 0
send(4, "<27>Feb 14 15:17:52 lighttpd[954"..., 98, MSG_NOSIGNAL) = 98
gettimeofday({tv_sec=1518643072, tv_usec=690095}, NULL) = 0
epoll_wait(5, [{EPOLLIN, {u32=3, u64=3}}], 1025, 1000) = 1
gettimeofday({tv_sec=1518643072, tv_usec=691800}, NULL) = 0

RE: Function not implemented loop - Added by gstrauss about 6 years ago

That looks like your client, not the lighttpd server. Please strace the lighttpd process. If you have multiple lighttpd workers, please comment that out of your config and run and strace a single lighttpd process.

Also, your kernel, as you seem to know, is quite ancient. If the strace shows that accept4() is not implemented, then you'll have to modify the lighttpd code to avoid accept4().

RE: Function not implemented loop - Added by stbuehler about 6 years ago

If accept4 is just implemented as a stub in libc you won't see it in the strace. The strace looks valid to me; epoll always wakes up on the same fd (3), tries to call accept4, fails, sends a message to syslog, goes back to epoll.

RE: Function not implemented loop - Added by mike1404 about 6 years ago

That should be the server. I ran the following from a command line:

strace lighttpd -Df /etc/lighttpd.conf

Thank you for the feedback; I at least have a place to start. Due to time constraints, I will update to 1.4.41 for now and work on either updating the kernel or looking at patching the server source as time permits in case we need to update to a newer version for security updates.

I know other threads have been marked [solved] but it may be a bit before I can dig into it. What should it be marked as?

If I do find a solution I will update and attach any patches used.

Mike

RE: Function not implemented loop - Added by gstrauss about 6 years ago

Untested patch for lighttpd 1.4.48 for your obscenely old kernel.

--- a/src/fdevent.c
+++ b/src/fdevent.c
@@ -568,6 +568,12 @@ int fdevent_accept_listenfd(int listenfd, struct sockaddr *addr, size_t *addrlen
        fd = (use_sock_cloexec)
          ? accept4(listenfd, addr, &len, SOCK_CLOEXEC | SOCK_NONBLOCK)
          : accept(listenfd, addr, &len);
+       if (fd < 0 && errno == ENOSYS) { /* && use_sock_cloexec */
+               fd = accept(listenfd, addr, &len);
+               if (fd >= 0) {
+                       force_assert(-1 != fdevent_fcntl_set_nb_cloexec(NULL, fd));
+               }
+       }
        #endif
       #else
        fd = accept(listenfd, addr, &len);
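
Review bot: In the added ENOSYS branch, force_assert(-1 != fdevent_fcntl_set_nb_cloexec(NULL, fd)) turns a failure to set flags on one accepted socket into an assertion failure for the whole server; closing fd and returning -1 there would drop only that connection. The use_sock_cloexec test is also left in a comment, so the retry is not limited to the accept4() path, and accept4() is still attempted and fails again on every later connection; putting use_sock_cloexec in the condition and, if it is writable at this point, clearing it after the first ENOSYS would avoid the repeated failing call.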

You talk about security updates in lighttpd, and you probably haven't read the lighttpd changelogs. Then again, if you're interested in security, you also shouldn't be running such an old kernel. Linux 2.6.30 was released on the 9th of June, 2009.
https://www.cvedetails.com/vulnerability-list.php?vendor_id=33&product_id=47&version_id=91559&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=230&sha=06eff2748331fd6c08901f4ed1b51ff62c1d0852

I am going to mark this "[Solved]" since a probable workaround has been provided, and the real answer is "don't do that", i.e. don't run such an obscenely old kernel and even suggest that you are secure.
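
The fallback discussed in this thread, written as a stand-alone Linux wrapper (an added example, not lighttpd's code and not part of the posts above): it remembers the first ENOSYS so later connections skip accept4(), and it closes the socket instead of aborting when fcntl() fails. The names `accept_nb_cloexec`, `simulate_enosys` and `demo_accept` are hypothetical, and the raw `syscall(SYS_accept4, ...)` stands in for the libc wrapper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

static int have_accept4 = 1; /* cleared after the first ENOSYS */
int simulate_enosys = 0;     /* hypothetical hook: pretend the kernel lacks accept4 */

/* Returns a non-blocking, close-on-exec fd, or -1 with errno set. */
int accept_nb_cloexec(int lfd, struct sockaddr *sa, socklen_t *len)
{
    int fd, fl;
    if (have_accept4 && !simulate_enosys) {
        /* raw syscall, so a kernel without accept4 answers ENOSYS directly */
        fd = (int)syscall(SYS_accept4, lfd, sa, len, SOCK_CLOEXEC | SOCK_NONBLOCK);
        if (fd >= 0 || errno != ENOSYS) return fd;
        have_accept4 = 0;    /* do not retry a missing syscall on every connection */
    }
    fd = accept(lfd, sa, len);
    if (fd < 0) return -1;
    fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) < 0 ||
        fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        int e = errno; close(fd); errno = e; /* drop this client, keep serving */
        return -1;
    }
    return fd;
}

/* Constructed self-test on an abstract AF_UNIX socket: 1 if both flags are set. */
int demo_accept(int force_fallback)
{
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0), cfd = socket(AF_UNIX, SOCK_STREAM, 0), fd, ok;
    snprintf(a.sun_path + 1, sizeof(a.sun_path) - 1, "accept-demo-%d", (int)getpid());
    if (bind(lfd, (struct sockaddr *)&a, sizeof(a)) < 0 || listen(lfd, 1) < 0 ||
        connect(cfd, (struct sockaddr *)&a, sizeof(a)) < 0) return -1;
    simulate_enosys = force_fallback;
    fd = accept_nb_cloexec(lfd, NULL, NULL);
    ok = fd >= 0 && (fcntl(fd, F_GETFD) & FD_CLOEXEC) && (fcntl(fd, F_GETFL) & O_NONBLOCK);
    close(fd); close(cfd); close(lfd);
    return ok;
}

int main(void) { return !(demo_accept(0) == 1 && demo_accept(1) == 1); }
```

The process exits with status 0 when both the accept4() path and the forced fallback path return a socket with O_NONBLOCK and FD_CLOEXEC set.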

RE: [Solved] Function not implemented loop - Added by mike1404 about 6 years ago

Thank you for the patch and the link.

Points well taken. Updating the kernel would be difficult due to the age of the hardware involved.

Difficult should never be used as an excuse though and I will see what can be done about getting the kernel updated.

Mike
