Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/12/09 19:31:21 UTC
[Bug 57334] New: Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
Bug ID: 57334
Summary: Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Product: Apache httpd-2
Version: 2.4.10
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: reto.ischi@ergon.ch
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
Michael Kaufmann <ap...@michael-kaufmann.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |apache-bugzilla@michael-kaufmann.ch
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
--- Comment #8 from Yann Ylavic <yl...@gmail.com> ---
Proposed for backport in r1644501.
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
Yann Ylavic <yl...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ylavic.dev@gmail.com
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
nada <ap...@valgronda.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |apache_bugzilla@valgronda.com
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
Yann Ylavic <yl...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--- Comment #5 from Yann Ylavic <yl...@gmail.com> ---
All right, got it.
It only happens if I remove SSLCACertificateFile (which is not part of your
minimal configuration...), hence the forbidden path is indeed involved.
Let me take a look at the core file.
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
--- Comment #6 from Yann Ylavic <yl...@gmail.com> ---
Created attachment 32281
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32281&action=edit
Don't crash on redirected SSL handshake failure
This patch fixed the issue for me.
Can you give it a try?
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
--- Comment #1 from reto.ischi@ergon.ch ---
To reproduce the segmentation fault the following configuration prerequisites
must be met:
- SNI setup: Two VH on the same IP
- SSLVerifyClient require or optional and OptRenegotiate set on the *second*
virtual host
- SSLInsecureRenegotiation on
Minimal httpd.conf:
===================
ServerRoot /opt/airlock/ext-apache
PidFile /var/run/airlock-ext-apache/httpd.pid
CoreDumpDirectory /var/airlock/core/airlock-ext-apache
User extwww
Group extwww
LoadModule ssl_module bin/mod_ssl.so
Listen 10.0.0.10
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
ErrorDocument 403 /error_path/403.html
SSLInsecureRenegotiation on
<Location /error_path>
</Location>
<VirtualHost 10.0.0.10:443>
ServerName serverA
SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.10:443>
ServerName serverB
SSLEngine on
SSLVerifyClient require
SSLOptions +OptRenegotiate
</VirtualHost>
===================
Now every request with a client certificate and without the TLS SNI extension
set (like with IE7/XP) in the ClientHello message will cause the segmentation
fault. This can be reproduced with openssl s_client without the "-servername"
Option:
openssl s_client -connect serverB:443 -cert clientCert.pem -key clientKey.pem -tls1 -crlf
GDB backtrace and additional infos:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe37eb700 (LWP 13480)]
0x00007ffff00000b8 in ?? ()
(gdb) bt
#0 0x00007ffff00000b8 in ?? ()
#1 0x00007ffff615746b in SSL_renegotiate (s=0x7ffff0038e10) at ssl_lib.c:1032
#2 0x00007ffff63a5add in ssl_hook_Access (r=0x7ffff003e7a0) at ssl_engine_kernel.c:801
#3 0x00007ffff7fa1897 in ap_run_access_checker (r=0x7ffff003e7a0) at request.c:87
#4 0x00007ffff7fa28a8 in ap_process_request_internal (r=0x7ffff003e7a0) at request.c:229
#5 0x00007ffff7fd7c13 in ap_internal_redirect (new_uri=0x7ffff8273f98 "/error_path/403.html", r=0x7ffff003cde0) at http_request.c:642
#6 0x00007ffff7fd6162 in ap_die (type=403, r=0x7ffff003cde0) at http_request.c:202
#7 0x00007ffff7fd6b9a in ap_process_async_request (r=0x7ffff003cde0) at http_request.c:350
#8 0x00007ffff7fd6bd1 in ap_process_request (r=0x7ffff003cde0) at http_request.c:363
#9 0x00007ffff7fd26e3 in ap_process_http_sync_connection (c=0x7fffdc000c48) at http_core.c:190
#10 0x00007ffff7fd280d in ap_process_http_connection (c=0x7fffdc000c48) at http_core.c:231
#11 0x00007ffff7fbe5df in ap_run_process_connection (c=0x7fffdc000c48) at connection.c:41
#12 0x00007ffff7fbeb0a in ap_process_connection (c=0x7fffdc000c48, csd=0x7fffdc000a30) at connection.c:203
#13 0x00007ffff5ad1b5d in process_socket (thd=0x7ffff8241e70, dummy=Unhandled dwarf expression opcode 0xf3
(gdb) frame 1
#1 0x00007ffff615746b in SSL_renegotiate (s=0x7fffdc0028d0) at ssl_lib.c:1032
1032 return(s->method->ssl_renegotiate(s));
(gdb) print s->method->ssl_renegotiate
$1 = (int (*)(SSL *)) 0x7fffdc0000b8
(gdb) disassemble 0x7fffdc0000b8
No function contains specified address.
Thanks for your help
Reto
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
--- Comment #4 from Yann Ylavic <yl...@gmail.com> ---
I still can't reproduce, even with ErrorDocument configured.
Should ErrorDocument play a role here, maybe the renegotiation fails somehow
(as opposed to a crash in SSL_renegotiate(), like in the provided backtrace),
so that mod_ssl hits the HTTP_FORBIDDEN path.
Can you please provide the log with LogLevel TRACE8 (and fake certificates) and
also the backtrace of all the threads?
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
--- Comment #7 from Reto Ischi <re...@ergon.ch> ---
Patch works for me as well.
Thank you Yann!
Reto
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
--- Comment #3 from reto.ischi@ergon.ch ---
We have openssl-1.0.1j as well.
I'm using this expect script to reproduce it:
#!/usr/bin/expect
set HOST serverB
set CERT myCert.pem
set KEY mykey.pem
spawn openssl s_client -connect $HOST:443 -cert $CERT -key $KEY -tls1 -crlf
expect -- "---"
send "GET / HTTP/1.1\n"
send "Host: $HOST\n"
send "\n"
expect eof
Note that the lines:
ErrorDocument 403 /error_path/403.html
<Location /error_path>
</Location>
from the minimal httpd.conf are also necessary to reproduce the segfault
(independent of whether 403.html exists or not).
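A defender-side check for the configuration combination reported in this thread (the prerequisites from comment #1 plus the ErrorDocument lines from comment #3), as an added example that is not part of the original thread or of httpd. The function names and the sample are constructed, and the parser assumes a flat config with directives in global or VirtualHost scope only.

```python
import re

# Constructed sample: the reporter's minimal httpd.conf, cut down to the
# directives this check reads.
SAMPLE = """\
ErrorDocument 403 /error_path/403.html
SSLInsecureRenegotiation on
<VirtualHost 10.0.0.10:443>
ServerName serverA
</VirtualHost>
<VirtualHost 10.0.0.10:443>
ServerName serverB
SSLVerifyClient require
SSLOptions +OptRenegotiate
</VirtualHost>
"""

def parse(conf):
    """Return (global directives, [vhost dicts]); other <Section> tags are ignored."""
    glob, vhosts, cur = [], [], None
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = {"addr": m.group(1).strip(), "dirs": []}
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        elif line and line[0] not in "#<":
            name, *args = line.split()
            (cur["dirs"] if cur else glob).append((name.lower(), args))
    return glob, vhosts

def has(dirs, name, pred):
    """True if any directive `name` has (lower-cased) arguments accepted by pred."""
    return any(n == name and pred([a.lower() for a in args]) for n, args in dirs)

def audit(conf):
    """ServerNames of non-first vhosts on a shared address matching the thread's conditions."""
    glob, vhosts = parse(conf)
    local_403 = has(glob, "errordocument",
                    lambda a: len(a) > 1 and a[0] == "403" and a[1].startswith("/"))
    seen, hits = set(), []
    for vh in vhosts:
        d = vh["dirs"]
        later = vh["addr"] in seen  # not the first vhost declared for this IP:port
        seen.add(vh["addr"])
        insecure = has(glob + d, "sslinsecurerenegotiation", lambda a: a[:1] == ["on"])
        verify = has(d, "sslverifyclient", lambda a: a[:1] in (["require"], ["optional"]))
        optreneg = has(d, "ssloptions", lambda a: any(o.lstrip("+") == "optrenegotiate" for o in a))
        if later and local_403 and insecure and verify and optreneg:
            hits += [args[0] for n, args in d if n == "servername" and args]
    return hits
```

Calling audit(SAMPLE) lists the virtual hosts that match every reported condition; an empty list means at least one condition is absent.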
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
Yann Ylavic <yl...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #2 from Yann Ylavic <yl...@gmail.com> ---
I can't reproduce here with openssl-1.0.1j, the renegotiation works as expected.
Which version of openssl are you using?