Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/12/09 20:00:56 UTC

[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032

https://issues.apache.org/bugzilla/show_bug.cgi?id=57334

--- Comment #1 from reto.ischi@ergon.ch ---
To reproduce the segmentation fault the following configuration prerequisites
must be met:
- SNI setup: Two VH on the same IP
- SSLVerifyClient require or optional and OptRenegotiate set on the *second*
virtual host
- SSLInsecureRenegotiation on

Minimal httpd.conf:
===================
ServerRoot           /opt/airlock/ext-apache
PidFile              /var/run/airlock-ext-apache/httpd.pid
CoreDumpDirectory    /var/airlock/core/airlock-ext-apache
User                 extwww
Group                extwww

LoadModule ssl_module        bin/mod_ssl.so

Listen     10.0.0.10

SSLCertificateFile       conf/ssl.crt/server.crt
SSLCertificateKeyFile    conf/ssl.key/server.key

ErrorDocument 403 /error_path/403.html
SSLInsecureRenegotiation on

<Location /error_path>
</Location>

<VirtualHost 10.0.0.10:443>
ServerName               serverA
SSLEngine                on
</VirtualHost>

<VirtualHost 10.0.0.10:443>
ServerName               serverB
SSLEngine                on
SSLVerifyClient          require
SSLOptions               +OptRenegotiate
</VirtualHost>
===================

Now every request with a client certificate and without the TLS SNI extension
set (like with IE7/XP) in the ClientHello message will cause the segmentation
fault. This can be reproduced with openssl s_client without the "-servername"
option:

openssl s_client -connect serverB:443 -cert clientCert.pem -key clientKey.pem -tls1 -crlf

GDB backtrace and additional info:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe37eb700 (LWP 13480)]
0x00007ffff00000b8 in ?? ()
(gdb) bt
#0  0x00007ffff00000b8 in ?? ()
#1  0x00007ffff615746b in SSL_renegotiate (s=0x7ffff0038e10) at ssl_lib.c:1032
#2  0x00007ffff63a5add in ssl_hook_Access (r=0x7ffff003e7a0) at ssl_engine_kernel.c:801
#3  0x00007ffff7fa1897 in ap_run_access_checker (r=0x7ffff003e7a0) at request.c:87
#4  0x00007ffff7fa28a8 in ap_process_request_internal (r=0x7ffff003e7a0) at request.c:229
#5  0x00007ffff7fd7c13 in ap_internal_redirect (new_uri=0x7ffff8273f98 "/error_path/403.html", r=0x7ffff003cde0) at http_request.c:642
#6  0x00007ffff7fd6162 in ap_die (type=403, r=0x7ffff003cde0) at http_request.c:202
#7  0x00007ffff7fd6b9a in ap_process_async_request (r=0x7ffff003cde0) at http_request.c:350
#8  0x00007ffff7fd6bd1 in ap_process_request (r=0x7ffff003cde0) at http_request.c:363
#9  0x00007ffff7fd26e3 in ap_process_http_sync_connection (c=0x7fffdc000c48) at http_core.c:190
#10 0x00007ffff7fd280d in ap_process_http_connection (c=0x7fffdc000c48) at http_core.c:231
#11 0x00007ffff7fbe5df in ap_run_process_connection (c=0x7fffdc000c48) at connection.c:41
#12 0x00007ffff7fbeb0a in ap_process_connection (c=0x7fffdc000c48, csd=0x7fffdc000a30) at connection.c:203
#13 0x00007ffff5ad1b5d in process_socket (thd=0x7ffff8241e70, dummy=Unhandled dwarf expression opcode 0xf3

(gdb) frame 1
#1  0x00007ffff615746b in SSL_renegotiate (s=0x7fffdc0028d0) at ssl_lib.c:1032
1032            return(s->method->ssl_renegotiate(s));

(gdb) print s->method->ssl_renegotiate
$1 = (int (*)(SSL *)) 0x7fffdc0000b8

(gdb) disassemble 0x7fffdc0000b8
No function contains specified address.

Thanks for your help

Reto
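
An added example, not part of the original bug comment or of httpd: a small audit script that flags virtual hosts matching the three prerequisites listed in the comment. It assumes a single flat config file (no Include handling) and treats any vhost that is not the first on its address as the "second" one; the function names are hypothetical.

```python
import re

# Constructed sample: the SSL-relevant directives from the minimal httpd.conf above.
SAMPLE_CONF = """\
SSLInsecureRenegotiation on
<VirtualHost 10.0.0.10:443>
ServerName serverA
SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.10:443>
ServerName serverB
SSLEngine on
SSLVerifyClient require
SSLOptions +OptRenegotiate
</VirtualHost>
"""

def parse(conf):
    """Split flat httpd.conf text into global directives and per-vhost directives."""
    glob, vhosts, cur = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = {"addr": m.group(1).strip().lower(), "d": {}}
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        elif not line.startswith("<"):  # skip other section tags such as <Location>
            parts = line.split(None, 1)
            target = cur["d"] if cur else glob
            target[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return glob, vhosts

def findings(conf):
    """Return ServerNames of vhosts that meet all three prerequisites in the report."""
    glob, vhosts = parse(conf)
    seen, hits = set(), []
    for vh in vhosts:
        eff = {k: v.lower() for k, v in {**glob, **vh["d"]}.items()}
        is_first = vh["addr"] not in seen  # assumption: only later vhosts on an address count
        seen.add(vh["addr"])
        opts = eff.get("ssloptions", "")
        if (not is_first and eff.get("sslverifyclient") in ("require", "optional")
                and "optrenegotiate" in opts and "-optrenegotiate" not in opts
                and eff.get("sslinsecurerenegotiation") == "on"):
            hits.append(vh["d"].get("servername", vh["addr"]))
    return hits

if __name__ == "__main__":
    print(findings(SAMPLE_CONF))
```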
