Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/12/09 20:00:56 UTC
[Bug 57334] Segmentation fault in SSL_renegotiate at ssl_lib.c:1032
https://issues.apache.org/bugzilla/show_bug.cgi?id=57334
--- Comment #1 from reto.ischi@ergon.ch ---
To reproduce the segmentation fault the following configuration prerequisites
must be met:
- SNI setup: Two VH on the same IP
- SSLVerifyClient require or optional and OptRenegotiate set on the *second*
virtual host
- SSLInsecureRenegotiation on
Minimal httpd.conf:
===================
ServerRoot /opt/airlock/ext-apache
PidFile /var/run/airlock-ext-apache/httpd.pid
CoreDumpDirectory /var/airlock/core/airlock-ext-apache
User extwww
Group extwww
LoadModule ssl_module bin/mod_ssl.so
Listen 10.0.0.10
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
ErrorDocument 403 /error_path/403.html
SSLInsecureRenegotiation on
<Location /error_path>
</Location>
<VirtualHost 10.0.0.10:443>
ServerName serverA
SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.10:443>
ServerName serverB
SSLEngine on
SSLVerifyClient require
SSLOptions +OptRenegotiate
</VirtualHost>
===================
Now every request with a client certificate and without the TLS SNI extension
set (like with IE7/XP) in the ClientHello message will cause the segmentation
fault. This can be reproduced with openssl s_client without the "-servername"
option:
openssl s_client -connect serverB:443 -cert clientCert.pem -key clientKey.pem -tls1 -crlf
GDB backtrace and additional info:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe37eb700 (LWP 13480)]
0x00007ffff00000b8 in ?? ()
(gdb) bt
#0 0x00007ffff00000b8 in ?? ()
#1 0x00007ffff615746b in SSL_renegotiate (s=0x7ffff0038e10) at ssl_lib.c:1032
#2 0x00007ffff63a5add in ssl_hook_Access (r=0x7ffff003e7a0) at ssl_engine_kernel.c:801
#3 0x00007ffff7fa1897 in ap_run_access_checker (r=0x7ffff003e7a0) at request.c:87
#4 0x00007ffff7fa28a8 in ap_process_request_internal (r=0x7ffff003e7a0) at request.c:229
#5 0x00007ffff7fd7c13 in ap_internal_redirect (new_uri=0x7ffff8273f98 "/error_path/403.html", r=0x7ffff003cde0) at http_request.c:642
#6 0x00007ffff7fd6162 in ap_die (type=403, r=0x7ffff003cde0) at http_request.c:202
#7 0x00007ffff7fd6b9a in ap_process_async_request (r=0x7ffff003cde0) at http_request.c:350
#8 0x00007ffff7fd6bd1 in ap_process_request (r=0x7ffff003cde0) at http_request.c:363
#9 0x00007ffff7fd26e3 in ap_process_http_sync_connection (c=0x7fffdc000c48) at http_core.c:190
#10 0x00007ffff7fd280d in ap_process_http_connection (c=0x7fffdc000c48) at http_core.c:231
#11 0x00007ffff7fbe5df in ap_run_process_connection (c=0x7fffdc000c48) at connection.c:41
#12 0x00007ffff7fbeb0a in ap_process_connection (c=0x7fffdc000c48, csd=0x7fffdc000a30) at connection.c:203
#13 0x00007ffff5ad1b5d in process_socket (thd=0x7ffff8241e70, dummy=Unhandled dwarf expression opcode 0xf3
(gdb) frame 1
#1 0x00007ffff615746b in SSL_renegotiate (s=0x7fffdc0028d0) at ssl_lib.c:1032
1032 return(s->method->ssl_renegotiate(s));
(gdb) print s->method->ssl_renegotiate
$1 = (int (*)(SSL *)) 0x7fffdc0000b8
(gdb) disassemble 0x7fffdc0000b8
No function contains specified address.
Thanks for your help
Reto
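
A configuration check for the three prerequisites listed in the comment above, as an added example (not part of the original report and not httpd project code). The function names and the simplified parsing (no Include handling, a vhost value simply replaces the global one, vhosts are grouped by their literal address string) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the report's minimal httpd.conf reduced to the directives this check reads.
SAMPLE_CONF = """\
SSLInsecureRenegotiation on
<VirtualHost 10.0.0.10:443>
ServerName serverA
</VirtualHost>
<VirtualHost 10.0.0.10:443>
ServerName serverB
SSLVerifyClient require
SSLOptions +OptRenegotiate
</VirtualHost>
"""

def parse_vhosts(conf_text):
    """Return (global directives, vhosts in file order); directive names lowercased."""
    global_d, vhosts, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opening = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opening:
            current = {"addr": opening.group(1).strip(), "d": {}}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif line and line[0] not in "#<":  # skip comments and other containers' tags
            name, value = (line.split(None, 1) + [""])[:2]
            (current["d"] if current else global_d)[name.lower()] = value
    return global_d, vhosts

def find_risky_vhosts(conf_text):
    """ServerNames of non-first vhosts that meet all three reported prerequisites."""
    global_d, vhosts = parse_vhosts(conf_text)
    seen, hits = defaultdict(int), []
    for vh in vhosts:
        d = {**global_d, **vh["d"]}  # simplification: vhost value replaces global value
        seen[vh["addr"]] += 1
        verify = d.get("sslverifyclient", "none").lower() in ("require", "optional")
        opts = d.get("ssloptions", "").lower().split()
        optreneg = any(o.lstrip("+") == "optrenegotiate" for o in opts)
        insecure = d.get("sslinsecurerenegotiation", "off").lower() == "on"
        if seen[vh["addr"]] > 1 and verify and optreneg and insecure:
            hits.append(d.get("servername", vh["addr"]))
    return hits

if __name__ == "__main__":
    print(find_risky_vhosts(SAMPLE_CONF))
```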