You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/10/07 22:26:52 UTC
[Bug 60223] New: Non-blocking SSL reads fail when OpenSSL errors are
already queued
https://bz.apache.org/bugzilla/show_bug.cgi?id=60223
Bug ID: 60223
Summary: Non-blocking SSL reads fail when OpenSSL errors are
already queued
Product: Apache httpd-2
Version: 2.4.16
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: paul.spangler@ni.com
Created attachment 34335
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34335&action=edit
Trunk patch to clear the error queue when SSL_get_error is needed
mod_ssl doesn't clear the OpenSSL error queue prior to calling SSL_read,
SSL_write, or SSL_accept. It then relies on SSL_get_error to be notified of
errors such as SSL_ERROR_WANT_READ. Modules such as mod_websocket that perform
non-blocking IO may receive errors if some other OpenSSL error is already
queued.
One specific series of events where I run into errors:
1. The server is configured to use mod_session_crypto with the OpenSSL APR
crypto provider.
2. The client connects over TLS and requests a WebSocket upgrade.
3. The client's session data is either corrupt or encrypted using an old key.
4. mod_session_crypto attempts to decrypt the session, which results in a call
to the OpenSSL function EVP_EncryptFinal_ex.
5. The decryption fails, and the EVP function queues an error to the thread's
OpenSSL error queue. The session is discarded, but APR never retrieves the
error.
6. The WebSocket upgrade is accepted, and mod_websocket begins a non-blocking
read on the input brigade.
7. mod_ssl calls SSL_read and the bio_filter_in_read reports no data is
available by calling BIO_set_retry_read and returning -1.
8. mod_ssl then calls SSL_get_error, but instead of getting
SSL_ERROR_WANT_READ, it gets the SSL_ERROR_SSL that was queued in step 5.
9. mod_websocket closes the connection due to the error returned by
ap_get_brigade.
The attached patch to mod_ssl simply calls ERR_clear_error() prior to calling
those three SSL_* functions. Patch was tested with a 2.4.16 64-bit Windows
build according to the sequence of events noted previously.
See https://www.openssl.org/docs/manmaster/ssl/SSL_get_error.html#DESCRIPTION
for reference.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 60223] Non-blocking SSL reads fail when OpenSSL errors are
already queued
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60223
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 60223] Non-blocking SSL reads fail when OpenSSL errors are
already queued
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60223
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Eric Covener <co...@gmail.com> ---
Fixed in 2.4.25
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 60223] Non-blocking SSL reads fail when OpenSSL errors are
already queued
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60223
--- Comment #1 from Jacob Champion <ch...@gmail.com> ---
Committed in r1769332 (plus a couple explanatory comments), and proposed for
backport to 2.4.x.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 60223] Non-blocking SSL reads fail when OpenSSL errors are
already queued
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60223
Paul Spangler <pa...@ni.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
Keywords| |PatchAvailable
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org