Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/07/25 14:50:18 UTC
DO NOT REPLY [Bug 42972] New: - Certificate list in mod_ssl module context are not sorted
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42972>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42972
Summary: Certificate list in mod_ssl module context are not sorted
Product: Apache httpd-2
Version: 2.2.4
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: pascal.buchbinder@united-security-providers.ch
mod_ssl re-uses its module context for each request/connection.
Example:
    static void ssl_init_ctx_cipher_suite(server_rec *s,
                                          apr_pool_t *p,
                                          apr_pool_t *ptemp,
                                          modssl_ctx_t *mctx)
    {
        SSL_CTX *ctx = mctx->ssl_ctx;
This context is accessed as "read only" and can therefore be shared between
threads. OpenSSL uses mutexes when accessing global objects (e.g. random
generation).
The problem I encounter: the server certificates are stored in OpenSSL stacks.
The objects in this stack need to be sorted when they get accessed the very
first time (sk_find() brings the objects in the right order using qsort()).
Stack trace:
ssl_io_filter_input()
ssl_io_filter_connect()
SSL_accept()
ssl23_accept()
ssl23_get_client_hello()
SSL_accept()
ssl3_accept()
ssl3_send_server_certificate()
ssl3_output_cert_chain()
X509_STORE_get_by_subject()
X509_OBJECT_retrieve_by_subject()
X509_OBJECT_idx_by_subject()
sk_find()
internal_find()
sk_sort()
qsort()
x509_object_cmp()
When starting multiple requests (new SSL handshakes) in parallel right after a
server restart, the server might crash because multiple threads access the
certificate stack, which has not been sorted yet (segmentation fault in
x509_object_cmp() due to the certificate objects being moved around within the
stack while it is sorted).
Possible workaround:
Manual sort of the stacks in the SSL context at server startup, e.g. in mod_ssl's
ssl_init_ctx_verify()
Example:
    /* sk_find() only sorts stacks that have a comparator set; sort those
     * once here, while the server is still single-threaded */
    if (ctx->cert_store->objs->comp) {
        sk_sort(ctx->cert_store->objs);
    }
Impact of this issue is not very high because:
- it can only happen after a server restart
- may cause a crash of one single server child process
- happens only in a multithreaded environment (MPM worker)
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 42972] - Certificate list in mod_ssl module context are not sorted, causes segfault
Posted by bu...@apache.org.
------- Additional Comments From rpluem@apache.org 2007-09-27 01:07 -------
It would be helpful to have one with line numbers and the parameters supplied to
the functions.
DO NOT REPLY [Bug 42972] - Certificate list in mod_ssl module context are not sorted, causes segfault
Posted by bu...@apache.org.
------- Additional Comments From pascal.buchbinder@united-security-providers.ch 2007-09-27 00:36 -------
ssl_io_filter_input()
ssl_io_filter_connect()
SSL_accept()
ssl23_accept()
ssl23_get_client_hello()
SSL_accept()
ssl3_accept()
ssl3_send_server_certificate()
ssl3_output_cert_chain()
X509_STORE_get_by_subject()
X509_OBJECT_retrieve_by_subject()
X509_OBJECT_idx_by_subject()
sk_find()
internal_find()
sk_sort()
qsort()
=> x509_object_cmp()
DO NOT REPLY [Bug 42972] - Certificate list in mod_ssl module context are not sorted, causes segfault
Posted by bu...@apache.org.
pascal.buchbinder@united-security-providers.ch changed:
What    | Removed                     | Added
--------+-----------------------------+-----------------------------
Summary | Certificate list in mod_ssl | Certificate list in mod_ssl
        | module context are not      | module context are not
        | sorted                      | sorted, causes segfault
------- Additional Comments From pascal.buchbinder@united-security-providers.ch 2007-09-27 00:07 -------
change subject from "Certificate list in mod_ssl module context are not sorted"
to "Certificate list in mod_ssl module context are not sorted, causes segfault"
DO NOT REPLY [Bug 42972] - Certificate list in mod_ssl module context are not sorted, causes segfault
Posted by bu...@apache.org.
------- Additional Comments From pascal.buchbinder@united-security-providers.ch 2007-09-27 06:34 -------
Well, it does not matter where the segmentation fault happens. The problem is
that the object (OpenSSL stack objects within the SSL context) is shared between
processes/threads. This object is accessed read-only, therefore no mutex is
required when accessing it. The problem is that OpenSSL does a sort (changing
the order of the objects within the stack for fast access) when accessing the
stack the very first time. In order to prevent this sort when accessing the
stack from multiple parallel requests, I suggest forcing a stack sort at server
startup (right after all certificates have been loaded), e.g. in the function
ssl_init_ctx_verify().
Well, this is only a minor change request (the worst thing that happens is
probably a segfault of some child processes at server startup).
Many thanks...
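The race described in the original report (sk_find() sorting the shared certificate stack on first access) and in the comment above (forcing the sort at startup instead) both come down to one property: once a structure is shared between workers without a lock, the request phase must never write to it. The following added example is not mod_ssl or OpenSSL code; it is a small model of an OpenSSL-style stack with a lazy find(), written to show the hidden write and the startup-time fix. The names cert_stack, stack_init_for_sharing, request_phase_writes and the writes audit counter are hypothetical, and the subject names are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not mod_ssl or OpenSSL code: a minimal model of an
 * OpenSSL-style stack whose find() sorts lazily on first use, the same
 * shape as the sk_find() -> sk_sort() -> qsort() path in the backtrace.
 * Names (cert_stack, writes, sample_subjects) are hypothetical. */

typedef int (*cmp_fn)(const void *, const void *);

typedef struct {
    const char **data;  /* element pointers; here constructed subject names */
    int num;
    int sorted;         /* 0 until sorted; a lazy find() flips it */
    cmp_fn comp;        /* comparator; NULL means linear search and no sort */
    int writes;         /* audit counter: mutations of this shared object */
} cert_stack;

/* qsort/bsearch hand us pointers to array slots, i.e. const char **. */
static int subject_cmp(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Equivalent of sk_sort(): reorders the shared array in place. */
static void stack_sort(cert_stack *sk)
{
    if (sk->comp && !sk->sorted) {
        qsort(sk->data, (size_t)sk->num, sizeof(sk->data[0]), sk->comp);
        sk->sorted = 1;
        sk->writes++;   /* a write to state every worker believes is read-only */
    }
}

/* Lazy find, modelled on sk_find(): sort on first call, then bsearch.
 * Returns the index of the element or -1. */
static int stack_find(cert_stack *sk, const char *subject)
{
    if (sk->comp == NULL) {
        for (int i = 0; i < sk->num; i++)
            if (strcmp(sk->data[i], subject) == 0)
                return i;
        return -1;
    }
    stack_sort(sk);     /* the hidden write that races with concurrent finds */
    const char **hit = bsearch(&subject, sk->data, (size_t)sk->num,
                               sizeof(sk->data[0]), sk->comp);
    return hit ? (int)(hit - sk->data) : -1;
}

/* Startup-time fix in the spirit of the reporter's workaround: sort once,
 * while still single-threaded, before the stack is shared with workers. */
static void stack_init_for_sharing(cert_stack *sk)
{
    if (sk->comp)
        stack_sort(sk);
}

/* Constructed sample: subject names in load order, deliberately unsorted. */
static const char *sample_subjects[] = {
    "CN=www.example.test",
    "CN=Intermediate CA",
    "CN=Root CA",
    "CN=api.example.test",
};
#define NSAMPLE ((int)(sizeof(sample_subjects) / sizeof(sample_subjects[0])))

static cert_stack make_sample_stack(void)
{
    cert_stack sk;
    sk.data = malloc(sizeof(sample_subjects));
    memcpy(sk.data, sample_subjects, sizeof(sample_subjects));
    sk.num = NSAMPLE;
    sk.sorted = 0;
    sk.comp = subject_cmp;
    sk.writes = 0;
    return sk;
}

/* Simulate the request phase, where workers only call find(). Returns how
 * many times the shared stack was mutated during that phase; for lock-free
 * sharing the answer must be 0. */
static int request_phase_writes(cert_stack *sk, int presort)
{
    if (presort)
        stack_init_for_sharing(sk);
    int before = sk->writes;
    (void)stack_find(sk, "CN=Root CA");
    (void)stack_find(sk, "CN=www.example.test");
    return sk->writes - before;
}

int main(void)
{
    cert_stack lazy = make_sample_stack();
    cert_stack eager = make_sample_stack();
    printf("writes during request phase, lazy sort: %d\n", request_phase_writes(&lazy, 0));
    printf("writes during request phase, presorted: %d\n", request_phase_writes(&eager, 1));
    printf("index of CN=Root CA after sort: %d\n", stack_find(&eager, "CN=Root CA"));
    free(lazy.data);
    free(eager.data);
    return 0;
}
```

The writes counter stands in for what a data-race detector would report: with the lazy variant the first lookup of the request phase reorders the array, so two workers searching at the same time can observe elements mid-move, which is the condition behind the x509_object_cmp() crash in the backtrace. With the sort forced in the single-threaded init path, the counter stays at zero during the request phase and sharing without a mutex is sound.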
DO NOT REPLY [Bug 42972] - Certificate list in mod_ssl module context are not sorted, causes segfault
Posted by bu...@apache.org.
rpluem@apache.org changed:
What   | Removed | Added
-------+---------+---------
Status | NEW     | NEEDINFO
------- Additional Comments From rpluem@apache.org 2007-09-27 00:13 -------
Can you please provide a backtrace of the crash (see
http://httpd.apache.org/dev/debugging.html)?