Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/12/05 17:04:53 UTC

DO NOT REPLY [Bug 37791] New: - SEGV if the client is connection plain to a SSL enabled port

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=37791>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37791

           Summary: SEGV if the client is connection plain to a SSL enabled
                    port
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: Hartmut.Keil@adnovum.ch


Consider the following configuration:


ErrorDocument 400 /server_error.html

Listen  some.server.com:443 
<VirtualHost some.server.com:443>

ServerName   some.server.com:443

SSLEngine               On
SSLProtocol             +TLSv1 +SSLv3
SSLCipherSuite          !EXPORT56:RC4-MD5:DES-CBC3-SHA:EXP-RC4-MD5
SSLOptions              +OptRenegotiate +StdEnvVars
SSLCertificateFile      server-cert.pem

<Location / >
SSLCipherSuite DES-CBC3-SHA
</Location>

</VirtualHost>  

If a client connects in plain text to the SSL port, the server cores with the
following stack (debug build on Solaris):

dummy_worker(opaque = 0x156088)
worker_thread(thd = 0x156088, dummy = 0x22b020)
process_socket(p = 0x23a4a8, sock = 0x23a4e0, my_child_num = 0, my_thread_num = 9, bucket_alloc = 0x23c4b0)
ap_process_connection(c = 0x23a5d0, csd = 0x23a4e0)
ap_run_process_connection(0x23a5d0, 0x23a4e0, 0x23a4e0, 0x9, 0x23a5c8, 0x23c4b0)
ap_process_http_connection(c = 0x23a5d0)
ap_read_request(conn = 0x23a5d0)
ap_die(type = 400, r = 0x244500)
ap_internal_redirect(new_uri = 0x150410 "/server_error.html", r = 0x244500)
ap_process_request_internal(r = 0x245388)
ap_run_access_checker(0x245388, 0xfee9630c, 0x245c92, 0xffffffff, 0xfffffff8, 0x245510)
ssl_hook_Access(r = 0x245388)
SSL_get_current_cipher(s = (nil))

The problem is that, through ap_internal_redirect, ssl_hook_Access(..)
will now be called, and that method does not handle the case ssl == NULL.

Fix:
do not run the access-checker-hooks for the error handling

Config workaround:
Configure also 'SSLRequire' if you configure 'SSLCipherSuite'
for any location.

We tested the described behaviour with apache/2.0.53 and apache/2.1.9

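
The failure path in the stack above and the two ways out of it (a NULL guard in the access hook, and the reporter's proposal to skip access-checker hooks on the error path), as an added example that is not part of the original report and is not mod_ssl code. All types and function names are simplified, hypothetical stand-ins; returning DECLINED from the guarded hook is this example's choice.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins: hypothetical types, not httpd or OpenSSL ones. */
enum { OK = 0, DECLINED = -1, HTTP_BAD_REQUEST = 400, HTTP_FORBIDDEN = 403 };
struct tls_session { const char *cipher; };       /* exists after a handshake */
struct conn { struct tls_session *ssl; };         /* NULL: plain-text client */
struct request { struct conn *c; const char *location_cipher; };
typedef int (*access_hook)(const struct request *);

/* Dereferences s unconditionally, like the last frame of the reported stack. */
static const char *current_cipher(const struct tls_session *s) { return s->cipher; }

/* Before: faults when a location cipher is set and r->c->ssl is NULL. */
int hook_unguarded(const struct request *r) {
    if (r->location_cipher == NULL) return DECLINED;
    return strcmp(current_cipher(r->c->ssl), r->location_cipher) ? HTTP_FORBIDDEN : OK;
}

/* After: with no TLS session there is no cipher to compare, so step aside
 * (returning DECLINED here is this example's choice). */
int hook_guarded(const struct request *r) {
    if (r->location_cipher == NULL || r->c->ssl == NULL) return DECLINED;
    return strcmp(current_cipher(r->c->ssl), r->location_cipher) ? HTTP_FORBIDDEN : OK;
}

/* Model of the traced path: the 400 is answered through an internal redirect
 * to the ErrorDocument, which runs the access hook again on the sub-request. */
int serve_error_document(struct conn *c, const char *location_cipher,
                         access_hook hook, int skip_access_hooks) {
    struct request sub = { c, location_cipher };
    if (!skip_access_hooks) {
        int rv = hook(&sub);
        if (rv != OK && rv != DECLINED) return rv;
    }
    return HTTP_BAD_REQUEST; /* error page served with the original status */
}

int main(void) {
    struct conn plain = { NULL };                 /* constructed sample input */
    /* Mitigation 1: guarded hook. Mitigation 2: skip hooks on the error path. */
    printf("guarded hook:  %d\n", serve_error_document(&plain, "DES-CBC3-SHA", hook_guarded, 0));
    printf("hooks skipped: %d\n", serve_error_document(&plain, "DES-CBC3-SHA", hook_unguarded, 1));
    return 0;
}
```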