[Bug 63256] New: mod_ssl segmentation fault after 2.4.29


Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63256

            Bug ID: 63256
           Summary: mod_ssl segmentation fault after 2.4.29
           Product: Apache httpd-2
           Version: 2.4.38
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Hello,

I have a config that was working in 2.4.29 but now causes worker threads to
SEGV.

It experiences a segmentation fault at ssl_engine_kernel.c at line 1727:

It is in the function
ssl_callback_SSLVerify

on the line:
int crl_check_mode = mctx->crl_check_mask & ~ SSL_CRLCHECK_MASK;

gdb indicates that mctx (declared on the previous line) is incorrectly
constructed, and so trying to access the field crl_check_mask results in trying
to access unavailable memory.

It seems to me like this is a regression after 2.4.29. I experience the same
behavior in both 2.4.35 and 2.4.38, but not in 2.4.29.

I'm using a reverse proxy and client certificates. Here are the relevant parts
of my two configs:

Backend server (host01):
==================================================================
<Files "file.xml">
</Files>

<LocationMatch "^/bob/(bob)">
   SSLVerifyClient require
   RewriteEngine on
   RewriteRule /bob/bob /file.xml
</LocationMatch>

<Location />
  Require all granted
</Location>

SSLEngine on
Listen 443
SSLPassPhraseDialog builtin
SSLOptions +ExportCertData +StdEnvVars +LegacyDNStringFormat
====================================================================



Reverse proxy server (host02)
===================================================================
SSLProxyEngine on
SSLProxyMachineCertificateFile /path/to/cert.crt_and_key
ProxyPreserveHost off

ExtendedStatus on

Listen 443

<VirtualHost _default_:443>
SSLEngine on
SSLOptions +ExportCertData +StdEnvVars +LegacyDNStringFormat
SSLProtocol all +TLSv1 +SSLv3 +TLSv1.1 +TLSv1.2

SSLCertificateFile /path/to/server/cert/cert.pem
SSLCertificateKeyFile /path/to/server/key.nopass.pem
SSLCACertificateFile /path/to/ca.pem

SSLVerifyDepth 4
</VirtualHost>

<Location /host01>
  ProxyPass https://host01
  ProxyPassReverse https://host01

  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
  RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"

   SSLVerifyClient require
</Location>
========================================================

The proxy server SEGV's with the following stack on every third or fourth
request (!) for https://host02/host01/bob/bob. It appears to be having trouble
with the client cert.


#0  0x00007f29c8400132 in ssl_callback_SSLVerify () from
/var/www/modules/mod_ssl.so
#1  0x0000003c90521730 in X509_verify_cert () from /usr/lib64/libcrypto.so.10
#2  0x0000003c93c46d88 in ssl_verify_cert_chain () from /usr/lib64/libssl.so.10
#3  0x0000003c93c2569c in ssl3_get_server_certificate () from
/usr/lib64/libssl.so.10
#4  0x0000003c93c27d62 in ssl3_connect () from /usr/lib64/libssl.so.10
#5  0x0000003c93c2cbe3 in ssl3_read_bytes () from /usr/lib64/libssl.so.10
#6  0x0000003c93c28260 in ?? () from /usr/lib64/libssl.so.10
#7  0x00007f29c83fc99c in ssl_io_input_read () from /var/www/modules/mod_ssl.so
#8  0x00007f29c83ff6bd in ssl_io_filter_input () from
/var/www/modules/mod_ssl.so
#9  0x0000000000438b2e in ap_rgetline_core ()
#10 0x00007f29c86238c8 in ap_proxygetline () at mod_proxy_http.c:1161
#11 0x00007f29c8623d2b in ap_proxy_http_process_response.isra.2 () at
mod_proxy_http.c:1279
#12 0x00007f29c8626802 in proxy_http_handler () at mod_proxy_http.c:2011
#13 0x00007f29c8a3a63c in proxy_run_scheme_handler () from
/var/www/modules/mod_proxy.so
#14 0x00007f29c8a3b7d6 in proxy_handler () from /var/www/modules/mod_proxy.so
#15 0x0000000000450820 in ap_run_handler ()
#16 0x0000000000450db6 in ap_invoke_handler ()
#17 0x0000000000465fa3 in ap_process_async_request ()
#18 0x0000000000462561 in ap_process_http_connection ()
#19 0x0000000000459d50 in ap_run_process_connection ()
#20 0x000000000046f8c5 in process_socket () at event.c:1050
#21 0x000000000047018a in worker_thread () at event.c:2083
#22 0x0000003c84007aa1 in start_thread () from /lib64/libpthread.so.0
#23 0x0000003c83ce8c4d in clone () from /lib64/libc.so.6


If I remove +ExportCertData from SSLOptions it works. But I need the cert data.

Please let me know if there is a workaround or if there is more data I can
provide to help.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


--- Comment #1 from Ruediger Pluem <[hidden email]> ---
Can you please compile your httpd with debug symbols (probably you already did
because you told us the line where the crash happened) and deliver a

bt full
info locals

from the thread that crashed?


--- Comment #2 from [hidden email] ---
Here is the full stack trace:

#0  0x00007f943d057c1b in ssl_callback_SSLVerify (ok=0, ctx=0x7f943a1900b0) at
ssl_engine_kernel.c:1727
        ssl = 0x7f942002b9f0
        conn = 0x7f9420026e48
        r = 0x0
        s = 0x197b4c8
        sc = 0x197f8b8
        sslconn = 0x7f9420027190
        dc = 0x7f942001a838
        mctx = 0x577769544c0a435a
        crl_check_mode = 32660
        errnum = 1
        errdepth = 0
        depth = 469800880
        verify = 32660
#1  0x0000003c90521730 in X509_verify_cert () from /usr/lib64/libcrypto.so.10
No symbol table info available.
#2  0x0000003c93c46d88 in ssl_verify_cert_chain () from /usr/lib64/libssl.so.10
No symbol table info available.
#3  0x0000003c93c2569c in ssl3_get_server_certificate () from
/usr/lib64/libssl.so.10
No symbol table info available.
#4  0x0000003c93c27d62 in ssl3_connect () from /usr/lib64/libssl.so.10
No symbol table info available.
#5  0x0000003c93c2cbe3 in ssl3_read_bytes () from /usr/lib64/libssl.so.10
No symbol table info available.
#6  0x0000003c93c28260 in ?? () from /usr/lib64/libssl.so.10
No symbol table info available.
#7  0x00007f943d04b683 in ssl_io_input_read (inctx=0x7f942002eea8,
    buf=0x7f942002eef0 "<name>This is host01</name>\n 12 Mar 2019 20:53:03
GMT\r\nServer: Apache/2.4.38 (Unix) OpenSSL/1.0.1e-fips\r\nLast-Modified: Tue,
26 Feb 2019 20:17:09 GMT\r\nETag: \"1b-582d1bdec225c\"\r\nAccept-Ranges:
bytes\r\nCo"..., len=0x7f943a190490) at ssl_engine_io.c:669
        wanted = 8192
        bytes = 0
        rc = 537031056
#8  0x00007f943d04bc58 in ssl_io_input_getline (inctx=0x7f942002eea8,
    buf=0x7f942002eef0 "<name>This is host01</name>\n 12 Mar 2019 20:53:03
GMT\r\nServer: Apache/2.4.38 (Unix) OpenSSL/1.0.1e-fips\r\nLast-Modified: Tue,
26 Feb 2019 20:17:09 GMT\r\nETag: \"1b-582d1bdec225c\"\r\nAccept-Ranges:
bytes\r\nCo"..., len=0x7f943a190500) at ssl_engine_io.c:798
        pos = 0x0
        status = 2129812
        tmplen = 0
        buflen = 8192
        offset = 0
#9  0x00007f943d04f2e8 in ssl_io_filter_input (f=0x7f9420030ef8,
bb=0x7f9420026e08, mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0) at
ssl_engine_io.c:1559
        pos = 0x3834362e34303a33 <Address 0x3834362e34303a33 out of bounds>
        status = 0
        inctx = 0x7f942002eea8
        start = 0x7f942002eef0 "<name>This is host01</name>\n 12 Mar 2019
20:53:03 GMT\r\nServer: Apache/2.4.38 (Unix)
OpenSSL/1.0.1e-fips\r\nLast-Modified: Tue, 26 Feb 2019 20:17:09 GMT\r\nETag:
\"1b-582d1bdec225c\"\r\nAccept-Ranges: bytes\r\nCo"...
        len = 0
        is_init = 0
        bucket = 0x7f943ecffb25
#10 0x000000000043b6da in ap_get_brigade (next=0x7f9420030ef8,
bb=0x7f9420026e08, mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0) at
util_filter.c:553
No locals.
#11 0x000000000043e450 in ap_rgetline_core (s=0x7f943a1906e0, n=8192,
read=0x7f943a1906f0, r=0x7f942005bf00, flags=0, bb=0x7f9420026e08) at
protocol.c:246
        rv = 32660
        e = 0x7f943ed06558
        bytes_handled = 0
        current_alloc = 0
        pos = 0x3000000018 <Address 0x3000000018 out of bounds>
        last_char = 0x7f943a1907a0 ""
        do_alloc = 0
        saw_eos = 0
        fold = 0
        crlf = 0
        nospc_eol = 0
        saw_eol = 0
        saw_nospc = 0
#12 0x00007f943d281d60 in ap_proxygetline (bb=0x7f9420026e08, s=0x7f943a1907a0
"", n=8192, r=0x7f942005bf00, flags=0, read=0x7f943a19079c) at
mod_proxy_http.c:1161
        rv = 32660
        len = 140273631887480
#13 0x00007f943d2821fe in ap_proxy_http_process_response (p=0x7f9420018278,
r=0x7f94200182f0, backend_ptr=0x7f943a192958, worker=0x193f430, conf=0x193bcb8,
server_portstr=0x7f943a192960 "")
    at mod_proxy_http.c:1279
        rc = 32660
        c = 0x7f94340398a8
        buffer = 0x7f943a1907a0 ""
        fixed_buffer =
"\000\a\031:\224\177\000\000\264\030\320>\224\177\000\000\240\301\217\001\000\000\000\000\240\301\217\001\000\000\000\000\260\t\031:\224\177\000\000\261\000\000\000\000\000\000\000\000\b\031:\224\177\000\000\355\230F\000\000\000\000\000
\t\031:\224\177\000\000P\b\031:\224\177\000\000\261\000\000\000\000\000\000\000\240\b\031:\224\177\000\000\000)\031:\224\177\000\000r\241F\000\000\000\000\000`)\031:\224\177\000\000\277\000\000\000\000\000\000\000ȴ\227\001\000\000\000\000\000\000\000\000\a\000\000\000\016\000\000\000\340\004\000\000U\316j=\224\177\000\000\277\000\000\000\000\000\000\000\261\000\000\000\200\000\000\000ȴ\227\001\000\000\000\000\250\230\003\064\224\177\000\000\360\202\001
\224\177\000\000\360\202\001
\224\177\000\000\000\000\000\000\000\000\000\000U\316j=\224\177\000\000\340\004\000\000\016\000\000\000\a",
'\000' <repeats 15 times>, "H\322j=\224\177"...
        buf = 0x0
        keepchar = 0 '\000'
        e = 0x7f942002a4f8
        bb = 0x7f9420021058
        pass_bb = 0x7f9420021078
        len = 0
        backasswards = 974727392
        interim_response = 0
        response_field_size = 8192
        pread_len = 0
        save_table = 0x0
        backend_broke = 0
        hop_by_hop_hdrs = {0x7f943d286ff1 "Keep-Alive", 0x7f943d286ffc
"Proxy-Authenticate", 0x7f943d28700f "TE", 0x7f943d287012 "Trailer",
0x7f943d28701a "Upgrade", 0x0}
        i = 32660
        te = 0x0
        original_status = 200
        proxy_status = 0
        original_status_line = 0x0
        proxy_status_line = 0x0
        backend = 0x19ba170
        origin = 0x7f9420026e48
        old_timeout = 0
        dconf = 0x7f9420006fa8
        do_100_continue = 0
#14 0x00007f943d286127 in proxy_http_handler (r=0x7f94200182f0,
worker=0x193f430, conf=0x193bcb8, url=0x7f94200073c6 "https://dev06/bob/bob",
proxyname=0x0, proxyport=0) at mod_proxy_http.c:2011
        locurl = 0x7f942001bd98 "/bob/bob"
        status = 0
        server_portstr =
"\000\000\000\000\060\000\000\000X*\031:\224\177\000\000\200)\031:\224\177\000\000p\364\223\001\000\000\000"
        scheme = 0x7f942001bd68 "https"
        proxy_function = 0x7f943d286e83 "HTTPS"
        u = 0x7f94200073cb "://dev06/bob/bob"
        backend = 0x19ba170
        is_ssl = 1
        c = 0x7f94340398a8
        retry = 0
        p = 0x7f9420018278
        uri = 0x7f942001bd10
#15 0x00007f943d69dae7 in proxy_run_scheme_handler (r=0x7f94200182f0,
worker=0x193f430, conf=0x193bcb8, url=0x7f94200073c6 "https://host01/bob/bob",
proxyhost=0x0, proxyport=0) at mod_proxy.c:3068
        pHook = 0x1981678
        n = 0
        rv = -1
#16 0x00007f943d697aa2 in proxy_handler (r=0x7f94200182f0) at mod_proxy.c:1250
        url = 0x7f94200073c6 "https://host01/bob/bob"
        uri = 0x7f94200073c6 "https://host01/bob/bob"
        scheme = 0x7f942001bcf0 "https"
        p = 0x7f94200073cb "://host01/bob/bob"
        p2 = 0x7f9434039800 ""
        sconf = 0x197b608
        conf = 0x193bcb8
        proxies = 0x193bde8
        ents = 0x193be08
        i = 0
        rc = 26467640
        access_status = 0
        direct_connect = 0
        str = 0x0
        maxfwd = -1
        balancer = 0x0
        worker = 0x193f430
        attempts = 0
        max_attempts = 0
        list = 0x193c228
        saved_status = 32660
#17 0x000000000046190b in ap_run_handler (r=0x7f94200182f0) at config.c:171
        pHook = 0x1980890
        n = 2
        rv = -1
#18 0x00000000004623aa in ap_invoke_handler (r=0x7f94200182f0) at config.c:444
        handler = 0x7f94200182f0 "x\202\001 \224\177"
        p = 0x7f943a192c10 "\200,\031:\224\177"
        result = 0
        old_handler = 0x7f943d6ace36 "proxy-server"
        ignore = 0x7f94200182f0 "x\202\001 \224\177"
#19 0x00000000004817e6 in ap_process_async_request (r=0x7f94200182f0) at
http_request.c:453
        c = 0x7f94340398a8
        access_status = 0
#20 0x000000000047cfe5 in ap_process_http_async_connection (c=0x7f94340398a8)
at http_core.c:154
        r = 0x7f94200182f0
        cs = 0x7f9434039870
#21 0x000000000047d1ff in ap_process_http_connection (c=0x7f94340398a8) at
http_core.c:248
No locals.
#22 0x00000000004707d1 in ap_run_process_connection (c=0x7f94340398a8) at
connection.c:42
        pHook = 0x1980f10
        n = 1
        rv = -1
#23 0x000000000048cfb2 in process_socket (thd=0x19b92a8, p=0x7f9434039578,
sock=0x7f9434039600, cs=0x7f9434039800, my_child_num=1, my_thread_num=2) at
event.c:1050
        c = 0x7f94340398a8
        conn_id = 66
        clogging = 0
        rv = 974728704
        rc = 0
#24 0x000000000048fac9 in worker_thread (thd=0x19b92a8, dummy=0x7f9434004e20)
at event.c:2083
        csd = 0x7f9434039600
        cs = 0x0
        te = 0x0
        ptrans = 0x7f9434039578
        ti = 0x7f9434004e20
        process_slot = 1
        thread_slot = 2
        rv = 0
        is_idle = 0
#25 0x00007f943ed14eb3 in dummy_worker (opaque=0x19b92a8) at
threadproc/unix/thread.c:142
        thread = 0x19b92a8
#26 0x0000003c84007aa1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#27 0x0000003c83ce8c4d in clone () from /lib64/libc.so.6
No symbol table info available.


========================================
And here are the local symbols (the value of mctx is way out of memory range)


(gdb) info locals
ssl = 0x7f942002b9f0
conn = 0x7f9420026e48
r = 0x0
s = 0x197b4c8
sc = 0x197f8b8
sslconn = 0x7f9420027190
dc = 0x7f942001a838
mctx = 0x577769544c0a435a
crl_check_mode = 32660
errnum = 1
errdepth = 0
depth = 469800880
verify = 32660


--- Comment #3 from Ruediger Pluem <[hidden email]> ---
Can you please do

print *dc
print *sslconn


--- Comment #4 from [hidden email] ---
Certainly:


(gdb) print *dc
$2 = {bSSLRequired = 1098320484, aRequirement = 0x3267467279536471, nOptions =
1179988074, nOptionsAdd = 1952085090, nOptionsDel = 1937327430,
  szCipherSuite = 0x496a785151673356 <Address 0x496a785151673356 out of
bounds>, nVerifyClient = 1798713165, nVerifyDepth = 1769035589,
  szUserName = 0x7947556f32414856 <Address 0x7947556f32414856 out of bounds>,
nRenegBufferSize = 5285087886881221241, proxy = 0x577769544c0a435a,
proxy_enabled = 726675534, proxy_post_config = 1716021612}

(gdb) print *sslconn
$3 = {ssl = 0x7f942002b9f0, client_dn = 0x0, client_cert = 0x0, shutdown_type =
SSL_SHUTDOWN_TYPE_UNSET, verify_info = 0x0, verify_error = 0x0, verify_depth =
-1, is_proxy = 1, disabled = 0,
  non_ssl_request = NON_SSL_OK, reneg_state = RENEG_REJECT, server = 0x197b4c8,
dc = 0x7f942001a838, cipher_suite = 0x0, service_unavailable = 0}
(gdb)


--- Comment #5 from Yann Ylavic <[hidden email]> ---
I tried your configuration with latest 2.4.x, openssl 1.1.0j and 1.1.1b, but
could not reproduce (SSL_CLIENT_* are sent to the backend). Will retry with
2.4.38.

Can you please double check that the openssl version linked to httpd (runtime)
is the same as the one used at build time?


--- Comment #6 from Yann Ylavic <[hidden email]> ---
Same with 2.4.38, working as expected.


--- Comment #7 from [hidden email] ---
Bummer! I'm definitely using the same openssl. I'm building on CentOS 6.10 and
using the system's openssl. The proxy server reliably crashes about every third
call. Can you please send me your configs that failed to reproduce so I can
make sure that I didn't leave anything important out?

Thanks!
Marty


--- Comment #8 from Yann Ylavic <[hidden email]> ---
Created attachment 36484
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36484&action=edit
ylavic's conf

I'm using this proxy configuration, the backend being my debian's httpd on
which I added SSLVerifyClient things (same caRoot.pem).


--- Comment #9 from Yann Ylavic <[hidden email]> ---
My client is simply:
$ while true; do curl -k -v \
    --cert /home/ylavic/src/apache/install/httpd/certs/client.pem \
    --key /home/ylavic/src/apache/install/httpd/certs/client.key \
    https://localhost:8443/host01/bob/bob; sleep 1; done


--- Comment #10 from Yann Ylavic <[hidden email]> ---
(In reply to martin.l.schettler from comment #7)
> I'm building on CentOS 6.10
> and using the system's openssl.

Which openssl is that?


--- Comment #11 from [hidden email] ---
My openssl is:

openssl-1.0.1e-57.el6.x86_64


--- Comment #12 from Yann Ylavic <[hidden email]> ---
Tried with some openssl 1.0.1s I had compiled somewhere, and it also works.

One difference may be the depth of your client certificate chain (thus calls to
ssl_callback_SSLVerify), mine is of depth 1 (my test's certs are all signed by
the same "rootCA.key").
Could you try with a simple chain, or possibly provide yours if it's built for
testing only?


--- Comment #13 from Ruediger Pluem <[hidden email]> ---
Trying to get further puzzle pieces:

Can you please move the

SSLVerifyClient require

on the backend out of the LocationMatch and up to the virtual host level and
retry?

You said that it works when you remove +ExportCertData from SSLOptions. Where
do you remove it? On the reverse proxy or on the backend?


--- Comment #14 from Ruediger Pluem <[hidden email]> ---
(In reply to martin.l.schettler from comment #4)

> certainly:
>
>
> (gdb) print *dc
> $2 = {bSSLRequired = 1098320484, aRequirement = 0x3267467279536471, nOptions
> = 1179988074, nOptionsAdd = 1952085090, nOptionsDel = 1937327430,
>   szCipherSuite = 0x496a785151673356 <Address 0x496a785151673356 out of
> bounds>, nVerifyClient = 1798713165, nVerifyDepth = 1769035589,
>   szUserName = 0x7947556f32414856 <Address 0x7947556f32414856 out of
> bounds>, nRenegBufferSize = 5285087886881221241, proxy = 0x577769544c0a435a,
> proxy_enabled = 726675534, proxy_post_config = 1716021612}
>
> (gdb) print *sslconn
> $3 = {ssl = 0x7f942002b9f0, client_dn = 0x0, client_cert = 0x0,
> shutdown_type = SSL_SHUTDOWN_TYPE_UNSET, verify_info = 0x0, verify_error =
> 0x0, verify_depth = -1, is_proxy = 1, disabled = 0,
>   non_ssl_request = NON_SSL_OK, reneg_state = RENEG_REJECT, server =
> 0x197b4c8, dc = 0x7f942001a838, cipher_suite = 0x0, service_unavailable = 0}
> (gdb)

Thanks. The address of dc looks valid, but its contents seem to be completely
messed up, not just the proxy field which becomes mctx locally.


--- Comment #15 from [hidden email] ---
(In reply to Yann Ylavic from comment #8)
> Created attachment 36484 [details]
> ylavic's conf
>
> I'm using this proxy configuration, the backend being my debian's httpd on
> which I added SSLVerifyClient things (same caRoot.pem).

I tried your proxy config, just swapping names and certs as appropriate and
still experience the crash. Must be backend related.


--- Comment #16 from [hidden email] ---
(In reply to Ruediger Pluem from comment #13)
> Trying to get further puzzle pieces:
>
> Can you please move the
>
> SSLVerifyClient require
>
> on the backend out of the LocationMatch and up to the virtual host level and
> retry?

Aha! When I moved "SSLVerifyClient require" up out of the LocationMatch the
crash no longer occurs. That gives me a


--- Comment #17 from Joe Orton <[hidden email]> ---
r being NULL in the callback looks significant possibly?  The app data has not
been set up properly for the client-side SSL * in the proxy?


--- Comment #18 from Yann Ylavic <[hidden email]> ---
Created attachment 36488
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36488&action=edit
mod_proxy to reset SSL dir config on connection reuse

I think that the issue is the scope of sslconn->dc, when it's based off
r->per_dir_config it's also destroyed with the request, so we need to reset it
on connection reuse in mod_proxy.

Does this patch work for you Martin?

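
The lifetime problem described in comment #18, as an added example that is not part of the thread and is not httpd code: a toy bump allocator stands in for the request pool, and pool_t, dir_conf_t, backend_conn_t, simulate and ascii_bytes are hypothetical names with constructed sample data. It also decodes the mctx value from comment #2 as bytes, a quick triage step for telling a stale pointer overwritten with text apart from a merely wrong address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy bump allocator standing in for a request pool (hypothetical, not APR). */
typedef struct { unsigned char buf[256]; size_t used; } pool_t;

static void *pool_alloc(pool_t *p, size_t n)
{
    n = (n + 7u) & ~(size_t)7u;               /* keep allocations 8-byte aligned */
    if (n > sizeof p->buf - p->used) return NULL;
    void *mem = p->buf + p->used;
    p->used += n;
    return mem;
}

/* Clearing the pool at request end lets the next request reuse the same bytes. */
static void pool_clear(pool_t *p) { p->used = 0; }

/* Request-scoped config; proxy holds a pointer value, kept as an integer for inspection. */
typedef struct { int verify_client; uint64_t proxy; } dir_conf_t;

/* Backend connection that outlives a single request and remembers a config pointer. */
typedef struct { const void *dc; } backend_conn_t;

static const int proxy_ctx = 0;               /* stands in for the valid proxy context */

static void *new_dir_conf(pool_t *req_pool)
{
    dir_conf_t dc;
    memset(&dc, 0, sizeof dc);
    dc.verify_client = 2;
    dc.proxy = (uint64_t)(uintptr_t)&proxy_ctx;
    void *mem = pool_alloc(req_pool, sizeof dc);
    if (mem) memcpy(mem, &dc, sizeof dc);     /* memcpy keeps later inspection well-defined */
    return mem;
}

/* Triage helper: view a 64-bit value as the 8 bytes it occupies in little-endian
   memory (x86_64, as in the thread) and count how many of them are text. */
static int ascii_bytes(uint64_t v, char out[9])
{
    int text = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        int printable = b >= 0x20 && b <= 0x7e;
        if (printable || b == '\n' || b == '\r' || b == '\t') text++;
        out[i] = printable ? (char)b : '.';
    }
    out[8] = '\0';
    return text;
}

/* Two requests over one kept-alive backend connection. Returns 1 if the verify step
   sees the live proxy context, 0 if it sees stale bytes, -1 if the toy pool is full.
   *seen_proxy receives the value a verify callback would go on to dereference. */
static int simulate(int reset_on_reuse, uint64_t *seen_proxy)
{
    /* Constructed sample text, standing in for data a later request puts in its pool. */
    static const char cert_text[] = "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n";
    pool_t req_pool = { {0}, 0 };
    backend_conn_t conn = { NULL };
    dir_conf_t seen;

    conn.dc = new_dir_conf(&req_pool);        /* request 1: dc lives in the request pool */
    pool_clear(&req_pool);                    /* request 1 ends, connection is kept */

    if (reset_on_reuse)                       /* the fix: re-point dc at the new request */
        conn.dc = new_dir_conf(&req_pool);
    void *export_buf = pool_alloc(&req_pool, sizeof cert_text);
    if (!conn.dc || !export_buf) return -1;
    memcpy(export_buf, cert_text, sizeof cert_text);

    memcpy(&seen, conn.dc, sizeof seen);      /* what the callback reads through conn.dc */
    *seen_proxy = seen.proxy;
    return seen.proxy == (uint64_t)(uintptr_t)&proxy_ctx;
}

int main(void)
{
    uint64_t v = 0;
    char txt[9];
    int live = simulate(0, &v);
    ascii_bytes(v, txt);
    printf("no reset on reuse: live=%d, proxy bytes=\"%s\"\n", live, txt);
    printf("reset on reuse:    live=%d\n", simulate(1, &v));
    ascii_bytes(UINT64_C(0x577769544c0a435a), txt);
    printf("mctx from comment #2 as bytes: \"%s\"\n", txt);
    return 0;
}
```

All eight bytes of the mctx value from comment #2 decode as text, whereas the valid dc address from the same dump does not.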


--- Comment #19 from Yann Ylavic <[hidden email]> ---
(In reply to Joe Orton from comment #17)
> r being NULL in the callback looks significant possibly?  The app data has
> not been set up properly for the client-side SSL * in the proxy?

Yes r is NULL in the proxy case (which r anyway?), but it should not really
matter for the proxy case in ssl_callback_SSLVerify() because c->base_server ==
r->server (c == mod_proxy backend here).

So provided sslconn->dc is right we should be good, no?
