RE: Crash in mod_ssl after 2.4.29

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi, Yann -

It took me a while, but I've managed to reproduce this issue with two smallish configs:

Backend server (host01):
==================================================================
<Files "file.xml">
</Files>

<LocationMatch "^/bob/(bob)">
   SSLVerifyClient require
   RewriteEngine on
   RewriteRule /bob/bob /file.xml
</LocationMatch>

<Location />
  Require all granted
</Location>

SSLEngine on
Listen 443
SSLPassPhraseDialog builtin
SSLOptions +ExportCertData +StdEnvVars +LegacyDNStringFormat
====================================================================



Reverse proxy server (host02)
===================================================================
SSLProxyEngine on
SSLProxyMachineCertificateFile /path/to/cert.crt_and_key
ProxyPreserveHost off

ExtendedStatus on

Listen 443

<VirtualHost _default_:443>
SSLEngine on
SSLOptions +ExportCertData +StdEnvVars +LegacyDNStringFormat
SSLProtocol all +TLSv1 +SSLv3 +TLSv1.1 +TLSv1.2

SSLCertificateFile /path/to/server/cert/cert.pem
SSLCertificateKeyFile /path/to/server/key.nopass.pem
SSLCACertificateFile /path/to/ca.pem

SSLVerifyDepth 4
</VirtualHost>

<Location /host01>
  ProxyPass https://host01
  ProxyPassReverse https://host01

  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
  RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"

   SSLVerifyClient require
</Location>
========================================================

The proxy server SEGV's with the following stack on every third or fourth request for https://host02/host01/bob/bob. It appears to be having trouble with the client cert.


#0  0x00007f29c8400132 in ssl_callback_SSLVerify () from /var/www/modules/mod_ssl.so
#1  0x0000003c90521730 in X509_verify_cert () from /usr/lib64/libcrypto.so.10
#2  0x0000003c93c46d88 in ssl_verify_cert_chain () from /usr/lib64/libssl.so.10
#3  0x0000003c93c2569c in ssl3_get_server_certificate () from /usr/lib64/libssl.so.10
#4  0x0000003c93c27d62 in ssl3_connect () from /usr/lib64/libssl.so.10
#5  0x0000003c93c2cbe3 in ssl3_read_bytes () from /usr/lib64/libssl.so.10
#6  0x0000003c93c28260 in ?? () from /usr/lib64/libssl.so.10
#7  0x00007f29c83fc99c in ssl_io_input_read () from /var/www/modules/mod_ssl.so
#8  0x00007f29c83ff6bd in ssl_io_filter_input () from /var/www/modules/mod_ssl.so
#9  0x0000000000438b2e in ap_rgetline_core ()
#10 0x00007f29c86238c8 in ap_proxygetline () at mod_proxy_http.c:1161
#11 0x00007f29c8623d2b in ap_proxy_http_process_response.isra.2 () at mod_proxy_http.c:1279
#12 0x00007f29c8626802 in proxy_http_handler () at mod_proxy_http.c:2011
#13 0x00007f29c8a3a63c in proxy_run_scheme_handler () from /var/www/modules/mod_proxy.so
#14 0x00007f29c8a3b7d6 in proxy_handler () from /var/www/modules/mod_proxy.so
#15 0x0000000000450820 in ap_run_handler ()
#16 0x0000000000450db6 in ap_invoke_handler ()
#17 0x0000000000465fa3 in ap_process_async_request ()
#18 0x0000000000462561 in ap_process_http_connection ()
#19 0x0000000000459d50 in ap_run_process_connection ()
#20 0x000000000046f8c5 in process_socket () at event.c:1050
#21 0x000000000047018a in worker_thread () at event.c:2083
#22 0x0000003c84007aa1 in start_thread () from /lib64/libpthread.so.0
#23 0x0000003c83ce8c4d in clone () from /lib64/libc.so.6


If I remove +ExportCertData from SSLOptions it works. But I need the cert data.

Unfortunately, I don't have a debug session anymore that I can give you the values of those variables, but I don't believe that any of them were null pointers, just an out-of-range memory read on mctx-> crl_check_mask.

I tried to look at the code diff between 2.4.29 and 2.4.38 for ssl_engine_kernel.c, but so much has changed that I couldn't make much sense of it.

Please let me know if there is anything else that I can do to help solve this issue.
Thanks!
Marty


-----Original Message-----
From: Yann Ylavic [mailto:ylavic.dev@xxxxxxxxx] 
Sent: Friday, February 01, 2019 1:44 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Crash in mod_ssl after 2.4.29

Hello Marty,

On Thu, Jan 31, 2019 at 7:13 PM Schettler, Marty L.
<Martin.L.Schettler@xxxxxxxxxx.invalid> wrote:
>
> I have a simple ssl reverse proxy set up that has been working for years up through 2.4.29. When upgrading to 2.4.38, it now crashes periodically. It is repeatable, but inconsistent.

Can you please share the relevant configuration?

>
> Gdb indicates that mctx (declared on the previous line) is incorrectly constructed, and so trying to access the field crl_check_mask results in trying to access unavailable memory.

Do you have a NULL pointer somewhere (mctx, sslconn->dc or
sslconn->dc->proxy)? Otherwise what's the content of each (i.e. print
*mctx, *sslconn->dc and *sslconn->dc->proxy)?

Feel free to send me your configuration and gdb output privately if you wish.


Regards,
Yann.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux