On Wed, Aug 24, 2016 at 11:17:21PM +0000, Quanah Gibson-Mount via RT wrote:
> When a process (nginx in this case) has this as the server cert, it core
> dumps with an abort() when clients request the cert:

You say the server dumps core, and yet:

> #1 0x00007f22ba125ce8 in __GI_abort () at abort.c:90
> [...]
> #14 0x00007f22bac435ec in d2i_X509 (a=a@entry=0x0,
> in=in@entry=0x7ffc53c49a60, len=len@entry=1517) at x_x509.c:143
> #15 0x00007f22baf71da2 in ssl3_get_server_certificate (s=s@entry=0x2167a50)
> at s3_clnt.c:1228
> #16 0x00007f22baf76cee in ssl3_connect (s=0x2167a50) at s3_clnt.c:345
> #17 0x00007f22baf8166e in ssl23_get_server_hello (s=0x2167a50) at
> s23_clnt.c:799
> #18 ssl23_connect (s=0x2167a50) at s23_clnt.c:228

this is clearly a TLS client-side stack trace. Why is nginx acting as an
SSL/TLS client?

> #19 0x000000000044a755 in ngx_ssl_handshake (c=0x7f22b8ca0f60) at
> src/event/ngx_event_openssl.c:791
> #20 0x000000000044adbf in ngx_ssl_handshake_handler (ev=0x7f22b8b99640) at
> src/event/ngx_event_openssl.c:939
> #21 0x000000000043a8da in ngx_event_process_posted (cycle=0x1e86db0,
> posted=0x73d4e8 <ngx_posted_events>) at src/event/ngx_event_posted.c:40
> #22 0x000000000043843a in ngx_process_events_and_timers (cycle=0x1e86db0)
> at src/event/ngx_event.c:275
> #23 0x0000000000445dad in ngx_worker_process_cycle (cycle=0x1e86db0,
> data=0x1) at src/os/unix/ngx_process_cycle.c:879
> #24 0x00000000004423cb in ngx_spawn_process (cycle=0x1e86db0, proc=0x445bca
> <ngx_worker_process_cycle>, data=0x1, name=0x4ff02f "worker process",
> respawn=1)
> at src/os/unix/ngx_process.c:198
> #25 0x000000000044579d in ngx_reap_children (cycle=0x1e86db0) at
> src/os/unix/ngx_process_cycle.c:688
> #26 0x0000000000444443 in ngx_master_process_cycle (cycle=0x1e86db0) at
> src/os/unix/ngx_process_cycle.c:241
> #27 0x00000000004075fb in main (argc=3, argv=0x7ffc53c4a278) at
> src/core/nginx.c:407

This feels like some sort of concurrency/reentrancy issue, and the
certificate processed is probably one that nginx got off the wire
from a remote server.
Find out what nginx is connecting to and why, and whether there are
any potential concurrency issues.

--
Viktor.