Hello Robert,

thanks for your reply.

I'm using mbedtls in version 2.26.0.
Just tried with 2.16.10 and the problem is still there.

The certificate is (letsencrypt certificate created with certbot 1.13.0):

Not sure about your third question, but the request is done via my web browser. Nothing fancy, just trying to access the index of a specific URL created for the test. For the avoidance of doubt, I made the test via Firefox and Chromium (both from my Linux laptop) and pound segfaults in the same way.

This pound is installed in a fresh VM set up for testing pound3 before using it in production, and there is only one SSL certificate and one URL in the configuration file.


Regards


On 15/05/2021 16:00, Robert Segall via pound wrote:
Hello Sandrino,

Thank you for the report. I am a bit baffled by this, so let's try some
debugging:

1. What version of mbedtls are you using?
2. Could you please send the certificate(s) you are using (without the private keys please!)?
3. What is the exact request you are sending?

The SEGV happens when Pound tries to match the host you are requesting
to the SNI data in the certificate(s) you provided.

On Thu, 2021-05-06 at 19:13 +0200, Sandrino Torelli via pound wrote:
Hello Robert,

When accessing my URL over HTTPS, pound dies with a segfault.
Over HTTP everything seems to work perfectly.

I'm using a Let's Encrypt certificate.

For the test I have installed a fresh gentoo box.

My pound.yaml:

Global:
   - User: nobody
     Group: nobody

Backends:
   - &Pound-101
      Address: 127.0.0.1
      Port: 81
   - &Web-101
      Address: 10.10.10.3
      Port: 80

HTTPListeners:

HTTPSListeners:
    - Address: xxx.xxx.xxx.xxx
      Port: 443
      Certificates:
        - "/etc/letsencrypt/live/test.xyz.lu/pound-fullkeychain.pem"
      Services:
        - HeadRequire: test.xyz.lu
          Backends:
          - *Web-101

The log from launch to the segfault:

debug option 9 /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:632
config file option /etc/pound.yaml /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:622
start get_others /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:564
start get_backends /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:123
addr 127.0.0.1 /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:139
port 81 /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:142
push /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:168
addr 10.10.10.3 /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:139
port 80 /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:142
push /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:168
start get_https /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:489
address xxx.xxx.xxx.xxx /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:510
port 443 /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:513
start get_certificates /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:451
start get_one(/etc/letsencrypt/live/test.xyz.lu/pound-fullkeychain.pem) /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:376
get_one add pattern test.xyz.lu /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:403
get_one add pattern test.xyz.lu /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:424
get_one: added 2 patterns /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:436
start get_services /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:209
HeadRequire test.xyz.lu /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:237
push /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:258
push /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/config.c:552
Prepare backends /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/pound.c:153
Prepare listeners /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/pound.c:185
Prepare services for listener 0 /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/pound.c:188
Starting resurrector thread /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/util.c:80
7F7883296640 start service /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:45
7F7883296640 Null session: /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:52
7F7880290640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F7880290640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F787FA8F640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F787FA8F640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F787F28E640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F787F28E640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F7880A91640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F7880A91640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F7881292640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F7881292640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F7881A93640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F7881A93640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F7882294640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F7882294640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F7882A95640 thr_http start /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:535
7F7882A95640 start loop /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:539
7F787F28E640 peer address xxx.xxx.xxx.xxx /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/http.c:549
7F787F28E640 start sni /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/util.c:157
7F787F28E640 sni for test.xyz.lu /var/tmp/portage/www-servers/pound-3.0/work/Pound-3.0/src/util.c:165
Segmentation fault

Should you need more information I would be happy to provide them.

Best Regards

Sandrino
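As an added illustration, not Pound's code and not from this thread: the step the log shows failing is matching the requested SNI name against the patterns a certificate contributes (its CN and SAN names, hence "added 2 patterns"). This C sketch does that matching defensively for the two cases a matcher must survive, a client that sends no SNI and a name that matches nothing. The file names, the wildcard entry and the RFC 6125 matching rule are assumptions of the sketch, not facts stated in the thread.

```c
#include <string.h>
#include <strings.h>
#include <stddef.h>

/* Patterns a certificate contributes: its CN plus its SAN DNS names.
   Constructed sample data: the first entry mirrors the log above (one
   file, two patterns for test.xyz.lu); the wildcard entry is made up. */
struct cert_entry {
    const char *file;
    const char *patterns[4];   /* NULL-terminated */
};
static const struct cert_entry certs[] = {
    { "pound-fullkeychain.pem", { "test.xyz.lu", "test.xyz.lu", NULL } },
    { "wildcard-example.pem",   { "*.example.lu", NULL } },
};
static const size_t ncerts = sizeof(certs) / sizeof(certs[0]);

/* RFC 6125-style match: exact and case-insensitive, or a "*" that is the
   whole left-most label of the pattern matching exactly one host label. */
static int host_matches(const char *pat, const char *host)
{
    if (pat == NULL || host == NULL)
        return 0;
    if (strncmp(pat, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return strcasecmp(pat + 1, dot) == 0;
    }
    return strcasecmp(pat, host) == 0;
}

/* Index of the certificate to serve for the SNI name. A client may send
   no SNI at all (sni == NULL); that is legal TLS, so fall back to the
   first certificate instead of dereferencing a null pointer. Returns -1
   only when no certificate is configured. */
int select_cert(const char *sni)
{
    if (ncerts == 0)
        return -1;
    if (sni == NULL || *sni == '\0')
        return 0;
    for (size_t i = 0; i < ncerts; i++)
        for (const char *const *p = certs[i].patterns; *p != NULL; p++)
            if (host_matches(*p, sni))
                return (int)i;
    return 0;   /* no match: default certificate, which the client may reject */
}
```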



--
pound mailing list
[email protected]
https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
