[openssl-dev] [openssl.org #4658] bug: Abort() in 1.0.2h parsing server cert in ASN.1 routine

Viktor Dukhovni openssl-users at dukhovni.org
Wed Aug 24 23:36:37 UTC 2016


On Wed, Aug 24, 2016 at 11:17:21PM +0000, Quanah Gibson-Mount via RT wrote:

> When a process (nginx in this case) has this as the server cert, it core 
> dumps with an abort() when clients request the cert:

You say the server dumps core, and yet:

> #1  0x00007f22ba125ce8 in __GI_abort () at abort.c:90
> [...]
> #14 0x00007f22bac435ec in d2i_X509 (a=a at entry=0x0, 
> in=in at entry=0x7ffc53c49a60, len=len at entry=1517) at x_x509.c:143
> #15 0x00007f22baf71da2 in ssl3_get_server_certificate (s=s at entry=0x2167a50) 
> at s3_clnt.c:1228
> #16 0x00007f22baf76cee in ssl3_connect (s=0x2167a50) at s3_clnt.c:345
> #17 0x00007f22baf8166e in ssl23_get_server_hello (s=0x2167a50) at 
> s23_clnt.c:799
> #18 ssl23_connect (s=0x2167a50) at s23_clnt.c:228

this is clearly a TLS client-side stack trace.  Why is nginx acting
as an SSL/TLS client?

> #19 0x000000000044a755 in ngx_ssl_handshake (c=0x7f22b8ca0f60) at 
> src/event/ngx_event_openssl.c:791
> #20 0x000000000044adbf in ngx_ssl_handshake_handler (ev=0x7f22b8b99640) at 
> src/event/ngx_event_openssl.c:939
> #21 0x000000000043a8da in ngx_event_process_posted (cycle=0x1e86db0, 
> posted=0x73d4e8 <ngx_posted_events>) at src/event/ngx_event_posted.c:40
> #22 0x000000000043843a in ngx_process_events_and_timers (cycle=0x1e86db0) 
> at src/event/ngx_event.c:275
> #23 0x0000000000445dad in ngx_worker_process_cycle (cycle=0x1e86db0, 
> data=0x1) at src/os/unix/ngx_process_cycle.c:879
> #24 0x00000000004423cb in ngx_spawn_process (cycle=0x1e86db0, proc=0x445bca 
> <ngx_worker_process_cycle>, data=0x1, name=0x4ff02f "worker process", 
> respawn=1)
>     at src/os/unix/ngx_process.c:198
> #25 0x000000000044579d in ngx_reap_children (cycle=0x1e86db0) at 
> src/os/unix/ngx_process_cycle.c:688
> #26 0x0000000000444443 in ngx_master_process_cycle (cycle=0x1e86db0) at 
> src/os/unix/ngx_process_cycle.c:241
> #27 0x00000000004075fb in main (argc=3, argv=0x7ffc53c4a278) at 
> src/core/nginx.c:407

This feels like some sort of concurrency/reentrancy issue, and the
certificate processed is probably one that nginx got off the wire
from a remote server.  Find out what nginx is connecting to and
why, and whether there are any potential concurrency issues.

-- 
	Viktor.
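The reasoning above, reading the handshake role off the OpenSSL frames in a gdb backtrace, as an added example that is not part of this thread. The backtrace below is a constructed sample shaped like the one quoted (with the mail client's line wrapping), and the client/server function sets are taken from the OpenSSL 1.0.2 state machines named in the trace (ssl3_connect / ssl23_connect) and their server-side counterparts (ssl3_accept / ssl23_accept).

```python
import re

# Constructed sample in the shape of the backtrace quoted in the thread (frames
# wrapped across lines by the mail client); not a verbatim copy of the report.
SAMPLE_BACKTRACE = """\
#1  0x00007f22ba125ce8 in __GI_abort () at abort.c:90
#14 0x00007f22bac435ec in d2i_X509 (a=a@entry=0x0,
    in=in@entry=0x7ffc53c49a60, len=len@entry=1517) at x_x509.c:143
#15 0x00007f22baf71da2 in ssl3_get_server_certificate (s=s@entry=0x2167a50)
    at s3_clnt.c:1228
#16 0x00007f22baf76cee in ssl3_connect (s=0x2167a50) at s3_clnt.c:345
#19 0x000000000044a755 in ngx_ssl_handshake (c=0x7f22b8ca0f60) at
    src/event/ngx_event_openssl.c:791
"""

# One gdb frame: "#N [0xADDR in] func (args) at file:line" (address optional).
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(\w+)\s*\(.*\)\s+at\s+(\S+):(\d+)$")

# OpenSSL 1.0.2 handshake functions that fix the role of the crashing side.
CLIENT_FRAMES = {"ssl3_connect", "ssl23_connect", "ssl3_get_server_certificate"}
SERVER_FRAMES = {"ssl3_accept", "ssl23_accept", "ssl3_get_client_certificate"}

def parse_backtrace(text):
    # Mail/gdb wrapping indents continuation lines; fold them back onto their frame.
    joined = re.sub(r"\n[ \t]+", " ", text)
    frames = []
    for line in joined.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return frames

def handshake_role(frames):
    # Classify from the function names alone: a trace through ssl3_connect is the
    # client side of a handshake regardless of what the process is supposed to be.
    names = {fn for _, fn, _, _ in frames}
    if names & CLIENT_FRAMES:
        return "client"
    if names & SERVER_FRAMES:
        return "server"
    return "unknown"

def first_application_frame(frames, prefix="ngx_"):
    # The innermost non-library frame shows which code path in the application
    # started the handshake (here nginx, hence the assumed ngx_ prefix).
    for frame in frames:
        if frame[1].startswith(prefix):
            return frame
    return None
```

Running `handshake_role(parse_backtrace(SAMPLE_BACKTRACE))` yields "client", and `first_application_frame` points at ngx_ssl_handshake as the place to look for why nginx opened an outbound TLS connection.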

