[openssl-dev] Random Crash in X509_NAME_cmp

Viktor Dukhovni openssl-users at dukhovni.org
Sun Feb 14 07:04:21 UTC 2016


On Sun, Feb 14, 2016 at 11:51:40AM +0530, JM wrote:

> Hello All,
> 
> We are facing this issue for quite some time, a random crash in SSL3_accept.
> We have yet to figure out the exact cause as it's quite random and does not
> happen frequently - but it does happen once in a few hundred thousand
> connections and crashes the server.  We are using openssl 1.0.1e on CentOS
> 7.2. I hope to get some help here, will be happy to provide additional
> information if required.
> 
> (gdb) bt
> #0  0x00007f0956bd394a in X509_NAME_cmp () from /lib64/libcrypto.so.10
> #1  0x00007f0956b26b54 in OBJ_bsearch_ex_ () from /lib64/libcrypto.so.10
> #2  0x00007f0956b9c005 in internal_find () from /lib64/libcrypto.so.10
> #3  0x00007f0956bd9a3f in x509_object_idx_cnt () from /lib64/libcrypto.so.10
> #4  0x00007f0956bd9fb9 in X509_OBJECT_retrieve_by_subject () from /lib64/libcrypto.so.10
> #5  0x00007f0956bda03b in X509_STORE_get_by_subject () from /lib64/libcrypto.so.10
> #6  0x00007f0956bda8ea in X509_STORE_CTX_get1_issuer () from /lib64/libcrypto.so.10
> #7  0x00007f0956bd64f5 in X509_verify_cert () from /lib64/libcrypto.so.10
> #8  0x00007f0956ecec98 in ssl3_output_cert_chain () from /lib64/libssl.so.10
> #9  0x00007f0956ec23d5 in ssl3_send_server_certificate () from /lib64/libssl.so.10
> #10 0x00007f0956ec384d in ssl3_accept () from /lib64/libssl.so.10
> #11 0x00007f0956ed1088 in ssl23_accept () from /lib64/libssl.so.10

This sequence of calls corresponds to the server building its own
certificate chain, by finding issuers for its own certificate
recursively in the trust store.

If this fails intermittently, that suggests memory corruption
somewhere else.  Is this server multi-threaded?  Is it using the
requisite locking callbacks? ...

In the meantime a workaround might be to configure the server
with an explicit certificate chain (load a chain file, not just a
leaf certificate), and just in case also set the SSL mode flags
to include SSL_MODE_NO_AUTO_CHAIN:

	SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
    or
	SSL_set_mode(ssl, SSL_MODE_NO_AUTO_CHAIN);

Then the above call sequence will go no deeper than
ssl3_output_cert_chain(), and your server will do less work for
each client connection.  If it still crashes, we'll learn that
the crash in the cert store code is just a canary for a problem
elsewhere.

The only other thing that comes to mind is potential races against
code that is rehashing the CApath directory, but that seems unlikely.

-- 
	Viktor.

