nginx ssl_verify_client on leads to segmentation fault

nginx ssl_verify_client on leads to segmentation fault

Thomas Glanzmann
Hello,
I'm running nginx from git HEAD, when I add the following two lines to a
https server:

ssl_client_certificate /tmp/ca.crt;
ssl_verify_client on;

and connect to the website, I get:

2017/05/15 08:12:04 [alert] 9109#0: worker process 12908 exited on signal 11 (core dumped)
2017/05/15 08:12:04 [alert] 9109#0: worker process 12909 exited on signal 11 (core dumped)
2017/05/15 08:12:10 [alert] 9109#0: worker process 12916 exited on signal 11 (core dumped)

I enabled cores and get:

(infra) [/tmp] gdb /local/nginx/sbin/nginx core
Reading symbols from /local/nginx/sbin/nginx...done.
[New LWP 12916]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `nginx: worker process  '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fbd9b8653db in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
(gdb) bt
#0  0x00007fbd9b8653db in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
#1  0x00007fbd9c5c2a16 in ngx_ssl_remove_cached_session (ssl=0x0, sess=0x7fbd9eb7ccf0) at src/event/ngx_event_openssl.c:2698
#2  0x00007fbd9c5d3633 in ngx_http_process_request (r=r@entry=0x7fbd9e67d6b0) at src/http/ngx_http_request.c:1902
#3  0x00007fbd9c5d3a2a in ngx_http_process_request_headers (rev=rev@entry=0x7fbd9eb0fa30) at src/http/ngx_http_request.c:1358
#4  0x00007fbd9c5d3ceb in ngx_http_process_request_line (rev=rev@entry=0x7fbd9eb0fa30) at src/http/ngx_http_request.c:1031
#5  0x00007fbd9c5d4092 in ngx_http_wait_request_handler (rev=0x7fbd9eb0fa30) at src/http/ngx_http_request.c:506
#6  0x00007fbd9c5d4142 in ngx_http_ssl_handshake_handler (c=0x7fbd9ec7b4c0) at src/http/ngx_http_request.c:814
#7  0x00007fbd9c5c1714 in ngx_ssl_handshake_handler (ev=<optimized out>) at src/event/ngx_event_openssl.c:1389
#8  0x00007fbd9c5beb6d in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:902
#9  0x00007fbd9c5b6102 in ngx_process_events_and_timers (cycle=cycle@entry=0x7fbd9ec39cd0) at src/event/ngx_event.c:242
#10 0x00007fbd9c5bcdb4 in ngx_worker_process_cycle (cycle=cycle@entry=0x7fbd9ec39cd0, data=data@entry=0x2) at src/os/unix/ngx_process_cycle.c:749
#11 0x00007fbd9c5bb473 in ngx_spawn_process (cycle=cycle@entry=0x7fbd9ec39cd0, proc=0x7fbd9c5bcd3a <ngx_worker_process_cycle>, data=0x2, name=0x7fbd9c64b42d "worker process", respawn=respawn@entry=4) at src/os/unix/ngx_process.c:198
#12 0x00007fbd9c5bd818 in ngx_reap_children (cycle=0x7fbd9ec39cd0) at src/os/unix/ngx_process_cycle.c:621
#13 ngx_master_process_cycle (cycle=0x7fbd9ec39cd0) at src/os/unix/ngx_process_cycle.c:174
#14 0x00007fbd9c5988a0 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:375

I attached the ca.crt. It is self-signed, with not all fields filled
out.

Please advise if I should do any more testing.

Cheers,
        Thomas

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx


Re: nginx ssl_verify_client on leads to segmentation fault

Maxim Dounin
Hello!

On Mon, May 15, 2017 at 08:16:38AM +0200, Thomas Glanzmann wrote:

> Hello,
> I'm running nginx from git HEAD, when I add the following two lines to a
> https server:
>
> ssl_client_certificate /tmp/ca.crt;
> ssl_verify_client on;
>
> and connect to the website, I get:
>
> 2017/05/15 08:12:04 [alert] 9109#0: worker process 12908 exited on signal 11 (core dumped)
> 2017/05/15 08:12:04 [alert] 9109#0: worker process 12909 exited on signal 11 (core dumped)
> 2017/05/15 08:12:10 [alert] 9109#0: worker process 12916 exited on signal 11 (core dumped)

[...]

> (gdb) bt
> #0  0x00007fbd9b8653db in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
> #1  0x00007fbd9c5c2a16 in ngx_ssl_remove_cached_session (ssl=0x0, sess=0x7fbd9eb7ccf0) at src/event/ngx_event_openssl.c:2698
> #2  0x00007fbd9c5d3633 in ngx_http_process_request (r=r@entry=0x7fbd9e67d6b0) at src/http/ngx_http_request.c:1902

Could you please confirm you do _not_ have ssl_certificate defined
in the server block where you've added ssl_verify_client?

I was able to reproduce the problem with the following
configuration:

    server{
        listen 8443 ssl;

        ssl_certificate test.crt;
        ssl_certificate_key test.key;
    }

    server {
        listen 8443 ssl;
        server_name foo;

        ssl_verify_client on;
        ssl_client_certificate test.root;
    }

(Just in case, an obvious workaround would be to add
ssl_certificate to the second server.)

Here is a patch:

# HG changeset patch
# User Maxim Dounin <[hidden email]>
# Date 1494865081 -10800
#      Mon May 15 19:18:01 2017 +0300
# Node ID 26c5ec160d3cb89ec681c285a3d87cae0595cb9e
# Parent  c85782291153482fe126e20ebc13b30eca4139ee
SSL: fixed context when removing cached sessions.

When removing cached session due to client certificate verification failure,
we have to use c->ssl->session_ctx, which matches the SSL context used by
OpenSSL when reusing sessions (see 97f102a13f33).

Using a context from currently selected virtual server is wrong, as it may
be different from the session context.  Moreover, it may be NULL if there is
no certificate defined in the currently selected virtual server, leading
to a segmentation fault.

Reported by Thomas Glanzmann.

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1885,7 +1885,7 @@ ngx_http_process_request(ngx_http_reques
                               "client SSL certificate verify error: (%l:%s)",
                               rc, X509_verify_cert_error_string(rc));
 
-                ngx_ssl_remove_cached_session(sscf->ssl.ctx,
+                ngx_ssl_remove_cached_session(c->ssl->session_ctx,
                                        (SSL_get0_session(c->ssl->connection)));
 
                 ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR);
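Review bot: The new argument c->ssl->session_ctx in the verify-error branch has no comment explaining why the selected server's sscf->ssl.ctx must not be used here; that reasoning exists only in the commit message. A short comment above the ngx_ssl_remove_cached_session() call, saying that the context has to be the one OpenSSL used for session reuse and that the virtual server's ctx can be NULL when it defines no certificate, would keep a later cleanup from reverting the argument.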
@@ -1899,7 +1899,7 @@ ngx_http_process_request(ngx_http_reques
                     ngx_log_error(NGX_LOG_INFO, c->log, 0,
                                   "client sent no required SSL certificate");
 
-                    ngx_ssl_remove_cached_session(sscf->ssl.ctx,
+                    ngx_ssl_remove_cached_session(c->ssl->session_ctx,
                                        (SSL_get0_session(c->ssl->connection)));
 
                     ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT);
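Review bot: The no-certificate branch repeats the exact ngx_ssl_remove_cached_session(c->ssl->session_ctx, ...) call from the verify-error branch, so the two copies can drift apart again. Consider a small helper or a shared exit path. Since the reported backtrace shows ssl=0x0 reaching ngx_ssl_remove_cached_session(), it is also worth confirming that session_ctx is always set before ngx_http_process_request() runs on an SSL connection, or having the callee return early on a NULL context.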

--
Maxim Dounin
http://nginx.org/
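
Added example (not part of the original messages and not nginx project code): a Python check that flags `server` blocks matching the reproduction above, that is, blocks where `ssl_verify_client` is enabled but no `ssl_certificate` is set in the block or inherited from an enclosing one. These are the blocks that need the workaround on a build without the patch. The sample configuration is constructed from the one in the message; the parser is a simplification that does not follow `include` or handle `#` inside quoted strings.

```python
import re

# Constructed sample: the two server blocks from the reproduction above.
SAMPLE = """
server {
    listen 8443 ssl;
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
}
server {
    listen 8443 ssl;
    server_name foo;
    ssl_verify_client on;
    ssl_client_certificate test.root;
}
"""

def tokenize(text):
    """Split config text into words, '{', '}' and ';' after dropping comments."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"""[{};]|"[^"]*"|'[^']*'|[^\s{};]+""", text)

def servers_missing_cert(text):
    """Return the server_name of every server block that requests client
    certificates but has no ssl_certificate, own or inherited."""
    findings, stack, stmt = [], [], []
    for tok in tokenize(text):
        if tok == "{":                      # block opens: stmt holds its name
            stack.append((stmt[0] if stmt else "", {}))
            stmt = []
        elif tok == ";":                    # simple directive ends
            if stmt and stack:
                stack[-1][1][stmt[0]] = stmt[1:]
            stmt = []
        elif tok == "}":                    # block closes
            stmt = []
            if not stack:
                continue
            name, dirs = stack.pop()
            if name != "server":
                continue
            # Innermost scope first, then enclosing blocks (e.g. http).
            scope = [dirs] + [d for _, d in reversed(stack)]
            def inherited(key):
                return next((s[key] for s in scope if key in s), None)
            verify = inherited("ssl_verify_client") or ["off"]
            if verify[0] != "off" and inherited("ssl_certificate") is None:
                findings.append(" ".join(dirs.get("server_name", ["<unnamed>"])))
        else:
            stmt.append(tok)
    return findings
```

To cover included files, pass in the full configuration as dumped by `nginx -T`.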

Re: nginx ssl_verify_client on leads to segmentation fault

Thomas Glanzmann
Hello Maxim,

> Could you please confirm you do _not_ have ssl_certificate defined
> in the server block where you've added ssl_verify_client?

I confirm the same, the ssl_certificate is defined in another server
block. The fix works for me, thanks.

Cheers,
        Thomas