httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 42972] New: - Certificate list in mod_ssl module context are not sorted
Date Wed, 25 Jul 2007 12:50:18 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42972>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42972

           Summary: Certificate list in mod_ssl module context are not
                    sorted
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: pascal.buchbinder@united-security-providers.ch


mod_ssl re-uses its module context for each request/connection.

Example:
static void ssl_init_ctx_cipher_suite(server_rec *s,
                                      apr_pool_t *p,
                                      apr_pool_t *ptemp,
                                      modssl_ctx_t *mctx)
{
    SSL_CTX *ctx = mctx->ssl_ctx;

This context is accessed as "read only" and can therefore been shared between
threads. OpenSSL uses mutexes when accessing global objects (e.g. random
generation).

The problem I encounter: the server certificates are stored in OpenSSL stacks.
The objects in this stack need to be sorted when they get accessed the very
first time (sk_find() brings the objects in the right order using qsort()).

Stack trace:
   ssl_io_filter_input()
   ssl_io_filter_connect()
   SSL_accept()
   ssl23_accept()
   ssl23_get_client_hello()
   SSL_accept()
   ssl3_accept()
   ssl3_send_server_certificate()
   ssl3_output_cert_chain()
   X509_STORE_get_by_subject()
   X509_OBJECT_retrieve_by_subject()
   X509_OBJECT_idx_by_subject()
   sk_find()
   internal_find()
   sk_sort()
   qsort()
   x509_object_cmp()

When starting multiple requests (new ssl handshakes) in parallel right after a
server restart, the server might crash due multiple threads are accessing the
certificate stack which has not been sorted yet (segmentation fault in
x509_object_cmp() due the move of the certificate objects in the stack order).

Possible workaround:
Manual sort of the stacks in the ssl context at server startup, e.g. in mod_ssl
ssl_init_ctx_verify()

Example:
 if(ctx->cert_store->objs->comp) {
      sk_sort(ctx->cert_store->objs);
 }

Impact of this issue is not very high due:
- it can only happen after a server restart
- may cause a crash of one single server child process
- happens only in a multithreaded environment (MPM worker)

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message