httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 52212] New: SSLProxyMachineCertificateFile key first causes segfault
Date Fri, 18 Nov 2011 23:12:04 GMT

             Bug #: 52212
           Summary: SSLProxyMachineCertificateFile key first causes segfault
           Product: Apache httpd-2
           Version: 2.2.21
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
    Classification: Unclassified

Sending a request via a mod_proxy reverse proxy to an https backend results in
a segfault. This is a similar issue to bug 24030 in that the segfault also
occurs in ssl_callback_proxy_cert calling the modssl_set_cert_info() macro:

   #define modssl_set_cert_info(info, cert, pkey) \
       *cert = info->x509; \
       X509_reference_inc(*cert); \
       *pkey = info->x_pkey->dec_pkey; \

except that instead of info->x_pkey being NULL, it is info->x_pkey->dec_pkey
(the private key data) that is NULL.

(gdb) p *info
$1 = {x509 = 0xcb2140, crl = 0x0, x_pkey = 0xcaf490, enc_cipher = {cipher = 0x0, iv = "?\"?\000\000\000\000\000?\t?\000\000\000\000"}, enc_len = 0, enc_data = 0x0, references = 1}
(gdb) set print pretty on
(gdb) p info->x_pkey->dec_pkey
$5 = (EVP_PKEY *) 0x0
(gdb) c

Program received signal SIGSEGV, Segmentation fault.
0x0000002a96f10e82 in CRYPTO_add_lock (pointer=0x8, amount=1, type=5,
    file=0x2a96fbdd7f "ssl_engine_kernel.c", line=1698) at cryptlib.c:630
(gdb) bt
#0  0x0000002a96f10e82 in CRYPTO_add_lock (pointer=0x8, amount=1, type=5,
    file=0x2a96fbdd7f "ssl_engine_kernel.c", line=1698) at cryptlib.c:630
#1  0x0000002a96edd0a3 in ssl_callback_proxy_cert (ssl=0xcbc710,
    pkey=0x7fbfffea30) at ssl_engine_kernel.c:1698
#2  0x0000002a96f09deb in ssl_do_client_cert_cb (s=0xcbc710,
    ppkey=0x7fbfffea30) at s3_clnt.c:3048
#3  0x0000002a96f09e89 in ssl3_send_client_certificate (s=0xcbc710) at
#4  0x0000002a96f0a378 in ssl3_connect (s=0xcbc710) at s3_clnt.c:373

I initially avoided the segfault by modifying the fix for bug 24030 to check
x_pkey->dec_pkey as well:

--- a/httpd-2.2.21/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.21/modules/ssl/ssl_engine_init.c
@@ -1006,7 +1006,7 @@ static void ssl_init_proxy_certs(server_rec *s,
     for (n = 0; n < ncerts; n++) {
         X509_INFO *inf = sk_X509_INFO_value(sk, n);

-        if (!inf->x509 || !inf->x_pkey) {
+        if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                          "incomplete client cert configured for SSL proxy "
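Review bot: the added `!inf->x_pkey->dec_pkey` test is the right null guard for the crash shown in the backtrace (x_pkey is non-NULL but dec_pkey is NULL when ssl_callback_proxy_cert runs modssl_set_cert_info), but the log text that follows it, "incomplete client cert configured for SSL proxy (missing or encrypted private key ...", becomes misleading for the case this report describes, where the key is present and unencrypted but placed before the certificate; consider extending the message to name PEM block ordering as a cause, e.g. "(missing, encrypted, or placed before its certificate)". The hunk also ends inside the ap_log_error string, so the skip path after the log call is not visible here; please confirm that the incomplete entry is dropped rather than left in the proxy certificate array where a later lookup could still hand a NULL key to modssl_set_cert_info.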

which resulted in a:

  incomplete client cert configured for SSL proxy (missing or encrypted private

error on startup, which was an improvement.

Further investigation using gdb and testing showed that having the private key
before the certificate in SSLProxyMachineCertificateFile was triggering the
segfault.  Changing this file to have the certificate first resolved the issue.

I'd suggest applying the above patch to avoid the segfault and at least
updating the SSLProxyMachineCertificateFile documentation to say that the
certificate should come before the private key.

Note that this issue does not occur in Apache/2.2.11 with OpenSSL/0.9.8k but
does also occur in Apache/2.2.17 with OpenSSL/1.0.0c.
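The report boils down to a configuration-ordering check: every certificate in SSLProxyMachineCertificateFile must be immediately followed by its unencrypted private key, and a key that precedes its certificate produces an incomplete entry that older mod_ssl dereferences. The following Python script is an added example, not mod_ssl code or anything from the httpd project; it lints a PEM bundle against that pairing rule before the file is deployed. The PEM bodies in the fixtures are constructed placeholders, not real keys or certificates, and the pairing rule (certificate, then key, repeated) is assumed from the report rather than taken from OpenSSL's loader.

```python
import re

# One PEM block: label and body. The label backreference keeps a block's
# BEGIN and END lines paired. (Added example code, not from mod_ssl.)
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, body, line_number) for each PEM block in file order."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), m.group(2), text.count("\n", 0, m.start()) + 1


def is_private_key(label):
    return label.endswith("PRIVATE KEY")


def is_encrypted(label, body):
    # PKCS#8 encrypted keys carry their own label; legacy PEM keys carry a
    # Proc-Type header inside the block.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def lint_proxy_cert_file(text):
    """Check that the file is a sequence of (certificate, unencrypted key) pairs.

    Returns (complete_pairs, problems). An empty problems list means every
    certificate is immediately followed by a usable private key, which is
    the ordering the bug report found to work.
    """
    problems = []
    pairs = 0
    cert_line = None  # line of the certificate still waiting for its key
    for label, body, line in pem_blocks(text):
        if label == "CERTIFICATE":
            if cert_line is not None:
                problems.append(
                    f"line {cert_line}: certificate is not followed by its private key")
            cert_line = line
        elif is_private_key(label):
            if cert_line is None:
                # The ordering from the report: key before its certificate.
                problems.append(
                    f"line {line}: private key appears before its certificate "
                    "(key-first ordering)")
                continue
            if is_encrypted(label, body):
                problems.append(
                    f"line {line}: private key is encrypted; mod_ssl needs an unencrypted key")
            else:
                pairs += 1
            cert_line = None
        else:
            problems.append(f"line {line}: unexpected PEM block '{label}'")
    if cert_line is not None:
        problems.append(
            f"line {cert_line}: certificate at end of file has no private key")
    return pairs, problems


# Constructed fixtures: the base64 bodies are placeholders, not real material.
CERT = ("-----BEGIN CERTIFICATE-----\nMIIBplaceholdercert\n"
        "-----END CERTIFICATE-----\n")
KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholderkey\n"
       "-----END RSA PRIVATE KEY-----\n")
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           "placeholderciphertext\n-----END RSA PRIVATE KEY-----\n")

GOOD_FILE = CERT + KEY        # certificate first, then its key
KEY_FIRST_FILE = KEY + CERT   # the ordering that triggered the segfault
ENCRYPTED_FILE = CERT + ENC_KEY

if __name__ == "__main__":
    for name, data in [("good", GOOD_FILE), ("key-first", KEY_FIRST_FILE),
                       ("encrypted", ENCRYPTED_FILE)]:
        pairs, problems = lint_proxy_cert_file(data)
        print(f"{name}: {pairs} complete pair(s)")
        for p in problems:
            print("  " + p)
```

Run it against the real bundle with `lint_proxy_cert_file(open(path).read())`; a non-empty problem list is the condition under which the patched mod_ssl would log "incomplete client cert configured for SSL proxy" and the unpatched one could crash.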
