[Solved] Core Dump lighttpd 1.4.58 with option "-SessionTicket" (discontinuous system time)

Added by Agossi about 2 months ago

Hi all,

I am facing a core dump after some time during a stress test of lighttpd 1.4.58 with disabled Session Tickets "Options" => "-SessionTicket".
I am not sure at the moment if it would also core dump with Session Tickets activated.

OpenSSL on the system is 1.1.1k.

On my Ubuntu system I ran an Apache utility to stress the system:

ab -c40 -n10000000  https://IP/

What I saw was an increasing CPU usage (constantly growing 1,2,3,4,50%,60% -> crash).
I let it run for 3-4 hours and then stopped it but after some time (maybe internal cleanup) it core dumped.

Seen in the core file:

(gdb) bt 
#0  0x76d514fc in free () from /lib/libc.so.6
#1  0x76c49156 in SSL_SESSION_free () from /usr/lib/libssl.so.1.1
#2  0x76edbab4 in OPENSSL_LH_doall_arg () from /usr/lib/libcrypto.so.1.1
#3  0x76c49e18 in SSL_CTX_flush_sessions () from /usr/lib/libssl.so.1.1
#4  0x76c5aed4 in ?? () from /usr/lib/libssl.so.1.1
#5  0x76c5aed4 in ?? () from /usr/lib/libssl.so.1.1
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Any suggestion how to debug it more or how to fix it?


Replies (7)

RE: Core Dump lighttpd 1.4.58 with option "-SessionTicket" - Added by gstrauss about 2 months ago

> What I saw was an increasing CPU usage (constantly growing 1,2,3,4,50%,60% -> crash).

missing context. system time? user time? other processes? free memory? free disk space? Were you hitting other resource limits?

The latest lighttpd release is lighttpd 1.4.59, released almost 6 months ago. Please test with lighttpd 1.4.59.
lighttpd 1.4.59 fixed some bugs in lighttpd 1.4.58, hence the reason lighttpd 1.4.59 was released.
lighttpd 1.4.59 release info

RE: Core Dump lighttpd 1.4.58 with option "-SessionTicket" - Added by gstrauss about 2 months ago

Please read the "Help" section on the front page of the lighttpd wiki

RE: Core Dump lighttpd 1.4.58 with option "-SessionTicket" - Added by gstrauss about 2 months ago

Please read the lighttpd TLS docs and then explain why you are disabling Session Tickets.
Also, if you haven't tested your stress test with Session Tickets enabled, how in the world have you concluded that is the problem?

RE: Core Dump lighttpd 1.4.58 with option "-SessionTicket" - Added by Agossi about 2 months ago

> missing context. system time? user time? other processes? free memory? free disk space? Were you hitting other resource limits?

=>
         total     used     free   shared  buff/cache  available
Mem:    511768   179400   105308    58100      227060     273172
No memory issue.

Size      Used  Available  Use%  Mounted on
249.9M   49.3M     200.6M   20%  /tmp
=> no disk space issue.

> Please read the lighttpd TLS docs and then explain why you are disabling Session Tickets.
> Also, if you haven't tested your stress test with Session Tickets enabled, how in the world have you concluded that is the problem?

I just said it could be the problem, but never said it is the problem for sure.
I disabled SessionTickets since we saw SSL errors with time changes on the system with TLS 1.3; therefore it is disabled for now. Also, it shall not crash with SessionTickets disabled.
The main issue for us was if the time is changed into the past and into the future, since only 3 tickets are generated in 24 h (every 8h), and if the time changes it can happen that the next ticket will be generated at <= 8h; until then no fallback appears and the system is not usable.

I will give 1.4.59 a try. Thanks

RE: Core Dump lighttpd 1.4.58 with option "-SessionTicket" - Added by gstrauss about 2 months ago

> The main issue for us was if the time is changed into the past and into the future, since only 3 tickets are generated in 24 h (every 8h), and if the time changes it can happen that the next ticket will be generated at <= 8h; until then no fallback appears and the system is not usable.

Don't you think that is an important piece of information?

lighttpd has added additional defensive maneuvers in the source code, which will be part of lighttpd 1.4.60 when released.

#3075 TLS 1.3 with SessionTicket fail for the first 8 hours of 1970
#3080 Lighttpd 1.4.58 SSL connections stop working if system time of lighttpd server is changed to future one (+12h or even days)
https://redmine.lighttpd.net/boards/2/topics/9664
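
The backward time jump described in the posts above, sketched as an added example that is not part of the thread and is not lighttpd's code: a key rotated on an 8-hour wall-clock schedule has no usable key after the clock is set back, unless the rotation check also treats a clock reading earlier than the key's activation time as a reason to regenerate. The struct, function names, 24-hour lifetime and sample clock readings are assumptions made for the illustration.

```c
#include <stdio.h>
#include <time.h>

#define ROTATE_SECS   (8 * 3600)   /* rotation interval stated in the thread */
#define LIFETIME_SECS (24 * 3600)  /* assumed key lifetime (3 keys per 24 h) */

/* Hypothetical ticket key record; not lighttpd's structure. */
struct tkey { time_t active_ts, expire_ts; };

static int key_usable(const struct tkey *k, time_t now) {
    return k->active_ts <= now && now < k->expire_ts;
}

static void key_generate(struct tkey *k, time_t now) {
    k->active_ts = now;
    k->expire_ts = now + LIFETIME_SECS;
}

/* Naive schedule: rotate only once the wall clock passes active_ts + 8 h. */
static int rotate_naive(struct tkey *k, time_t now) {
    if (now < k->active_ts + ROTATE_SECS) return 0;
    key_generate(k, now);
    return 1;
}

/* Defensive schedule: also rotate when the clock reads earlier than the
 * key's activation time, i.e. wall-clock time went backwards. */
static int rotate_defensive(struct tkey *k, time_t now) {
    if (now >= k->active_ts && now < k->active_ts + ROTATE_SECS) return 0;
    key_generate(k, now);
    return 1;
}

/* Replays clock readings; returns how many checks find no usable key. */
static int count_unusable(int (*rotate)(struct tkey *, time_t),
                          const time_t *clock, int n) {
    struct tkey k;
    int bad = 0;
    key_generate(&k, clock[0]);
    for (int i = 1; i < n; i++) {
        rotate(&k, clock[i]);
        if (!key_usable(&k, clock[i])) bad++;
    }
    return bad;
}

/* Constructed sample: hourly checks, then the clock is set back 2 days. */
static const time_t SAMPLE_CLOCK[6] =
    { 1000000, 1003600, 1007200, 834400, 838000, 841600 };

int main(void) {
    printf("naive: %d, defensive: %d\n",
           count_unusable(rotate_naive, SAMPLE_CLOCK, 6),
           count_unusable(rotate_defensive, SAMPLE_CLOCK, 6));
    return 0;
}
```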

RE: [Solved] Core Dump lighttpd 1.4.58 with option "-SessionTicket" (discontinuous system time) - Added by Agossi 24 days ago

Update:
Still failing with lighttpd 1.4.59 and -SessionTicket.
Previous version 1.4.58 without "--SessionTicket" works without crashes.

Any timeline when 1.4.60 will be released?

RE: [Solved] Core Dump lighttpd 1.4.58 with option "-SessionTicket" (discontinuous system time) - Added by gstrauss 24 days ago

> Still failing with lighttpd 1.4.59 and -SessionTicket.

Any more details? Any stack trace?

Kindly test the pre-release to see if it addresses your issue:
lighttpd source code and build instructions
