Bug #3096
closedSegfaults in mod_openssl_cert_cb() (misconfigured lighttpd.conf)
Description
Hi, I'm on lighttpd-1.4.59 and see segfaults in mod_openssl_cert_cb():
$ sudo coredumpctl debug
...
warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.
Core was generated by `/nix/store/v760939ywffha1y5gw2zgz4xxzpwlp2c-lighttpd-1.4.59/sbin/lighttpd -D -f'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f081aabcaaa in mod_openssl_cert_cb (ssl=0x20cd090, arg=<optimized out>) at mod_openssl.c:1058
1058 mod_openssl.c: No such file or directory.
(gdb) bt
#0 0x00007f081aabcaaa in mod_openssl_cert_cb (ssl=0x20cd090, arg=<optimized out>) at mod_openssl.c:1058
#1 0x00007f081aa82b95 in tls_post_process_client_hello () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#2 0x00007f081aa71a9d in state_machine.part () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#3 0x00007f081aa46366 in ssl3_read_bytes () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#4 0x00007f081aa4e170 in ssl3_read () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#5 0x00007f081aa5aa03 in SSL_read () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#6 0x00007f081aabf237 in connection_read_cq_ssl (con=0x2043410, cq=0x20436c0, max_bytes=<optimized out>) at mod_openssl.c:2978
#7 0x0000000000421d24 in connection_read_header_more (olen=<optimized out>, c=<optimized out>, cq=0x20436c0, con=0x2043410) at connections.c:618
#8 connection_handle_read_state (con=0x2043410) at connections.c:757
#9 0x0000000000423631 in connection_state_machine_loop (r=0x2043410, con=0x2043410) at connections.c:1079
#10 0x0000000000422dcf in connection_state_machine_h1 (con=0x2043410, r=0x2043410) at connections.c:1418
#11 connection_state_machine (con=0x2043410) at connections.c:1436
#12 0x00000000004265dd in network_server_handle_fdevent (context=0x20361e0, revents=<optimized out>) at network.c:66
#13 0x0000000000438be3 in fdevent_linux_sysepoll_poll (ev=0x203c380, timeout_ms=<optimized out>) at fdevent_linux_sysepoll.c:43
#14 0x0000000000431804 in fdevent_poll (ev=0x203c380, timeout_ms=<optimized out>) at fdevent.c:436
#15 0x000000000041f968 in server_main_loop (srv=0x1f95500) at server.c:1923
#16 0x000000000040dedc in main (argc=4, argv=0x7ffe501b7d08) at server.c:1965
I'm not sure what exactly triggers it, it doesn't seem to happen all the time,
but it does happen several times a day (on my home server). Concretely, 44
times yesterday and 32 times so far today.
I started noticing the segfaults after I upgraded from NixOS 20.09 with
lighttpd-1.4.55 and openssl-1.1.1k to NixOS 21.05 with lighttpd-1.4.59 and
openssl-1.1.1k (unchanged).
Any ideas?
Updated by bjornfor over 3 years ago
I see the segfaults also on lighttpd-1.4.55 when I'm on NixOS 21.05. (That version worked fine on NixOS 20.09.)
Updated by gstrauss over 3 years ago
- Status changed from New to Need Feedback
mod_openssl.c line 158 if (NULL pc->ssl_pemfile_x509 || NULL pc->ssl_pemfile_pkey) {
so pc (plugin_cert *)
is likely NULL when lighttpd crashes.
I have seen this happen when the user has misconfigured lighttpd.conf and does not have a certificate configured in $SERVER["socket"]
or has nested $SERVER["socket"]
inside other lighttpd conditionals (which has always been a user error). See lighttpd TLS/SSL Configuration for a more detailed explanation. The upcoming lighttpd 1.4.60 tries to detect and warn users of this misconfiguration.
excerpt from lighttpd TLS/SSL Configuration:
Note: ssl.* configuration options are generally valid only in global scope or in the top level of a $SERVER["socket"] configuration condition, as they are needed when the socket connection is established, before the host is known. In cases where the client adds SNI (server name indication), some ssl.* options can be specified in $HTTP["host"] or $HTTP["scheme"] conditions, e.g. to select certificates for that specific connection. All other conditions occur after TLS negotiation has completed, so ssl.* directives nested in other configuration conditions may be ignored, including $SERVER["socket"] or $HTTP["host"] or $HTTP["scheme"] nested in other configuration conditions.
Updated by bjornfor over 3 years ago
I have seen this happen when the user has misconfigured lighttpd.conf and does not have a certificate configured in $SERVER["socket"] or has nested $SERVER["socket"] inside other lighttpd conditionals (which has always been a user error).
You're right, that was the problem! Thank you!
My lighttpd.conf had a snippet like this:
$HTTP["host"] == "${domainName}" { $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/var/lib/acme/${domainName}/full.pem" } }
I moved the `$SERVER["socket"]` block out and the segfaults are gone. Yay!
(Now I wonder why I didn't see the segfaults on NixOS 20.09...)
Updated by bjornfor over 3 years ago
I'm looking for a way to close this issue, but I fail.
Updated by gstrauss over 3 years ago
- Status changed from Need Feedback to Invalid
Thank you for confirming that fixing the configuration addressed your issue.
Updated by gstrauss over 3 years ago
- Subject changed from Segfaults in mod_openssl_cert_cb() to Segfaults in mod_openssl_cert_cb() (misconfigured lighttpd.conf)
Also available in: Atom