Project

General

Profile

Actions

Bug #3096

closed

Segfaults in mod_openssl_cert_cb() (misconfigured lighttpd.conf)

Added by bjornfor 26 days ago. Updated 14 days ago.

Status:
Invalid
Priority:
Normal
Category:
-
Target version:
ASK QUESTIONS IN Forums:
No

Description

Hi, I'm on lighttpd-1.4.59 and see segfaults in mod_openssl_cert_cb():

$ sudo coredumpctl debug
...
warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.
Core was generated by `/nix/store/v760939ywffha1y5gw2zgz4xxzpwlp2c-lighttpd-1.4.59/sbin/lighttpd -D -f'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f081aabcaaa in mod_openssl_cert_cb (ssl=0x20cd090, arg=<optimized out>) at mod_openssl.c:1058
1058 mod_openssl.c: No such file or directory.
(gdb) bt
#0 0x00007f081aabcaaa in mod_openssl_cert_cb (ssl=0x20cd090, arg=<optimized out>) at mod_openssl.c:1058
#1 0x00007f081aa82b95 in tls_post_process_client_hello () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#2 0x00007f081aa71a9d in state_machine.part () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#3 0x00007f081aa46366 in ssl3_read_bytes () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#4 0x00007f081aa4e170 in ssl3_read () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#5 0x00007f081aa5aa03 in SSL_read () from /nix/store/m3gdqvg4m7m0llr1f0izkh3kgiipd88p-openssl-1.1.1k/lib/libssl.so.1.1
#6 0x00007f081aabf237 in connection_read_cq_ssl (con=0x2043410, cq=0x20436c0, max_bytes=<optimized out>) at mod_openssl.c:2978
#7 0x0000000000421d24 in connection_read_header_more (olen=<optimized out>, c=<optimized out>, cq=0x20436c0, con=0x2043410) at connections.c:618
#8 connection_handle_read_state (con=0x2043410) at connections.c:757
#9 0x0000000000423631 in connection_state_machine_loop (r=0x2043410, con=0x2043410) at connections.c:1079
#10 0x0000000000422dcf in connection_state_machine_h1 (con=0x2043410, r=0x2043410) at connections.c:1418
#11 connection_state_machine (con=0x2043410) at connections.c:1436
#12 0x00000000004265dd in network_server_handle_fdevent (context=0x20361e0, revents=<optimized out>) at network.c:66
#13 0x0000000000438be3 in fdevent_linux_sysepoll_poll (ev=0x203c380, timeout_ms=<optimized out>) at fdevent_linux_sysepoll.c:43
#14 0x0000000000431804 in fdevent_poll (ev=0x203c380, timeout_ms=<optimized out>) at fdevent.c:436
#15 0x000000000041f968 in server_main_loop (srv=0x1f95500) at server.c:1923
#16 0x000000000040dedc in main (argc=4, argv=0x7ffe501b7d08) at server.c:1965

I'm not sure what exactly triggers it, it doesn't seem to happen all the time,
but it does happen several times a day (on my home server). Concretely, 44
times yesterday and 32 times so far today.

I started noticing the segfaults after I upgraded from NixOS 20.09 with
lighttpd-1.4.55 and openssl-1.1.1k to NixOS 21.05 with lighttpd-1.4.59 and
openssl-1.1.1k (unchanged).

Any ideas?

Actions #1

Updated by bjornfor 26 days ago

I see the segfaults also on lighttpd-1.4.55 when I'm on NixOS 21.05. (That version worked fine on NixOS 20.09.)

Actions #2

Updated by gstrauss 26 days ago

  • Status changed from New to Need Feedback

mod_openssl.c line 158
if (NULL pc->ssl_pemfile_x509 || NULL pc->ssl_pemfile_pkey) {
so pc (plugin_cert *) is likely NULL when lighttpd crashes.

I have seen this happen when the user has misconfigured lighttpd.conf and does not have a certificate configured in $SERVER["socket"] or has nested $SERVER["socket"] inside other lighttpd conditionals (which has always been a user error). See lighttpd TLS/SSL Configuration for a more detailed explanation. The upcoming lighttpd 1.4.60 tries to detect and warn users of this misconfiguration.

excerpt from lighttpd TLS/SSL Configuration:

Note: ssl.* configuration options are generally valid only in global scope or in the top level of a $SERVER["socket"] configuration condition, as they are needed when the socket connection is established, before the host is known. In cases where the client adds SNI (server name indication), some ssl.* options can be specified in $HTTP["host"] or $HTTP["scheme"] conditions, e.g. to select certificates for that specific connection. All other conditions occur after TLS negotiation has completed, so ssl.* directives nested in other configuration conditions may be ignored, including $SERVER["socket"] or $HTTP["host"] or $HTTP["scheme"] nested in other configuration conditions.

Actions #3

Updated by bjornfor 25 days ago

I have seen this happen when the user has misconfigured lighttpd.conf and does not have a certificate configured in $SERVER["socket"] or has nested $SERVER["socket"] inside other lighttpd conditionals (which has always been a user error).

You're right, that was the problem! Thank you!

My lighttpd.conf had a snippet like this:

$HTTP["host"] == "${domainName}" {
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.pemfile = "/var/lib/acme/${domainName}/full.pem" 
  }
}

I moved the `$SERVER["socket"]` block out and the segfaults are gone. Yay!

(Now I wonder why I didn't see the segfaults on NixOS 20.09...)

Actions #4

Updated by bjornfor 25 days ago

I'm looking for a way to close this issue, but I fail.

Actions #5

Updated by gstrauss 25 days ago

  • Status changed from Need Feedback to Invalid

Thank you for confirming that fixing the configuration addressed your issue.

Actions #6

Updated by gstrauss 14 days ago

  • Subject changed from Segfaults in mod_openssl_cert_cb() to Segfaults in mod_openssl_cert_cb() (misconfigured lighttpd.conf)
Actions

Also available in: Atom