We noticed that whenever we made web services calls (using tsoap) over https, Aolserver was crashing with a signal 11 (IIRC).

We did a fair amount of debugging, and wanted to ask for some help with the rest.

After turning debugging on, one of my team members here (Sep) produced this trace and analysis. Can anyone help us track down if we've discovered a bug, and if it is safe to disable Diffie-Hellman?

-----------------------------------------------------------------------------------------------

Program received signal SIGABRT, Aborted.
[Switching to Thread -1448084592 (LWP 11092)]
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7c68875 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7c6a201 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7e7aa4f in Tcl_PanicVA () from /usr/local/tcl/lib/libtcl8.4.so
#4  0xb7e7aa77 in Tcl_Panic () from /usr/local/tcl/lib/libtcl8.4.so
#5  0xb7e89b4f in Ptr2Block () from /usr/local/tcl/lib/libtcl8.4.so
#6  0xb7e8a117 in TclpFree () from /usr/local/tcl/lib/libtcl8.4.so
#7  0xb7e2a51d in Tcl_Free () from /usr/local/tcl/lib/libtcl8.4.so
#8  0xb7eba251 in ns_free () from /usr/local/aolserver40r10/lib/libnsthread.so
#9  0xb5ff14aa in CRYPTO_free () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#10 0xb601e0aa in BN_clear_free () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#11 0xb6045836 in DH_free () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#12 0xa9910e51 in CTX_Init (statePtr=0x168b7e38, proto=3, key=0x0, cert=0x0,
    CAdir=0x0, CAfile=0x0, ciphers=0x0) at tls.c:961
#13 0xa991084f in ImportObjCmd (clientData=0x0, interp=0x13066570, objc=4,
    objv=0xa9afb6bc) at tls.c:801
#14 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#15 0xb7e25987 in Tcl_EvalEx () from /usr/local/tcl/lib/libtcl8.4.so
#16 0xb7e26635 in Tcl_EvalObjEx () from /usr/local/tcl/lib/libtcl8.4.so
#17 0xb7e2d358 in Tcl_EvalObjCmd () from /usr/local/tcl/lib/libtcl8.4.so
#18 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#19 0xb7e520db in TclExecuteByteCode () from /usr/local/tcl/lib/libtcl8.4.so
#20 0xb7e55dbc in TclCompEvalObj () from /usr/local/tcl/lib/libtcl8.4.so
#21 0xb7e82d68 in TclObjInterpProc () from /usr/local/tcl/lib/libtcl8.4.so
#22 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#23 0xb7e25987 in Tcl_EvalEx () from /usr/local/tcl/lib/libtcl8.4.so
#24 0xb7e26635 in Tcl_EvalObjEx () from /usr/local/tcl/lib/libtcl8.4.so
#25 0xb7e2d358 in Tcl_EvalObjCmd () from /usr/local/tcl/lib/libtcl8.4.so
#26 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#27 0xb7e520db in TclExecuteByteCode () from /usr/local/tcl/lib/libtcl8.4.so
#28 0xb7e55dbc in TclCompEvalObj () from /usr/local/tcl/lib/libtcl8.4.so
#29 0xb7e82d68 in TclObjInterpProc () from /usr/local/tcl/lib/libtcl8.4.so
#30 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#31 0xb7e520db in TclExecuteByteCode () from /usr/local/tcl/lib/libtcl8.4.so
#32 0xb7e55dbc in TclCompEvalObj () from /usr/local/tcl/lib/libtcl8.4.so
#33 0xb7e26539 in Tcl_EvalObjEx () from /usr/local/tcl/lib/libtcl8.4.so
#34 0xb7e32e07 in Tcl_IfObjCmd () from /usr/local/tcl/lib/libtcl8.4.so
#35 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#36 0xb7e25987 in Tcl_EvalEx () from /usr/local/tcl/lib/libtcl8.4.so
#37 0xb7e6fccb in Tcl_FSEvalFile () from /usr/local/tcl/lib/libtcl8.4.so
#38 0xb7e38f16 in Tcl_SourceObjCmd () from /usr/local/tcl/lib/libtcl8.4.so
#39 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#40 0xb7e25987 in Tcl_EvalEx () from /usr/local/tcl/lib/libtcl8.4.so
#41 0xb7e26635 in Tcl_EvalObjEx () from /usr/local/tcl/lib/libtcl8.4.so
#42 0xb7e76cf1 in Tcl_NamespaceObjCmd () from /usr/local/tcl/lib/libtcl8.4.so
#43 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#44 0xb7e520db in TclExecuteByteCode () from /usr/local/tcl/lib/libtcl8.4.so
#45 0xb7e55dbc in TclCompEvalObj () from /usr/local/tcl/lib/libtcl8.4.so
#46 0xb7e82d68 in TclObjInterpProc () from /usr/local/tcl/lib/libtcl8.4.so
#47 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#48 0xb7e25987 in Tcl_EvalEx () from /usr/local/tcl/lib/libtcl8.4.so
#49 0xb7e26635 in Tcl_EvalObjEx () from /usr/local/tcl/lib/libtcl8.4.so
#50 0xb7e835bd in Tcl_UplevelObjCmd () from /usr/local/tcl/lib/libtcl8.4.so
#51 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#52 0xb7e520db in TclExecuteByteCode () from /usr/local/tcl/lib/libtcl8.4.so
#53 0xb7e55dbc in TclCompEvalObj () from /usr/local/tcl/lib/libtcl8.4.so
#54 0xb7e82d68 in TclObjInterpProc () from /usr/local/tcl/lib/libtcl8.4.so
#55 0xb7e743c9 in InvokeImportedCmd () from /usr/local/tcl/lib/libtcl8.4.so
#56 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#57 0xb7e520db in TclExecuteByteCode () from /usr/local/tcl/lib/libtcl8.4.so
#58 0xb7e55dbc in TclCompEvalObj () from /usr/local/tcl/lib/libtcl8.4.so
#59 0xb7e82d68 in TclObjInterpProc () from /usr/local/tcl/lib/libtcl8.4.so
#60 0xb7e253c3 in TclEvalObjvInternal () from /usr/local/tcl/lib/libtcl8.4.so
#61 0xb7e25987 in Tcl_EvalEx () from /usr/local/tcl/lib/libtcl8.4.so
#62 0xb7e25c8c in Tcl_Eval () from /usr/local/tcl/lib/libtcl8.4.so
#63 0xb7e25d26 in Tcl_GlobalEval () from /usr/local/tcl/lib/libtcl8.4.so
#64 0xb7efbe83 in ProcRequest () from /usr/local/aolserver40r10/lib/libnsd.so
#65 0xb7ee823b in Ns_ConnRunRequest ()
   from /usr/local/aolserver40r10/lib/libnsd.so
#66 0xb7ee99fc in NsConnThread () from /usr/local/aolserver40r10/lib/libnsd.so
#67 0xb7ebb48f in NsThreadMain ()
   from /usr/local/aolserver40r10/lib/libnsthread.so
#68 0xb7ebcb6d in ThreadMain ()
   from /usr/local/aolserver40r10/lib/libnsthread.so
#69 0xb7dd346b in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#70 0xb7d116de in clone () from /lib/tls/i686/cmov/libc.so.6

That line is:

961             DH_free(dh);

This is the 12th level of the running stack and it's a reference to DH_free at line 961 in the tls package. I am not certain if this is the source of all our woes; however, I inspected the code a bit and it looks like some programmatic error (though it is a wonder how this is included in multiple releases of tls). I would suggest talking with the tls mailing list about this for more information. I'm eager to find out what causes the crash and why.

Here's the code at tls.c:

#ifndef NO_DH
    {
        DH* dh = get_dh512();
        SSL_CTX_set_tmp_dh(ctx, dh);
        DH_free(dh);
    }
#endif

The entire code is, interestingly, wrapped in the NO_DH if-check, which reads "If the NO_DH variable is not defined, do the following". And so the crash happens when the dh pointer is being freed. What is interesting to point out is that get_dh512() is defined as:

static DH *get_dh512()
{
    ...
}

I'm not sure how or what the purpose is, but the way I see this is that the pointer returned is a static DH pointer, and we know how freeing static pointers goes.

I rebuilt the tls-head (tls1.5.1) package except I disabled the DH routines. I inserted this on tls.c, line 75:

#define NO_DH 1

This will toggle tls not to use DH, which is part of the libcrypto library. Now, I'm not sure if my change here effectively disabled ssh, but it seems to have extracted the soap-response just fine. Like I said, the ramifications of this change need the expertise of the TLS folks.

Either way, this is certainly one way of going about this.

According to SSL, dh is the Diffie-Hellman key agreement
http://openssl.org/docs/crypto/dh.html

More info:
http://en.wikipedia.org/wiki/Diffie-Hellman

After some reading, I'm half-convinced this should not shut down ssl encryption of packets. The other half is up in the air.

---------------------------------------------------------------------------------

Is this a bug in TLS and/or its interaction with Aolserver? And is it safe to disable Diffie-Hellman?

Jade



Jade Rubick
Director of Development
Truist
120 Wall Street, 4th Floor
New York, NY 10005 USA
jrub...@truist.com
+1 503 285 4963
+1 707 671 1333 fax

www.truist.com




--
AOLserver - http://www.aolserver.com/
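A note on what the trace itself shows: the abort comes from Tcl_Panic raised inside Ptr2Block, the check Tcl's allocator runs on every pointer handed to Tcl_Free (here via ns_free from CRYPTO_free). Ptr2Block panics when the block header in front of the pointer does not carry the allocator's magic values, that is, when the memory being freed did not come from that allocator. The following is an added example, not code from the post, the tls package, Tcl or AOLserver: a minimal allocator with the same kind of guarded header, showing why releasing memory from a different allocator through it is caught this way. Names and constants are the example's own.

```c
#include <stdint.h>
#include <stdlib.h>
/* Guarded header in front of every allocation, modelled on the one Tcl's
 * threaded allocator keeps (tclThreadAlloc.c). Names and constants are this
 * example's own, not Tcl's or AOLserver's. */
#define BLOCK_MAGIC 0xEFu
typedef struct Block {
    size_t   size;   /* usable bytes that follow the header */
    uint32_t magic1; /* both guards must equal BLOCK_MAGIC */
    uint32_t magic2;
} Block;

/* Allocate a block and stamp its header (the role ns_malloc plays). */
void *checked_malloc(size_t n)
{
    Block *b = malloc(sizeof(Block) + n);
    if (b == NULL) return NULL;
    b->size = n;
    b->magic1 = b->magic2 = BLOCK_MAGIC;
    return b + 1;   /* the caller's memory starts right after the header */
}

/* Validate, then free. Returns 1 when the header carries both magic values,
 * 0 when it does not. Tcl's Ptr2Block makes the same comparison and on a
 * mismatch calls Tcl_Panic() -> abort(): the SIGABRT in the trace above. */
int checked_free(void *p)
{
    if (p == NULL) return 1;
    Block *b = (Block *)p - 1;
    if (b->magic1 != BLOCK_MAGIC || b->magic2 != BLOCK_MAGIC) return 0;
    b->magic1 = b->magic2 = 0;   /* scrub so a later double free is caught too */
    free(b);
    return 1;
}

/* Memory from this allocator, released through it: the check passes. */
int free_own_block(void)
{
    return checked_free(checked_malloc(32));
}

/* Memory from another allocator (plain calloc here), released through the
 * checked one: the bytes in front of it are not a stamped header, so the
 * check fails and the block is left alone. */
int free_foreign_block(void)
{
    unsigned char *raw = calloc(1, 64);
    if (raw == NULL) return -1;
    int ok = checked_free(raw + 32);   /* interior pointer: header read stays in bounds */
    free(raw);
    return ok;
}
```

When the foreign case fires in a real process, the fix is to make both sides use the same allocator (or not to free through the wrong one), not to disable the code path that happened to trigger the check.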
