Hi,
this seems harmless, but haproxy processes crash on reload when using
TLS tickets with multiple sockets per port.
Following configuration reproduces the problem:
global
nbproc 2
user haproxy
group haproxy
daemon
defaults
timeout connect 5000
timeout client 50000
timeout server 50000
frontend test
bind 127.0.0.1:8443 process 1 ssl crt file tls-ticket-keys file
bind 127.0.0.1:8443 process 2 ssl crt file tls-ticket-keys file
Every reload results with the following warning in logs:
[WARNING] 142/134019 (23389) : Former worker 23404 exited with code 134
gdb shows following:
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007fc87c8cc42a in __GI_abort () at abort.c:89
#2 0x00007fc87c908c00 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x7fc87c9fdd98 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/posix/libc_fatal.c:175
#3 0x00007fc87c90efc6 in malloc_printerr (action=3,
str=0x7fc87c9fde10 "double free or corruption (!prev)", ptr=<optimized
out>, ar_ptr=<optimized out>) at malloc.c:5049
#4 0x00007fc87c90f80e in _int_free (av=0x7fc87cc31b00 <main_arena>,
p=0x55f389a1a4a0, have_lock=0) at malloc.c:3905
#5 0x000055f387b9aa16 in ssl_sock_destroy_bind_conf
(bind_conf=0x55f389a1c400) at src/ssl_sock.c:4818
#6 0x000055f387c25280 in deinit () at src/haproxy.c:2240
#7 0x000055f387b8846e in main (argc=<optimized out>,
argv=0x7ffed2261cc8) at src/haproxy.c:3070
src/ssl_sock.c:4818 contains:
free(bind_conf->keys_ref->tlskeys);
haproxy version (1.8.9 recompiled on Debian stretch with USE_TFO):
$ /usr/sbin/haproxy -vv
HA-Proxy version 1.8.9-1~tsg9+1 2018/05/21
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fdebug-prefix-map=/root/haproxy-1.8.9=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.1.0f 25 May 2017
Running on OpenSSL version : OpenSSL 1.1.0f 25 May 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
--
Janusz Dziemidowicz
