A customer of ours has a server cert where the CSR was generated with 
1.0.2h but was signed with 1.0.0j.

When a process (nginx in this case) has this as the server cert, it core 
dumps with an abort() when clients request the cert:

[root@zre-ldap005 q]# gdb /opt/zimbra/common/sbin/nginx core-nginx-sig6-user1004-group1004-pid8084-time1471924181
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/zimbra/common/sbin/nginx...Reading symbols from /usr/lib/debug/opt/zimbra/common/sbin/nginx.debug...done.
done.
[New LWP 8084]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `nginx: worker process '.
Program terminated with signal 6, Aborted.
#0  0x00007f22ba1245f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Missing separate debuginfos, use: debuginfo-install pcre-8.32-15.el7_2.1.x86_64 zimbra-cyrus-sasl-libs-2.1.26-1zimbra8.7b1.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt
#0  0x00007f22ba1245f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f22ba125ce8 in __GI_abort () at abort.c:90
#2  0x00007f22ba164327 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f22ba26e488 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f22ba16ada5 in malloc_printerr (ar_ptr=0x7f22ba4aa760 <main_arena>, ptr=<optimized out>, str=0x7f22ba26bb57 "corrupted double-linked list", action=3) at malloc.c:5022
#4  malloc_consolidate (av=av@entry=0x7f22ba4aa760 <main_arena>) at malloc.c:4169
#5  0x00007f22ba16ced5 in _int_malloc (av=av@entry=0x7f22ba4aa760 <main_arena>, bytes=bytes@entry=1366) at malloc.c:3443
#6  0x00007f22ba16f26c in __GI___libc_malloc (bytes=1366) at malloc.c:2895
#7  0x00007f22bab51048 in CRYPTO_malloc (num=num@entry=1366, file=file@entry=0x7f22bace2220 "tasn_utl.c", line=line@entry=174) at mem.c:342
#8  0x00007f22bac4be94 in asn1_enc_save (pval=pval@entry=0x21302b0, in=0x214c6ce "0\202\005R\240\003\002\001\002\002\002\022x0\r\006\t*\206H\206\367\r\001\001\v\005", inlen=1366, it=it@entry=0x7f22baf35f60 <X509_CINF_it>) at tasn_utl.c:174
#9  0x00007f22bac4b14e in ASN1_item_ex_d2i (pval=<optimized out>, in=0x7ffc53c497e0, len=0, it=0x7f22baf35f60 <X509_CINF_it>, tag=<optimized out>, tag@entry=-1, aclass=<optimized out>, opt=0 '\000', ctx=0x7ffc53c49a10) at tasn_dec.c:492
#10 0x00007f22bac4b4f2 in asn1_template_noexp_d2i (val=0x21302b0, in=0x7ffc53c499a0, len=1513, tt=0x7f22baf3cd20 <X509_seq_tt>, opt=<optimized out>, ctx=0x7ffc53c49a10) at tasn_dec.c:694
#11 0x00007f22bac4b735 in asn1_template_ex_d2i (val=0x21302b0, in=0x7ffc53c499a0, inlen=1513, tt=0x7f22baf3cd20 <X509_seq_tt>, opt=<optimized out>, ctx=<optimized out>) at tasn_dec.c:582
#12 0x00007f22bac4ae9b in ASN1_item_ex_d2i (pval=pval@entry=0x7ffc53c49a00, in=in@entry=0x7ffc53c49a60, len=1513, len@entry=1517, it=it@entry=0x7f22baf35ee0 <X509_it>, tag=<optimized out>, tag@entry=-1, aclass=<optimized out>, aclass@entry=0, opt=opt@entry=0 '\000', ctx=ctx@entry=0x7ffc53c49a10) at tasn_dec.c:445
#13 0x00007f22bac4b294 in ASN1_item_d2i (pval=0x7ffc53c49a00, pval@entry=0x0, in=in@entry=0x7ffc53c49a60, len=len@entry=1517, it=it@entry=0x7f22baf35ee0 <X509_it>) at tasn_dec.c:146
#14 0x00007f22bac435ec in d2i_X509 (a=a@entry=0x0, in=in@entry=0x7ffc53c49a60, len=len@entry=1517) at x_x509.c:143
#15 0x00007f22baf71da2 in ssl3_get_server_certificate (s=s@entry=0x2167a50) at s3_clnt.c:1228
#16 0x00007f22baf76cee in ssl3_connect (s=0x2167a50) at s3_clnt.c:345
#17 0x00007f22baf8166e in ssl23_get_server_hello (s=0x2167a50) at s23_clnt.c:799
#18 ssl23_connect (s=0x2167a50) at s23_clnt.c:228
#19 0x000000000044a755 in ngx_ssl_handshake (c=0x7f22b8ca0f60) at src/event/ngx_event_openssl.c:791
#20 0x000000000044adbf in ngx_ssl_handshake_handler (ev=0x7f22b8b99640) at src/event/ngx_event_openssl.c:939
#21 0x000000000043a8da in ngx_event_process_posted (cycle=0x1e86db0, posted=0x73d4e8 <ngx_posted_events>) at src/event/ngx_event_posted.c:40
#22 0x000000000043843a in ngx_process_events_and_timers (cycle=0x1e86db0) at src/event/ngx_event.c:275
#23 0x0000000000445dad in ngx_worker_process_cycle (cycle=0x1e86db0, data=0x1) at src/os/unix/ngx_process_cycle.c:879
#24 0x00000000004423cb in ngx_spawn_process (cycle=0x1e86db0, proc=0x445bca <ngx_worker_process_cycle>, data=0x1, name=0x4ff02f "worker process", respawn=1) at src/os/unix/ngx_process.c:198
#25 0x000000000044579d in ngx_reap_children (cycle=0x1e86db0) at src/os/unix/ngx_process_cycle.c:688
#26 0x0000000000444443 in ngx_master_process_cycle (cycle=0x1e86db0) at src/os/unix/ngx_process_cycle.c:241
#27 0x00000000004075fb in main (argc=3, argv=0x7ffc53c4a278) at src/core/nginx.c:407

Let me know what further information I can provide.

--Quanah

--

Quanah Gibson-Mount


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4658
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev