nginx ssl_verify_client on leads to segmentation fault

Thomas Glanzmann thomas at glanzmann.de
Mon May 15 06:16:38 UTC 2017


Hello,
I'm running nginx from git HEAD. When I add the following two lines to an
https server:

ssl_client_certificate /tmp/ca.crt;
ssl_verify_client on;

and connect to the website, I get:

2017/05/15 08:12:04 [alert] 9109#0: worker process 12908 exited on signal 11 (core dumped)
2017/05/15 08:12:04 [alert] 9109#0: worker process 12909 exited on signal 11 (core dumped)
2017/05/15 08:12:10 [alert] 9109#0: worker process 12916 exited on signal 11 (core dumped)

I enabled cores and get:

(infra) [/tmp] gdb /local/nginx/sbin/nginx core
Reading symbols from /local/nginx/sbin/nginx...done.
[New LWP 12916]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `nginx: worker process  '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fbd9b8653db in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
(gdb) bt
#0  0x00007fbd9b8653db in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
#1  0x00007fbd9c5c2a16 in ngx_ssl_remove_cached_session (ssl=0x0, sess=0x7fbd9eb7ccf0) at src/event/ngx_event_openssl.c:2698
#2  0x00007fbd9c5d3633 in ngx_http_process_request (r=r@entry=0x7fbd9e67d6b0) at src/http/ngx_http_request.c:1902
#3  0x00007fbd9c5d3a2a in ngx_http_process_request_headers (rev=rev@entry=0x7fbd9eb0fa30) at src/http/ngx_http_request.c:1358
#4  0x00007fbd9c5d3ceb in ngx_http_process_request_line (rev=rev@entry=0x7fbd9eb0fa30) at src/http/ngx_http_request.c:1031
#5  0x00007fbd9c5d4092 in ngx_http_wait_request_handler (rev=0x7fbd9eb0fa30) at src/http/ngx_http_request.c:506
#6  0x00007fbd9c5d4142 in ngx_http_ssl_handshake_handler (c=0x7fbd9ec7b4c0) at src/http/ngx_http_request.c:814
#7  0x00007fbd9c5c1714 in ngx_ssl_handshake_handler (ev=<optimized out>) at src/event/ngx_event_openssl.c:1389
#8  0x00007fbd9c5beb6d in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:902
#9  0x00007fbd9c5b6102 in ngx_process_events_and_timers (cycle=cycle@entry=0x7fbd9ec39cd0) at src/event/ngx_event.c:242
#10 0x00007fbd9c5bcdb4 in ngx_worker_process_cycle (cycle=cycle@entry=0x7fbd9ec39cd0, data=data@entry=0x2) at src/os/unix/ngx_process_cycle.c:749
#11 0x00007fbd9c5bb473 in ngx_spawn_process (cycle=cycle@entry=0x7fbd9ec39cd0, proc=0x7fbd9c5bcd3a <ngx_worker_process_cycle>, data=0x2, name=0x7fbd9c64b42d "worker process", respawn=respawn@entry=4) at src/os/unix/ngx_process.c:198
#12 0x00007fbd9c5bd818 in ngx_reap_children (cycle=0x7fbd9ec39cd0) at src/os/unix/ngx_process_cycle.c:621
#13 ngx_master_process_cycle (cycle=0x7fbd9ec39cd0) at src/os/unix/ngx_process_cycle.c:174
#14 0x00007fbd9c5988a0 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:375

I attached the ca.crt. It is self-signed, with not all fields filled
out.

Please advise if I should do any more testing.

Cheers,
        Thomas

