Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 123624
Status: rejected
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: beldmit [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Segmentation fault on malformed certificate file
Date: Tue, 14 Nov 2017 16:07:10 +0300
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Dmitry Belyavsky <beldmit [...] gmail.com>
Hello, I get a segmentation fault using malformed clients certificate and private key. Minimal example: ========= #!/usr/bin/perl use strict; use warnings; use utf8; use LWP::UserAgent; use IO::Socket::SSL qw(debug3); my $ua = LWP::UserAgent->new( ssl_opts => { SSL_cert_file => '/srv/vr/experiment/cert.pem', SSL_key_file => '/srv/vr/experiment/key.pem', } ); my $response = $ua->get("https://my.cool.url"); ========= The debug output is ========= SSL error: 38061: 1 - error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error DEBUG: .../IO/Socket/SSL.pm:1774: Failed to use certificate file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:531: socket connected DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:1769: SSL structure creation failed DEBUG: .../IO/Socket/SSL.pm:1774: SSL structure creation failed error:140BA0C3:SSL routines:SSL_new:null ssl ctx DEBUG: .../IO/Socket/SSL.pm:640: set socket to non-blocking to enforce timeout=180 Segmentation fault (core dumped) ========== When I try to reproduce it with the same certificate and key on the other machine, I get a normal shutdown with different debug output: ========== DEBUG: .../IO/Socket/SSL.pm:1769: Failed to use certificate file SSL error: 45289: 1 - error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error DEBUG: .../IO/Socket/SSL.pm:1774: Failed to use certificate file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:531: socket connected DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:1769: SSL structure creation failed DEBUG: .../IO/Socket/SSL.pm:1774: SSL structure creation failed error:140BA0C3:SSL routines:SSL_new:null ssl ctx DEBUG: .../IO/Socket/SSL.pm:1758: IO::Socket::IP configuration failed ========== Thank you! -- SY, Dmitry Belyavsky
Download (untitled) / with headers
text/plain 1012b
Am Di 14. Nov 2017, 08:07:29, beldmit@gmail.com schrieb: Show quoted text
> Hello, > > I get a segmentation fault using malformed clients certificate and private > key.
Hi, I'm not able to reproduce your problem. This might be due to insufficient information in the bug report. It is especially unknown which version of IO::Socket::SSL, Net::SSLeay and OpenSSL where in use. Also, it is unknown what exactly was malformed with the certificate. Please provide a working example using only the latest versions of IO::Socket::SSL, i.e. no additional dependency on LWP. Please make sure that this example causes the problem when used with the latest version of Net::SSLeay. Please provide also the version of OpenSSL you are using, i.e. the one which is linked against Net::SSLeay. You might run the t/01loadmodule.t from IO::Socket::SSL distribution for this. Please provide also a certificate and key which can be used to trigger the problem or provide instructions on how to generate malformed files which trigger the problem.
CC: behroozi [...] www.pls.uni.edu
Subject: Re: [rt.cpan.org #123624] Segmentation fault on malformed certificate file
Date: Wed, 15 Nov 2017 12:06:10 +0300
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Dmitry Belyavsky <beldmit [...] gmail.com>
Download (untitled) / with headers
text/plain 1.4k
Hello, I strongly suspect that the bug was fixed in 2.003 according to the changes. Debian 8 still uses 2.002 version. Unfortunately I can't provide access to a working service because of its restrictions. On Wed, Nov 15, 2017 at 11:26 AM, Steffen Ullrich via RT < bug-IO-Socket-SSL@rt.cpan.org> wrote: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=123624 > > > Am Di 14. Nov 2017, 08:07:29, beldmit@gmail.com schrieb:
> > Hello, > > > > I get a segmentation fault using malformed clients certificate and
> private
> > key.
> > Hi, > > I'm not able to reproduce your problem. This might be due to insufficient > information in the bug report. It is especially unknown which version of > IO::Socket::SSL, Net::SSLeay and OpenSSL where in use. Also, it is unknown > what exactly was malformed with the certificate. > > Please provide a working example using only the latest versions of > IO::Socket::SSL, i.e. no additional dependency on LWP. Please make sure > that this example causes the problem when used with the latest version of > Net::SSLeay. Please provide also the version of OpenSSL you are using, i.e. > the one which is linked against Net::SSLeay. You might run the > t/01loadmodule.t from IO::Socket::SSL distribution for this. Please provide > also a certificate and key which can be used to trigger the problem or > provide instructions on how to generate malformed files which trigger the > problem. >
-- SY, Dmitry Belyavsky
Download (untitled) / with headers
text/plain 474b
Am Mi 15. Nov 2017, 04:06:24, beldmit@gmail.com schrieb: Show quoted text
> Hello, > > I strongly suspect that the bug was fixed in 2.003 according to the > changes. Debian 8 still uses 2.002 version.
Yes, this makes sense. If you or Debian want to backport the trivial fix done in 2.003 see https://github.com/noxxi/p5-io-socket-ssl/commit/a09f29f423859565bc0384dcfbbc75811d9e4e4a. Based on your feedback I will reject the bug here since it seems to have been fixed 3 years ago already.
CC: behroozi [...] www.pls.uni.edu
Subject: Re: [rt.cpan.org #123624] Segmentation fault on malformed certificate file
Date: Wed, 15 Nov 2017 12:37:29 +0300
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Dmitry Belyavsky <beldmit [...] gmail.com>
Download (untitled) / with headers
text/plain 700b
Thank you! On Wed, Nov 15, 2017 at 12:34 PM, Steffen Ullrich via RT < bug-IO-Socket-SSL@rt.cpan.org> wrote: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=123624 > > > Am Mi 15. Nov 2017, 04:06:24, beldmit@gmail.com schrieb:
> > Hello, > > > > I strongly suspect that the bug was fixed in 2.003 according to the > > changes. Debian 8 still uses 2.002 version.
> > Yes, this makes sense. > If you or Debian want to backport the trivial fix done in 2.003 see > https://github.com/noxxi/p5-io-socket-ssl/commit/ > a09f29f423859565bc0384dcfbbc75811d9e4e4a. > > Based on your feedback I will reject the bug here since it seems to have > been fixed 3 years ago already. >
-- SY, Dmitry Belyavsky


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.