Bug 1394948
| Summary: | nodejs core dumps when https used with startssl server certificate | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Bobby Krupczak <rdk> | ||||||
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> | ||||||
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 7.3 | CC: | chris, gt500, jamielinux, mrunge, nodejs-sig, piotr1212, rdk, sgallagh, szidek, tchollingsworth, thrcka, tom, victor, zsvetlik | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2017-04-03 14:34:01 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Bobby Krupczak
2016-11-14 20:33:26 UTC
I'm looking into this. So far I cannot reproduce the issue locally, but I'm attempting to set up a StartSSL account so I can see if the problem is unique to certificates issued through them. I'm happy to give you my certs to use or I can give you access to my ec2 instance. Thanks, Bobby Oh yeah, one more item on the certificate. I take the cert given to me by ssl and I append the startssl intermediate cert to the end of the cert pem file. OK, I just did the following: * Created a CSR for one of my domains * Got a certificate issued for that CSR from StartSSL * Installed CentOS 7.2 * Updated to openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm * Installed epel-release * Installed nodejs * Ran your test script * Ran `openssl s_client -connect <hostname>:8443 -CAfile 1_root_bundle.crt` * Updated to openssl-libs-1.0.1e-60.el7.x86_64 * Ran your test script * Ran `openssl s_client -connect <hostname>:8443 -CAfile 1_root_bundle.crt` Both attempts at `openssl s_client` succeeded and did not trigger a segmentation fault in Node.js. I can only assume that there is something unusual with your specific environment. Do you perhaps have unusual characters in your CN or subjectAltNames for the certificate? (In reply to Bobby Krupczak from comment #3) > Oh yeah, one more item on the certificate. I take the cert given to me by > ssl and I append the startssl intermediate cert to the end of the cert pem > file. Why do you do that? OK, I can confirm *that* will crash the application, but what is the purpose of putting the intermediate certificate in with the service certificate? Presumably because applications using openssl will often read it from there... Specifically if they use SSL_CTX_use_certificate_chain_file to load the certificate then they will accept an intermediate certificate that follows it. No idea which routine Node uses to load the certificate though. Hey! One thing to mention. You tested on centos 7.2 and my ec2 instance is running RHEL 7.3 (centos 7.3). Re Stephen's confirmation that the intermediate cert will crash node . . . I guess its still a node bug? Or, openssl bug? Even if I feed an erroneous cert, the code should not crash. I added the intermediate cert in the server cert file because my understanding was that one needed it so that the server code would think the cert is legit. I probably mis-understood the cert install instructions. I just tested the epel node build with my cert with the intermediate cert removed and it did not crash. You are correct. That fixed that problem. Should I close this ticket? I will also update the github issue with this revelation. Bobby Created attachment 1220859 [details] Backtrace of crash Attaching a backtrace produced while running openssl-libs-1.0.1e-51.el7_2.7.x86_64 I used the same certificates I generated in comment #4, except that I appended the intermediate certificate to the service certificate. I modifed the test.js slightly, just to look for the combined cert. I can confirm that the issue only happens on the RHEL 7.2 and 7.3 OpenSSL packages. I actually did an EPEL 7 scratch-build of the latest Fedora OpenSSL package (http://koji.fedoraproject.org/koji/taskinfo?taskID=16463661) and tried that; it did not crash. Reassigning the issue to OpenSSL, as the problem is definitely on that end. I need to know what is the method that nodeJS calls when loading the certificate. It's a bit involved, but think it is probably SecureContext::SetCert (https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L633) that winds up doing it, which is using SSL_CTX_use_certificate_chain. Of course if the reporter can get a backtrace that will help confirm... (In reply to Tom Hughes from comment #12) > It's a bit involved, but think it is probably SecureContext::SetCert > (https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L633) that > winds up doing it, which is using SSL_CTX_use_certificate_chain. > > Of course if the reporter can get a backtrace that will help confirm... A backtrace doesn't help (and I attached mine to the ticket). The problem is that the failure doesn't happen at load-time, it happens the first time the loaded value is used after that. Tomas, I don't really know the internals of Node.js, but Tom Hughes does. I'll trust his interpretation and clear NEEDINFO. It would be also interesting to see if the crash happens with any other (valid) server+intermediate certificates. *** Bug 1402372 has been marked as a duplicate of this bug. *** *** Bug 1413370 has been marked as a duplicate of this bug. *** I'm getting the same problem with CentOS 7.2.1511, EPEL, and OpenSSL 1.0.1e-fips. We have a Thawte cert. Removing the intermediate certificates fixes the segfault issue. However, without the intermediate certificates we are getting an error on Chrome (Android) with our secure web sockets (wss): "No certificates found The app Chrome has requested a certificate. Choosing a certificate will let the app use this identity with servers now and in the future...". My guess is this error is because we have removed the intermediate certificates. Strangely, this error only occurs on Chrome in Android. iOS and all desktop browsers I've tested seem fine. I found out that I'm getting the segfault issue with the EPEL version of Node.js 6.9.4. When I downgrade to version 4.8.1 provided by NodeSource I no longer get any segfaults when using an intermediate certificate. Great success! It would still be useful to find why the crash with 1.0.1e happens but apparently this will be fixed by the rebase to 1.0.2. *** This bug has been marked as a duplicate of bug 1276310 *** |