Bug 693857

Summary: s_server quits when receiving a connection from an unresolvable IP
Product: Red Hat Enterprise Linux 6
Component: openssl
Version: 6.2
Hardware: All
OS: Linux
Reporter: Tomas Mraz <tmraz>
Assignee: Tomas Mraz <tmraz>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: pvrabec, s8472.fluid
Status: CLOSED NOTABUG
Severity: low
Priority: medium
Target Milestone: rc
Doc Type: Bug Fix
Clone Of: 561260
Last Closed: 2011-04-05 19:07:47 UTC

Description Tomas Mraz 2011-04-05 18:45:46 UTC
+++ This bug was initially created as a clone of Bug #561260 +++

Description of problem:
The openssl s_server command refuses to continue execution if it receives a connection from a host whose IP is not resolvable.

Version-Release number of selected component (if applicable):
since openssl-0.9.8b

How reproducible:
Always

Steps to Reproduce:
1. Start openssl s_server at host A.
2. Run any SSL client (openssl s_client, for example) at host B and connect to s_server at host A.
3. Depending on the configuration in /etc/nsswitch.conf, if A cannot resolve B's IP to a name (B's IP not in A's /etc/hosts, name server returning an error to A's query, ...), s_server prints the error message "getnameinfo failed" and quits.
Actual results:
s_server quits.

Expected results:
The name resolved from the IP of the client is never used in the source code of openssl.  Whether the client's IP is resolvable should not stop s_server from further execution.  In fact, the original openssl source code uses gethostbyaddr() to resolve the IP and resumes execution with an error message "bad gethostbyaddr" even if the name resolution failed.

Additional info:
One of the patches applied to the original openssl source code, openssl-0.9.8b-ipv6-apps.patch (patch 39), adds IPv6 support to s_client and s_server to resolve bug #198737.  The patch replaces calls of gethostbyaddr() and gethostbyname() with getnameinfo() in do_accept() in apps/s_socket.c.  The patched do_accept() returns 0 if getnameinfo() returns any error, resulting in s_server quitting.  However, the original do_accept() only complains with an error message but does not stop.  The patch modifies s_server's behavior in a way incompatible with the original one.

Comment 1 Tomas Mraz 2011-04-05 19:07:47 UTC
Actually this is already fixed in the RHEL-6 package.