
Bug 561260

Summary: s_server quits when receiving a connection from an unresolvable IP
Product: Red Hat Enterprise Linux 5
Reporter: s8472.fluid
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: medium
Version: 5.3
CC: mvadkert, pvrabec
Target Milestone: rc
Hardware: i386
OS: Linux
Fixed In Version: openssl-0.9.8e-19.el5
Doc Type: Bug Fix
Clone Of:
: 693857
Last Closed: 2011-07-21 07:38:08 UTC

Description s8472.fluid 2010-02-03 08:24:20 UTC
Description of problem:
The openssl s_server command refuses to continue execution if it receives a connection from a host whose IP is not resolvable.

Version-Release number of selected component (if applicable):
since openssl-0.9.8b

How reproducible:
Always

Steps to Reproduce:
1. Start openssl s_server at host A.
2. Run any SSL client (openssl s_client, for example) at host B and connect to s_server at host A.
3. Depending on configuration in /etc/nsswitch.conf, if A can not resolve B's IP to a name (B's IP not in A's /etc/hosts, name server returning error to A's query, ...), s_server prints the error message "getnameinfo failed" and quits.
 
Actual results:
s_server quits.

Expected results:
The name resolved from the IP of the client is never used in the source code of openssl.  Whether the client's IP is resolvable should not stop s_server from further execution.  In fact, the original openssl source code uses gethostbyaddr() to resolve the IP and resumes execution with an error message "bad gethostbyaddr" even if the name resolution failed.

Additional info:
One of the patches applied to the original openssl source code, openssl-0.9.8b-ipv6-apps.patch (patch 39), adds IPv6 support to s_client and s_server to resolve bug #198737.  The patch replaces calls of gethostbyaddr() and gethostbyname() with getnameinfo() in do_accept() in apps/s_socket.c.  The patched do_accept() returns 0 if getnameinfo() returns with any error, resulting in s_server quitting execution.  However, the original do_accept() only complains with an error message but does not stop.  The patch modifies s_server's behavior in a way incompatible with the original one.

Comment 2 RHEL Program Management 2010-08-09 18:12:33 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 3 RHEL Program Management 2011-01-11 20:02:44 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 4 RHEL Program Management 2011-01-11 23:17:31 UTC
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.

Comment 8 errata-xmlrpc 2011-07-21 07:38:08 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1010.html