Bug 693857 - s_server quits when receiving a connection from an unresolvable IP
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssl
Version: 6.2
Hardware: All
OS: Linux
medium
low
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-04-05 18:45 UTC by Tomas Mraz
Modified: 2011-04-05 19:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 561260
Environment:
Last Closed: 2011-04-05 19:07:47 UTC
Target Upstream Version:



Description Tomas Mraz 2011-04-05 18:45:46 UTC
+++ This bug was initially created as a clone of Bug #561260 +++

Description of problem:
The openssl s_server command refuses to continue execution if it receives a connection from a host whose IP is not resolvable.

Version-Release number of selected component (if applicable):
since openssl-0.9.8b

How reproducible:
Always

Steps to Reproduce:
1. Start openssl s_server at host A.
2. Run any SSL client (openssl s_client, for example) at host B and connect to s_server at host A.
3. Depending on configuration in /etc/nsswitch.conf, if A cannot resolve B's IP to a name (B's IP not in A's /etc/hosts, name server returning error to A's query, ...), s_server prints the error message "getnameinfo failed" and quits.
 
Actual results:
s_server quits.

Expected results:
The name resolved from the IP of the client is never used in the source code of openssl.  Whether the client's IP is resolvable should not stop s_server from further execution.  In fact, the original openssl source code uses gethostbyaddr() to resolve the IP and resumes execution with an error message "bad gethostbyaddr" even if the name resolution failed.

Additional info:
One of the patches applied to the original openssl source code, openssl-0.9.8b-ipv6-apps.patch (patch 39), adds IPv6 support to s_client and s_server to resolve bug #198737. The patch replaces calls of gethostbyaddr() and gethostbyname() with getnameinfo() in do_accept() in apps/s_socket.c. The patched do_accept() returns 0 if getnameinfo() returns with any error, resulting in s_server quitting execution. However, the original do_accept() only complains with an error message but does not stop. The patch modifies s_server's behavior in a way incompatible with the original one.

Comment 1 Tomas Mraz 2011-04-05 19:07:47 UTC
Actually this is already fixed in the RHEL-6 package.

