Re: s6-tlsd immediately sending EOF during TLS handshake

From: Guillermo <gdiazhartusch_at_gmail.com>
Date: Sun, 16 Feb 2020 12:00:10 -0300

El vie., 14 feb. 2020 a las 22:59, Laurent Bercot escribió:
>
> Indeed, the client's error message indicates that the handshake did
> not complete. But in that case, that would mean the error is in
> libtls, not s6-tlsd.

If this turns out to be a bug in LibreSSL triggered by the OP's
particular certificate and key, it will be hard to debug. It could be
worth trying to obtain a backtrace with GDB. s6-networking and skalibs
would have to be rebuilt with debugging symbols (CFLAGS=-ggdb
./configure $configure-arguments), and debugging symbols for LibreSSL
would also have to be installed, which apparently is possible on Void:

* https://docs.voidlinux.org/xbps/repositories/official/debug.html

Then I'd try launching s6-tlsserver with:

$(which export) CERTFILE /etc/letsencrypt/live/$REDACTED/fullchain.pem \
$(which export) KEYFILE /etc/letsencrypt/live/$REDACTED/privkey.pem \
s6-tcpserver 0.0.0.0 443 ./script

where 'script' is:

#!/bin/execlineb -P
# Possibly drop privileges with s6-setuidgid
getpid PID
importas -u PID PID
background -d {
  redirfd -w 1 gdb-output.txt
  gdb -batch -ex continue -ex bt s6-tlsd $PID
}
s6-tlsd exit 0

This should hopefully attach the s6-tlsd process to GDB in batch mode,
and when the s6-tlsclient invocation makes it segfault, create a
backtrace in file gdb-output.txt. I don't have s6-networking, but this
works for me when used with s6-ipcserver and a test program that
raises SIGSEGV on purpose:

$ cat test-program.c
#include <signal.h>
#include <unistd.h>

void do_it_for_real () {
  sleep(5);
  raise(SIGSEGV);
}

void do_it () {
  do_it_for_real();
}

int main () {
  do_it();
  return 0;
}

$ s6-ipcserver -v socket ./script &
s6-ipcserverd: info: starting
s6-ipcserverd: info: status: 0/40

$ s6-ipcclient socket exit 0
s6-ipcserverd: info: allow 1000:1000 pid 556 count 1/40
s6-ipcserverd: info: status: 1/40
s6-ipcserverd: info: end pid 556 uid 1000 signal 11
s6-ipcserverd: info: status: 0/40

$ cat gdb-output.txt
0x00007fe21b52f3a8 in nanosleep () from /lib64/libc.so.6

Program received signal SIGSEGV, Segmentation fault.
0x00007fe21b498ec1 in raise () from /lib64/libc.so.6
#0 0x00007fe21b498ec1 in raise () from /lib64/libc.so.6
#1 0x000056114282316d in do_it_for_real () at test-program.c:6
#2 0x000056114282317e in do_it () at test-program.c:10
#3 0x000056114282318f in main () at test-program.c:14
[Inferior 1 (process 556) detached]

Hope that helps,
G.
Received on Sun Feb 16 2020 - 15:00:10 UTC

This archive was generated by hypermail 2.3.0 : Sun May 09 2021 - 19:38:49 UTC