droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

OSX - Segmentation fault - EXC_BAD_ACCESS #114

Closed kdawes closed 8 years ago

kdawes commented 8 years ago

Hi,

I'm not sure if this is a setup issue on my part or if I hit a legit bug. Fairly standard setup, I think: I have a Linux guest VM on VirtualBox. The host OS is Mac OS X Yosemite; it acts as the gateway and runs sslsplit:

[ Guest - Linux 172.16.1.63 ] <---------->  [ Host 172.16.1.65 ]<---------------> [ Internetz]

On the guest, I point it at the host/gateway with the standard route commands:

$ route add default gw blah blah blah

On the host, I set up forwarding with a pf.conf something like this:

rdr pass on en1 inet proto tcp from 172.16.1.63 to any port 443 -> 127.0.0.1 port 8443
rdr pass on en1 inet proto tcp from 172.16.1.63 to any port 80 -> 127.0.0.1 port 8080

# sanity check conf file
$ pfctl -vnf
# set it up 
$ pfctl -vf 
# Go for it
$ pfctl -e
# and check 
$ pfctl -s nat

I'm running sslsplit in lldb here so I can get a backtrace:

sh-3.2# lldb -- ./sslsplit -P -D -l ./ssl.log -j ./logdir   -k ./ca.key -c ./ca.crt  https 0.0.0.0 8443 tcp 0.0.0.0 8080
(lldb) run
Process 13594 launched: './sslsplit' (x86_64)
Generated RSA key for leaf certs.
SSLsplit 0.4.11-dirty (built 2015-11-29)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
Build info: OSX:10.10.4 XNU:2782.1.97:fallback:2782.30.5 V:GIT
Features: -DHAVE_PF
NAT engines: pf*
Local process info support: no
compiled against OpenSSL 0.9.8zd 8 Jan 2015 (9081df)
rtlinked against OpenSSL 0.9.8zf 19 Mar 2015 (9081df)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe without THREADID
Not using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: ssl3 tls10
SSL/TLS algorithm availability: RSA DSA ECDSA DH !ECDH EC
OpenSSL option availability: !SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.22-stable
rtlinked against libevent 2.0.22-stable
4 CPU cores detected
SSL/TLS protocol: negotiate
proxyspecs:
- [0.0.0.0]:8080 tcp plain pf
- [0.0.0.0]:8443 ssl http pf
Loaded CA: '/C=CA/ST=Manitoba/L=Winnipeg/O=Internet Widgits Pty Ltd'
NAT engine preinit 'pf'
Using libevent backend 'kqueue'
Event base supports: edge yes, O(1) yes, anyfd yes
NAT engine init 'pf'
Inserted events:
  0x100406968 [fd 7] Read Persist
  0x1006010a0 [fd 9] Read Persist
  0x100601160 [fd 10] Read Persist
  0x1006011f0 [fd 3] Signal Persist
  0x100601ee0 [fd 1] Signal Persist
  0x100601f70 [fd 2] Signal Persist
  0x100602000 [fd 13] Signal Persist
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.
SNI peek: [github.com] [complete]
Connecting to [192.30.252.128]:443
Process 13594 stopped
* thread #2: tid = 0xafb8, 0x0000000000000002, stop reason = EXC_BAD_ACCESS (code=1, address=0x2)
    frame #0: 0x0000000000000002
error: memory read failed for 0x0
(lldb) bt
* thread #2: tid = 0xafb8, 0x0000000000000002, stop reason = EXC_BAD_ACCESS (code=1, address=0x2)
  * frame #0: 0x0000000000000002
    frame #1: 0x0000000100060f2c libssl.0.9.8.dylib`ssl_parse_serverhello_tlsext + 252
    frame #2: 0x00000001000461ec libssl.0.9.8.dylib`ssl3_get_server_hello + 876
    frame #3: 0x000000010004539f libssl.0.9.8.dylib`ssl3_connect + 863
    frame #4: 0x000000010003e5a7 libssl.0.9.8.dylib`ssl23_connect + 3127
    frame #5: 0x0000000100081436 libevent_openssl-2.0.5.dylib`do_handshake + 52
    frame #6: 0x0000000100082a03 libevent_openssl-2.0.5.dylib`be_openssl_handshakeeventcb + 50
    frame #7: 0x000000010008d784 libevent-2.0.5.dylib`event_base_loop + 1858
    frame #8: 0x0000000100017b2e sslsplit`pxy_thrmgr_thr(arg=0x0000000100602340) + 206 at pxythrmgr.c:93
    frame #9: 0x00007fff92e92268 libsystem_pthread.dylib`_pthread_body + 131
    frame #10: 0x00007fff92e921e5 libsystem_pthread.dylib`_pthread_start + 176
    frame #11: 0x00007fff92e9041d libsystem_pthread.dylib`thread_start + 13
(lldb) f 8
frame #8: 0x0000000100017b2e sslsplit`pxy_thrmgr_thr(arg=0x0000000100602340) + 206 at pxythrmgr.c:93
   90       return NULL;
   91     evtimer_add(ev, &timer_delay);
   92     ctx->running = 1;
-> 93     event_base_dispatch(ctx->evbase);
   94     event_free(ev);
   95
   96     return NULL;

sh-3.2# sslsplit -V
SSLsplit 0.4.11-dirty (built 2015-11-29)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
Build info: OSX:10.10.4 XNU:2782.1.97:fallback:2782.30.5 V:GIT
Features: -DHAVE_PF
NAT engines: pf*
Local process info support: no
compiled against OpenSSL 0.9.8zd 8 Jan 2015 (9081df)
rtlinked against OpenSSL 0.9.8zf 19 Mar 2015 (9081df)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe without THREADID
Not using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: ssl3 tls10
SSL/TLS algorithm availability: RSA DSA ECDSA DH !ECDH EC
OpenSSL option availability: !SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.22-stable
rtlinked against libevent 2.0.22-stable
4 CPU cores detected

./sslsplit.test
Running suite(s):
 main
 opts
 dynbuf
 cert
 cachemgr
 cachefkcrt
 cachetgcrt
 cachedsess
 cachessess
 ssl
 sys
 base64
 url
 util
 pxythrmgr
100%: Checks: 124, Failures: 0, Errors: 0

kdawes commented 8 years ago

Wow, that formatting got all messed up. Here is a gist for sanity:

https://gist.github.com/kdawes/b0ef7f9d970c63411ac7

droe commented 8 years ago

Looks like you are running against a different version of OpenSSL than you are compiling against:

compiled against OpenSSL 0.9.8zd 8 Jan 2015 (9081df)
rtlinked against OpenSSL 0.9.8zf 19 Mar 2015 (9081df)

This is most likely the cause of your crashes. Try to run against the same version of OpenSSL as you compile against before continuing to debug the problem if it persists.
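
A pre-flight check for the mismatch droe points to, as an added example that is not part of this issue or of sslsplit itself: it parses the "compiled against" / "rtlinked against" lines that `sslsplit -V` prints for OpenSSL and libevent and refuses to start the proxy when the two versions differ, which is the situation the backtrace above shows. The sample text is constructed from the version lines in this issue; the `run_sslsplit_checked` wrapper and its reading of `sslsplit -V 2>&1` are assumptions about an installed binary, not something the project documents.

```shell
#!/bin/sh
# Added example (not sslsplit code): refuse to run sslsplit when the library
# it was compiled against differs from the one it is runtime-linked against.
set -u

# check_version_lines <text of `sslsplit -V` output>
# Prints one status line per library and returns:
#   0  compiled and rtlinked versions match for every library found
#   1  at least one library mismatches
#   2  the text contained no compiled/rtlinked pair at all
check_version_lines() {
    out=$1
    rc=0
    seen=0
    for lib in OpenSSL libevent; do
        # "compiled against OpenSSL 0.9.8zd 8 Jan 2015 (9081df)" -> "0.9.8zd"
        # "compiled against libevent 2.0.22-stable"              -> "2.0.22-stable"
        compiled=$(printf '%s\n' "$out" | sed -n "s/^compiled against $lib \([^ ]*\).*/\1/p" | head -n 1)
        rtlinked=$(printf '%s\n' "$out" | sed -n "s/^rtlinked against $lib \([^ ]*\).*/\1/p" | head -n 1)
        if [ -z "$compiled" ] || [ -z "$rtlinked" ]; then
            continue
        fi
        seen=$((seen + 1))
        if [ "$compiled" = "$rtlinked" ]; then
            printf '%s: ok (%s)\n' "$lib" "$compiled"
        else
            # Exact string comparison on purpose: 0.9.8zd vs 0.9.8zf is the
            # kind of patch-level difference that produced the crash above.
            printf '%s: MISMATCH compiled=%s rtlinked=%s\n' "$lib" "$compiled" "$rtlinked"
            rc=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        return 2
    fi
    return $rc
}

# Assumed wrapper: query the installed sslsplit, then exec it with the
# caller's arguments only if the check passes.
run_sslsplit_checked() {
    v=$(sslsplit -V 2>&1) || return $?
    check_version_lines "$v" || {
        echo "refusing to start sslsplit: compile-time/run-time library mismatch" >&2
        return 1
    }
    exec sslsplit "$@"
}

# Constructed sample: the four version lines from the -V output in this issue.
SAMPLE_MISMATCH='compiled against OpenSSL 0.9.8zd 8 Jan 2015 (9081df)
rtlinked against OpenSSL 0.9.8zf 19 Mar 2015 (9081df)
compiled against libevent 2.0.22-stable
rtlinked against libevent 2.0.22-stable'

# Stand-alone demo against the constructed sample (exit status ignored here).
check_version_lines "$SAMPLE_MISMATCH" || true
```

Running the demo reports `OpenSSL: MISMATCH compiled=0.9.8zd rtlinked=0.9.8zf` and `libevent: ok (2.0.22-stable)`. When the check fires, the next step is to see which shared library the dynamic linker actually resolves (`otool -L ./sslsplit` on OS X) and either rebuild against that one or point the build at the library you intend to run with.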

kdawes commented 8 years ago

Ah - rookie mistake! Cheers, and thanks for the assist.