drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

SegmentationFault with provided openssl.Linux.x86_64 #1275

Open ic0ns opened 5 years ago

ic0ns commented 5 years ago

Hey, your provided openssl binary segfaults while doing the OCSP check on my system. If I execute the same command with my normal openssl version (I tested both 1.0.2 and 1.1.1), no segfault occurs. This might be related to the static linking of the version (I assume)? I am also not sure whether this should be reported to the openssl devs instead.

  1. uname -a: 5.1.4-arch1-1-ARCH #1 SMP PREEMPT Wed May 22 08:06:56 UTC 2019 x86_64 GNU/Linux

  2. testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2): testssl.sh 3.0rc5 from https://testssl.sh/dev/

  3. git log | head -1 (if running from git repo): commit 91e98f1fc3b22ba8451dd40b7655ca3edde12480

  4. openssl version used by testssl.sh (testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}'): ./bin/openssl.Linux.x86_64

  5. steps to reproduce (testssl.sh or docker command line, if possible incl. host): ./testssl.sh --phone-out google.de

  6. what exactly was happening (output is needed): the provided openssl binary segfaults on the OCSP request.

     ```
     OCSP URI http://ocsp.pki.goog/GTSGIAG3
     ./testssl.sh: line 1741: 26002 Segmentation fault (core dumped) $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
     , error querying OCSP responder (empty ocsp response)
     ```

     dmesg says:

     ```
     openssl[17662]: segfault at 1c ip 00007f0273e75703 sp 00007ffd8e011590 error 4 in libnss_resolve.so.2[7f0273e6b000+2d000]
     ```

  7. what did you expect instead? No segfault

If further info / cooperation is needed, let me know. Cheers, Robert

drwetter commented 5 years ago

Hi Robert!

mmm.... first time somebody has reported something like this. And through all the years, on a variety of platforms, I have never experienced this myself.

Looks to me like it's somewhat related to Arch Linux, and one of the binary's calls doesn't comply with what libnss_resolve expects.

Did you try to gdb the core file or strace the ocsp call?

Cheers, Dirk

ic0ns commented 5 years ago

strace output, statically linked: https://gist.github.com/ic0ns/b72ab0e7ba8ab327a299a29dbb939c48
strace output, normal openssl: https://gist.github.com/ic0ns/7a27806df72efb9d5f90694be4a83578

I have to admit I'm no expert in debugging such issues.

drwetter commented 5 years ago

Thanks.

It's certainly a system thing, but I cannot tell why yet. Your system opens, for some reason, a unix socket to /run/dbus/system_bus_socket, then it tries to send data over it and crashes. It is certainly triggered by the supplied openssl, but my guess is your system is somewhat taking part in that.

It has something to do with dbus, systemd and maybe DNS resolution. If you're doing DNS queries over systemd, have you tried configuring it the correct... err... classical way?

I tried to reproduce that on some modern machines I have here (Debian buster, openSUSE Tumbleweed), but it's completely different. They don't use this unix socket.

drwetter commented 5 years ago

Another thing which would be interesting to know: does a self-compiled binary work for you?

Sources: https://github.com/drwetter/openssl-1.0.2.bad . Make script: https://github.com/drwetter/testssl.sh/blob/3.0/utils/make-openssl.sh

ic0ns commented 5 years ago

I did not make any significant DNS-related changes to the system. It should be mostly default settings. I tried this today on my machine at home (also 5.1.3-arch1-1-ARCH #1 SMP PREEMPT), which shows the same behavior.

The self-compiled version also segfaults for me. I now also tried openssl 1.0.2q without your changes (compiled with -static) and it also segfaults. So I assume this might be a general (static) openssl problem?

drwetter commented 5 years ago

... and not using -static works?

ic0ns commented 5 years ago

yes

drwetter commented 5 years ago

It seems to me that this is either a bug in systemd-resolved or a deliberate incompatibility introduced by systemd -- at least in my opinion I do not get why static DNS libs should fail all of a sudden.

You can try to reconfigure the system like

systemctl stop systemd-resolved
systemctl disable systemd-resolved

and then find / configure another means to get an IP address and name resolution e.g. by network manager.
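A diagnostic for the two ingredients of this crash, added here as an example; it is not part of testssl.sh or of the openssl sources linked above. It checks (1) whether the hosts: line of nsswitch.conf routes lookups through systemd's libnss_resolve module, the library in which the dmesg line places the fault, and (2) whether a given openssl binary is statically linked. It assumes a glibc system with ldd available, and relies on the documented glibc behaviour that a statically linked program still dlopen()s the system's libnss_*.so.2 modules at runtime for getaddrinfo(), so a static glibc and the installed libnss_resolve.so.2 can mismatch. The script name nss-static-check.sh and the default binary path are placeholders; the nsswitch.conf content used in the test is constructed.

```shell
#!/bin/sh
# nss-static-check.sh (added example, not part of testssl.sh)
# Reports whether hosts lookups go through systemd's libnss_resolve and
# whether an openssl binary is statically linked. A static glibc still loads
# the system's libnss_*.so.2 at runtime, which is the combination that
# crashed in this report. Paths are parameters so it also runs against a
# constructed nsswitch.conf.

# Print, one per line, the NSS modules on the "hosts:" line of the given
# nsswitch.conf. Comments and [action] tokens such as [NOTFOUND=return]
# are skipped; only the module names remain.
hosts_lookup_modules() {
    sed -n 's/#.*//; s/^[[:space:]]*hosts:[[:space:]]*//p' "$1" \
        | tr -s ' \t' '\n\n' \
        | grep -v '^\[' \
        | grep -v '^$'
}

# Exit 0 if "resolve" (libnss_resolve.so.2 from systemd-resolved) is listed.
uses_nss_resolve() {
    hosts_lookup_modules "$1" | grep -qx 'resolve'
}

# Exit 0 if the binary is statically linked. ldd reports such files as
# "not a dynamic executable" or "statically linked" (glibc ldd wording).
is_static_elf() {
    ldd "$1" 2>&1 | grep -qE 'not a dynamic executable|statically linked'
}

# Usage: diagnose <openssl-binary> [nsswitch.conf]
# Prints the findings; exits 2 for the combination seen in the report.
diagnose() {
    bin="$1"
    nss="${2:-/etc/nsswitch.conf}"
    static=no
    resolve=no
    is_static_elf "$bin" && static=yes
    uses_nss_resolve "$nss" && resolve=yes
    echo "binary: $bin (statically linked: $static)"
    echo "hosts modules: $(hosts_lookup_modules "$nss" | tr '\n' ' ')"
    if [ "$static" = yes ] && [ "$resolve" = yes ]; then
        echo "WARNING: static binary plus libnss_resolve: getaddrinfo() will"
        echo "dlopen the system libnss_resolve.so.2, the mix that crashed here."
        echo "Try an openssl built without -static (worked in this thread), or"
        echo "stop resolving names via systemd-resolved, e.g."
        echo "  systemctl stop systemd-resolved; systemctl disable systemd-resolved"
        echo "and configure another resolver."
        return 2
    fi
    return 0
}

# Run against the live system when executed directly, e.g.
#   sh nss-static-check.sh ./bin/openssl.Linux.x86_64
if [ "${0##*/}" = "nss-static-check.sh" ]; then
    diagnose "${1:-./bin/openssl.Linux.x86_64}" "${2:-/etc/nsswitch.conf}"
fi
```

Exit status 2 flags the reported mix; 0 means either the binary is dynamically linked or "resolve" is not on the hosts: line, so the libnss_resolve path is never entered.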

drwetter commented 5 years ago

.. and what could help is to file an issue at https://github.com/systemd/systemd/issues with the gists provided.

ghen2 commented 2 years ago

FWIW, the bundled openssl.Linux.x86_64 binary also segfaults when connecting to a TLSv1.3-only server. This is on Arch Linux, but without systemd-resolved, just using an external resolver from /etc/resolv.conf.

drwetter commented 2 years ago

Ok, thanks. The thing with a TLSv1.3-only server seems strange as it should be unrelated to name resolution.