envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

quic: configuring access log %DOWNSTREAM_PEER_URI_SAN% causes crash. #23940

Open danzh2010 opened 1 year ago

danzh2010 commented 1 year ago

HTTP/3 crashes upon local and peer certs retrieval. Below is an example crash call stack:

```text
F1102 20:47:54.651913 8626 logging.cc:58] assert.h assertion failed at third_party/openssl/boringssl/src/ssl/ssl_x509.cc:163 in void bssl::check_ssl_x509_method(const SSL *): ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method
Check failure stack trace:
    @ 0x55c9de433be9 absl::log_internal::LogMessage::SendToLog()
    @ 0x55c9de4333e6 absl::log_internal::LogMessage::Flush()
    @ 0x55c9de434069 absl::log_internal::LogMessageFatal::~LogMessageFatal()
    @ 0x55c9de3d5194 assert_fail
    @ 0x55c9dd924e3a SSL_get_peer_certificate
    @ 0x55c9dd36735c Envoy::Extensions::TransportSockets::Tls::ConnectionInfoImplBase::uriSanPeerCertificate()
    @ 0x55c9dd034a2a std::u::function::policy_invoker<>::__call_impl<>()
    @ 0x55c9dd03ab4e Envoy::Formatter::StreamInfoSslConnectionInfoFieldExtractor::extract()
    @ 0x55c9dd02d9eb Envoy::Formatter::StreamInfoFormatter::format()
    @ 0x55c9dd0292d3 Envoy::Formatter::FormatterImpl::format()
    @ 0x55c9dbcd2ce5 Envoy::Extensions::AccessLoggers::File::FileAccessLog::emitLog()
    @ 0x55c9dce31490 Envoy::Http::FilterManager::log()
    @ 0x55c9dce22009 Envoy::Http::ConnectionManagerImpl::doDeferredStreamDestroy()
    @ 0x55c9dce2197c Envoy::Http::ConnectionManagerImpl::doEndStream()
    @ 0x55c9dcf614ae Envoy::Http::FilterManager::encodeData()
    @ 0x55c9dcf476e0 Envoy::Router::UpstreamRequest::decodeData()
    @ 0x55c9dcf6149a Envoy::Http::FilterManager::encodeData()
    @ 0x55c9dbb6a51d Envoy::Http::ResponseDecoderWrapper::decodeData()
    @ 0x55c9dbb6a51d Envoy::Http::ResponseDecoderWrapper::decodeData()
    @ 0x55c9dce7fbcb Envoy::Http::Http1::ClientConnectionImpl::onMessageCompleteBase()
    @ 0x55c9dce78733 Envoy::Http::Http1::ConnectionImpl::onMessageCompleteImpl()
    @ 0x55c9dce7844d Envoy::Http::Http1::ConnectionImpl::onMessageComplete()
    @ 0x55c9dd7940a8 http_parser_execute
    @ 0x55c9dce75308 Envoy::Http::Http1::ConnectionImpl::dispatchSlice()
    @ 0x55c9dce73f32 Envoy::Http::Http1::ConnectionImpl::dispatch()
    @ 0x55c9dce739be Envoy::Http::Http1::ClientConnectionImpl::dispatch()
    @ 0x55c9dbddc365 Envoy::Http::CodecClient::onData()
```

The issue lies in the usage of BoringSSL X509-specific interfaces like SSL_get_peer_cert() in this implementation. But unfortunately [QUICHE](https://source.chromium.org/chromium/chromium/src/+/main:net/third_party/quiche/src/quiche/quic/core/crypto/tls_connection.cc;l=131?q=TlsConnection::CreateSslCtx()%20&ss=chromium%2Fchromium%2Fsrc:net%2Fthird_party%2Fquiche%2Fsrc%2Fquiche%2Fquic%2Fcore%2F) doesn't install the same set of x509 methods.

This is a deterministic failure if a user configures Envoy to use HTTP/3 downstream and to retrieve peer cert at the same time, i.e. configuring access log or forwarding client certs.
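The assertion above fires because the X509-based accessor is called on an SSL object whose SSL_CTX never installed BoringSSL's crypto X509 method; on such a context only the CRYPTO_BUFFER-based accessors (for example SSL_get0_peer_certificates()) are usable, and the caller must walk the DER itself. As an added example, not code from Envoy or QUICHE, the function below extracts URI SANs straight from a DER-encoded SubjectAltName extension value, which is the piece a buffer-based uriSanPeerCertificate() path would need; it assumes the caller has already located that extension inside the certificate, and the sample input is constructed here with names shorter than 128 bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Read one DER tag/length header at der[pos]. Handles short-form and
// long-form (up to 4 byte) lengths and rejects anything truncated.
static bool readTlv(const std::vector<uint8_t>& der, size_t& pos, uint8_t& tag, size_t& len) {
  if (pos + 2 > der.size()) return false;
  tag = der[pos++];
  const uint8_t first = der[pos++];
  if (first < 0x80) {
    len = first;
  } else {
    const size_t n = first & 0x7f;
    if (n == 0 || n > 4 || pos + n > der.size()) return false;
    len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | der[pos++];
  }
  return pos + len <= der.size();
}

// Collect uniformResourceIdentifier entries (GeneralName tag [6] = 0x86) from
// a SubjectAltName value: GeneralNames ::= SEQUENCE OF GeneralName.
// Returns false on malformed DER; true with an empty vector means "no URI SAN".
bool uriSansFromSubjectAltName(const std::vector<uint8_t>& der, std::vector<std::string>& out) {
  size_t pos = 0, len = 0; uint8_t tag = 0;
  if (!readTlv(der, pos, tag, len) || tag != 0x30 || pos + len != der.size()) return false;
  const size_t end = pos + len;
  while (pos < end) {
    uint8_t t = 0; size_t l = 0;
    if (!readTlv(der, pos, t, l) || pos + l > end) return false;
    if (t == 0x86) out.emplace_back(der.begin() + pos, der.begin() + pos + l);
    pos += l;  // skip dNSName, IP, email, etc.
  }
  return true;
}

// Constructed sample: GeneralNames { dNSName "example.test",
// uniformResourceIdentifier "spiffe://example.test/svc" } (not a real cert).
static void appendGeneralName(std::vector<uint8_t>& v, uint8_t tag, const std::string& s) {
  v.push_back(tag);
  v.push_back(static_cast<uint8_t>(s.size()));  // sample names are < 128 bytes
  v.insert(v.end(), s.begin(), s.end());
}
std::vector<uint8_t> sampleSubjectAltName() {
  std::vector<uint8_t> body;
  appendGeneralName(body, 0x82, "example.test");               // [2] dNSName
  appendGeneralName(body, 0x86, "spiffe://example.test/svc");  // [6] URI
  std::vector<uint8_t> der = {0x30, static_cast<uint8_t>(body.size())};
  der.insert(der.end(), body.begin(), body.end());
  return der;
}

int main() {
  std::vector<std::string> sans;
  if (uriSansFromSubjectAltName(sampleSubjectAltName(), sans))
    for (const auto& s : sans) std::cout << "URI SAN: " << s << "\n";
  return 0;
}
```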

phlax commented 1 year ago

cc @alyssawilk

kyessenov commented 1 year ago

Likely related to https://github.com/envoyproxy/envoy/issues/23809, since this is mTLS.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

danzh2010 commented 1 year ago

needs a non-stable label