openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org

OpenSSL crashes inside Curl #25208

Closed Shackster closed 1 month ago

Shackster commented 1 month ago

Hello Team, I am using curl 8.7.1 (language: C++). I am getting the crash below when I send a high volume of requests to one of our SSL servers. A dbx stack trace is provided below:

(dbx) where
.(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??) at 0x100000000
look_str_cb@AF19_12() at 0x10063efac
int_cb_LHASH_DOALL_ARG() at 0x100544f58
doall_util_fn@AF15_10() at 0x1005243e8
engine_table_doall() at 0x100544fa8
ENGINE_pkey_asn1_find_str() at 0x10063e8dc
EVP_PKEY_asn1_find_str() at 0x1005a7b88
get_optional_pkey_id() at 0x1007c8c28
IPRA.$ssl_cipher_get_disabled() at 0x1007c9858
ssl_create_cipher_list() at 0x1007caf6c
SSL_CTX_set_cipher_list() at 0x1007c2644
ossl_connect_step1() at 0x1007b9508
ossl_connect_common() at 0x1007bc4f8
Curl_ssl_connect_nonblocking() at 0x1007b0b7c
Curl_http_connect() at 0x10085eb04
IPRA.$multi_runsingle() at 0x100825eec
curl_multi_perform() at 0x100827278
easy_perform() at 0x1007aea10
internal error: unexpected value 120 at line 5214 in file stabstring.c
internal error: unexpected value 120 at line 5214 in file stabstring.c
internal error: unexpected value 120 at line 5214 in file stabstring.c

It appears to be crashing deep inside OpenSSL. Non-ssl works fine. The version and OS information is presented below.

Operating System: AIX 7.2

Library and version information:

curl 8.7.1 (powerpc-ibm-aix7.1.5.0) libcurl/8.7.1 OpenSSL/1.1.1v zlib/1.2.13 libssh2/1.10.0 nghttp2/1.58.0 OpenLDAP/2.5.16
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe UnixSockets

I have a similar issue created for the Curl devs: https://github.com/curl/curl/issues/14517

Any ideas on how this could happen? Any and all information and advice are welcome. Thanks in advance!

nhorman commented 1 month ago

Just FYI, 1.1.1 is out of support; you should try to recreate this on OpenSSL 3 if you can.

That said, I'm not sure what the dbx meaning of this is: .(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??) at 0x100000000

I'm sort of assuming it's dbx's way of saying I jumped to a function that I have no stabs information for (perhaps an invalid function pointer?).

Can you elaborate on what dbx means by that?

Shackster commented 1 month ago

It seems to mean what you think it does. It goes on to say "Illegal Instruction" in . at 0x100000000.

bernd-edlinger commented 1 month ago

Are you using any OpenSSL engines here?