Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 7 Apr 2008 13:10:53 +0200 (CEST)
From:      Harald Schmalzbauer <harry@omnisec.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/122526: lighttpd active SSL connection loss (SSL3_WRITE_PENDING:bad write retry)
Message-ID:  <200804071110.m37BArIm005921@titan.flintsbach.schmalzbauer.de>
Resent-Message-ID: <200804071120.m37BK1WH053020@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         122526
>Category:       ports
>Synopsis:       lighttpd active SSL connection loss (SSL3_WRITE_PENDING:bad write retry)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 07 11:20:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Harald Schmalzbauer
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
OmniSEC
>Environment:
System: FreeBSD titan.flintsbach.schmalzbauer.de 7.0-STABLE FreeBSD 7.0-STABLE #1: Thu Mar 27 09:36:49 CET 2008 root@titan.flintsbach.schmalzbauer.de:/usr/obj/usr/src/sys/TITAN i386


	
>Description:
	lighttpd 1.4.19 shows these lines in the error-log:
(network_openssl.c.130) SSL: 1 -1 error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry 
(connections.c.614) connection closed: write failed on fd 8
If one of two concurrent SSL connections get cancelled by the client then also the other connection gets closed by lighhtpd.
According to http://trac.lighttpd.net/trac/ticket/285 this is a closed DoS vulnerability
(http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531)
>How-To-Repeat:
	Install lighttpd 1.4.19 and download something using SSL
>Fix:

add patch-SSL_shutdown to files directory:

--- src/connections.c (revision 2103)
+++ src/connections.c (revision 2136)
@@ -200,4 +200,5 @@
        /* don't resize the buffer if we were in SSL_ERROR_WANT_* */

+       ERR_clear_error();
        do {
                if (!con->ssl_error_want_reuse_buffer) {
@@ -1670,4 +1671,5 @@
                        if (srv_sock->is_ssl) {
                                int ret;
+                               ERR_clear_error();
                                switch ((ret = SSL_shutdown(con->ssl))) {
                                case 1:
@@ -1675,6 +1677,8 @@
                                        break;
                                case 0:
-                                       SSL_shutdown(con->ssl);
-                                       break;
+                                       ERR_clear_error();
+                                       if ((ret = SSL_shutdown(con->ssl)) == 1) break;
+
+                                       // fall through
                                default:
                                        log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
--- src/network_openssl.c (revision 2084)
+++ src/network_openssl.c (revision 2136)
@@ -86,4 +86,5 @@
                         */

+                       ERR_clear_error();
                        if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
                                unsigned long err;
@@ -188,4 +189,5 @@
                                close(ifd);

+                               ERR_clear_error();
                                if ((r = SSL_write(ssl, s, toSend)) <= 0) {
                                        unsigned long err;
--- NEWS (revision 2130)
+++ NEWS (revision 2136)
@@ -9,4 +9,5 @@
   * Fix mod_extforward to compile with old gcc version (#1591)
   * Update documentation for #1587
+  * Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls

 - 1.4.19 - 2008-03-10
--- src/connections.c (revision 2136)
+++ src/connections.c (revision 2139)
@@ -1670,5 +1670,6 @@
 #ifdef USE_OPENSSL
                        if (srv_sock->is_ssl) {
-                               int ret;
+                               int ret, ssl_r;
+                               unsigned long err;
                                ERR_clear_error();
                                switch ((ret = SSL_shutdown(con->ssl))) {
@@ -1678,14 +1679,40 @@
                                case 0:
                                        ERR_clear_error();
-                                       if ((ret = SSL_shutdown(con->ssl)) == 1) break;
+                                       if (-1 != (ret = SSL_shutdown(con->ssl))) break;

                                        // fall through
                                default:
-                                       log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
-                                                       SSL_get_error(con->ssl, ret),
-                                                       ERR_error_string(ERR_get_error(), NULL));
-                                       return -1;
+
+                                       switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
+                                       case SSL_ERROR_WANT_WRITE:
+                                       case SSL_ERROR_WANT_READ:
+                                               break;
+                                       case SSL_ERROR_SYSCALL:
+                                               /* perhaps we have error waiting in our error-queue */
+                                               if (0 != (err = ERR_get_error())) {
+                                                       do {
+                                                               log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
+                                                                               ssl_r, ret,
+                                                                               ERR_error_string(err, NULL));
+                                                       } while((err = ERR_get_error()));
+                                               } else {
+                                                       log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
+                                                                       ssl_r, r, errno,
+                                                                       strerror(errno));
+                                               }
+       
+                                               break;
+                                       default:
+                                               while((err = ERR_get_error())) {
+                                                       log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
+                                                                       ssl_r, ret,
+                                                                       ERR_error_string(err, NULL));
+                                               }
+       
+                                               break;
+                                       }
                                }
                        }
+                       ERR_clear_error();
 #endif


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200804071110.m37BArIm005921>