Some nginx TLS tests started failing with LibreSSL 2.5.3 (but not with 2.4.4) #307

Closed
jirutka opened this Issue Apr 25, 2017 · 15 comments

@jirutka

jirutka commented Apr 25, 2017

After we updated LibreSSL from 2.4.4 to 2.5.3 in Alpine Linux, we noticed that some TLS-related tests in nginx (both 1.10.3 and 1.12.0) started failing. Moreover, most of them fail because nginx accepted a certificate that should have been rejected! That’s a pretty bad regression.

We’re not sure if the problem is in LibreSSL, nginx or nginx-tests, so reporting it to both. Nginx bug report: https://trac.nginx.org/nginx/ticket/1257.

People from VoidLinux have reproduced this issue too, on glibc.

Test Summary Report
-------------------
./h2_ssl_verify_client.t             (Wstat: 256 Tests: 5 Failed: 1)
  Failed test:  2
  Non-zero exit status: 1
./mail_imap_ssl.t                    (Wstat: 512 Tests: 14 Failed: 2)
  Failed tests:  4, 10
  Non-zero exit status: 2
./proxy_bind_transparent.t           (Wstat: 512 Tests: 3 Failed: 2)
  Failed tests:  1-2
  Non-zero exit status: 2
./proxy_ssl_certificate.t            (Wstat: 256 Tests: 7 Failed: 1)
  Failed test:  2
  Non-zero exit status: 1
./ssl_crl.t                          (Wstat: 512 Tests: 5 Failed: 2)
  Failed tests:  2-3
  Non-zero exit status: 2
./ssl_verify_client.t                (Wstat: 512 Tests: 12 Failed: 2)
  Failed tests:  4-5
  Non-zero exit status: 2
./ssl_verify_depth.t                 (Wstat: 256 Tests: 4 Failed: 1)
  Failed test:  2
  Non-zero exit status: 1
./stream_proxy_ssl_certificate.t     (Wstat: 256 Tests: 7 Failed: 1)
  Failed test:  2
  Non-zero exit status: 1
./stream_ssl_verify_client.t         (Wstat: 512 Tests: 12 Failed: 2)
  Failed tests:  3, 5
  Non-zero exit status: 2
Files=290, Tests=3628, 300 wallclock secs ( 1.91 usr  0.46 sys + 54.82 cusr  9.07 csys = 66.26 CPU)

Complete log: http://tpaste.us/Ynw6 or nginx-tests.log.txt

/cc @ncopa

@Duncaen

Duncaen commented Apr 25, 2017

nginx-tests@openbsd$ TEST_NGINX_BINARY=/usr/local/sbin/nginx prove -v ./ssl_verify_client.t
./ssl_verify_client.t ..
1..12
ok 1 - plain connection
ok 2 - no cert
ok 3 - no optional cert
not ok 4 - bad optional cert

#   Failed test 'bad optional cert'
#   at ./ssl_verify_client.t line 125.
#                   'HTTP/1.1 200 OK
# Server: nginx/1.10.2
# Date: Tue, 25 Apr 2017 17:39:03 GMT
# Content-Type: text/plain
# Content-Length: 8
# Last-Modified: Tue, 25 Apr 2017 17:39:03 GMT
# Connection: close
# ETag: "58ff89b7-8"
# X-Verify: xSUCCESS:-----BEGIN CERTIFICATE-----
#       MIIBpzCCARACCQCgJ9TYR7fSOzANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA0x
#       LmV4YW1wbGUuY29tMB4XDTE3MDQyNTE3MzkwM1oXDTE3MDUyNTE3MzkwM1owGDEW
#       MBQGA1UEAwwNMS5leGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
#       gYEAr70r4WM5yL5LJrp6rhBLOX6FKX85NY59H7J3/XHU1/wAnr/AUclq0ugfyj8e
#       rUTL5tNG8VC0fhKZ+nzgiMhY/WnLvF8LJArjw3DgeB8G5JAVZIMhUtfl9HmBv35Z
#       OhcFVgx315umUcDBSDlOAxES2wILhU7h6YB7qiQkHPYZN4kCAwEAATANBgkqhkiG
#       9w0BAQsFAAOBgQBkUOogRBmb+bANFb/o01+q4yC9o7mWmzL2YCgokJU6sw6PrY6Q
#       fExdPKrSYLwcQrGGow/zYMyndGRhVp0Z/61Ph6c7xXIVNge4L0JjVPZ4llgVcZTh
#       1FnvG808QBxPWY2s2lgmnu0B262DepxVHgDhR4oV8VUQRLMUMOnJFBBsWQ==
#       -----END CERTIFICATE-----x
# Accept-Ranges: bytes
#
# SEE-THIS'
#     doesn't match '(?^:400 Bad)'
not ok 5 - bad optional_no_ca cert

#   Failed test 'bad optional_no_ca cert'
#   at ./ssl_verify_client.t line 126.
#                   'HTTP/1.1 200 OK
# Server: nginx/1.10.2
# Date: Tue, 25 Apr 2017 17:39:03 GMT
# Content-Type: text/plain
# Content-Length: 8
# Last-Modified: Tue, 25 Apr 2017 17:39:03 GMT
# Connection: close
# ETag: "58ff89b7-8"
# X-Verify: xSUCCESS:-----BEGIN CERTIFICATE-----
#       MIIBpzCCARACCQCgJ9TYR7fSOzANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA0x
#       LmV4YW1wbGUuY29tMB4XDTE3MDQyNTE3MzkwM1oXDTE3MDUyNTE3MzkwM1owGDEW
#       MBQGA1UEAwwNMS5leGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
#       gYEAr70r4WM5yL5LJrp6rhBLOX6FKX85NY59H7J3/XHU1/wAnr/AUclq0ugfyj8e
#       rUTL5tNG8VC0fhKZ+nzgiMhY/WnLvF8LJArjw3DgeB8G5JAVZIMhUtfl9HmBv35Z
#       OhcFVgx315umUcDBSDlOAxES2wILhU7h6YB7qiQkHPYZN4kCAwEAATANBgkqhkiG
#       9w0BAQsFAAOBgQBkUOogRBmb+bANFb/o01+q4yC9o7mWmzL2YCgokJU6sw6PrY6Q
#       fExdPKrSYLwcQrGGow/zYMyndGRhVp0Z/61Ph6c7xXIVNge4L0JjVPZ4llgVcZTh
#       1FnvG808QBxPWY2s2lgmnu0B262DepxVHgDhR4oV8VUQRLMUMOnJFBBsWQ==
#       -----END CERTIFICATE-----x
# Accept-Ranges: bytes
#
# SEE-THIS'
#     doesn't match '(?^:FAILED.*BEGIN)'
ok 6 - good cert
ok 7 - good cert optional
ok 8 - good cert trusted
ok 9 - no trusted sent
ok 10 - misdirected
ok 11 - no alerts
ok 12 - no sanitizer errors
# Looks like you failed 2 tests of 12.
Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/12 subtests

Test Summary Report
-------------------
./ssl_verify_client.t (Wstat: 512 Tests: 12 Failed: 2)
  Failed tests:  4-5
  Non-zero exit status: 2
Files=1, Tests=12,  1 wallclock secs ( 0.04 usr  0.00 sys +  0.24 cusr  0.08 csys =  0.36 CPU)
Result: FAIL

Same or similar results with the nginx port in OpenBSD 6.1.
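To make the pass criteria of the two failing subtests concrete, here is an added Python check (not part of nginx-tests or of this thread) that applies them to captured responses. The sample responses are constructed from the prove output quoted above, with the certificate cut down to one line plus a placeholder.

```python
import re

# Constructed sample responses modelled on the prove output quoted above. There the
# test's X-Verify header carries "x" + $ssl_client_verify + ":" + $ssl_client_raw_cert + "x".
# The base64 line ending in "x" is kept on purpose: a naive "find the closing x" parser
# would stop there instead of at the real end of the header.
CERT = ("-----BEGIN CERTIFICATE-----\n"
        "\tMIIBpzCCARACCQCgJ9TYR7fSOzANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA0x\n"
        "\t...elided...\n"
        "\t-----END CERTIFICATE-----")
REGRESSED = ("HTTP/1.1 200 OK\r\nServer: nginx/1.10.2\r\nContent-Type: text/plain\r\n"
             "X-Verify: xSUCCESS:" + CERT + "x\r\nAccept-Ranges: bytes\r\n\r\nSEE-THIS")
EXPECTED_NO_CA = REGRESSED.replace("xSUCCESS:", "xFAILED:self signed certificate:")
EXPECTED_OPTIONAL = "HTTP/1.1 400 Bad Request\r\nServer: nginx/1.10.2\r\n\r\n"

# The closing "x" must be followed by the next header line or the blank line that
# ends the headers, which is how folded certificate lines are skipped.
VERIFY_RE = re.compile(
    r"^X-Verify: x(SUCCESS|FAILED:[^:\r\n]*|NONE):?(.*?)x\r?\n(?=\S|\r?\n)",
    re.M | re.S)


def parse(response):
    """Return (status, $ssl_client_verify, raw client cert or '') from a response."""
    status = int(response.split("\r\n", 1)[0].split(" ")[1])
    m = VERIFY_RE.search(response)
    if m is None:
        return status, None, ""
    return status, m.group(1), m.group(2).strip()


def check(response, mode):
    """Apply the nginx-tests pass criteria for a client certificate the
    configured CA cannot validate (the 'bad cert' cases above)."""
    status, verify, cert = parse(response)
    if mode == "optional":
        # ssl_verify_client optional: the request must be rejected outright.
        return status == 400
    if mode == "optional_no_ca":
        # ssl_verify_client optional_no_ca: the request is served, but the verify
        # result must be reported as FAILED so the application can decide itself.
        return (status == 200 and verify is not None
                and verify.startswith("FAILED") and "BEGIN CERTIFICATE" in cert)
    raise ValueError(mode)


def regression_report(cases):
    """Names of the cases where nginx accepted what it should have flagged."""
    return [name for name, (resp, mode) in cases.items() if not check(resp, mode)]


if __name__ == "__main__":
    print("failing:", regression_report({
        "bad optional cert": (REGRESSED, "optional"),
        "bad optional_no_ca cert": (REGRESSED, "optional_no_ca")}))
```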

@Duncaen

Duncaen commented Apr 25, 2017

I think it’s this commit [0] together with nginx’s ngx_ssl_verify_callback [1].

[0] libressl-portable/openbsd@ddd98f8
[1] https://github.com/nginx/nginx/blob/branches/stable-1.10/src/event/ngx_event_openssl.c#L666

@jirutka

jirutka commented Apr 26, 2017

I’ve tried rebuilding LibreSSL 2.5.3 with libressl-portable/openbsd@ddd98f8 reverted, and now all nginx tests pass!

@jirutka

jirutka commented Apr 26, 2017

Please read the responses from the nginx team in https://trac.nginx.org/nginx/ticket/1257#comment:4. According to them it’s not a problem on their side, and it seems to us that they are right.

@4a6f656c

Member

4a6f656c commented Apr 26, 2017

Thanks for digging into the issue and reporting this. It seems that the change does indeed break the documented API - we're looking into solutions and will follow up soon.

@kaniini

kaniini commented Apr 27, 2017

this regression being a security issue, have we got a CVE yet?

@Shizmob

Shizmob commented Apr 27, 2017

Since this seems to affect at least two widely-used software packages severely if used together with LibreSSL, we opted to request a CVE for this.

@Shizmob

Shizmob commented Apr 27, 2017

CVE-2017-8301 has been assigned for this issue.

@4a6f656c

Member

4a6f656c commented Apr 28, 2017

This has been reverted upstream - errata/release to follow soon.

@bob-beck

Member

bob-beck commented May 3, 2017

Once the portable 2.5.4 heads out (shortly) I will close this out.

@bob-beck

Member

bob-beck commented May 3, 2017

Errata released, and fixed in portable libressl 2.5.4

@bob-beck bob-beck closed this May 3, 2017

@kaniini

kaniini commented May 3, 2017

thanks.

joachifm added a commit to joachifm/nixpkgs that referenced this issue May 5, 2017

libressl: 2.5.3 -> 2.5.4
Contains a fix for CVE-2017-8301: TLS verification vulnerability in
LibreSSL 2.5.1 - 2.5.3 [1][2]

[1]: http://seclists.org/oss-sec/2017/q2/145
[2]: libressl-portable/portable#307

joachifm added a commit to NixOS/nixpkgs that referenced this issue May 5, 2017

libressl: 2.5.3 -> 2.5.4
Contains a fix for CVE-2017-8301: TLS verification vulnerability in
LibreSSL 2.5.1 - 2.5.3 [1][2]

[1]: http://seclists.org/oss-sec/2017/q2/145
[2]: libressl-portable/portable#307

(cherry picked from commit e2bc4e4)