Crystal programs will successfully compile against this OpenSSL version, but appear to have issues at runtime when performing read/write operations over TLS connections.
The new LTS version of OpenSSL, version 1.1.1, was released September 11, 2018.
For example, carc.in just so happens to have OpenSSL 1.1.1
require "http/client"
response = HTTP::Client.get "https://tomrichards.net/"
puts response.body
Invalid memory access (signal 11) at address 0x8
[0x562297c94f96] *CallStack::print_backtrace:Int32 +118
[0x562297c8524d] __crystal_sigfault_handler +61
[0x7f99e48e93c0] ???
[0x562297ce95e0] ???
[0x562297c8582e] ~procProc(Pointer(LibCrypto::Bio), Pointer(UInt8), Int32, Int32) +46
[0x7f99e5005343] ???
[0x7f99e5005803] BIO_write +35
[0x7f99e50038eb] ???
[0x7f99e5005cd7] BIO_ctrl +119
[0x7f99e527a49e] ???
[0x7f99e527eee0] ???
[0x7f99e527999a] ???
[0x7f99e5265496] SSL_do_handshake +86
[0x562297d245a6] *OpenSSL::SSL::Socket::Client#initialize<TCPSocket, OpenSSL::SSL::Context::Client, Bool, String>:Nil +342
[0x562297d24436] *OpenSSL::SSL::Socket::Client::new:context:sync_close:hostname<TCPSocket, OpenSSL::SSL::Context::Client, Bool, String>:OpenSSL::SSL::Socket::Client +214
[0x562297d14c13] *HTTP::Client#socket:IO+ +499
[0x562297d1449c] *HTTP::Client#send_request<HTTP::Request>:Bool +60
[0x562297d1441d] *HTTP::Client#exec_internal_single<HTTP::Request>:(HTTP::Client::Response | Nil) +29
[0x562297d1423d] *HTTP::Client#exec_internal<HTTP::Request>:HTTP::Client::Response +29
[0x562297d14216] *HTTP::Client#exec<HTTP::Request>:HTTP::Client::Response +6
[0x562297d141c5] *HTTP::Client#exec<String, String, HTTP::Headers, Nil>:HTTP::Client::Response +69
[0x562297d13ab9] *HTTP::Client::exec<String, String, Nil, Nil, Nil>:HTTP::Client::Response +809
[0x562297d1377d] *HTTP::Client::get<String>:HTTP::Client::Response +29
[0x562297c77ecb] __crystal_main +1803
[0x562297d290e6] *Crystal::main_user_code<Int32, Pointer(Pointer(UInt8))>:Nil +6
[0x562297d29049] *Crystal::main<Int32, Pointer(Pointer(UInt8))>:Int32 +41
[0x562297c82ea6] main +6
[0x7f99e44b8223] __libc_start_main +243
[0x562297c776ee] _start +46
[0x0] ???
This may be related to the addition of new fields to the bio_method_st.
https://abi-laboratory.pro/index.php?view=compat_report&l=openssl&v1=1.1.0i&v2=1.1.1&obj=4afcc&kind=abi#Type_Problems_Medium
A demo repository has been created for this issue:
The exact error conditions have been reproduced on Circle CI:
We are having the same issue:
Invalid memory access (signal 11) at address 0x8
[0x55b1c514a866] *CallStack::print_backtrace:Int32 +118
[0x55b1c51378cd] __crystal_sigfault_handler +61
[0x7fcff53483c0] ???
[0x55b1c51aa450] ???
[0x55b1c513897e] ~procProc(Pointer(LibCrypto::Bio), Pointer(UInt8), Int32, Int32) +46
[0x7fcff5a64343] ???
[0x7fcff5a64803] BIO_write +35
[0x7fcff5a628eb] ???
[0x7fcff5a64cd7] BIO_ctrl +119
[0x7fcff5cd949e] ???
[0x7fcff5cddee0] ???
[0x7fcff5cd899a] ???
[0x7fcff5cc4496] SSL_do_handshake +86
[0x55b1c5210916] *OpenSSL::SSL::Socket::Client#initialize<TCPSocket, OpenSSL::SSL::Context::Client, Bool, String>:Nil +342
[0x55b1c52107a6] *OpenSSL::SSL::Socket::Client::new:context:sync_close:hostname<TCPSocket, OpenSSL::SSL::Context::Client, Bool, String>:OpenSSL::SSL::Socket::Client +214
[0x55b1c5202463] *HTTP::Client#socket:IO+ +499
[0x55b1c5201c72] *HTTP::Client#send_request<HTTP::Request>:Bool +66
[0x55b1c5201bed] *HTTP::Client#exec_internal_single<HTTP::Request>:(HTTP::Client::Response | Nil) +29
[0x55b1c52019d0] *HTTP::Client#exec_internal<HTTP::Request>:HTTP::Client::Response +32
[0x55b1c52019a6] *HTTP::Client#exec<HTTP::Request>:HTTP::Client::Response +6
[0x55b1c5201952] *HTTP::Client#exec<String, String, HTTP::Headers, String>:HTTP::Client::Response +82
OpenSSL: OpenSSL 1.1.1 11 Sep 2018
@bcardiff this is a critical issue, it's really problematic to downgrade the OpenSSL version as it has security issue fixes.
Yes, that's the cause for the segfault. That's still not enough to support OpenSSL 1.1.1, though :(
@bararchy no, it's not critical. This only affects OpenSSL 1.1.1 which isn't a patch release but a major release and won't be available on LTS distributions for a long time.
OpenSSL 1.0.2 (LTS until 31 December 2019) and OpenSSL 1.1.0 (~September 2019) are still supported, widely deployed, and do work.
@ysbaddaden They do, but they won't support TLS 1.3 and other added security features the new version has added.
But I agree that calling it "critical" was premature.
Fixed in #6738 anyway. If I saved the day, I accept donations :smile:
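The layout hypothesis from the original report (new fields added to bio_method_st) can be made concrete with an added example, which is not code from Crystal, OpenSSL or anyone in this thread: a binding fills a callback table using the older layout, and a library that expects two extra slots reads the same bytes. The two struct definitions, the slot names and the numeric callback ids are constructed assumptions; the thread itself only says that fields were added.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*cb_t)(void);

/* Constructed, simplified mirrors of a BIO method table. Assumption: slot
 * names follow OpenSSL's; each callback is reduced to one pointer type. */
struct meth_old {                 /* layout the binding declares */
    int type; const char *name;
    cb_t bwrite, bread, bputs, bgets, ctrl, create, destroy, callback_ctrl;
};
struct meth_new {                 /* same table with two slots inserted */
    int type; const char *name;
    cb_t bwrite, bwrite_old, bread, bread_old,
         bputs, bgets, ctrl, create, destroy, callback_ctrl;
};

static int on_write(void)   { return 1; }
static int on_read(void)    { return 2; }
static int on_puts(void)    { return 3; }
static int on_gets(void)    { return 4; }
static int on_ctrl(void)    { return 5; }
static int on_create(void)  { return 6; }
static int on_destroy(void) { return 7; }

/* The table as a library using the new layout reads it. Bytes are copied
 * into a zeroed struct so slots past the old struct's end are NULL here
 * instead of whatever memory follows the binding's table. */
struct meth_new view_as_new(void) {
    struct meth_old filled = { 0, "binding", on_write, on_read, on_puts,
                               on_gets, on_ctrl, on_create, on_destroy, NULL };
    struct meth_new seen;
    memset(&seen, 0, sizeof seen);
    memcpy(&seen, &filled, sizeof filled);
    return seen;
}

/* Id of the callback a slot would run; 0 means the slot is NULL. */
int slot_id(cb_t cb) { return cb ? cb() : 0; }

int main(void) {
    struct meth_new v = view_as_new();
    printf("library bread -> binding callback %d\n", slot_id(v.bread));
    printf("library ctrl  -> binding callback %d\n", slot_id(v.ctrl));
    printf("library destroy is %s\n", v.destroy ? "set" : "NULL");
    return 0;
}
```

Filling the table through OpenSSL's BIO_meth_new and BIO_meth_set_* accessors, available since 1.1.0, removes the binding's dependence on the struct layout.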