Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nginx::SSL limitations? #339

Open
yyamano opened this issue Feb 8, 2018 · 7 comments
Open

Nginx::SSL limitations? #339

yyamano opened this issue Feb 8, 2018 · 7 comments

Comments

@yyamano
Copy link
Collaborator

yyamano commented Feb 8, 2018

Nginx::SSL#servername doesn't work in content handler.
Not sure if it's a bug or unexpected usage. Other SSL methods might have similar issue.

I get SIGSEGV without ssl handshake handler. With the handler, Nginx::SSL#servername returns empty string.

        location /ssl_in_content_handler {
          mruby_content_handler_code '
            ssl = Nginx::SSL.new
            Nginx.rputs "servername: #{ssl.servername}"
          ';
        }

Program received signal SIGSEGV, Segmentation fault.
0x000000000055ac31 in ngx_mrb_ssl_get_servername (mrb=0xbfeec0, self=...)
    at /home/vagrant/ngx_mruby/src/http/ngx_http_mruby_ssl.c:88
88	  return mrb_str_new(mrb, (char *)mscf->servername->data, mscf->servername->len);
Missing separate debuginfos, use: debuginfo-install glibc-2.17-106.el7_2.6.x86_64 nss-softokn-freebl-3.16.2.3-13.el7_1.x86_64 openssl-libs-1.0.1e-51.el7_2.5.x86_64 pcre-8.32-15.el7_2.1.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt
#0  0x000000000055ac31 in ngx_mrb_ssl_get_servername (mrb=0xbfeec0, self=...)
    at /home/vagrant/ngx_mruby/src/http/ngx_http_mruby_ssl.c:88
#1  0x000000000058383d in mrb_vm_exec (mrb=0xbfeec0, proc=0xcd5930, pc=0xd7018c) at /home/vagrant/ngx_mruby/mruby/src/vm.c:1461
#2  0x00000000005815f0 in mrb_vm_run (mrb=0xbfeec0, proc=0xcd5930, self=..., stack_keep=2)
    at /home/vagrant/ngx_mruby/mruby/src/vm.c:935
#3  0x000000000058aba3 in mrb_run (mrb=0xbfeec0, proc=0xcd5930, self=...) at /home/vagrant/ngx_mruby/mruby/src/vm.c:2982
#4  0x000000000054ead8 in ngx_mrb_run (r=0xbfd4e0, state=0xbf8258, code=0xd64cb0, cached=1, result=0x0)
    at /home/vagrant/ngx_mruby/src/http/ngx_http_mruby_module.c:843
#5  0x00000000005512f0 in ngx_http_mruby_content_inline_handler (r=0xbfd4e0)
    at /home/vagrant/ngx_mruby/src/http/ngx_http_mruby_module.c:1586
#6  0x00000000004af074 in ngx_http_core_content_phase (r=0xbfd4e0, ph=0xd85858) at src/http/ngx_http_core_module.c:1169
#7  0x00000000004ae3f7 in ngx_http_core_run_phases (r=0xbfd4e0) at src/http/ngx_http_core_module.c:851
#8  0x00000000004ae365 in ngx_http_handler (r=0xbfd4e0) at src/http/ngx_http_core_module.c:834
#9  0x00000000004bd3e6 in ngx_http_process_request (r=0xbfd4e0) at src/http/ngx_http_request.c:1948
#10 0x00000000004bbd6f in ngx_http_process_request_headers (rev=0xbebb80) at src/http/ngx_http_request.c:1375
#11 0x00000000004bb135 in ngx_http_process_request_line (rev=0xbebb80) at src/http/ngx_http_request.c:1048
#12 0x00000000004b9cf5 in ngx_http_wait_request_handler (rev=0xbebb80) at src/http/ngx_http_request.c:506
#13 0x000000000049d333 in ngx_epoll_process_events (cycle=0xbe74a0, timer=60000, flags=1)
    at src/event/modules/ngx_epoll_module.c:902
#14 0x000000000048bf15 in ngx_process_events_and_timers (cycle=0xbe74a0) at src/event/ngx_event.c:242
#15 0x0000000000499689 in ngx_single_process_cycle (cycle=0xbe74a0) at src/os/unix/ngx_process_cycle.c:310
#16 0x0000000000457bdb in main (argc=1, argv=0x7fffffffe408) at src/core/nginx.c:379
(gdb) l
83	
84	static mrb_value ngx_mrb_ssl_get_servername(mrb_state *mrb, mrb_value self)
85	{
86	  ngx_http_mruby_srv_conf_t *mscf = mrb->ud;
87	
88	  return mrb_str_new(mrb, (char *)mscf->servername->data, mscf->servername->len);
89	}
90	
91	static in_port_t get_in_port(struct sockaddr *sa)
92	{
(gdb) p *mscf
$1 = {state = 0xbf8258, ssl_handshake_code = 0xffffffffffffffff, ssl_handshake_inline_code = 0xffffffffffffffff, 
  server_config_inline_code = 0xc9d558, cf = 0x7fffffffdf50, cscf = 0xc98630, servername = 0x0, cert_path = {len = 0, 
    data = 0x0}, cert_key_path = {len = 0, data = 0x0}, cert_data = {len = 0, data = 0x0}, cert_key_data = {len = 0, 
    data = 0x0}, connection = 0x0}
@matsumotory
Copy link
Owner

The specification of the SSL class is that it can not be used in hook of HTTP request processing. I would like to be able to handle errors by using flags related to phases at run time inside classes and methods.

@matsumotory
Copy link
Owner

In the implementation of trusterd, the request structure has information on each phase, and each method itself determines whether it is a phase that can be executed.

ref: https://github.com/matsumotory/mruby-http2/blob/master/src/mrb_http2_request.h#L21

@yyamano
Copy link
Collaborator Author

yyamano commented Feb 9, 2018

@matsumotory I just want to make sure that Nginx::SSL works only in the handshake and the verify client handler.

@matsumotory
Copy link
Owner

Nginx::SSL class only works in ssl_handshake_handle for now. I do not assume that methods of SSL class except accept_client and reject_client work in verify client handler.

@yyamano
Copy link
Collaborator Author

yyamano commented Feb 14, 2018

Will take care of it. We need to add the limitations to doc too.

@yyamano yyamano mentioned this issue Feb 20, 2018
Merged
3 tasks
@yyamano
Copy link
Collaborator Author

yyamano commented Dec 7, 2018

I added the limitation to docs/class_and_method/README.md#nginxssl-class.

Nginx::SSL class is designed to be used in the ssl handshake handlers. It doesn't work in other handlers like mruby_content_handler_code.

@matsumotory
Copy link
Owner

lgtm!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yyamano @matsumotory