#58 segfault problem disabling server-side SSLv3 with Tls

open
nobody
None
5
2015-06-16
2015-06-04
No

I've been trying to upgrade to latest 8.5.x versions of Tcl and latest Tls.

I'm finding that if I try to create a tls::socket and specify not to allow connections via SSL v3, a client attempting to connect via SSL v3 is causing a segmentation fault in the server (tried on Linux and Mac so far).

Is anyone else seeing this behaviour?

Based on latest builds in Teacup:
teacup get base-tcl-thread 8.5.18.0.299041 macosx10.5-i386-x86_64
teacup get tls 1.6.5 macosx10.5-i386-x86_64

Example script (note depends on presence of three certificate files):

load ./libtls1.6.5.dylib
source tls.tcl

tls::init -request 0 -require 0 -ssl2 0 -ssl3 0 -tls1 1 -tls1.1 1 -tls1.2 1 -certfile cert.pem -cafile ca.pem -keyfile private.pem -command Dbg
tls::socket -server Accept 1199

proc Accept {sock args} {fconfigure $sock -blocking 0; fileevent $sock readable [list Handshake $sock]}
proc Handshake {sock} {tls::handshake $sock}
proc Dbg {args} {puts stderr "Dbg: $args"}

vwait forever

To generate error, try connecting via e.g.
curl https://127.0.0.1:1199 --verbose -k -sslv3

Output from the server:
[imac:~/tmp/ssl] roseman% ./application-base-tcl-thread-8.5.18.0.299041-macosx10.5-i386-x86_64 srv.tcl
Dbg: info sock8 handshake start {before/accept initialization}
Dbg: info sock8 accept loop {before/accept initialization}
Dbg: info sock8 alert write {handshake failure}
Dbg: info sock8 accept exit {SSLv3 read client hello C}
Dbg: info sock8 accept exit {SSLv3 read client hello C}
Dbg: error sock8 {wrong version number}
Segmentation fault
[imac:~/tmp/ssl] roseman%

Change the tls::init line to specify "-ssl3 1" and no crash.

Discussion

  • Ashok P. Nadkarni

    I have a patch (attached) that fixes this for me on Windows with Tcl 8.6.4. Unfortunately, I cannot build for your platform. Please update the ticket if you build and try it.

    /Ashok

     

    Last edit: Ashok P. Nadkarni 2015-06-04
  • Ashok P. Nadkarni

    For future reference - the issue was that on getting an error from SSL_accept, the TLS extension does not actually "remember" it and the next upper level I/O again calls SSL_accept (via Tls_WaitForConnection) to perform the handshake on the same connection. The openssl library expects that SSL state structure to be in an initialized state whereas it is actually in an error (and failed negotiation) state. The crash results from attempting to access non-existent negotiated ciphers.

     
  • Mark Roseman

    Mark Roseman - 2015-06-05

    Thanks Ashok. I'm not at present set up to do builds etc. so I can't try this fix out at the moment, but I'm grateful for the quick response...

     
  • Ashok P. Nadkarni

    Fix checked into CVS and tested on Windows.

     
  • Ashok P. Nadkarni

    This fix is in TLS 1.6.6 downloadable from teapot.

     

    Last edit: Ashok P. Nadkarni 2015-06-16
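
The failure mode described in the discussion above (a second handshake attempt on a session whose first attempt already failed), modelled as an added example; it is not the TLS extension's code or the attached patch. `mock_accept`, `struct chan` and `hs_failed` are constructed stand-ins, not OpenSSL or tls identifiers, and latching the error in a flag is one assumed way of "remembering" it.

```c
#include <stdio.h>

/* Constructed stand-in for a TLS library session; not OpenSSL's SSL struct. */
enum hs_state { HS_INIT, HS_FAILED, HS_DONE };
struct mock_ssl { enum hs_state st; int accept_calls; int misuse; };

/* Mock accept: assumes a fresh session, as the ticket says the library does.
 * Re-entry on a failed session is counted as misuse; in the ticket that
 * re-entry is what led to the crash. */
static int mock_accept(struct mock_ssl *s, int client_ok) {
    s->accept_calls++;
    if (s->st == HS_FAILED) { s->misuse++; return -1; }
    s->st = client_ok ? HS_DONE : HS_FAILED;
    return client_ok ? 1 : -1;
}

/* Hypothetical channel wrapper; the field names are assumptions. */
struct chan { struct mock_ssl ssl; int hs_failed; };

/* Before: every I/O entry point retries the handshake, even after an error. */
static int wait_unlatched(struct chan *c, int client_ok) {
    if (c->ssl.st == HS_DONE) return 0;
    return mock_accept(&c->ssl, client_ok) == 1 ? 0 : -1;
}

/* After: the first failure is latched; later calls fail without
 * touching the session again. */
static int wait_latched(struct chan *c, int client_ok) {
    if (c->hs_failed) return -1;
    if (c->ssl.st == HS_DONE) return 0;
    if (mock_accept(&c->ssl, client_ok) == 1) return 0;
    c->hs_failed = 1;
    return -1;
}

/* Drive `calls` I/O attempts for a rejected client; return the misuse count. */
static int run(int latched, int calls) {
    struct chan c = { { HS_INIT, 0, 0 }, 0 };
    for (int i = 0; i < calls; i++) {
        if (latched) wait_latched(&c, 0);
        else         wait_unlatched(&c, 0);
    }
    return c.ssl.misuse;
}

int main(void) {
    printf("unlatched misuse=%d, latched misuse=%d\n", run(0, 3), run(1, 3));
    return 0;
}
```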