Kestrel: Segfault when specifying default certificate on Ubuntu 20.04 #81964
Comments
|
@VMelnalksnis Can you tell us more about your project? I followed your steps with a simple React app ( Have you tried your steps with a toy project (i.e. not your real one) to see whether it's somehow related to your project (vs proxmox, ubuntu, libssl, etc)? |
|
@amcasey I tried to run After changing the target framework to net6.0 it worked. I also tried to publish with The project is this one https://github.com/VMelnalksnis/Gnomeshade/tree/master/source/Gnomeshade.WebApi. The only things changed for Kestrel were content root, web root and cipher suites policy for TLS, but I also tried without it. |
|
@VMelnalksnis Thanks! It's very helpful to know that it repros in a new project. I'll play around with |
|
@VMelnalksnis Sorry, I'm still not seeing it. Is the If you can repro the issue consistently, can you collect and share a dump? |
|
Hi @VMelnalksnis. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time. |
|
@amcasey No, that was only the part that caused the crash. I have other sections for other libraries as well, such as ElasticApm and ConnectionStrings, and I can post those as well if they're relevant. Here's the full "Kestrel": {
"EndpointDefaults": {
"Protocols": "Http1AndHttp2"
},
"Endpoints": {
"Https": {
"Url": "https://some.fully.qualified.name.com:443",
"CheckCertificateRevocation": true,
"ClientCertificateMode": "Optional",
"SslProtocols": ["Tls13"],
}
},
"Certificates": {
"Default": {
"Path": "/path/to/host/certificate.p12",
"Password": "password"
}
}
}I tried the same configuration by changing each value separately as well: As for the dump, I'm not entirely sure where to look for it. The common answers for Ubuntu were not correct, I'm guessing because it's an LXC and/or on Proxmox; I'll keep looking. |
|
@VMelnalksnis Thanks! Since you have a repro with the |
|
We have some docs here about how to collect dotnet dumps, but this is a native crash, so I'm not sure they'll work in this case. I'll see if I can figure out how to collect a core dump on Ubuntu 20.04. |
|
Well, that was harder than it needed to be... I managed to cobble together these commands to get core files to appear in ulimit -c unlimited
sudo sysctl -w kernel.core_pattern=/var/crash/core.%e.%p.%h.%tI think you can get back to normal with ulimit -c 0
systemctl restart apportMostly from here. No warranty, express or implied. 😛 |
|
@amcasey Thanks for the info - when running non-self-contained, setting |
|
I'm seeing |
|
Based on the stack, I'm guessing |
|
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones Issue DetailsIs there an existing issue for this?
Describe the bugAfter upgrading an ASP.NET Core project from .NET 6 to .NET 7, the application fails to start with a segmentation fault when specifying a default certificate for Kestrel. Expected BehaviorApplication works with a certificate on .NET 7 same as before on .NET 6. Steps To Reproduce
Alternatively, can just specify the certificate from the start and see that the application crashes before starting. Exceptions (if any)I've seen two types of segfaults in the hypervisor syslog: and starting the application with default certificates: .NET Version7.0.102 Anything else?Running on Ubuntu 20.04.5 LTS LXC container on Proxmox 7.3-4.
|
|
This is new in .NET 7 because .NET 7 has server-side OCSP stapling, and this error stack indicates that its trying to fetch an OCSP response from the CA for stapling purposes. Is it possible for you to attach your Even better would be any steps possible to reproduce this. If you can include the public certificate from the p12 file, that would also very helpful. You can get the public certificate from the PKCS12 file with a command like: and it should output the |
|
Here's the library and the certificate: data.zip |
|
Okay, so digging in here a little bit: We're basically failing (approximately) in OpenSSL here: I say approximately because I wasn't able to find the exact sources for your distro's OpenSSL libcrypto, but was able to follow the offsets thanks to the provided binary.
So we're null dereferencing somewhere in
It all starts here in managed code: That eventually makes its way to ikey = X509_get0_pubkey_bitstr(issuer);
return OCSP_cert_id_new(dgst, iname, ikey, serial);If Going back to the managed side: if (_ocspUrls is null && _ca is not null)We check if From the native stack, it looks like the issuer certificate has a I'm going to keep digging in to this, but thought I would post what I have so far in case someone (@bartonjs) has a psychic debugging moment. |
|
As some supporting research, if I do something like this: FILE *fp = fopen("/Users/vcsjones/Downloads/data/certificate.crt", "r");
assert(fp);
X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
assert(cert);
OCSP_cert_to_id(NULL, cert, NULL); // Pass in NULL issuerThen it fails at the exact same offset. So |
|
I can repro this now. |
|
Steps to reproduce:
|
|
Yep. The issuer is NULL. issuerKey=0x0000000000000000 |
|
I synced up with @vcsjones offline earlier, and it sounds like he has a strong grip on the problem and the solution. |
ghost
added
the
in-pr
|
I just realized I never gave a proper write-up of the issue here, only obtuse debugging notes. Apologies. The issue you are running in to is due to a new feature in .NET 7 called OCSP stapling. Unfortunately there is an issue with the implementation when handling an X.509 chain that has exactly two certificates in it, an end-entity and a root, which your certificate chain (appears) to have. This has been fixed for .NET 8, and we are in the process of attempting to get it serviced in to a future .NET 7 release. If or when that happens I can't say for certain, but I'll give an update here when a servicing decision has been made. In the mean time, you have a few options.
|
|
Thanks for the detailed write-up and workaround. I guess I should finally fix my setup and create an offline root CA. |
|
Thank you for this workaround. Could this maybe be documented somewhere more prominently ( if it won't be fixed in a .NET 7 release?) |
|
@Qowy based on the servicing pull request, it looks like it will be merged in for the 7.0.5 servicing release. |
ghost
removed
the
in-pr
|
The fix has been merged for the 7.0.5 release. |
ghost
locked as resolved and limited conversation to collaborators
Is there an existing issue for this?
Describe the bug
After upgrading an ASP.NET Core project from .NET 6 to .NET 7, the application fails to start with a segmentation fault when specifying a default certificate for Kestrel.
Expected Behavior
Application works with a certificate on .NET 7 same as before on .NET 6.
Steps To Reproduce
appsettings.json:Main process exited, code=killed, status=11/SEGVAlternatively, can just specify the certificate from the start and see that the application crashes before starting.
Exceptions (if any)
I've seen two types of segfaults in the hypervisor syslog:
after updating
appsettings.jsonand starting the application with default certificates:
.NET Version
7.0.102
Anything else?
Running on Ubuntu 20.04.5 LTS LXC container on Proxmox 7.3-4.
libbssl version:
The text was updated successfully, but these errors were encountered: