envoyproxy/envoy

quic: configuring access log %DOWNSTREAM_PEER_URI_SAN% causes crash.

Open

#23.940 aperta il 10 nov 2022

Vedi su GitHub
 (4 commenti) (0 reazioni) (0 assegnatari)C++ (5373 fork)batch import
area/quicbughelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

HTTP/3 crashes upon local and peer certs retrieval. Below is an example crash call stack:

F1102 20:47:54.651913 8626 logging.cc:58] assert.h assertion failed at third_party/openssl/boringssl/src/ssl/ssl_x509.cc:163 in void bssl::check_ssl_x509_method(const SSL *): ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method *** Check failure stack trace: *** @ 0x55c9de433be9 absl::log_internal::LogMessage::SendToLog() @ 0x55c9de4333e6 absl::log_internal::LogMessage::Flush() @ 0x55c9de434069 absl::log_internal::LogMessageFatal::~LogMessageFatal() @ 0x55c9de3d5194 __assert_fail @ 0x55c9dd924e3a SSL_get_peer_certificate @ 0x55c9dd36735c Envoy::Extensions::TransportSockets::Tls::ConnectionInfoImplBase::uriSanPeerCertificate() @ 0x55c9dd034a2a std::__u::__function::__policy_invoker<>::__call_impl<>() @ 0x55c9dd03ab4e Envoy::Formatter::StreamInfoSslConnectionInfoFieldExtractor::extract() @ 0x55c9dd02d9eb Envoy::Formatter::StreamInfoFormatter::format() @ 0x55c9dd0292d3 Envoy::Formatter::FormatterImpl::format() @ 0x55c9dbcd2ce5 Envoy::Extensions::AccessLoggers::File::FileAccessLog::emitLog() @ 0x55c9dce31490 Envoy::Http::FilterManager::log() @ 0x55c9dce22009 Envoy::Http::ConnectionManagerImpl::doDeferredStreamDestroy() @ 0x55c9dce2197c Envoy::Http::ConnectionManagerImpl::doEndStream() @ 0x55c9dcf614ae Envoy::Http::FilterManager::encodeData() @ 0x55c9dcf476e0 Envoy::Router::UpstreamRequest::decodeData() @ 0x55c9dcf6149a Envoy::Http::FilterManager::encodeData() @ 0x55c9dbb6a51d Envoy::Http::ResponseDecoderWrapper::decodeData() @ 0x55c9dbb6a51d Envoy::Http::ResponseDecoderWrapper::decodeData() @ 0x55c9dce7fbcb Envoy::Http::Http1::ClientConnectionImpl::onMessageCompleteBase() @ 0x55c9dce78733 Envoy::Http::Http1::ConnectionImpl::onMessageCompleteImpl() @ 0x55c9dce7844d Envoy::Http::Http1::ConnectionImpl::onMessageComplete() @ 0x55c9dd7940a8 http_parser_execute @ 0x55c9dce75308 Envoy::Http::Http1::ConnectionImpl::dispatchSlice() @ 0x55c9dce73f32 Envoy::Http::Http1::ConnectionImpl::dispatch() @ 0x55c9dce739be Envoy::Http::Http1::ClientConnectionImpl::dispatch() @ 0x55c9dbddc365 Envoy::Http::CodecClient::onData()

The issue lies in the usage of boringSSL X509 specific interfaces like SSL_get_peer_cert() in this implementation. But unfortunately QUICHE doesn't install the same set of x509 methods.

This is a deterministic failure if a user configures Envoy to use HTTP/3 downstream and to retrieve peer cert at the same time, i.e. configuring access log or forwarding client certs.

Guida contributor