curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

curl_easy_perform() crash (more info)

From: Daniel Polski via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 10 Sep 2019 12:08:32 +0200

curl 7.65.3
openssl 1.1.1b

I'm still hunting for the crash bug in my application and found
something interesting: "old SSL session ID is stale, removing" (marked
"<-- this row") is reported twice about the same time in the verbose
curl output below.

Are 2 threads trying to remove the same session without locking? As far
as I understand from openssl.c that should be prevented by the call to
Curl_ssl_sessionid_lock(conn)?

I setup a share which I initialize once with:
CURLSH *sslShare;
sslShare = curl_share_init();
curl_share_setopt(sslShare, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);

and then different threads call a function which in turn set it like
this before calling curl_easy_perform:
CURL *curl = curl_easy_init();
(...)
curl_easy_setopt(curl, CURLOPT_SHARE,             sslShare);
res = curl_easy_perform(curl);

Should that be enough for session share protection, or do I also have to
configure own locking similar to this:
curl_share_setopt(sslShare, CURLSHOPT_LOCKFUNC, a_lock_cb);
curl_share_setopt(sslShare, CURLSHOPT_UNLOCKFUNC, an_unlock_cb);

?

Thanks,
/Daniel

Verbose curl output:

* STATE: PERFORM => DONE handle 0x623000220508; line 1933 (connection #0)
* multi_done
* Connection #0 to host www.nordnet.se left intact
* Expire cleared (transfer 0x623000220508)
* * old SSL session ID is stale, removing          <------------ this row
old SSL session ID is stale, removing <------------this row
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=SE;
serialNumber=516406-0021; C=SE; L=Stockholm; O=Nordnet Bank AB;
CN=www.nordnet.se
*  start date: May 28 00:00:00 2019 GMT
*  expire date: Aug 13 12:00:00 2020 GMT
*  subjectAltName: host "www.nordnet.se" matched cert's "www.nordnet.se"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2
Extended Validation Server CA
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x62300024c108; line 1566 (connection #0)
* Server auth using Basic with user [removed]
> GET /next/2/news/1001099919 HTTP/1.1

Stack at crash:

0x7ffff72c2605
0x7ffff72c0968
ASN1_item_free() at 0x7ffff72c0a85
OPENSSL_sk_pop_free() at 0x7ffff73fc4f0
SSL_SESSION_free() at 0x7ffff752c3b6
Curl_ossl_session_free() at openssl.c:1,399 0x5555557829af
Curl_ssl_kill_session() at vtls.c:374 0x55555573b6d4
Curl_ssl_delsessionid() at vtls.c:398 0x55555573b7b0
ossl_new_session_cb() at openssl.c:2,268 0x55555578406e
0x7ffff752582a
0x7ffff7544153
0x7ffff753997e
SSL_do_handshake() at 0x7ffff75259c4
ossl_connect_step2() at openssl.c:2,798 0x555555785c78
ossl_connect_common() at openssl.c:3,608 0x5555557885d8
Curl_ossl_connect_nonblocking() at openssl.c:3,642 0x555555788706
Curl_ssl_connect_nonblocking() at vtls.c:275 0x55555573b1c4
https_connecting() at http.c:1,559 0x5555557469f7
Curl_protocol_connecting() at url.c:1,477 0x555555750912
multi_runsingle() at multi.c:1,563 0x55555571f9af
curl_multi_perform() at multi.c:2,090 0x555555720b16
easy_transfer() at easy.c:624 0x5555557181a7
easy_perform() at easy.c:718 0x555555718426
curl_easy_perform() at easy.c:737 0x55555571848d
nordnetApi::query() at nordnetApi.cpp:255 0x5555556a1019
nordnetApi::newsItem() at basic_string.h:656 0x5555556b27ac
feedProcessor::run() at feedProcessor.cpp:1,383 0x55555566e7bc
runThread() at Thread.cpp:25 0x55555558c5e4
start_thread() at pthread_create.c:486 0x7ffff7207182
clone() at clone.S:95 0x7ffff6cd5b1f
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-09-10