openssl: s_server crashes with "gethostbyname failure" on iOS connect

Using Ubuntu 14.04 with the latest packages: OpenSSL 1.0.1f 6 Jan 2014

When connecting with iPhone and iOS 10, I’m getting this crash on the server side:

openssl s_server -accept 443 -chain -cert cert/example/example.cert -key cert/example/example.key -www -debug -msg -state
Enter pass phrase for cert/example/example.key:
Using default temp DH parameters
ACCEPT
gethostbyname failure
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

Tried to upgrade to the libssl and openssl used in Ubuntu 16.04: OpenSSL 1.0.2g 1 Mar 2016 and got the same error.

Note all other clients, browsers, etc… work without a problem on the same server.

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 28 (17 by maintainers)

Most upvoted comments

Ah, but what you’re saying is that the client address has a PTR record to 2-53-37-28.orange.net.il, but that one doesn’t exist in DNS, right? This is commonly seen as unacceptable (insecure).

So ok, it might be a bit strong for s_server to stop running because of this… it would be enough if it just refused to talk with that client, but otherwise resumed listening. So a tentative patch would be this:

diff --git a/apps/s_socket.c b/apps/s_socket.c
index 77a7688f8d..cac0f114da 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -308,9 +308,14 @@ int do_server(int port, int type, int *ret,
     }
     for (;;) {
         if (type == SOCK_STREAM) {
-            if (do_accept(accept_socket, &sock, &name) == 0) {
+            switch (do_accept(accept_socket, &sock, &name)) {
+            case -1:
                 SHUTDOWN(accept_socket);
                 return (0);
+            case 0:
+                continue;
+            default:
+                break;
             }
         } else
             sock = accept_socket;
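Review bot: the `default:` arm of the new switch treats every return value other than -1 and 0 as an accepted connection, and the three-way contract it relies on (-1 stops the server, 0 drops this client, anything else proceeds) is not written down anywhere in the patch. Add a comment above do_accept() stating that contract, and a short comment on `case 0: continue;` saying that the `continue` resumes the enclosing `for (;;)` accept loop, since a `continue` inside a `switch` is easy to misread.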
@@ -395,7 +400,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
 /*      struct linger ling; */
 
     if (!ssl_sock_init())
-        return (0);
+        return (-1);
 
 # ifndef OPENSSL_SYS_WINDOWS
  redoit:
@@ -425,7 +430,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
         fprintf(stderr, "errno=%d ", errno);
         perror("accept");
 # endif
-        return (0);
+        return (-1);
     }
 
 /*-
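Review bot: in the accept() error path, `return (-1);` after `perror("accept");` makes every accept() failure stop the server, including errors that concern only the one connection, such as ECONNABORTED. errno is already at hand at this point, so unless the lines above the hunk filter such cases, consider returning 0 for them and keeping -1 for the rest. Otherwise a single failed connection attempt can still end the listener, which is the behaviour the patch sets out to remove.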
@@ -456,7 +461,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
         if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
             perror("OPENSSL_malloc");
             closesocket(ret);
-            return (0);
+            return (-1);
         }
         BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
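Review bot: this OPENSSL_malloc() failure path closes the accepted socket with `closesocket(ret);` before returning, and the same cleanup now matters on every path that still returns 0, because the caller loops back into do_accept() instead of exiting. Those paths are outside the visible hunks, so check that each one closes `ret` and releases the `*host` buffer allocated here before its `return (0);`. If they do not, every refused client leaks a descriptor and a buffer for as long as the server keeps running.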