SSLproxy: Child pid 24502 killed by signal 11

Hey it’s me again 😃 I installed SSLproxy and finally got my divert rules in pfSense in order, so traffic is actually received by SSLproxy now, yea 😃 But the problem is that on every connection SSLproxy just crashes:

Certificate cache: MISS
Child pid 24502 killed by signal 11

I really don’t know what that means and would appreciate any help!

Here is all the debug/logging:

  • Output of sslproxy -V
SSLproxy v0.9.2-3-g3dea854 (built 2022-03-31)
Copyright (c) 2017-2021, Soner Tari <sonertari@gmail.com>
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1j  16 Feb 2021 (101010af)
rtlinked against OpenSSL 1.1.1j  16 Feb 2021 (101010af)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13 
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.10.0 (with TPACKET_V3)
compiled against sqlite 3.34.1
rtlinked against sqlite 3.34.1
2 CPU cores detected
  • Output of uname -a
Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
  • Exact command line arguments used to run sslproxy:
sslproxy -f default.cnf -D -l connections.log 2> out.log
  • Relevant part of debug mode (-D) output, if applicable
Received privsep req type 00 sz 1 on srvsock 16
Received privsep req type 00 sz 1 on srvsock 18
Started 4 connection handling threads
Starting main event loop.
SNI peek: [itunes.apple.com] [complete], fd=27
Connecting to [23.35.236.24]:443
===> Original server certificate:
Subject DN: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=California/serialNumber=C0806592/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=management:idms.group.1208920/CN=itunes.apple.com
Common Names: itunes.apple.com/partiality.itunes.apple.com/tv.apple.com/siri-search.itunes.apple.com/desktop-store.itunes.apple.com/su.itunes.apple.com/a1.mzstatic.com/sp.itunes.apple.com/bookkeeper.itunes.apple.com/metrics.mzstatic.com/pcr.apple.com/amp-api-edge.apps.apple.com/accertify.mzstatic.com/s.mzstatic.com/is2-ssl.mzstatic.com/itunes.apple.com/music.apple.com/s3.mzstatic.com/sf-api-token-service.itunes.apple.com/store.mzstatic.com/s5.mzstatic.com/embed.itunes.apple.com/sb.music.apple.com/s2.mzstatic.com/vpp-app.itunes.apple.com/s1.mzstatic.com/radio-quickplay.itunes.apple.com/sync.itunes.apple.com/b1.mzstatic.com/api.music.apple.com/api-edge.apps.apple.com/carrierbundle.itunes.apple.com/itunesu.itunes.apple.com/api.itunes.apple.com/is4-ssl.mzstatic.com/amp-api-search-edge.apps.apple.com/upp.itunes.apple.com/finance-app.itunes.apple.com/a4.mzstatic.com/radio.itunes.apple.com/apps.mzstatic.com/vocabulary.itunes.apple.com/s4.mzstatic.com/is3-ssl.mzstatic.com/a5.mzstatic.com/uts-api-siri.itunes.apple.com/api.apps.apple.com/atve.tv.apple.com/amp-api-edge.music.apple.com/bag.itunes.apple.com/amp-api.podcasts.apple.com/itc.mzstatic.com/configuration.apple.com/books.apple.com/init.itunes.apple.com/b4.mzstatic.com/apps.apple.com/b2.mzstatic.com/tf-feedback.itunes.apple.com/b3.mzstatic.com/api.books.apple.com/se-edge.itunes.apple.com/desktop-music-legacy.itunes.apple.com/files.itunes.apple.com/dzc-metrics.mzstatic.com/radio-services.itunes.apple.com/desktop-music.itunes.apple.com/videos.apple.com/api.edu.apple.com/radio-activity.itunes.apple.com/is5-ssl.mzstatic.com/a3.mzstatic.com/sb.tv.apple.com/podcasts.apple.com/api.videos.apple.com/a2.mzstatic.com/is1-ssl.mzstatic.com/se.itunes.apple.com/search.itunes.apple.com/xp.apple.com/pd.itunes.apple.com/b5.mzstatic.com/api.podcasts.apple.com/sitemaps.itunes.apple.com/edge.itunes.apple.com/uts-preview.itunes.apple.com
Fingerprint: 0B:0F:F3:6D:CF:66:23:25:6F:914F:C2:8F:26:6A:FA:73:C4:09:47
Certificate cache: MISS
Child pid 24502 killed by signal 11
  • NAT redirection rules you are using, if applicable
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination  
  • List of failing unit tests in make test output
make -C src
make[1]: Entering directory '/root/SSLproxy/src'
------------------------------------------------------------------------------
SSLproxy v0.9.2-3-g3dea854
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -c -isystem/usr/include  -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-01\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib  -pthread -o sslproxy base64.o build.o cache.o cachedsess.o cachefkcrt.o cachemgr.o cachessess.o cachetgcrt.o cert.o dynbuf.o filter.o log.o logbuf.o logger.o logpkt.o main.o nat.o opts.o privsep.o proc.o protoautossl.o protohttp.o protopassthrough.o protopop3.o protosmtp.o protossl.o prototcp.o proxy.o pxyconn.o pxythr.o pxythrmgr.o ssl.o sys.o thrqueue.o url.o util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3
make[1]: Leaving directory '/root/SSLproxy/src'
make unittest
make[1]: Entering directory '/root/SSLproxy'
make -C src
make[2]: Entering directory '/root/SSLproxy/src'
------------------------------------------------------------------------------
SSLproxy v0.9.2-3-g3dea854
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -c -isystem/usr/include  -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-01\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib  -pthread -o sslproxy base64.o build.o cache.o cachedsess.o cachefkcrt.o cachemgr.o cachessess.o cachetgcrt.o cert.o dynbuf.o filter.o log.o logbuf.o logger.o logpkt.o main.o nat.o opts.o privsep.o proc.o protoautossl.o protohttp.o protopassthrough.o protopop3.o protosmtp.o protossl.o prototcp.o proxy.o pxyconn.o pxythr.o pxythrmgr.o ssl.o sys.o thrqueue.o url.o util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3
make[2]: Leaving directory '/root/SSLproxy/src'
make -C tests/check
make[2]: Entering directory '/root/SSLproxy/tests/check'
------------------------------------------------------------------------------
SSLproxy v0.9.2-3-g3dea854
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -L/usr/lib  -pthread -pthread -o sslproxy.test base64.t.o cachedsess.t.o cachefkcrt.t.o cachemgr.t.o cachessess.t.o cachetgcrt.t.o cert.t.o defaults.t.o dynbuf.t.o filter.t.o filterstruct.t.o logbuf.t.o main.t.o opts.t.o proto.t.o pxythrmgr.t.o ssl.t.o sys.t.o url.t.o util.t.o ../../src/base64.o ../../src/build.o ../../src/cache.o ../../src/cachedsess.o ../../src/cachefkcrt.o ../../src/cachemgr.o ../../src/cachessess.o ../../src/cachetgcrt.o ../../src/cert.o ../../src/dynbuf.o ../../src/filter.o ../../src/log.o ../../src/logbuf.o ../../src/logger.o ../../src/logpkt.o ../../src/nat.o ../../src/opts.o ../../src/privsep.o ../../src/proc.o ../../src/protoautossl.o ../../src/protohttp.o ../../src/protopassthrough.o ../../src/protopop3.o ../../src/protosmtp.o ../../src/protossl.o ../../src/prototcp.o ../../src/proxy.o ../../src/pxyconn.o ../../src/pxythr.o ../../src/pxythrmgr.o ../../src/ssl.o ../../src/sys.o ../../src/thrqueue.o ../../src/url.o ../../src/util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3 -lcheck_pic -lrt -lm -lsubunit
make -C engine
make[3]: Entering directory '/root/SSLproxy/tests/check/engine'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/root/SSLproxy/tests/check/engine'
make -C pki testreqs
make[3]: Entering directory '/root/SSLproxy/tests/check/pki'
rm -f rsa.srl
make[3]: Leaving directory '/root/SSLproxy/tests/check/pki'
./sslproxy.test
Running suite(s): 
 main
 opts
 filter
 filter_struct
 dynbuf
 logbuf
 cert
 cachemgr
 cachefkcrt
 cachetgcrt
 cachedsess
 cachessess
 ssl
 sys
 base64
 url
 util
 pxythrmgr
 defaults
 proto
100%: Checks: 212, Failures: 0, Errors: 0
make[2]: Leaving directory '/root/SSLproxy/tests/check'
make[1]: Leaving directory '/root/SSLproxy'
make e2etest
make[1]: Entering directory '/root/SSLproxy'
make -C src
make[2]: Entering directory '/root/SSLproxy/src'
------------------------------------------------------------------------------
SSLproxy v0.9.2-3-g3dea854
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -c -isystem/usr/include  -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-01\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib  -pthread -o sslproxy base64.o build.o cache.o cachedsess.o cachefkcrt.o cachemgr.o cachessess.o cachetgcrt.o cert.o dynbuf.o filter.o log.o logbuf.o logger.o logpkt.o main.o nat.o opts.o privsep.o proc.o protoautossl.o protohttp.o protopassthrough.o protopop3.o protosmtp.o protossl.o prototcp.o proxy.o pxyconn.o pxythr.o pxythrmgr.o ssl.o sys.o thrqueue.o url.o util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3
make[2]: Leaving directory '/root/SSLproxy/src'
make -C tests/testproxy
make[2]: Entering directory '/root/SSLproxy/tests/testproxy'
/bin/sh: 1: /root/.cargo/bin/testproxy: not found
/bin/sh: 1: /root/.cargo/bin/testproxy: not found
GNUmakefile:6: *** Use Testproxy v0.0.4 with this version of SSLproxy, found .  Stop.
make[2]: Leaving directory '/root/SSLproxy/tests/testproxy'
make[1]: *** [GNUmakefile:20: e2etest] Error 2
make[1]: Leaving directory '/root/SSLproxy'
make: *** [GNUmakefile:14: test] Error 2

^- Don’t know if this is an indication of a failed build or if some test files are missing…

My config “default.cnf”:

ProxySpec {
    Proto https
    Addr 0.0.0.0       # inline
    Port 8443       # comments

    # Divert or split
    Divert no

    # Connection options
    CACert Cloud+SwiftBird+SSLProxy+CA.crt
    CAKey Cloud+SwiftBird+SSLProxy+CA.key
    UserAuth no

FilterRule {
    Action Split
    SrcIp *
    DstIp *
    Log *
    CACert Cloud+SwiftBird+SSLProxy+CA.crt
    CAKey Cloud+SwiftBird+SSLProxy+CA.key
    UserAuth no
}
}
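
What the "Child pid … killed by signal 11" line in the report above means, as an added example (not SSLproxy's code and not part of the original post): a parent forks a worker, collects its wait status and decodes the terminating signal, which on Linux is SIGSEGV for number 11. The names `supervise`, `crashing_child` and `clean_child` are hypothetical, and the child raises SIGSEGV deliberately as a constructed stand-in for an invalid memory access.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a worker that hits an invalid memory access. */
static void crashing_child(void)
{
    signal(SIGSEGV, SIG_DFL);  /* ensure the default action (terminate) applies */
    raise(SIGSEGV);
}

/* Constructed stand-in for a worker that finishes normally. */
static void clean_child(void) { }

/* Fork a child running fn, wait for it, and describe how it ended in msg.
 * Returns the terminating signal number, 0 for a normal exit, -1 on error. */
int supervise(void (*fn)(void), char *msg, size_t msglen)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {            /* child: run the worker, then exit cleanly */
        fn();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status)) { /* child did not exit, the kernel killed it */
        int sig = WTERMSIG(status);
        snprintf(msg, msglen, "Child pid %ld killed by signal %d%s",
                 (long)pid, sig, sig == SIGSEGV ? " (SIGSEGV)" : "");
        return sig;
    }
    snprintf(msg, msglen, "Child pid %ld exited with status %d",
             (long)pid, WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    return 0;
}

int main(void)
{
    char msg[128];
    supervise(crashing_child, msg, sizeof(msg));
    puts(msg);
    supervise(clean_child, msg, sizeof(msg));
    puts(msg);
    return 0;
}
```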

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 19 (9 by maintainers)

Most upvoted comments

I have fixed a crash in split mode on the develop branch, which may or may not be the same issue you have, but it is worth trying.