[Bro-Dev] #384: Nearly any broccoli/ssl error causes bro to crash
Bro Tracker
bro at tracker.icir.org
Fri Feb 4 18:40:51 PST 2011
#384: Nearly any broccoli/ssl error causes bro to crash
-------------------+---------------------
Reporter: leres | Type: Problem
Status: new | Priority: Normal
Milestone: | Component: Bro
Version: 1.5.1 | Keywords:
-------------------+---------------------
I'm trying to get broccoli working with ssl and I'm finding that this
makes for an exceedingly fragile configuration.
If a configured cert file is missing, bro starts and runs ok, but the first
time a client connects to the ssl port, bro crashes from
ChunkedIOSSL::WriteData() with something cryptic in remote.log:
Feb 4 16:37:36 [error] [child] [#10000/128.3.64.22:62180] can't init
peer io: [33558530,0,544108320] SSL error: error:02001002:system
library:fopen:No such file or directory
Before I figured out that the ssl_private_key file needs to be the
concatenation of the private key and public cert, the crash error in
remote.log was:
1296871198.439331 [error] [child] [#10000/127.0.0.1:63488] can't init
peer io: [151441516,0,1937011567] SSL error: error:0906D06C:PEM
routines:PEM_read_bio:no start line
Finally, a client that tries to connect without ssl to the ssl port crashes
bro with this error:
Feb 4 18:36:22 [error] [child] [#10000/128.3.64.22:60066] can't init
peer io: [336130315,1,-1] SSL error: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
It would be nice if there was some way to check the format of ssl cert
files at startup and complain then if there are obvious problems with
them. And certainly it is desirable if the worst that detected ssl I/O
errors did was cause the client to be dropped.
--
Ticket URL: <http://tracker.icir.org/bro/ticket/384>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
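The startup check the reporter asks for, as an added example in Python (not Bro or Broccoli code): it covers the two misconfigurations in the report that can be caught before any peer connects, a missing file and a file that is not a key+cert PEM concatenation. Function and constant names are hypothetical; the PEM bodies are constructed placeholders.

```python
"""Startup sanity check for a Bro/Broccoli ssl_private_key file. Added example,
not Bro or Broccoli code; function and constant names are hypothetical."""
import base64
import os
import re

# One PEM block: BEGIN line, base64 body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
               "DSA PRIVATE KEY"}

def check_ssl_private_key_text(text):
    """Return a list of problems with the file contents; empty means ok."""
    blocks = _PEM_BLOCK.findall(text)
    if not blocks:
        # The condition behind OpenSSL's "PEM_read_bio:no start line".
        return ["no PEM block found (no start line)"]
    problems, labels = [], set()
    for label, body in blocks:
        labels.add(label)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("PEM block %r has a malformed base64 body" % label)
    if not labels & _KEY_LABELS:
        problems.append("no private key block; file must hold key and cert")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block; file must hold key and cert")
    return problems

def check_ssl_private_key_file(path):
    """Check the configured path; a missing file is reported, not fatal."""
    if not os.path.isfile(path):
        # The condition behind "fopen:No such file or directory".
        return ["cannot open %s: no such file" % path]
    with open(path) as f:
        return check_ssl_private_key_text(f.read())

# Constructed sample inputs with placeholder base64 (not real key material).
KEY_BLOCK = ("-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0hJSktMTU5PUA==\n"
             "-----END RSA PRIVATE KEY-----\n")
CERT_BLOCK = ("-----BEGIN CERTIFICATE-----\nUVJTVFVWV1hZWjAxMjM0NQ==\n"
              "-----END CERTIFICATE-----\n")
GOOD_FILE = KEY_BLOCK + CERT_BLOCK  # key + cert concatenated, as the ticket says
CERT_ONLY = CERT_BLOCK              # the mistake the reporter first made
BAD_BODY = KEY_BLOCK.replace("QUJD", "Q*J!") + CERT_BLOCK
NOT_PEM = "this is not a pem file\n"
```

Running the check once at startup and refusing to listen on the ssl port when it returns problems turns the three cryptic remote.log crashes into one clear configuration error.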