[Bro-Dev] #384: Nearly any broccoli/ssl error causes bro to crash

Bro Tracker bro at tracker.icir.org
Fri Feb 4 18:40:51 PST 2011

#384: Nearly any broccoli/ssl error causes bro to crash
 Reporter:  leres  |       Type:  Problem
   Status:  new    |   Priority:  Normal
Milestone:         |  Component:  Bro
  Version:  1.5.1  |   Keywords:
 I'm trying to get broccoli working with ssl and I'm finding that this
 makes for an exceedingly fragile configuration.

 If a configured cert file is missing, bro starts and runs ok but the first
 time a client connects to the ssl port, bro crashes from
 ChunkedIOSSL::WriteData() with something cryptic in remote.log:

     Feb  4 16:37:36 [error] [child]  [#10000/] can't init
 peer io: [33558530,0,544108320] SSL error: error:02001002:system
 library:fopen:No such file or directory

 Before I figured out that ssl_private_key file needs to be the
 concatenation of the private key and public cert, the crash error in
 remote.log was:

     1296871198.439331 [error] [child]  [#10000/] can't init
 peer io: [151441516,0,1937011567] SSL error: error:0906D06C:PEM
 routines:PEM_read_bio:no start line

 Finally, a client that try to connect without ssl to the ssl port crashes
 bro with this error:

     Feb  4 18:36:22 [error] [child]  [#10000/] can't init
 peer io: [336130315,1,-1] SSL error: error:1408F10B:SSL
 routines:SSL3_GET_RECORD:wrong version number

 It would be nice if there was some way to check the format of ssl cert
 files at startup and complain then if there are obvious problems with
 them. And certainly it is desirable if the worst detected ssl I/O errors
 did was cause the client to be dropped.

Ticket URL: <http://tracker.icir.org/bro/ticket/384>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list