Search code examples
c++opensslthrift

Thrift random crashes on SSL_accept

I'm developing a client and a Threaded server in C++ but I'm facing problems with OpenSSL/TLS integration.

So far, I've followed the ThriftServer.cpp and ThriftClient.cpp but I'm getting random errors which cause the crash of my application. Specifically, the crash happens when a client tries to call the defined thrift interface on the server (already live)

/* server init with PEM public/private certificates 
 * and trusted certificates, socketFactory->accept(true),  
 * transport->open() */

myServer->start();  //running on separated thread, calling thriftserver->serve();

/* client init with PEM public/private certificates 
 * and trusted certificates, socketFactory->accept(true),  
 * transport->open() */

myClient->beginSession(); //Thrift API call - crash

The crashes are really generic: sometimes it gives me

TConnectedClient died: SSL_accept: error 0

and sometimes

TConnectedClient died: SSL_accept: parse tlsext

and both ending with SIGSEV.

I am running a Debian 8.1 x64 with latest OpenSSL 1.0.2d compiled from sources and flag enable-tlsext, thrift from github/trunk and libevent from github/trunk.

I've tried my custom self-signed certificates and the testing certificates shipped with Thrift: in both cases it doesn't work, but they are working with openssl s_client and openssl s_server

Any idea about the cause of these errors?

EDIT

I've compiled OpenSSL with Thread support (threads flag on ./configure) and now my application triggers always the error

SSL_shutdown: broken pipe

when the client tries to contact the server. Digging more in details, the openssl s_client triggers a 

sslv3 alert handshake failure

using TLSv1.2 as protocol. I've checked this other Stackoverflow question but it didn't help, as long as I'm using the latest OpenSSL snapshot already

Solution

  • Regarding the SSL_shutdown problem, according to this document, you are supposed ignore the SIGPIPE signal to avoid server crashes:

    SIGPIPE signal

    Applications running OpenSSL over network connections may crash if SIGPIPE is not ignored. This happens when they receive a connection reset by remote peer exception, which somehow triggers a SIGPIPE signal. If not handled, this signal would kill the application.

    This can be done with:

    #include <csignal>
// ...
signal(SIGPIPE, SIG_IGN);