View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0004406||unreal||ircd||public||2015-09-01 01:44||2015-09-04 11:20|
|Platform||Linux||OS||Scientific Linux||OS Version||6.7|
|Target Version||Fixed in Version||3.4-beta4|
|Summary||0004406: I/O engine DoS|
|Description||entire ircd freezes while ssl client waits for ssl certificate verification.|
|Steps To Reproduce||i used mirc for this: connect to server on ssl port with certificate that causes security alert to pop up, during this time the ircd is totally frozen for other clients and across the network.|
|Additional Information||messages logged on server:|
[2015/08/31 - 7:31:23PM] -alderaan.r-type.ca- Exiting ssl client [@192.168.10.100.2023]: SSL_accept(): Success
[2015/08/31 - 7:31:23PM] -alderaan.r-type.ca- *** WARNING: Slow I/O engine or high load: fd_select() took 60270 ms! read_callbacks=1, write_callbacks=0
[2015/08/31 - 7:31:23PM] -alderaan.r-type.ca- *** WARNING: Time jumped ~61 seconds ahead! (1441063824 -> 1441063885)
[2015/08/31 - 7:31:23PM] -alderaan.r-type.ca- *** Incorrect time for IRC servers is a serious problem. Time being adjusted (either by TSCTL or by resetting the clock) more than a few seconds forward/backward can lead to serious issues.
[2015/08/31 - 7:31:23PM] -alderaan.r-type.ca- *** Please be sure your clock is always synchronized before the IRCd is started or use the built-in timesynch feature.
[2015/08/31 - 7:31:23PM] -alderaan.r-type.ca- *** [TimeShift] Resetting some timers!
|Tags||No tags attached.|
|3rd party modules|
Hmmm, strange. I can't reproduce it, trying what you describe:
1) Connect mIRC, I'm using version 7.41 and $sslversion is 18.104.22.168.
2) I get a Security alert... with OK / CANCEL (and option to automatically accept)
Then I try to connect another client, which goes fine. No delay. No message in log.
I believe you when you say you are experiencing this and it sounds like a real serious issue, so hope I can reproduce it with some more help.
Maybe you use a different mIRC version / SSL version combination, if so.. which ?
You connect directly to an SSL port? (so +XXXX or -e ....) or do you use STARTTLS?
Is your server located on a LAN or the Internet? (may impact things like add some delay and thus different processing of packets)
I'm using Debian 8.1, OpenSSL 1.0.1k 8 Jan 2015
just realized i was still using a slightly outdated build, am still able to cause this on rev: f44ad7e6084436cfd8fdc8d817c92f25d305f68d
server is using a 32bit os
[2015/09/01 - 4:33:15PM] Unreal3.4-beta2. alderaan.r-type.ca Fhin6OoEM [Linux buildhost 2.6.32-504.16.2.el6.i686 #1 SMP Tue Apr 21 10:34:36 CDT 2015 i686=2351]
[2015/09/01 - 4:33:15PM] -alderaan.r-type.ca- OpenSSL 1.0.1e-fips 11 Feb 2013
[2015/09/01 - 4:33:15PM] -alderaan.r-type.ca- libcurl/7.28.0 OpenSSL/1.0.1e zlib/1.2.3 c-ares/1.10.0 libidn/1.18
[2015/09/01 - 4:33:15PM] UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 MAXNICKLEN=30 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 are supported by this server
[2015/09/01 - 4:33:15PM] MAXTARGETS=20 WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,k,l,psmntirzMQNRTOVKDdGPZSCc NETWORK=R-TypeNet CASEMAPPING=ascii EXTBAN=~,SOcaRrnqj ELIST=MNUCT are supported by this server
[2015/09/01 - 4:33:15PM] STATUSMSG=~&@%+ EXCEPTS INVEX CMDS=USERIP,STARTTLS,KNOCK,DCCALLOW,MAP are supported by this server
client: mirc 7.32, ssl in mirc is 1.0.1c, connecting directly to port 6697, which is marked ssl in the config. this is a local server on my lan.
||i have just confirmed that this also occurs on the 64bit build of the same os|
Tried again, but no luck unfortunately:
* installed and used mIRC 7.32 w/1.0.1c (SAME as yours)
* using SSL port, no STARTTLS (SAME)
* server on LAN (SAME)
* latest version f44ad7e6084436cfd8fdc8d817c92f25d305f68d (SAME?)
* OpenSSL 1.0.1k (DIFFERENT, yours is 1.0.1e)
I'm a bit confused by the /VERSION output you pasted. It says 3.4-beta2 but you say you are using f44ad7e6084436cfd8fdc8d817c92f25d305f68d which is the very latest git version and should show up as beta3.
Is it just an old paste (from before you upgraded) or was the 3.4-beta3 update indeed not actually installed / effective?
||so i erased everything from the user account im using to test 3.4, recompiled directly from latest git (https://github.com/unrealircd/unrealircd/archive/f44ad7e6084436cfd8fdc8d817c92f25d305f68d.zip), /version is still coming up as 3.4 beta 2|
I see, I forgot to run a command indeed (autogen) -- doesn't matter.
So you're using the same version too, you test the same way I do (as discussed on IRC).
Could you attach your unrealircd.conf (or more if you have split it up), or send them to email@example.com
Please xx out any passwords or other sensitive info like IP's.
That would be my last try though. If then I can still not reproduce then I can only ask for shell access to debug, as it's not reproducible here.
||configuration file attached|
Thanks, with your configuration file I can reproduce it 100% :)
EDIT: Strange, and now I can also reproduce it with my own config. Ah well. Happy I can reproduce it now.
Thanks for the report and all your help/patience :)
Still don't understand why I couldn't reproduce it earlier, tried numerous times.. maybe something SSL-client/DLL related as the server didn't change.
Doesn't matter anymore, the issue is fixed now.
Author: Bram Matthys <firstname.lastname@example.org>
Date: Fri Sep 4 11:14:06 2015 +0200
Fix UnrealIRCd hanging on SSL clients, thus freezing the IRCd. Reported by Eman (0004406).
|2015-09-01 01:44||Eman||New Issue|
|2015-09-01 09:26||syzop||Note Added: 0018663|
|2015-09-01 09:26||syzop||Assigned To||=> syzop|
|2015-09-01 09:26||syzop||Status||new => feedback|
|2015-09-01 22:34||Eman||Note Added: 0018664|
|2015-09-01 22:54||Eman||Note Added: 0018665|
|2015-09-02 09:40||syzop||Note Added: 0018666|
|2015-09-02 09:42||syzop||Note Edited: 0018666||View Revisions|
|2015-09-03 12:21||Eman||Note Added: 0018668|
|2015-09-03 18:50||syzop||Note Added: 0018669|
|2015-09-04 03:34||Eman||File Added: unrealircd.conf|
|2015-09-04 03:35||Eman||Note Added: 0018670|
|2015-09-04 10:39||syzop||Note Added: 0018671|
|2015-09-04 10:39||syzop||Status||feedback => confirmed|
|2015-09-04 11:15||syzop||Note Edited: 0018671||View Revisions|
|2015-09-04 11:17||syzop||File Deleted: unrealircd.conf|
|2015-09-04 11:17||syzop||Note Added: 0018672|
|2015-09-04 11:17||syzop||View Status||private => public|
|2015-09-04 11:20||syzop||Note Added: 0018673|
|2015-09-04 11:20||syzop||Status||confirmed => resolved|
|2015-09-04 11:20||syzop||Fixed in Version||=> 3.4-beta4|
|2015-09-04 11:20||syzop||Resolution||open => fixed|