[SOLVED] broken CUPS on 15.0 and -current: certificate creation fails (bug?), Cups crashes

MisterL · 07-29-2022, 10:36 AM

Hi,
my CUPS setup once worked fine and broke. It's on arm, but I was able to reproduce the error on x64, both 15.0 and a fresh installed -current.

Here's what's happening:
when connecting to the cups interface via HTTPS, remotely or on the localhost, the cups process dies. Connecting via plain HTTP causes no issue. Since CUPS redirects you to https in the admin-parts of the WebUI, it becomes impossible to manage.

On a side note: CUPS generates its own certificates, but this doesn't work, too. I have to set "ServerKeychain /etc/cups/ssl" explicitly in /etc/cups/cups-files.conf, although it is supposed to be the default value.

In dmesg I get:

Code:

[ 1474.316492] cupsd[1791]: segfault at 7f3fc620bd70 ip 00007f3fc620bd70 sp 00007ffe10930b98 error 15 in libc-2.35.so[7f3fc620b000+2000]
[ 1474.316538] Code: 00 00 30 bd 20 c6 3f 7f 00 00 40 bd 20 c6 3f 7f 00 00 40 bd 20 c6 3f 7f 00 00 50 bd 20 c6 3f 7f 00 00 50 bd 20 c6 3f 7f 00 00 <60> bd 20 c6 3f 7f 00 00 60 bd 20 c6 3f 7f 00 00 70 bd 20 c6 3f 7f

Here's the last lines of strace:

Code:

read(12, "href=\"help/api-filter.html\">Filt"..., 214) = 214
sendto(11, "\27\3\3\0\347\270r\225\30\330\254y\227\314\214\344\31\216\236X\200\256~\221\7\342\264]\254R\23 "..., 236, 0, NULL, 0) = 236
write(5, "D [29/Jul/2022:15:16:35 +0200] ["..., 65) = 65
write(5, "D [29/Jul/2022:15:16:35 +0200] ["..., 74) = 74
write(5, "d [29/Jul/2022:15:16:35 +0200] c"..., 114) = 114
epoll_ctl(3, EPOLL_CTL_MOD, 11, {events=EPOLLIN, data={u32=498518080, u64=94923570726976}}) = 0
write(5, "D [29/Jul/2022:15:16:35 +0200] ["..., 63) = 63
write(5, "d [29/Jul/2022:15:16:35 +0200] c"..., 56) = 56
close(12)                               = 0
write(5, "D [29/Jul/2022:15:16:35 +0200] ["..., 82) = 82
write(5, "D [29/Jul/2022:15:16:35 +0200] ["..., 62) = 62
write(5, "D [29/Jul/2022:15:16:35 +0200] c"..., 92) = 92
sendto(11, "\27\3\3\0\0230\356\247\373\0352\252\3279\1*D\2772\206\323c9\22", 24, 0, NULL, 0) = 24
shutdown(11, SHUT_RD)                   = -1 ENOTCONN (Transport endpoint is not connected)
write(5, "d [29/Jul/2022:15:16:35 +0200] c"..., 114) = 114
epoll_ctl(3, EPOLL_CTL_MOD, 11, {events=EPOLLIN, data={u32=498518080, u64=94923570726976}}) = 0
write(5, "D [29/Jul/2022:15:16:35 +0200] ["..., 68) = 68
write(5, "d [29/Jul/2022:15:16:35 +0200] c"..., 96) = 96
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x7fd802a0bd70} ---
+++ killed by SIGSEGV +++

Steps to reproduce:
1) Install slackware and upgrade if necessary
2) chmod +x /etc/rc.d/rc.cups
3) set "LogLevel debug2" in /etc/cups/cupsd.conf
4) /etc/rc.d/rc.cups start
5) lynx https://localhost:631
6) see /var/log/cups/error_log and uncomment "ServerKeychain ssl" in /etc/cups/cups-files.conf (or the full path)
7) Restart cups, repeat 5) and press "y" when asked to accept the self-signed cert (twice)
8) see cert+key get created in /etc/cups/ssl and check if cups has crashed. Try some more https connections to make it crash

I hope someone will be able to reproduce the problem, I'm stuck

Cheers,
MisterL

willysr · 07-30-2022, 04:16 AM

that's probably because your browser redirects you to https by default (it's a feature found in all modern browser to eliminate http:// usage).
try to enter http protocol to gain access to CUPS web-based interface

MisterL · 07-30-2022, 05:20 AM

Hi willysr,
thanks for taking the time to reply.
I'm afraid this isn't a client problem and my browser doesn't use https automatically. As I wrote in my initial post, connecting via http only works fine.
Unfortunately that's no solution as some pages in the UI require https and I can't disable it completely, so any https connection will kill the server process.

Cheers,
MisterL

MisterL · 08-05-2022, 10:39 AM

I've put an nginx proxy to do the ssl stuff now, I couldn't find any other way to keep cupsd from crashing. In the default configuration cups can't create its self signed certs, so it can never be accessed via https and so it never crashes, I suppose. This may be okay when it's local only and never accessed via network.

I don't know if y'all tried to reproduce it with a clean install including latest, but if so: please leave a short message even if you couldn't reproduce the error :-)

Cheers,
MisterL

bryjen · 09-04-2022, 02:12 PM

I've noticed this recently as well. Browsing the web UI works OK over HTTP, but when it redirects to HTTPS for the Administration page, cupsd crashes from a segfault. I have a manually-generated self-signed certificate configured for CUPS. Some googling found issue #409 on the OpenPrinting/cups Github site. I haven't noticed crashes due to print jobs, but the underlying cause there is an interaction with OpenSSL that seems likely to also be relevant to this problem. I reverted my cups package from the 2.4.2 version that's currently in /patches/ to the 2.3.3op2 version from the 15.0 release. The older version does not have a problem with HTTPS. It appears to be using GnuTLS instead of OpenSSL.

bryjen · 09-04-2022, 02:13 PM

URL to issue https://github.com/OpenPrinting/cups/issues/409

kjhambrick · 09-04-2022, 03:01 PM

Hmmm

I wonder if the cups Patch for OpenSSL that bryjen referenced: Fix OpenSSL crash bug - "tls" pointer wasn't cleared after freeing it (Issue #409) should be applied to cups in 15.0 and current ?

Thanks to bryjen and MisterL

-- kjh

MisterL · 09-13-2022, 09:34 AM

Thanks for the confirmation!
I've found some time to test the patch from cups' github repo and this fixes the crashes. I mailed a bug report to PV, hope he'll fix the package.

Thanks for your help! :-)

tmmukunn · 09-15-2022, 07:37 PM

It sounds like the openssl option they added for 2.4.x is buggy. Perhaps Pat would consider just using gnutls until they work things out.

I spent a bit of time trying to get cups working with a cert issued by a two tier CA on my slackware 15 box. Finally saw the issue below after noticing this post and the other CUPS issue link posted, which told me its not going to work currently with their openssl implementation. It does work with the gnutl option in cups 2.3.3op2.

https://github.com/OpenPrinting/cups/issues/465