
Netopeer2-server crash with 2.2.28 with TLS configuration #1686

Open
srikanthsubbaramu opened this issue Dec 24, 2024 · 4 comments
Labels
is:bug Bug description. status:invalid Issue is not reproducible.

Comments

@srikanthsubbaramu

srikanthsubbaramu commented Dec 24, 2024

Hi Michal,
We have observed a netopeer2-server crash during TLS call home; we wanted to know if this issue has ever been seen or encountered. The backtrace points to strcmp_avx on certificate verification in the libnetconf TLS calls. Attached are the netopeer2 core and the tls_certs used to configure the server.

BT:

warning: Unexpected size of section `.reg-xstate/379' in core file.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `netopeer2-server -d -v 2 -t 20 -x /usr/local/bin/scripts/mount-schema.xml'.
Program terminated with signal SIGSEGV, Segmentation fault.
 
warning: Unexpected size of section `.reg-xstate/379' in core file.
#0  0x00007febfda0080b in __strcmp_avx2 () from /lib64/libc.so.6
[Current thread is 1 (Thread 0x7febf67a1700 (LWP 379))]
Missing separate debuginfos, use: yum debuginfo-install netopeer2-gcc-x86-64-rocky8.10-release-prod-0.0.4_main-2.2.28.x86_64
(gdb) bt
#0  0x00007febfda0080b in __strcmp_avx2 () from /lib64/libc.so.6
#1  0x00007febfe860112 in nc_server_tls_ks_ref_get_cert_key () from /usr/local/lib64/libnetconf2.so.4
#2  0x00007febfe861cdc in nc_server_tls_load_server_cert_key () from /usr/local/lib64/libnetconf2.so.4
#3  0x00007febfe86274c in nc_accept_tls_session () from /usr/local/lib64/libnetconf2.so.4
#4  0x00007febfe841359 in nc_connect_ch_endpt () from /usr/local/lib64/libnetconf2.so.4
#5  0x00007febfe841af2 in nc_ch_client_thread () from /usr/local/lib64/libnetconf2.so.4
#6  0x00007febfe3721ca in start_thread () from /lib64/libpthread.so.0
#7  0x00007febfd98f8d3 in clone () from /lib64/libc.so.6
(gdb) quit

tls_certs.zip
core.netopeer2-serve.0.be4dc4a67cf843b685cb16e6f59b8d15.944209.zip

@michalvasko
Member

Please include your YANG configuration of ietf-netconf-server (output of sysrepocfg -X -m ietf-netconf-server).

@michalvasko michalvasko added the is:bug Bug description. label Jan 6, 2025
@srikanthsubbaramu
Author

srikanthsubbaramu commented Jan 8, 2025

Hi Michal,
We don't have the same process running, but this is the configuration that is updated for the netconf server:

sysrepocfg -X -m ietf-netconf-server

<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen>
    <endpoints>
      <endpoint>
        <name>default-ssh</name>
        <ssh>
          <tcp-server-parameters>
            <local-address>0.0.0.0</local-address>
          </tcp-server-parameters>
          <ssh-server-parameters>
            <server-identity>
              <host-key>
                <name>default-key</name>
                <public-key>
                  <central-keystore-reference>genkey</central-keystore-reference>
                </public-key>
              </host-key>
              <host-key>
                <name>default-key1</name>
                <public-key>
                  <central-keystore-reference>ecdsakey</central-keystore-reference>
                </public-key>
              </host-key>
            </server-identity>
            <client-authentication>
              <users>
                <user>
                  <name>root</name>
                  <public-keys>
                    <use-system-keys xmlns="urn:cesnet:libnetconf2-netconf-server"/>
                  </public-keys>
                </user>
              </users>
            </client-authentication>
          </ssh-server-parameters>
        </ssh>
      </endpoint>
      <endpoint>
        <name>default-tls</name>
        <tls>
          <tcp-server-parameters>
            <local-address>0.0.0.0</local-address>
          </tcp-server-parameters>
          <tls-server-parameters>
            <server-identity>
              <certificate>
                <central-keystore-reference>
                  <asymmetric-key>serverkey</asymmetric-key>
                  <certificate>servercert</certificate>
                </central-keystore-reference>
              </certificate>
            </server-identity>
            <client-authentication>
              <ca-certs>
                <central-truststore-reference>cacerts</central-truststore-reference>
              </ca-certs>
              <ee-certs>
                <central-truststore-reference>eecerts</central-truststore-reference>
              </ee-certs>
            </client-authentication>
          </tls-server-parameters>
          <netconf-server-parameters>
            <client-identity-mappings>
              <cert-to-name>
                <id>10</id>
                <fingerprint>02:cc:b3:ce:55:69:11:f5:ba:83:15:32:00:fb:c3:22:e3:2a:16:3e:41</fingerprint>
                <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
                <name>netconf</name>
              </cert-to-name>
            </client-identity-mappings>
          </netconf-server-parameters>
        </tls>
      </endpoint>
    </endpoints>
  </listen>
  <call-home>
    <netconf-client>
      <name>default-client-tls</name>
      <endpoints>
        <endpoint>
          <name>default-tls</name>
          <tls>
            <tcp-client-parameters>
              <remote-address>127.0.0.1</remote-address>
            </tcp-client-parameters>
            <tls-server-parameters>
              <server-identity>
                <certificate>
                  <central-keystore-reference>
                    <asymmetric-key>serverkey</asymmetric-key>
                    <certificate>servercert</certificate>
                  </central-keystore-reference>
                </certificate>
              </server-identity>
              <client-authentication>
                <ca-certs>
                  <central-truststore-reference>cacerts</central-truststore-reference>
                </ca-certs>
                <ee-certs>
                  <central-truststore-reference>eecerts</central-truststore-reference>
                </ee-certs>
              </client-authentication>
            </tls-server-parameters>
            <netconf-server-parameters>
              <client-identity-mappings>
                <cert-to-name>
                  <id>10</id>
                  <fingerprint>02:cc:b3:ce:55:69:11:f5:ba:83:15:32:00:fb:c3:22:e3:2a:16:3e:41</fingerprint>
                  <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
                  <name>netconf</name>
                </cert-to-name>
              </client-identity-mappings>
            </netconf-server-parameters>
          </tls>
        </endpoint>
      </endpoints>
      <connection-type>
        <persistent/>
      </connection-type>
    </netconf-client>
  </call-home>
</netconf-server>
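
The backtrace sits in the keystore-reference lookup (nc_server_tls_ks_ref_get_cert_key) that runs when the server loads its TLS certificate and key, so one pre-flight check worth running on exported sysrepo data is that every central-keystore-reference and central-truststore-reference in ietf-netconf-server names an entry that actually exists in ietf-keystore and ietf-truststore. This is an added example, not code from netopeer2 or libnetconf2; the three sample documents are constructed with the same shapes as the configuration above (key material omitted, since only the names are compared), and the expected module namespaces follow the published YANG models.

```python
import xml.etree.ElementTree as ET
NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-server"   # where the references live
KS = "urn:ietf:params:xml:ns:yang:ietf-keystore"         # ietf-keystore (RFC 9642)
TS = "urn:ietf:params:xml:ns:yang:ietf-truststore"       # ietf-truststore (RFC 9641)

def collect_references(server_xml):
    """(kind, name) pairs a netconf-server config points at: keys, key/cert pairs, bags."""
    refs, root = set(), ET.fromstring(server_xml)
    for ref in root.iter(f"{{{NS}}}central-keystore-reference"):
        key = ref.find(f"{{{NS}}}asymmetric-key")
        if key is None:   # leaf form (SSH host-key): the text is the key name
            refs.add(("key", (ref.text or "").strip()))
        else:             # container form (TLS server cert): key plus one of its certificates
            refs.add(("key", key.text.strip()))
            refs.add(("cert", key.text.strip() + "/" + ref.findtext(f"{{{NS}}}certificate").strip()))
    for ref in root.iter(f"{{{NS}}}central-truststore-reference"):
        refs.add(("bag", (ref.text or "").strip()))   # certificate-bag name
    return refs

def defined_names(keystore_xml, truststore_xml):
    """Names that actually exist in the keystore and truststore data."""
    names = set()
    for key in ET.fromstring(keystore_xml).iter(f"{{{KS}}}asymmetric-key"):
        kname = key.findtext(f"{{{KS}}}name")
        names.add(("key", kname))
        for cert in key.iter(f"{{{KS}}}certificate"):   # certificates hang off their key
            names.add(("cert", kname + "/" + cert.findtext(f"{{{KS}}}name")))
    for bag in ET.fromstring(truststore_xml).iter(f"{{{TS}}}certificate-bag"):
        names.add(("bag", bag.findtext(f"{{{TS}}}name")))
    return names

def dangling_references(server_xml, keystore_xml, truststore_xml):
    """Sorted references the server config makes that nothing in the stores satisfies."""
    return sorted(collect_references(server_xml) - defined_names(keystore_xml, truststore_xml))

# Constructed sample data mirroring the shapes of the issue's configuration (no key material).
# 'eecerts' is deliberately missing from the truststore so the check has something to report.
SERVER = f"""<netconf-server xmlns="{NS}"><listen><endpoints><endpoint><name>default-ssh</name><ssh>
<ssh-server-parameters><server-identity><host-key><name>default-key</name><public-key>
<central-keystore-reference>genkey</central-keystore-reference></public-key></host-key>
</server-identity></ssh-server-parameters></ssh></endpoint><endpoint><name>default-tls</name><tls>
<tls-server-parameters><server-identity><certificate><central-keystore-reference>
<asymmetric-key>serverkey</asymmetric-key><certificate>servercert</certificate>
</central-keystore-reference></certificate></server-identity><client-authentication><ca-certs>
<central-truststore-reference>cacerts</central-truststore-reference></ca-certs><ee-certs>
<central-truststore-reference>eecerts</central-truststore-reference></ee-certs></client-authentication>
</tls-server-parameters></tls></endpoint></endpoints></listen></netconf-server>"""
KEYSTORE = f"""<keystore xmlns="{KS}"><asymmetric-keys><asymmetric-key><name>genkey</name></asymmetric-key>
<asymmetric-key><name>serverkey</name><certificates><certificate><name>servercert</name></certificate>
</certificates></asymmetric-key></asymmetric-keys></keystore>"""
TRUSTSTORE = f"""<truststore xmlns="{TS}"><certificate-bags><certificate-bag><name>cacerts</name></certificate-bag></certificate-bags></truststore>"""
```

Running `dangling_references(SERVER, KEYSTORE, TRUSTSTORE)` on the sample reports only the missing `eecerts` bag; on a real system, feed it the output of `sysrepocfg -X -m ietf-netconf-server`, `-m ietf-keystore` and `-m ietf-truststore`.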

@srikanthsubbaramu
Author

ietf-netconf-server.zip

@michalvasko
Member

I have tested this configuration and it seems to be almost exactly the example configuration provided by netopeer2. It worked without any issues for me, but I have used the latest versions of all the libraries, so there may have been a problem fixed. My suggestion is to update to the latest release and try again. Or you can wait a bit until I make a new release; it should be today or later this week.

@michalvasko michalvasko added the status:invalid Issue is not reproducible. label Jan 8, 2025