Re: s6-tlsd immediately sending EOF during TLS handshake

From: Guillermo <>
Date: Sun, 16 Feb 2020 12:00:10 -0300

El vie., 14 feb. 2020 a las 22:59, Laurent Bercot escribió:
> Indeed, the client's error message indicates that the handshake did
> not complete. But in that case, that would mean the error is in
> libtls, not s6-tlsd.

If this turns out to be a bug in LibreSSL triggered by the OP's
particular certificate and key, it will be hard to debug. It could be
worth trying to obtain a backtrace with GDB. s6-networking and skalibs
would have to be rebuilt with debugging symbols (CFLAGS=-ggdb
./configure $configure-arguments), and debugging symbols for LibreSSL
would also have to be installed, which apparently is possible on Void:


Then I'd try launching s6-tlsserver with:

$(which export) CERTFILE /etc/letsencrypt/live/$REDACTED/fullchain.pem \
$(which export) KEYFILE /etc/letsencrypt/live/$REDACTED/privkey.pem \
s6-tcpserver 443 ./script

where 'script' is:

#!/bin/execlineb -P
# Possibly drop privileges with s6-setuidgid
getpid PID
importas -u PID PID
background -d {
  redirfd -w 1 gdb-output.txt
  gdb -batch -ex continue -ex bt s6-tlsd $PID
s6-tlsd exit 0

This should hopefully attach the s6-tlsd process to GDB in batch mode,
and when the s6-tlsclient invocation makes it segfault, create a
backtrace in file gdb-output.txt. I don't have s6-networking, but this
works for me when used with s6-ipcserver and a test program that
raises SIGSEGV on purpose:

$ cat test-program.c
#include <signal.h>
#include <unistd.h>

void do_it_for_real () {

void do_it () {

int main () {
  return 0;

$ s6-ipcserver -v socket ./script &
s6-ipcserverd: info: starting
s6-ipcserverd: info: status: 0/40

$ s6-ipcclient socket exit 0
s6-ipcserverd: info: allow 1000:1000 pid 556 count 1/40
s6-ipcserverd: info: status: 1/40
s6-ipcserverd: info: end pid 556 uid 1000 signal 11
s6-ipcserverd: info: status: 0/40

$ cat gdb-output.txt
0x00007fe21b52f3a8 in nanosleep () from /lib64/

Program received signal SIGSEGV, Segmentation fault.
0x00007fe21b498ec1 in raise () from /lib64/
#0 0x00007fe21b498ec1 in raise () from /lib64/
#1 0x000056114282316d in do_it_for_real () at test-program.c:6
#2 0x000056114282317e in do_it () at test-program.c:10
#3 0x000056114282318f in main () at test-program.c:14
[Inferior 1 (process 556) detached]

Hope that helps,
Received on Sun Feb 16 2020 - 15:00:10 UTC

This archive was generated by hypermail 2.3.0 : Sun May 09 2021 - 19:38:49 UTC