OpenSSL ignores order from /etc/nsswitch.conf

Bug #1905261 reported by Bartłomiej Żogała
Affects              Status   Importance  Assigned to  Milestone
linux-meta (Ubuntu)  Expired  Undecided   Unassigned
openssl (Ubuntu)     Expired  Undecided   Unassigned

Bug Description

I'm issuing a command like the one below:
openssl s_client -connect subdomain.domain.example.com

I have the following nsswitch.conf defined:
'''
$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd
group: compat systemd
shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
'''

For host resolution, the /etc/hosts file should take precedence. But it doesn't work that way, and when I have some unresolvable name it tries to connect to DNS, ignoring the local hosts file. The order is clearly visible in strace:

'''
openat(AT_FDCWD, "/usr/lib/ssl/ct_log_list.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(5) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(5) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=560, ...}) = 0
read(5, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 560
read(5, "", 4096) = 0
close(5) = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=64, ...}) = 0
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=93, ...}) = 0
read(5, "# The \"order\" line is only used "..., 4096) = 93
read(5, "", 4096) = 0
close(5) = 0
futex(0x7f3d2d2b5ba4, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=64, ...}) = 0
read(5, "# Generated by NetworkManager\nse"..., 4096) = 64
read(5, "", 4096) = 0
close(5) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=335124, ...}) = 0
mmap(NULL, 335124, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7f3d2de05000
close(5) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P#\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0644, st_size=47568, ...}) = 0
mmap(NULL, 2168632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f3d2cab0000
mprotect(0x7f3d2cabb000, 2093056, PROT_NONE) = 0
mmap(0x7f3d2ccba000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0xa000) = 0x7f3d2ccba000
mmap(0x7f3d2ccbc000, 22328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3d2ccbc000
close(5) = 0
mprotect(0x7f3d2ccba000, 4096, PROT_READ) = 0
munmap(0x7f3d2de05000, 335124) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
'''

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssl 1.1.1-1ubuntu2.1~18.04.6
ProcVersionSignature: Ubuntu 4.15.0-124.127-generic 4.15.18
Uname: Linux 4.15.0-124-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.9-0ubuntu7.20
Architecture: amd64
Date: Mon Nov 23 10:49:41 2020
InstallationDate: Installed on 2015-05-08 (2026 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=pl_PL.UTF-8
 SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: Upgraded to bionic on 2018-08-26 (819 days ago)

Dan Bungert (dbungert) wrote :

Looks like the linux-meta task was added recently, was that intended? I'm not certain that this would be a kernel bug. Marking that part incomplete - additional info would help.

Changed in linux-meta (Ubuntu):
status: New → Incomplete
Dan Bungert (dbungert) wrote :

While my strace output looks similar, it may be still working as intended. I added a hosts entry for ubuntu.com pointing to a different server, and received output indicating that I connected to the other server. Perhaps that has been fixed since the bug was filed? Alternately, would you update with more steps to reproduce?

Changed in openssl (Ubuntu):
status: New → Incomplete
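The strace excerpt in the report and Dan Bungert's reproduction both turn on the same question: did the process send anything to a DNS server before it opened /etc/hosts? Reading /etc/resolv.conf is not a query; glibc's res_init() caches the resolver configuration before any NSS backend runs, so seeing resolv.conf read early proves nothing. The following triage script is an added example, not code from the report, from Ubuntu, or from OpenSSL. It parses the hosts: line of nsswitch.conf (dropping action specifiers such as [NOTFOUND=return]) and an strace log, lists the lookup sources in the order the process actually touched them, and flags a real precedence violation only when a packet to port 53 precedes the /etc/hosts open. The strace text is constructed: the first sample is abridged from the report with a DNS exchange appended, the second is a made-up trace showing what a genuine violation would look like.

```python
"""Check whether /etc/hosts was consulted before any DNS query (added example)."""
import re

# Constructed input: the hosts: line from the report's nsswitch.conf.
NSSWITCH_HOSTS = "hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname"

# Constructed strace excerpt, abridged from the report, plus a DNS exchange
# (the 127.0.0.53 address and packet bytes are made up for the example).
STRACE_OK = r"""
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 5
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
sendto(5, "\22\64\1\0\0\1\0\0\0\0\0\0\tsubdomain"..., 52, MSG_NOSIGNAL, NULL, 0) = 52
"""

# Constructed trace of a genuine violation: DNS before /etc/hosts.
STRACE_BAD = r"""
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 5
sendto(5, "\1\2"..., 40, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.1")}, 16) = 40
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
"""

ACTION_RE = re.compile(r"\[[^\]]*\]")                      # [NOTFOUND=return] etc.
OPEN_RE = re.compile(r'^open(?:at)?\(.*?"([^"]+)"')          # first quoted path
NSS_MODULE_RE = re.compile(r"libnss_([a-z0-9_]+)\.so")
DNS_RE = re.compile(r"^(?:connect|sendto)\(\d+, .*?sin6?_port=htons\(53\)")
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)')
CONFIG_FILES = {"/etc/nsswitch.conf", "/etc/resolv.conf", "/etc/host.conf"}


def nsswitch_hosts_order(line):
    """Return the configured lookup sources for hosts:, without action specifiers."""
    key, _, rest = line.partition(":")
    if key.strip() != "hosts":
        raise ValueError("expected a 'hosts:' line")
    return ACTION_RE.sub(" ", rest).split()


def strace_events(text):
    """Reduce an strace log to ordered lookup events.

    ('config', path)  nsswitch.conf / resolv.conf / host.conf read (not a query)
    ('module', name)  libnss_<name>.so.2 loaded by glibc
    ('files', path)   /etc/hosts opened: the 'files' backend ran
    ('dns', addr)     a packet to port 53: the 'dns' backend ran
    """
    events = []
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            path = m.group(1)
            if path == "/etc/hosts":
                events.append(("files", path))
            elif path in CONFIG_FILES:
                events.append(("config", path))
            else:
                mod = NSS_MODULE_RE.search(path)
                if mod:
                    events.append(("module", mod.group(1)))
        elif DNS_RE.match(line):
            addr = ADDR_RE.search(line)
            events.append(("dns", addr.group(1) if addr else "?"))
    return events


def check_precedence(configured, events):
    """Return (ok, reason); ok is False only for a real files-before-dns violation."""
    if "files" not in configured or "dns" not in configured:
        return True, "nsswitch does not list both files and dns; nothing to check"
    if configured.index("dns") < configured.index("files"):
        return True, "dns is configured before files, so DNS first is expected"
    first_files = next((i for i, e in enumerate(events) if e[0] == "files"), None)
    first_dns = next((i for i, e in enumerate(events) if e[0] == "dns"), None)
    if first_dns is None:
        return True, "no DNS query observed"
    if first_files is None:
        return False, "DNS query sent but /etc/hosts was never opened"
    if first_dns < first_files:
        return False, "DNS query sent before /etc/hosts was opened"
    return True, "/etc/hosts consulted before the first DNS query"


def triage(nsswitch_line, strace_text):
    """Full check: configured order, observed order and the verdict."""
    configured = nsswitch_hosts_order(nsswitch_line)
    events = strace_events(strace_text)
    ok, reason = check_precedence(configured, events)
    return {"configured": configured, "observed": events, "ok": ok, "reason": reason}


if __name__ == "__main__":
    for label, trace in (("report-like", STRACE_OK), ("violation", STRACE_BAD)):
        r = triage(NSSWITCH_HOSTS, trace)
        print(label, "->", "OK" if r["ok"] else "VIOLATION", "|", r["reason"])
        for kind, detail in r["observed"]:
            print("   ", kind, detail)
```

To capture a trace for a real run, `strace -f -e trace=openat,connect,sendto -o /tmp/s_client.trace openssl s_client -connect host:443 </dev/null` restricts the log to the calls the script understands; feed the file's contents to `triage()`. On the trace in the report, the only candidate "DNS" activity before /etc/hosts is the resolv.conf read, which the script classifies as config, so it reports OK; that matches Dan Bungert's observation that a hosts entry does win.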
Launchpad Janitor (janitor) wrote :

[Expired for openssl (Ubuntu) because there has been no activity for 60 days.]

Changed in openssl (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for linux-meta (Ubuntu) because there has been no activity for 60 days.]

Changed in linux-meta (Ubuntu):
status: Incomplete → Expired