
.NET segfaults instead of showing error when OpenSSL config is invalid #122538

@anicka-net

### Description

When OpenSSL 3.x has a configuration error, .NET crashes with SIGSEGV instead of reporting the problem.

Root cause: src/native/libs/System.Security.Cryptography.Native/pal_ssl.c uses assert() for error checking in DetectCiphersuiteConfiguration(). In release builds, these asserts are compiled out (NDEBUG defined), so when OpenSSL functions fail, no error checking happens and the code crashes dereferencing NULL pointers.

Core dump shows crash in:

```
#0  SSL_CTX_set_cipher_list (libssl.so.3.5.3)
#1  CryptoNative_EnsureLibSslInitialized (libSystem.Security.Cryptography.Native.OpenSsl.so)
```

Problematic code (lines 118, 128 in pal_ssl.c):

```c
SSL_CTX* ctx = SSL_CTX_new(TLS_method());
assert(ctx != NULL);  // Compiled out in release builds!

int rv = SSL_CTX_set_cipher_list(ctx, "ALL");
assert(rv);  // Compiled out in release builds!
```



### Reproduction Steps

1. Break OpenSSL config by editing `/etc/ssl/openssl.cnf`:
   ```ini
   [provider_sect]
   default = default_sect
   legacy = legacy_sect      # References section below

   [default_sect]
   activate = 1

   ##[legacy_sect]            # Section header commented out!
   activate = 1
   ```
2. Create minimal .NET project:
   ```bash
   mkdir test && cd test
   dotnet new console
   ```
3. Run:
   ```bash
   dotnet run
   ```

### Expected behavior

Clear error message:

```
FATAL: SSL_CTX_set_cipher_list failed
Check OpenSSL configuration: /etc/ssl/openssl.cnf
OpenSSL provider 'legacy_sect' section not found
```

Similar to how Apache, Nginx, and OpenSSL CLI report configuration errors.

### Actual behavior

```
Segmentation fault (core dumped)
```

Exit code 139 (SIGSEGV). No diagnostic information.

Note: `dotnet build` works (uses cached packages), but `dotnet run` crashes when checking NuGet over HTTPS.

### Regression?

Unknown.

### Known Workarounds

No response

### Configuration

.NET SDK: 10.0.101 (also tested: 8.0.22, 9.0)
Runtime: 10.0.1
OS: openSUSE Tumbleweed (affects all Linux distros)
OpenSSL: 3.5.3 (likely affects all 3.x versions)
Architecture: x86_64

### Other information

Replace asserts with proper error handling in pal_ssl.c:

pal_ssl.patch
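
A pre-flight check for the misconfiguration used in the reproduction steps, as an added example that is not part of the original issue or of the .NET code base. It assumes the provider list lives in a section named `provider_sect`, as in the snippet above, and uses a simplified parser that ignores `.include`, line continuations and variable expansion. The sample configs are constructed.

```python
import re

SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")

def parse_sections(text):
    """Parse a simplified openssl.cnf: [section] headers, name = value, # comments."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections

def dangling_provider_refs(text, provider_section="provider_sect"):
    """Return (provider, section) pairs whose target section header is missing."""
    sections = parse_sections(text)
    refs = sections.get(provider_section, {})
    return [(name, target) for name, target in refs.items() if target not in sections]

# Constructed sample mirroring the reproduction step: the [legacy_sect]
# header is commented out, so the reference from provider_sect dangles.
BROKEN = """\
[provider_sect]
default = default_sect
legacy = legacy_sect      # References section below

[default_sect]
activate = 1

##[legacy_sect]
activate = 1
"""
FIXED = BROKEN.replace("##[legacy_sect]", "[legacy_sect]")

if __name__ == "__main__":
    for provider, target in dangling_provider_refs(BROKEN):
        print(f"provider '{provider}' references missing section [{target}]")
```

Run against a real file by passing its contents to `dangling_provider_refs`; an empty list means every provider entry resolves to a section header.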
