Opened 6 years ago

Closed 6 years ago

Last modified 3 years ago

#610 closed defect (wontfix)

SSL parser bug while parsing SSL key/pem/crt file with BOM in windows system version

Reported by: 家靖 陆 Owned by:
Priority: minor Milestone: 1.6.2
Component: nginx-module Version: 1.6.x
Keywords: ssl bom Cc:
uname -a: windows 7 X86_64
nginx -V: nginx version: nginx/1.6.0
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/ --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.34 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-mail --with-openssl=objs.msvc8/lib/openssl-1.0.1h --with-openssl-opt=enable-tlsext --with-http_ssl_module --with-mail_ssl_module --with-ipv6
When nginx parses an SSL key/pem/crt file -- if the file starts with a BOM, which is an ordinary situation on Windows -- nginx is unable to parse the SSL key header, such as:


and throws the bug:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("D:/DevTools/nginx-1.6.0/conf/server.key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM

After converting the charset to UTF-8 without BOM, it passed...

So I think someone had better add a trim function to filter the BOM (such as the regExp \uFEFF), so we can easily use the SSL module..

This type of bug may not be easily found and debugged.

Change History (2)

comment:1 by Maxim Dounin, 6 years ago

Resolution: wontfix
Status: new → closed

Yes, it's a known problem that some editors on Windows try to add BOM and this breaks various things. Unfortunately, we can't do anything with this. You may want to avoid using such editors on important files.

Note well that certificates and keys are read using the OpenSSL library, and they must be in the PEM format. The format syntax only allows 7-bit ASCII, so BOM is clearly illegal there. You may try to convince OpenSSL developers to ignore BOMs, but I doubt you'll succeed.
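An added check, not part of this ticket nor of nginx or OpenSSL, that reports the conditions described above (a leading UTF-8 BOM, any byte outside 7-bit ASCII, the `-----BEGIN` line not being first) and strips the BOM so the file matches what OpenSSL's PEM reader expects; the sample key bytes are constructed and the `diagnose_pem`/`strip_bom` names are mine.

```python
"""Detect and strip a UTF-8 BOM from a PEM key/cert file.

Constructed example; not code from the nginx ticket, nginx or OpenSSL.
OpenSSL's PEM reader looks for a line beginning with "-----BEGIN ", so a
BOM (EF BB BF) in front of it yields "PEM_read_bio:no start line".
"""
import re
import sys

UTF8_BOM = b"\xef\xbb\xbf"
# PEM is line-oriented 7-bit ASCII; OpenSSL wants the BEGIN line first.
BEGIN_LINE = re.compile(rb"^-----BEGIN [A-Z0-9 ]+-----\r?$")


def diagnose_pem(data: bytes) -> dict:
    """Report the things that would make OpenSSL reject this PEM blob."""
    has_bom = data.startswith(UTF8_BOM)
    body = data[len(UTF8_BOM):] if has_bom else data
    first_line = body.split(b"\n", 1)[0]
    return {
        "has_bom": has_bom,
        # Offsets of any byte >= 0x80: these violate the 7-bit ASCII rule.
        "non_ascii": [i for i, b in enumerate(data) if b >= 0x80],
        "begin_line_first": bool(BEGIN_LINE.match(first_line)),
    }


def strip_bom(data: bytes) -> bytes:
    """Drop a leading UTF-8 BOM; every other byte stays untouched."""
    return data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data


# Constructed sample: a key saved by a Windows editor as "UTF-8 with BOM".
SAMPLE_WITH_BOM = (
    UTF8_BOM
    + b"-----BEGIN RSA PRIVATE KEY-----\r\n"
    + b"(constructed placeholder body, not a real key)\r\n"
    + b"-----END RSA PRIVATE KEY-----\r\n"
)

if __name__ == "__main__":
    # Usage: python pem_bom.py [path]; with a path, the BOM is removed in place.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else SAMPLE_WITH_BOM
    report = diagnose_pem(raw)
    print(report)
    if path and report["has_bom"]:
        open(path, "wb").write(strip_bom(raw))
        print("stripped BOM from", path)
```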

comment:2 by Maxim Dounin, 3 years ago

sensitive: 10