Bug (with patch): redbean SIGSEGV when https certificates given on CLI (-C, -K) #1458
Description
Contact Details
What happened?
I have always passed my HTTPS certificates to redbean via CLI arguments like in the following (instead of including them in the ZIP) but, after the recent changes in November, this feature stopped working
./redbean -C fullchain.pem -K privkey.pem
Clients do not get a reply when connecting using the hostname: I notice a crash in the worker process. When however, a client connects using the IP address, there comes an answer and no crash. This is how a crash looks like
error: Uncaught SIGSEGV (SEGV_MAPERR) on hvm44 pid 3938282 tid 3938282 [974/1999]
/opt/sm/redbean.bin
Linux Cosmopolitan 4.0.2 MODE=aarch64; #1 SMP Debian 6.1.119-1 (2024-11-22) hvm44 6.1.0-28-arm64
cosmoaddr2line /opt/sm/redbean.bin 80017e640 80017f234 8001a3610 8001a6a58 8001a8f00 8001ad748 800017dc8 80001a960 80001b0c8 80001ba40 80001be40 80001c584 8002432cc 800002bc
0 800000140
faulting address is 0000000000000000
0000000000000000 x0 000000000000000a x8 0000ffff833fd020 x16 000000080030cb60 x24
0000000000000002 x1 0000000000000001 x9 c5931c762efda61d x17 0000000000000019 x25
000000080030cb60 x2 00000000000000ff x10 0000000000000000 x18 0000ffff833a6090 x26
0000ffff833a6099 x3 e628641eb3ae713a x11 0000000000000014 x19 0000000000000000 x27
0000000000000014 x4 cdaadf8df0b76c1a x12 0000ffff833a6099 x20 00000008003e2f80 x28
ffffffffffffffff x5 5a6c61f22867af71 x13 0000000000000000 x21 0000ffffc385af90 x29
0000ffff833a60ad x6 cdaadf8df0b76c1a x14 000000080030cb60 x22 000000080017f234 x30
0000000000000000 x7 00000008002a1c00 x15 ffffffffffffffff x23 0000ffffc385af80 x31
c22bad8d43d52ee9 .. e01c288eba15fc38 v0 8c2428a6b0705e9a ... fffcb93bf0884868 v1
1d00240026003300 .. 030304030405002b v2 da2f14ab282264a6 ... a5e5486609e82000 v3
002b00312e312f70 .. 747468083268020c v4 20001d0024002600 ... 3300030304030405 v5
4000000100000001 .. 0000040000000400 v6 4010040140100401 ... 4010040140100401 v7
0000ffffc385af80 sp 80017e640 pc in TlsRouteFind at /home/christos/src/cosmopolitan/net/https/certs.c:201
0000ffffc385af80 sp 80017f234 lr in TlsRoute at /home/christos/src/cosmopolitan/net/https/certs.c:245
0000ffffc385b000 fp 8001a3610 lr in ssl_parse_servername_ext at /home/christos/src/cosmopolitan/third_party/mbedtls/ssl_srv.c:167
0000ffffc385b040 fp 8001a6a58 lr in ssl_parse_client_hello at /home/christos/src/cosmopolitan/third_party/mbedtls/ssl_srv.c:1951
0000ffffc385b080 fp 8001a8f00 lr in mbedtls_ssl_handshake_server_step at /home/christos/src/cosmopolitan/third_party/mbedtls/ssl_srv.c:4494
0000ffffc385b130 fp 8001ad748 lr in mbedtls_ssl_handshake at /home/christos/src/cosmopolitan/third_party/mbedtls/ssl_tls.c:6445
0000ffffc385b160 fp 800017dc8 lr in TlsSetup at /home/christos/src/cosmopolitan/tool/net/redbean.c:1610
0000ffffc385b1a0 fp 80001a960 lr in HandleMessages at /home/christos/src/cosmopolitan/tool/net/redbean.c:6383
0000ffffc385b200 fp 80001b0c8 lr in HandleConnection at /home/christos/src/cosmopolitan/tool/net/redbean.c:6620
0000ffffc385b260 fp 80001ba40 lr in HandlePoll at /home/christos/src/cosmopolitan/tool/net/redbean.c:6780
0000ffffc385b2a0 fp 80001be40 lr in EventLoop at /home/christos/src/cosmopolitan/tool/net/redbean.c:6953
0000ffffc385b2e0 fp 80001c584 lr in DisableRawMode at /home/christos/src/cosmopolitan/tool/net/redbean.c:5329
(inlined by) ReplEventLoop at /home/christos/src/cosmopolitan/tool/net/redbean.c:6968
(inlined by) RedBean at /home/christos/src/cosmopolitan/tool/net/redbean.c:7279
0000ffffc385b3e0 fp 8002432cc lr in __gc at /home/christos/src/cosmopolitan/libc/sysv/gc.S:36
0000ffffc385b480 fp 800002bc0 lr in cosmo at /home/christos/src/cosmopolitan/libc/runtime/cosmo2.c:197
0000ffffc385b4a0 fp 800000140 lr in _start at /home/christos/src/cosmopolitan/libc/crt/crt.S:171
This is the patch that fixes my problem
From 8f63a61cfda51c77d95ee2ce2e73fb9acd2f5ed5 Mon Sep 17 00:00:00 2001
From: Christos Gitsis <cgitsis@gmail.com>
Date: Fri, 19 Dec 2025 15:25:41 +0100
Subject: [PATCH] https: fix SIGSEGV and handshake failure with CLI certs
This patch fixes a null pointer dereference in TlsRouteFind that occurs
when redbean is started with command line certificates (-C and -K) but
without any internal certificates in the ZIP assets.
---
net/https/certs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/https/certs.c b/net/https/certs.c
index 1d06919e6..11e3afa00 100644
--- a/net/https/certs.c
+++ b/net/https/certs.c
@@ -198,6 +198,7 @@ static bool TlsRouteFind(struct Certs *certs, mbedtls_pk_type_t type,
mbedtls_ssl_context *ssl, const unsigned char *host,
size_t size, int64_t ip) {
int i;
+ if (!certs) return false;
for (i = 0; i < certs->n; ++i) {
if (IsServerCert(certs->p + i, type) &&
(((certs->p[i].cert->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) &&
@@ -218,6 +219,7 @@ static bool TlsRouteFind(struct Certs *certs, mbedtls_pk_type_t type,
static bool TlsRouteFirst(struct Certs *certs, mbedtls_pk_type_t type,
mbedtls_ssl_context *ssl) {
int i;
+ if (!certs || !certs->p) return false;
for (i = 0; i < certs->n; ++i) {
if (IsServerCert(certs->p + i, type)) {
CHECK_EQ(0, mbedtls_ssl_set_hs_own_cert(ssl, certs->p[i].cert,
@@ -239,6 +241,8 @@ int TlsRoute(void *ctx, mbedtls_ssl_context *ssl, const unsigned char *host,
int64_t ip;
bool ok1, ok2;
struct Certs *certs = ctx;
+ if (!certs || !certs->n)
+ return 0;
ip = ParseIp((const char *)host, size);
ok1 = TlsRouteFind(certs, MBEDTLS_PK_ECKEY, ssl, host, size, ip);
ok2 = TlsRouteFind(certs, MBEDTLS_PK_RSA, ssl, host, size, ip);
--
2.47.3
Version
Redbean b444b3a (Dec 2 2025)
What operating system are you seeing the problem on?
Linux