Crashes when using AddChainCertificate on go 1.3 and 1.3.2

[sajal]

reproducable code: http://paste.ubuntu.com/8450867/

When provided with a valid certificate, bundle and key , the pasted code works fine on Go 1.2.2, but crashes on 1.3 and 1.3.2 .

Crashdump: http://pastie.org/private/eszbzktmuyk5o1fgztc6nw

Each time it manages to get 5 to 10 requests out before crashing.

To reproduce, run the following :

go build reproduce.go && sudo ./reproduce -cert=/path/to/cert.crt -key=/path/to/key.key -bundle=/path/to/bundle.crt
on another window.
openssl s_client -connect 127.0.0.1:443 -CApath /etc/ssl/certs
This command successfully validates the cert now that we have the chain added.. but...
Run this about 5 to 10 times and it should crash the server...

My environment
Ubuntu 14.04 (3.13.0-34-generic)
libssl-dev:amd64 1.0.1f-1ubuntu2.5

[jtolio]

Just to clarify, I'm assuming this doesn't crash with a go 1.2 release, correct?

[sajal]

correct

[lunixbochs]

Here's a version of the test that generates its own CA+cert using my fork for easier testing: https://gist.github.com/lunixbochs/9f31135372b2760618e9

I'm looking into the crash.

[lunixbochs]

I'm pretty sure this happens when Go garbage collects the CA certificate because it's no longer used, and the underlying C object is freed.

runtime.SetFinalizer(c, func(c *Certificate) {
    C.X509_free(c.x)
})

This can probably be solved by keeping a reference to the certificate on the ctx object, which should probably be done every time we ask OpenSSL to reference an underlying C object of a Go class.

[jtolio]

nice work @lunixbochs