From 68216c794e8eb97f0c2d8f791bb58f332943b6ae Mon Sep 17 00:00:00 2001 From: Andre lorbach Date: Fri, 28 Jul 2023 14:58:50 +0200 Subject: [PATCH] openssl: Replaced depreceated method SSLv23_method with TLS_method In OpenSSL 1.1.0 and higher, SSLv23_method causes some errors in TLS handshake from time to time. As this method is depreceated since 1.1.0, I have replaced it with the follow up method TLS_method which is the most generic one. It fixes the random test failures in tests like - sndrcv_tls_ossl_anon_rebind.sh Also added some debug output in OpenSSL error handling, which is useful when analysing debug files. closes: ./sndrcv_tls_ossl_anon_rebind.sh Reference:https://github.com/rsyslog/rsyslog/commit/8d8fe80d871b07ab14f44e4fddb68445601b66b5 Conflict:NA
---
 runtime/nsd_ossl.c | 19 +++++++++++++++++--
 runtime/nsdsel_ptcp.c | 3 +++
 tests/tcpflood.c | 6 +++++-
 3 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 45b0e03..ba62b7d 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -192,10 +192,19 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
 int iSSLErr = 0;
 if (ssl == NULL) {
 /* Output Error Info*/
- dbgprintf("osslLastSSLErrorMsg: Error in '%s' with ret=%d\n", pszCallSource, ret);
+ DBGPRINTF("osslLastSSLErrorMsg: Error in '%s' with ret=%d\n", pszCallSource, ret);
 } else {
 /* if object is set, get error code */
 iSSLErr = SSL_get_error(ssl, ret);
+ /* Output Debug as well */
+ DBGPRINTF("osslLastSSLErrorMsg: %s Error in '%s': '%s(%d)' with ret=%d, errno=%d, sslapi='%s'\n",
+ (iSSLErr == SSL_ERROR_SSL ? "SSL_ERROR_SSL" :
+ (iSSLErr == SSL_ERROR_SYSCALL ? "SSL_ERROR_SYSCALL" : "SSL_ERROR_UNKNOWN")),
+ pszCallSource, ERR_error_string(iSSLErr, NULL),
+ iSSLErr,
+ ret,
+ errno,
+ pszOsslApi);
 /* Output error message */
 LogMsg(0, RS_RET_NO_ERRCODE, severity,
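Review bot: `ERR_error_string(iSSLErr, NULL)` in the added DBGPRINTF is given the `SSL_get_error()` result, which is a small return-category code and not a packed error-queue code, so the `'%s(%d)'` field will not describe the actual failure; `ERR_error_string` expects the queue entry from `ERR_peek_last_error()` (or `ERR_get_error()`, which consumes it). A NULL buffer also makes OpenSSL format into a static buffer that is not safe when several threads log at once; a local `char errbuf[256]; ERR_error_string_n(ERR_peek_last_error(), errbuf, sizeof errbuf);` printed in place of the `ERR_error_string` call fixes both. The ternary labels only SSL_ERROR_SSL and SSL_ERROR_SYSCALL, so every other category (e.g. SSL_ERROR_WANT_READ) prints as SSL_ERROR_UNKNOWN, which deserves a short comment if that is intended. The LogMsg call and the rest of osslLastSSLErrorMsg continue past the end of the hunk.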
@@ -1309,8 +1318,12 @@ osslInit_ctx(nsd_ossl_t *const pThis)
 bHaveExtraCAFiles = 1;
 }
- /* Create main CTX Object */
+ /* Create main CTX Object. Use SSLv23_method for < Openssl 1.1.0 and TLS_method for all newer versions! */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 pThis->ctx = SSL_CTX_new(SSLv23_method());
+#else
+ pThis->ctx = SSL_CTX_new(TLS_method());
+#endif
 if(bHaveExtraCAFiles == 1) {
 while((extraCaFile = strsep(&extraCaFiles, ","))) {
 if(SSL_CTX_load_verify_locations(pThis->ctx, extraCaFile, NULL) != 1) {
@@ -1575,6 +1588,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
 "SSL_do_handshake");
 ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
 } else {
+ dbgprintf("osslHandshakeCheck: OpenSSL Client handshake failed with %d "
+ "- Aborting handshake.\n", resErr);
 osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client",
 "SSL_do_handshake");
 LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
diff --git a/runtime/nsdsel_ptcp.c b/runtime/nsdsel_ptcp.c
index 7a95dfc..2558f09 100644
--- a/runtime/nsdsel_ptcp.c
+++ b/runtime/nsdsel_ptcp.c
@@ -158,6 +158,9 @@ IsReady(nsdsel_t *const pNsdsel, nsd_t *const pNsd, const nsdsel_waitOp_t waitOp
 }
 const short revent = pThis->fds[idx].revents;
+ if (revent & POLLNVAL) {
+ DBGPRINTF("ndssel_ptcp: revent & POLLNVAL is TRUE, something is wrong, revent = %d", revent);
+ }
 assert(!(revent & POLLNVAL));
 switch(waitOp) {
 case NSDSEL_RD:
diff --git a/tests/tcpflood.c b/tests/tcpflood.c
index f08bdad..0797af8 100644
--- a/tests/tcpflood.c
+++ b/tests/tcpflood.c
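Review bot: `SSL_CTX_new(TLS_method())` on the new `#else` branch is still not checked for NULL before `pThis->ctx` is passed to `SSL_CTX_load_verify_locations` in the loop that follows, so an allocation or library-initialisation failure turns into a NULL dereference inside OpenSSL; `if(pThis->ctx == NULL) { osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslInit_ctx", "SSL_CTX_new"); ABORT_FINALIZE(RS_RET_NO_ERRCODE); }` after the `#endif` would cover it, assuming osslInit_ctx uses the file's finalize_it pattern (its body starts and ends outside the hunk). Note that OpenSSL 1.1.0's ssl.h defines `SSLv23_method` as a macro for `TLS_method`, so on 1.1.0+ both branches compile to the same call and the `#if` only avoids the deprecated name, which makes it hard to trace the handshake failures named in the description to this line. The same points apply to the identical change in the tcpflood.c initTLS hunk. Since the `#else` branch is only reached on 1.1.0+, it is also the natural place for a protocol floor such as `SSL_CTX_set_min_proto_version(pThis->ctx, TLS1_2_VERSION);`, because TLS_method otherwise negotiates any version the library was built with.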
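Review bot: The added trace in osslHandshakeCheck uses lower-case `dbgprintf`, while the same commit switches osslLastSSLErrorMsg to the `DBGPRINTF` macro, so the two styles now sit side by side in one file; `DBGPRINTF("osslHandshakeCheck: OpenSSL Client handshake failed with %d "` keeps them consistent. The line is also immediately followed by osslLastSSLErrorMsg, which after this commit already emits the error category, `ret` and `errno` at debug level, so the extra message mostly duplicates it. `resErr` and `res` are presumably set above the hunk; osslHandshakeCheck's body starts and ends outside it.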
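Review bot: The new DBGPRINTF format string in IsReady has no trailing `\n`, unlike every other debug line in this patch, so the following debug output will run on in the same line, and `ndssel_ptcp` looks like a transposition of the module name; `DBGPRINTF("nsdsel_ptcp: revent & POLLNVAL is TRUE, something is wrong, revent = %d\n", revent);` fixes both. The check only traces: the `assert` on the next line still aborts in debug builds and is compiled out under NDEBUG, where an invalid descriptor then falls through into the `switch`, so if this is meant as a recoverable condition the branch should return an error rather than only log it. IsReady's body starts and ends outside the hunk.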
@@ -1195,8 +1195,12 @@ initTLS(void)
 ERR_load_BIO_strings();
 ERR_load_crypto_strings();
- /* Create main CTX Object */
+ /* Create main CTX Object. Use SSLv23_method for < Openssl 1.1.0 and TLS_method for all newer versions! */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 ctx = SSL_CTX_new(SSLv23_method());
+#else
+ ctx = SSL_CTX_new(TLS_method());
+#endif
 if(tlsCAFile != NULL && SSL_CTX_load_verify_locations(ctx, tlsCAFile, NULL) != 1) {
 printf("tcpflood: Error, Failed loading CA certificate"
-- 
2.33.0