rsyslog/backport-openssl-Replaced-depreceated-method-SSLv23_method-with.patch
Qiumiao Zhang b83e0b1c2a backport patches from upstream
Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
2024-03-21 03:38:16 +00:00

From 68216c794e8eb97f0c2d8f791bb58f332943b6ae Mon Sep 17 00:00:00 2001
From: Andre lorbach <alorbach@adiscon.com>
Date: Fri, 28 Jul 2023 14:58:50 +0200
Subject: [PATCH] openssl: Replaced depreceated method SSLv23_method with
TLS_method
In OpenSSL 1.1.0 and higher, SSLv23_method causes some errors
in the TLS handshake from time to time. As this method is deprecated
since 1.1.0, I have replaced it with its successor,
TLS_method, which is the most generic one.
It fixes the random test failures in tests like
- sndrcv_tls_ossl_anon_rebind.sh
Also added some debug output in OpenSSL error handling, which is
useful when analysing debug files.
closes: ./sndrcv_tls_ossl_anon_rebind.sh
Reference:https://github.com/rsyslog/rsyslog/commit/8d8fe80d871b07ab14f44e4fddb68445601b66b5
Conflict:NA
---
runtime/nsd_ossl.c | 19 +++++++++++++++++--
runtime/nsdsel_ptcp.c | 3 +++
tests/tcpflood.c | 6 +++++-
3 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 45b0e03..ba62b7d 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -192,10 +192,19 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
int iSSLErr = 0;
if (ssl == NULL) {
/* Output Error Info*/
- dbgprintf("osslLastSSLErrorMsg: Error in '%s' with ret=%d\n", pszCallSource, ret);
+ DBGPRINTF("osslLastSSLErrorMsg: Error in '%s' with ret=%d\n", pszCallSource, ret);
} else {
/* if object is set, get error code */
iSSLErr = SSL_get_error(ssl, ret);
+ /* Output Debug as well */
+ DBGPRINTF("osslLastSSLErrorMsg: %s Error in '%s': '%s(%d)' with ret=%d, errno=%d, sslapi='%s'\n",
+ (iSSLErr == SSL_ERROR_SSL ? "SSL_ERROR_SSL" :
+ (iSSLErr == SSL_ERROR_SYSCALL ? "SSL_ERROR_SYSCALL" : "SSL_ERROR_UNKNOWN")),
+ pszCallSource, ERR_error_string(iSSLErr, NULL),
+ iSSLErr,
+ ret,
+ errno,
+ pszOsslApi);
/* Output error message */
LogMsg(0, RS_RET_NO_ERRCODE, severity,
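Review bot: `ERR_error_string(iSSLErr, NULL)` in the new DBGPRINTF is handed the SSL_get_error() result, which is an SSL_ERROR_* category code rather than the packed library/reason code that ERR_error_string() decodes, so the printed text is meaningless (it renders as lib(0)/reason(N)); the message that belongs there comes from the error queue, e.g. `char errbuf[256]; ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf);` and then `errbuf` in the format arguments, using peek so the queue is not drained before the rest of the function reads it. Passing NULL as the buffer also makes OpenSSL use its static buffer, which is not safe if two threads report errors concurrently. The ternary labels every category other than SSL_ERROR_SSL and SSL_ERROR_SYSCALL (SSL_ERROR_WANT_READ/WRITE, SSL_ERROR_ZERO_RETURN, ...) as "SSL_ERROR_UNKNOWN", which will mislead anyone reading a debug file; the numeric iSSLErr next to it helps, but a small name table would be clearer. osslLastSSLErrorMsg continues past the hunk.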
@@ -1309,8 +1318,12 @@ osslInit_ctx(nsd_ossl_t *const pThis)
bHaveExtraCAFiles = 1;
}
- /* Create main CTX Object */
+ /* Create main CTX Object. Use SSLv23_method for < Openssl 1.1.0 and TLS_method for all newer versions! */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
pThis->ctx = SSL_CTX_new(SSLv23_method());
+#else
+ pThis->ctx = SSL_CTX_new(TLS_method());
+#endif
if(bHaveExtraCAFiles == 1) {
while((extraCaFile = strsep(&extraCaFiles, ","))) {
if(SSL_CTX_load_verify_locations(pThis->ctx, extraCaFile, NULL) != 1) {
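Review bot: The `SSL_CTX_new()` result on both branches of the new `#if` is still used unchecked, so a NULL context (for example under a restrictive OpenSSL configuration or provider setup) reaches `SSL_CTX_load_verify_locations(pThis->ctx, ...)` below; a check right after the `#endif`, e.g. `if(pThis->ctx == NULL) { osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslInit_ctx", "SSL_CTX_new"); ABORT_FINALIZE(RS_RET_ERR); }` (ABORT_FINALIZE is the error pattern already used in this file; substitute the project's usual return code), would surface the failure instead. Note that on OpenSSL ≥ 1.1.0 SSLv23_method is itself an alias of TLS_method, so this hunk most likely changes the deprecated name rather than the negotiated protocol versions; in particular TLS_method still allows whatever minimum the library defaults or security level permit, so a floor should be pinned via SSL_CTX_set_min_proto_version somewhere if it is not already. The new comment could make that explicit: `/* TLS_method() (alias of SSLv23_method() since 1.1.0) negotiates the highest mutually supported version; the minimum version is constrained separately */`. osslInit_ctx starts and ends outside the hunk.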
@@ -1575,6 +1588,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
"SSL_do_handshake");
ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
} else {
+ dbgprintf("osslHandshakeCheck: OpenSSL Client handshake failed with %d "
+ "- Aborting handshake.\n", resErr);
osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client",
"SSL_do_handshake");
LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
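Review bot: The new trace uses lowercase `dbgprintf(...)` while the first hunk of this same patch converts a call in this file to the `DBGPRINTF` macro; keeping one form is a style point, and if `DBGPRINTF` is the compile-time-gated variant (as its use elsewhere in this patch suggests), `DBGPRINTF("osslHandshakeCheck: OpenSSL Client handshake failed with %d - Aborting handshake.\n", resErr);` avoids an always-evaluated call on the client handshake failure path. The osslLastSSLErrorMsg call immediately after already reports the same failure, so the only value the added line carries is resErr; if that is the intent, the comment `/* resErr is not part of the LogMsg output, keep it in the debug trace */` would say why the line exists. osslHandshakeCheck starts and ends outside the hunk.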
diff --git a/runtime/nsdsel_ptcp.c b/runtime/nsdsel_ptcp.c
index 7a95dfc..2558f09 100644
--- a/runtime/nsdsel_ptcp.c
+++ b/runtime/nsdsel_ptcp.c
@@ -158,6 +158,9 @@ IsReady(nsdsel_t *const pNsdsel, nsd_t *const pNsd, const nsdsel_waitOp_t waitOp
}
const short revent = pThis->fds[idx].revents;
+ if (revent & POLLNVAL) {
+ DBGPRINTF("ndssel_ptcp: revent & POLLNVAL is TRUE, something is wrong, revent = %d", revent);
+ }
assert(!(revent & POLLNVAL));
switch(waitOp) {
case NSDSEL_RD:
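Review bot: The added DBGPRINTF format string has no trailing `\n` (every other DBGPRINTF added in this patch ends with one), so the next debug line is glued onto it, and the `ndssel_ptcp` prefix is misspelled relative to the module name nsdsel_ptcp, which defeats grepping the debug file: `DBGPRINTF("nsdsel_ptcp: revent & POLLNVAL is TRUE, something is wrong, revent = %d\n", revent);`. It is also worth recording that the `assert()` on the following line is the only thing keeping a POLLNVAL (a closed or invalid fd left in the poll set) from falling into the switch as if the descriptor were ready; in an NDEBUG build the new message is the sole trace of that condition, so returning a not-ready or error result there instead of relying on the assert would be more robust, though the function's return convention is outside this hunk. IsReady starts and ends outside the hunk.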
diff --git a/tests/tcpflood.c b/tests/tcpflood.c
index f08bdad..0797af8 100644
--- a/tests/tcpflood.c
+++ b/tests/tcpflood.c
@@ -1195,8 +1195,12 @@ initTLS(void)
ERR_load_BIO_strings();
ERR_load_crypto_strings();
- /* Create main CTX Object */
+ /* Create main CTX Object. Use SSLv23_method for < Openssl 1.1.0 and TLS_method for all newer versions! */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ctx = SSL_CTX_new(SSLv23_method());
+#else
+ ctx = SSL_CTX_new(TLS_method());
+#endif
if(tlsCAFile != NULL && SSL_CTX_load_verify_locations(ctx, tlsCAFile, NULL) != 1) {
printf("tcpflood: Error, Failed loading CA certificate"
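Review bot: `ctx` from `SSL_CTX_new()` on either branch of the new `#if` is used unchecked by the `SSL_CTX_load_verify_locations(ctx, ...)` on the next line, so a NULL context turns into a crash rather than the printed error this tool otherwise produces; a check such as `if(ctx == NULL) { printf("tcpflood: Error, SSL_CTX_new failed\n"); /* then the function's existing failure path */ }` right after the `#endif` keeps the failure visible. The new comment could also note that `TLS_method()` and `SSLv23_method()` are the same method on OpenSSL ≥ 1.1.0, so the split only retires the deprecated name and does not by itself change which protocol versions the flood client will negotiate. initTLS starts and ends outside the hunk.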
--
2.33.0