Hi Artem,

thanks for your patch. I committed the first part of your patch but not sure if we need the second part, therefore not committed yet.

Alex

On 14.09.2014 at 13:06, Artem Pylypchuk <artic...@ua.fm> wrote:

> 
> Hi! I have a new patch to gwlib, it adds two different features related to 
> openssl.
> 
> 1)
> 
> When sending to a proprietary SSL server which has trouble with SSL method 
> chosen, one may receive errors like:
> 
> ERROR: SSL write failed: OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)
> 
> which aren't very verbose :(
> 
> While connection and negotiation errors can be traced by the user outside 
> gwlib, there is the unlocked_write() function inside conn.c that produces 
> these write errors. The following patch has allowed me to trace it into this 
> openssl bug http://cvs.openssl.org/chngview?cn=22565 (bad renegotiation):
> 
> ERROR: SSL write failed: OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)
> ERROR: SSL error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 
> 2)
> The other part of the patch allows the user to manually set the SSL for a 
> Connection, in a workflow like this:
> 
> (it uses a config option use_ssl, which switches from strictly TLSv1 to a 
> negotiation that disallows SSLv2 and TLSv1_1, usually ending up in SSLv3 
> for my server)
> 
> 
> my_ssl_context = SSL_CTX_new(use_ssl ? SSLv23_client_method() : TLSv1_client_method());
> SSL_CTX_set_mode(my_ssl_context, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
> if (use_ssl) {
>     /* tweak SSLv23_client_method() */
>     SSL_CTX_set_options(my_ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1_1);
> }
> 
> con = conn_open_tcp_nb(server_addr, server_port, NULL);
> SSL *ssl = SSL_new(my_ssl_context);
> conn_set_ssl(con, ssl, NULL); /* needs patch to Kannel */
> 
> 
> Otherwise, without this second part of the patch, using an SSL method other 
> than the gwlib-hardcoded default SSLv23_client_method() would require a 
> workaround like this, creating the SSL inside gwlib and then resetting it:
> 
> con = conn_open_ssl_nb(server_addr, server_port, NULL, NULL);
> SSL *conn_ssl = conn_get_ssl(con);
> SSL_clear(conn_ssl);
> SSL_set_ssl_method(conn_ssl, use_ssl ? SSLv23_client_method() : TLSv1_client_method());
> if (use_ssl)
>     SSL_set_options(conn_ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1_1);
> 
> 
> Note that the conn_set_ssl() public function introduced in conn.h sets the SSL 
> only on a Connection created with conn_open_tcp*, and does not override the 
> existing SSL inside a Connection created by conn_open_ssl*. It also needs the 
> certkeyfile argument. Some essential reorganization of where SSL_new from the 
> global context is called inside conn.c was needed to implement this.
> 
> 
> The first part is very useful to trace openssl library errors on write, and I 
> think it should be definitely added to Kannel source. The second reorganizes 
> code inside conn.c and is not quite essential to the user, so you may or may 
> not accept it.
> 
> 
> Cheers!
> Artem
> 
> <ssl_set.patch>
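The decoder below is an added example written for this page; it is not part of Kannel/gwlib and not Artem's patch (which is attached to the message, not shown here). It parses the two quoted log lines, whose trailing part has the shape ERR_error_string() produces (error:<8 hex digits>:<library>:<function>:<reason>), and splits the packed code into the library, function and reason ids that OpenSSL 1.0.x/1.1.x pack into it (the ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros). The point it makes about the first line: library id 0 belongs to no OpenSSL component (ERR_LIB_NONE is 1, ERR_LIB_SYS is 2, ERR_LIB_SSL is 20), so a code that decodes to lib 0 / reason 1 did not come from the error queue; 1 is what SSL_get_error() returns for SSL_ERROR_SSL, and the real detail is the queue entry the second line shows. The struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Decoded view of one OpenSSL error string as printed by ERR_error_string():
 *   error:<8 hex digits>:<library>:<function>:<reason>
 * In OpenSSL 1.0.x/1.1.x the packed code carries three fields: library id in
 * bits 31..24, function id in bits 23..12 and reason id in bits 11..0. */
struct openssl_err {
    unsigned long code;      /* packed code exactly as printed            */
    unsigned lib;            /* ERR_GET_LIB(code)                         */
    unsigned func;           /* ERR_GET_FUNC(code)                        */
    unsigned reason;         /* ERR_GET_REASON(code)                      */
    char libname[64];        /* text field, e.g. "SSL routines" or "lib(0)" */
    char funcname[64];       /* e.g. "SSL3_GET_RECORD"                    */
    char reasontext[128];    /* e.g. "wrong version number"               */
};

/* Parse the first "error:" token on a log line. Returns 1 on success and 0
 * when the line carries no OpenSSL error string. */
int parse_openssl_error(const char *line, struct openssl_err *out)
{
    /* strstr() is case-sensitive, so the leading "ERROR:" prefix is skipped. */
    const char *p = strstr(line, "error:");
    if (p == NULL)
        return 0;
    memset(out, 0, sizeof *out);
    if (sscanf(p, "error:%8lx:%63[^:]:%63[^:]:%127[^\n]",
               &out->code, out->libname, out->funcname, out->reasontext) != 4)
        return 0;
    out->lib    = (unsigned)((out->code >> 24) & 0xff);
    out->func   = (unsigned)((out->code >> 12) & 0xfff);
    out->reason = (unsigned)(out->code & 0xfff);
    return 1;
}

/* Library id 0 is unassigned in OpenSSL (ERR_LIB_NONE is 1, ERR_LIB_SYS is 2,
 * ERR_LIB_SSL is 20). ERR_error_string() renders unknown ids as lib(n),
 * func(n), reason(n), which is exactly the first quoted line: the number was
 * not an error-queue entry, so it cannot explain the failure. */
int from_error_queue(const struct openssl_err *e)
{
    return e->lib != 0;
}

int main(void)
{
    /* The two log lines quoted in the message above, each joined onto one line. */
    static const char *lines[] = {
        "ERROR: SSL write failed: OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)",
        "ERROR: SSL error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct openssl_err e;
        if (!parse_openssl_error(lines[i], &e)) {
            printf("no OpenSSL error string in: %s\n", lines[i]);
            continue;
        }
        printf("code %08lx -> lib %u (%s), func %u (%s), reason %u (%s)%s\n",
               e.code, e.lib, e.libname, e.func, e.funcname, e.reason, e.reasontext,
               from_error_queue(&e) ? "" : "  [not an error-queue entry]");
    }
    return 0;
}
```

For the second line the decoder yields lib 20 (ERR_LIB_SSL), func 143 and reason 267, which is the SSL_R_WRONG_VERSION_NUMBER reason the text field already spells out; the value of draining the queue with ERR_get_error() on a failed write, as the first part of the patch does, is that this entry is what gets logged instead of the bare SSL_get_error() result. One caveat on the second part of the workflow: the negotiation there ends in SSLv3, and on a current OpenSSL the same SSL_CTX_set_options() call would also carry SSL_OP_NO_SSLv3 (or the context would be given a minimum protocol version), so that a server with a broken SSL method fails loudly, with the queue entry above, rather than silently settling on SSLv3.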