[Date Prev] [Date Index] [Date Next] [Thread Prev] [Thread Index] [Thread Next]

Re: Porting conserver to OpenSSL 1.1

John Stoffel john@stoffel.org
Fri, 28 Jul 2017 16:01:01 GMT

>>>>> "solo-conserver" == solo-conserver  <solo-conserver@goeswhere.com> writes:

solo-conserver> On Tue, Jul 25, 2017 at 05:43:06PM -0400, John Stoffel wrote:
>> I wonder if the issue is that it looks like you're trying to use
>> sslv3, but I bet you need to change to using TLSv1 or v2 instead,
>> since ssl2 and ssl3 are deprecated now.

solo-conserver> This is fixed by OpenSSL itself by macros; requests for SSL2/3 are just
solo-conserver> requests for "the latest TLS version" now:

solo-conserver> https://github.com/openssl/openssl/blob/d445302418b41b76c15e103954b1311d98077480/include/openssl/ssl.h#L1750

solo-conserver> I can see this in the tcpdump; the client is happily talking 1.2.

That's good to know.  

>> Can you post your patches?  Or a link to a git repo I could pull and
>> glance over?  But I warn you all, I'm not a strong C hacker at all...

solo-conserver> I didn't realise the mailing list would strip the patch, bah! Here's a repo:

solo-conserver> https://github.com/FauxFaux/conserver

solo-conserver> The patch:

solo-conserver> https://github.com/FauxFaux/conserver/commit/08be145f18fe4dda5e7cb4cd8fc65420e45348f3

I'm looking at this now.  Got busy with other stuff past few days...

solo-conserver> You can see the problem just by running:
solo-conserver> autoreconf -vf
solo-conserver> ./configure --with-openssl
solo-conserver> make
solo-conserver> make test

Can you give more details on your evironment, and the exact version of
openssl you have installed?

Also, looking at your patch, I see that you removed DH_new() call, but
never replaced it.  So I wonder if that's part of the problem?