From: Christos Tsantilas
Date: Wed, 24 May 2017 09:02:40 +0000 (+0300)
Subject: Squid crashes when server-first bumping mode is used with openSSL-1.1.0 release
X-Git-Tag: M-staged-PR71~164
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b8649ee4b828d6e0b63df3f44e38a8a5676b7eff;p=thirdparty%2Fsquid.git

Squid crashes when server-first bumping mode is used with openSSL-1.1.0 release

When OpenSSL-1.1.0 or later is used:
- The SQUID_USE_SSLGETCERTIFICATE_HACK configure test is false
- The SQUID_SSLGETCERTIFICATE_BUGGY configure test is true
- Squid hits an assert(0) inside Ssl::verifySslCertificate when trying to retrieve a generated certificate from cache.

This is a Measurement Factory project
---
diff --git a/configure.ac b/configure.ac
index 2a0d03bc23..dcaeba85c2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1324,8 +1324,20 @@ if test "x$with_openssl" = "xyes"; then
 SSLLIB="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS $SSLLIB"
 AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available])
 
+ # check for API functions
+ SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate)
+ LIBS="$LIBS $SSLLIB"
+ AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [
+ AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available])
+ ], [
+ missing_SSL_CTX_get0_certificate=yes
+ ])
+ SQUID_STATE_ROLLBACK(check_SSL_CTX_get0_certificate)
+
 # check for other specific broken implementations
- SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
+ if test "x$missing_SSL_CTX_get0_certificate" = "xyes"; then
+ SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
+ fi
 SQUID_CHECK_OPENSSL_CONST_SSL_METHOD
 SQUID_CHECK_OPENSSL_TXTDB
 SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index c9e3b22674..eec48f2165 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
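Review bot: The new `AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, ...)` is a link-only probe, so HAVE_SSL_CTX_GET0_CERTIFICATE can be defined when the library exports the symbol but the headers on the include path do not declare it, and the `#if HAVE_SSL_CTX_GET0_CERTIFICATE` branch this commit adds in src/ssl/support.cc would then fail to compile instead of falling back to the existing GETCERTIFICATE_WORKS probe. Pairing the link check with a declaration check against the OpenSSL headers (for example `AC_CHECK_DECL([SSL_CTX_get0_certificate], [], [missing_SSL_CTX_get0_certificate=yes], [[#include <openssl/ssl.h>]])` inside the same SQUID_STATE_SAVE/ROLLBACK pair) would close that gap. The `# check for API functions` comment could also state why the probe exists, e.g. `# SSL_CTX_get0_certificate avoids poking ctx->cert, which is not possible once SSL_CTX became opaque`; the surrounding `if test "x$with_openssl"` block starts before this hunk.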
@@ -986,9 +986,11 @@ Ssl::configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::Po
 bool
 Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties const &properties)
 {
+#if HAVE_SSL_CTX_GET0_CERTIFICATE
+ X509 * cert = SSL_CTX_get0_certificate(ctx.get());
+#elif SQUID_USE_SSLGETCERTIFICATE_HACK
 // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
 // Try to retrieve certificate directly from Security::ContextPointer object
-#if SQUID_USE_SSLGETCERTIFICATE_HACK
 X509 ***pCert = (X509 ***)ctx->cert;
 X509 * cert = pCert && *pCert ? **pCert : NULL;
 #elif SQUID_SSLGETCERTIFICATE_BUGGY
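Review bot: The new `#if HAVE_SSL_CTX_GET0_CERTIFICATE` branch has no comment, while the hack branch it now precedes keeps its two-line rationale; a reader will not see why the accessor is preferred over the `ctx->cert` poke. Suggest adding above the new `X509 * cert = ...` line: `// Preferred path: the public accessor works where SSL_CTX is opaque (OpenSSL 1.1.0+)`. SSL_CTX_get0_certificate returns a borrowed pointer (the get0 naming means no reference is taken) and is NULL when no certificate has been set on the context, so the NULL handling later in verifySslCertificate, which lies outside this hunk, must cover this branch exactly as it covers the `pCert && *pCert ? **pCert : NULL` result; worth confirming rather than assuming. The rest of the function body is outside the hunk.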