From: Christos Tsantilas
Date: Mon, 29 May 2017 02:10:50 +0000 (+1200)
Subject: Crashes when server-first bumping mode is used with openSSL-1.1.0 release
X-Git-Tag: SQUID_4_0_20~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3b7e8f3a41c425d5a1c636f202761497afa3f31;p=thirdparty%2Fsquid.git

Crashes when server-first bumping mode is used with openSSL-1.1.0 release

When OpenSSL-1.1.0 or later is used:
- The SQUID_USE_SSLGETCERTIFICATE_HACK configure test is false
- The SQUID_SSLGETCERTIFICATE_BUGGY configure test is true
- Squid hits an assert(0) inside Ssl::verifySslCertificate when trying to retrieve a generated certificate from cache.

This is a Measurement Factory project
---
diff --git a/configure.ac b/configure.ac
index ec58e502a3..0441249718 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1347,8 +1347,20 @@ if test "x$with_openssl" = "xyes"; then
 SSLLIB="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS $SSLLIB" AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available]) + # check for API functions + SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate) + LIBS="$LIBS $SSLLIB" + AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [ + AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available]) + ], [ + missing_SSL_CTX_get0_certificate=yes + ]) + SQUID_STATE_ROLLBACK(check_SSL_CTX_get0_certificate) + # check for other specific broken implementations - SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS + if test "x$missing_SSL_CTX_get0_certificate" = "xyes"; then + SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS + fi SQUID_CHECK_OPENSSL_CONST_SSL_METHOD SQUID_CHECK_OPENSSL_TXTDB SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index c9e3b22674..eec48f2165 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
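Review bot: The new `AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, ...)` test in the configure.ac hunk only proves that the symbol links, not that `<openssl/ssl.h>` declares it, so `HAVE_SSL_CTX_GET0_CERTIFICATE` can end up defined on a toolchain whose headers are older than its libssl (or with a drop-in libssl that exports the name without the prototype), and the `#if HAVE_SSL_CTX_GET0_CERTIFICATE` branch that this macro now selects in src/ssl/support.cc would then fail to compile. Pairing the link test with a declaration test inside the same save/rollback window, e.g. `AC_CHECK_DECL([SSL_CTX_get0_certificate], [], [missing_SSL_CTX_get0_certificate=yes], [[#include <openssl/ssl.h>]])`, would pin the prototype as well; on a consistent OpenSSL 1.1.0 install the hunk as written is correct, so this is hardening rather than a bug. A short comment above `SQUID_STATE_SAVE` stating why the test is bracketed, such as `# AC_CHECK_LIB appends -lssl to LIBS; save/rollback so later tests are not affected`, would also help, assuming that is what the save/rollback macros restore (inferred from their names only).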
@@ -986,9 +986,11 @@ Ssl::configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::Po
 bool
 Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties const &properties)
 {
+#if HAVE_SSL_CTX_GET0_CERTIFICATE
+    X509 * cert = SSL_CTX_get0_certificate(ctx.get());
+#elif SQUID_USE_SSLGETCERTIFICATE_HACK
     // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
     // Try to retrieve certificate directly from Security::ContextPointer object
-#if SQUID_USE_SSLGETCERTIFICATE_HACK
     X509 ***pCert = (X509 ***)ctx->cert;
     X509 * cert = pCert && *pCert ? **pCert : NULL;
 #elif SQUID_SSLGETCERTIFICATE_BUGGY
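Review bot: The new `X509 * cert = SSL_CTX_get0_certificate(ctx.get());` line can leave `cert` NULL when the context has no certificate loaded, exactly as the HACK branch below it does explicitly with `: NULL`, and the hunk shows no null check before `cert` is used; the rest of `Ssl::verifySslCertificate` lies outside the hunk, so please confirm the code after `#endif` rejects a null `cert` instead of dereferencing it. The pointer is also non-owning per OpenSSL's `get0` naming convention: it must not be freed and is only valid while `ctx` keeps the SSL_CTX alive, which is fine here because `ctx` is a reference parameter but matters if `cert` were ever stored beyond this call. A comment on the new line would make both facts explicit for the next maintainer: `// get0: borrowed from ctx (do not free); NULL when no certificate is loaded`. Moving the 1.0.1d/1.0.1e comment under `#elif SQUID_USE_SSLGETCERTIFICATE_HACK` is the right call, since it describes that branch only.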