wow. I am surprised how proxy protocl might be used. can we add reg test on that ?
вт, 2 июл. 2019 г. в 01:31, Lukas Tribus <[email protected]>: > Hello Ilya, hello Willy, > > > On Thu, 27 Jun 2019 at 14:04, Lukas Tribus <[email protected]> wrote: > > > > Hello, > > > > On Thu, 27 Jun 2019 at 13:19, Willy Tarreau <[email protected]> wrote: > > > > > > Hi guys, > > > > > > On Thu, Jun 27, 2019 at 03:55:54PM +0500, ???? ??????? wrote: > > > > you are right, commit messages is not my best. > > > > sorry about that > > > > > > > > anyway, if you think it is wrong, you are welcome to provide a fix > > > > (sometimes, I do wrong things, I'm ok with that) > > > > > > Ilya, don't take it bad, bugs always happen and the problem with bugs > > > is to detect them then to figure how to address them. > > > > Indeed, bugs will always happen, it doesn't matter who the author is, > > and that was not my critique. My issue was merely with the amount of > > changes and the description. > > > > I will provide some more technical context tomorrow. > > SSL_state() would return an int, not an enum, so the comparison would > have to be a bitwise AND (but even OpenSSL got it wrong in their own > server example code). > > Even fixing that, it does not work; neither OpenSSL nor LibreSSL > recognizes the empty handshake. I assume this broke a long time ago in > OpenSSL (before the forks). > > An alternative, even simpler call available in both OpenSSL and > LibreSSL would be SSL_in_before(), but that's really just a: > # define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE) > > so it fails just like it's parent function. > > When I say fail, I mean the comparison is never true and we do not > recognize the empty handshake, which I simulated with and without > proxy protocol like this: > > echo -ne "PROXY TCP4 172.30.1.153 172.30.1.153 3052 3443\r\n" | nc > 127.0.0.1 443 > echo -ne "" | nc 127.0.0.1 444 > > > I did not find any way in LibreSSL to make it recognize an empty > handshake, which is why I suggest we remove LibreSSL from the equation > just like we did with BoringSSL. > > I will follow-up with an RFC patch shortly and I'd ask you, Ilya, to > provide feedback. > > > I have yet to verify a possible additional issue with empty handshake > detection in 2.0 and -dev for OpenSSL 1.1.0 that came up during > testing, but are unrelated to this specific change. > > > Regards, > Lukas >
