Hello,

I am sending a short patch for LFTP - the patch is against the 3.7.15 released version.

This patch fixes our problem with SSL connections to older servers (in particular to GXS), where a new OpenSSL implementation by default sends the ticket extension to TLS and the server drops the connection with an "unexpected message" SSL alert. This causes strange drops of the data connections in FTP passive mode.

The fix adds a new configuration option "ssl:allow-tls-extension" that is set to "no" by default. This option explicitly disables use of the ticket extension to the TLS protocol.

Best Regards

Tomas

--- lftp-3.7.15/ChangeLog	2008-04-18 09:58:36.000000000 +0200
+++ lftp-3.7.15-new/ChangeLog	2009-08-04 10:51:11.000000000 +0200
@@ -1,3 +1,9 @@
+2009-08-04  Tomas Fencl <[email protected]>
+
+	* lftp_ssl.cc: fixed TLS hanshake errors with new version of OpenSSL. 
+          The ticket extension is disabled by default and can be enable by 
+          a new configuration option ssl:allow-tls-extension.
+
 2008-04-06  Nix  <[email protected]>
 
 	* configure.ac: Provide missing bits needed for strtoumax et al.
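Review bot: the new ChangeLog entry has typos and inconsistent indentation: "hanshake" should be "handshake", "can be enable by" should be "can be enabled by", and the two continuation lines are indented with spaces while the first line (and the existing entries below) use a tab. The option name is also broader than what it controls: ssl:allow-tls-extension only toggles the session ticket extension, so a name such as ssl:allow-tls-ticket would stop users reading it as "disable all TLS extensions".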

--- lftp-3.7.15/src/lftp_ssl.cc	2008-11-27 06:56:39.000000000 +0100
+++ lftp-3.7.15-new/src/lftp_ssl.cc	2009-08-04 10:51:11.000000000 +0200
@@ -746,7 +746,25 @@
 #else
    SSLeay_add_ssl_algorithms();
    ssl_ctx=SSL_CTX_new(SSLv23_client_method());
+
+#if defined(SSL_OP_NO_TICKET)
+   /* Reverts changes in openssl library that cause SSL hanshake failures
+    * default setting disables "ticket" extension to TLS and and adds an option 
+    * to enable it in lftp configuration
+    */
+
+   const char ssl_no_ticket=ResMgr::Query("ssl:allow-tls-extension",0)[0];
+   if (ssl_no_ticket=='n') {
+      Log::global->Format(8,"Disabling Ticket extension to TLS protocol\n");
+      SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_TICKET);
+   } else {
+      Log::global->Format(8,"Enabling Ticket extension to TLS protocol\n");
+      SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+   }
+#else
    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+#endif
+
    SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,lftp_ssl_openssl::verify_callback);
 //    SSL_CTX_set_default_passwd_cb(ssl_ctx,lftp_ssl_passwd_callback);
 
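Review bot: reading the setting with `ResMgr::Query("ssl:allow-tls-extension",0)[0]` and comparing the first character to 'n' only works because BoolValidate normalises the stored value; use the boolean accessor (ResMgr::QueryBool) instead of a char compare, and rename the variable, since `ssl_no_ticket` actually holds the value of an "allow" setting, which reads backwards in `if (ssl_no_ticket=='n')`. Note too that a default of "no" changes the ClientHello for every server, not just the broken ones; OpenSSL then falls back to session-ID resumption, so this is functionally safe, but consider defaulting to the standard behaviour and documenting the option as the workaround for servers like GXS. The `#if defined(SSL_OP_NO_TICKET)` guard is correct, since the flag does not exist in older OpenSSL. Finally, fix the comment typos ("hanshake", "and and").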

--- lftp-3.7.15/src/resource.cc	2009-03-17 11:59:59.000000000 +0100
+++ lftp-3.7.15-new/src/resource.cc	2009-08-04 10:51:11.000000000 +0200
@@ -347,6 +347,7 @@
 # if USE_OPENSSL
    {"ssl:ca-path",		 "",	  ResMgr::DirReadable,ResMgr::NoClosure},
    {"ssl:crl-path",		 "",	  ResMgr::DirReadable,ResMgr::NoClosure},
+   {"ssl:allow-tls-extension",	 "no",	  ResMgr::BoolValidate,0},
 # endif
 #endif
    {0}
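Review bot: the new entry passes 0 as the closure validator where the neighbouring ssl:* entries use ResMgr::NoClosure; with 0 a per-host form such as `set ssl:allow-tls-extension/host yes` is accepted, but the lookup in lftp_ssl.cc queries with closure 0, so such a setting would be silently ignored. Use ResMgr::NoClosure for consistency, or query with the host closure if per-host control is intended. The patch also adds no documentation for the new setting (the man page list of ssl:* settings is not touched).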

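As an added check, not part of lftp or of the patch above, the following Python script reproduces the ClientHello that OpenSSL would send (via Python's ssl module, which wraps the same SSL_CTX options the patch sets) with and without OP_NO_TICKET, parses the record, and reports whether the session_ticket extension (type 35, RFC 5077) is present. The host name is a placeholder; no network connection is made. The parser can equally be fed a ClientHello captured from lftp after AUTH TLS to confirm the option took effect.

```python
"""Check whether a TLS ClientHello carries the session_ticket extension.

Added example, not lftp code. Python's ssl module (OpenSSL underneath)
produces a ClientHello offline into a MemoryBIO, with and without
OP_NO_TICKET (the same flag the patch sets via SSL_CTX_set_options),
and the record is parsed to list the extension types actually sent.
"""
import ssl
import struct

SESSION_TICKET = 35   # RFC 5077 "session_ticket" extension type
SERVER_NAME = 0       # RFC 6066 "server_name" extension type
HOSTNAME = "ftp.example.invalid"   # placeholder; no connection is ever opened


def build_client_hello(allow_ticket: bool) -> bytes:
    """Return the raw TLS record holding the ClientHello OpenSSL would send."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we never get past the ClientHello,
    ctx.verify_mode = ssl.CERT_NONE     # so no certificate is ever verified
    if not allow_ticket:
        ctx.options |= ssl.OP_NO_TICKET  # equivalent of SSL_OP_NO_TICKET in the patch
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=HOSTNAME)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass   # ClientHello has been written; OpenSSL now waits for a ServerHello
    return outgoing.read()


def client_hello_extensions(record: bytes) -> dict:
    """Parse a TLS record containing a ClientHello; return {ext_type: ext_data}."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos >= len(hello):
        return {}                                  # no extensions block at all
    (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    exts = {}
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[ext_type] = hello[pos:pos + ext_data_len]
        pos += ext_data_len
    return exts


def sends_session_ticket(allow_ticket: bool) -> bool:
    """True if OpenSSL's ClientHello includes the session_ticket extension."""
    return SESSION_TICKET in client_hello_extensions(build_client_hello(allow_ticket))


if __name__ == "__main__":
    for allow in (True, False):
        exts = client_hello_extensions(build_client_hello(allow))
        print(f"allow_ticket={allow}: extensions={sorted(exts)} "
              f"session_ticket={SESSION_TICKET in exts}")
```

With the ticket allowed, extension 35 shows up in the list; with OP_NO_TICKET set it disappears while the rest of the hello (server_name and the others) is unchanged, which is exactly the difference a server such as the one described above reacts to.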