On 16/05/2017 03:04 PM, Amos Jeffries wrote:
Building Squid-5 r15136 against the latest libssl 1.1.0e on Ubuntu.

src/ssl/support.cc: In function ‘bool
Ssl::verifySslCertificate(Security::ContextPointer&, const
Ssl::CertificateProperties&)’:

src/ssl/support.cc:995:34: error: invalid use of incomplete type ‘struct
ssl_ctx_st’
     X509 ***pCert = (X509 ***)ctx->cert;


I am not getting this compile error when I am trying to use OpenSSL-1.1.0, but I am getting a crash when squid is running and uses server-first bumping mode. The crash is caused because SQUID_USE_SSLGETCERTIFICATE_HACK is false and SQUID_SSLGETCERTIFICATE_BUGGY is true.

I am attaching a patch which fixes this bug for squid-5.



Should I just update this hack code to use the
X509_STORE_CTX_get0_cert() getter?

or is this a sign of a deeper bug with the
SQUID_USE_SSLGETCERTIFICATE_HACK autoconf test that needs to be fixed?

In my tests, no, there is no need to fix it.
Are you using an unmodified squid?



Amos

Squid crashes when ServerFirst bumping mode is used with OpenSSL-1.1.0 release

When OpenSSL-1.1.0 or later is used:
  - The SQUID_USE_SSLGETCERTIFICATE_HACK configure test is false
  - The SQUID_SSLGETCERTIFICATE_BUGGY configure test is true
  - Squid hits an assert(0) inside Ssl::verifySslCertificate when trying to
    retrieve a generated certificate from cache.

This is a Measurement Factory project

=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc	2017-04-29 16:19:15 +0000
+++ src/ssl/support.cc	2017-05-17 16:26:34 +0000
@@ -969,43 +969,45 @@
     Security::CertPointer cert;
     Ssl::EVP_PKEY_Pointer pkey;
     if (!readCertAndPrivateKeyFromMemory(cert, pkey, data))
         return false;
 
     if (!cert || !pkey)
         return false;
 
     if (!SSL_use_certificate(ssl, cert.get()))
         return false;
 
     if (!SSL_use_PrivateKey(ssl, pkey.get()))
         return false;
 
     return true;
 }
 
 bool
 Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties const &properties)
 {
+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+    X509 * cert = SSL_CTX_get0_certificate(ctx.get());
+#elif SQUID_USE_SSLGETCERTIFICATE_HACK
     // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
     // Try to retrieve certificate directly from Security::ContextPointer object
-#if SQUID_USE_SSLGETCERTIFICATE_HACK
     X509 ***pCert = (X509 ***)ctx->cert;
     X509 * cert = pCert && *pCert ? **pCert : NULL;
 #elif SQUID_SSLGETCERTIFICATE_BUGGY
     X509 * cert = NULL;
     assert(0);
 #else
     // Temporary ssl for getting X509 certificate from SSL_CTX.
     Security::SessionPointer ssl(Security::NewSessionObject(ctx));
     X509 * cert = SSL_get_certificate(ssl.get());
 #endif
     if (!cert)
         return false;
     ASN1_TIME * time_notBefore = X509_get_notBefore(cert);
     ASN1_TIME * time_notAfter = X509_get_notAfter(cert);
     bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0);
     if (!ret)
         return false;
 
     return certificateMatchesProperties(cert, properties);
 }
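Review bot: The version guard `#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)` also selects the `SSL_CTX_get0_certificate()` branch on LibreSSL, which reports `OPENSSL_VERSION_NUMBER` as 0x20000000L regardless of its real feature set; please confirm that getter exists on every LibreSSL release Squid builds against, or add a `LIBRESSL_VERSION_NUMBER` condition the way other parts of the tree do. Two smaller points: the `#elif SQUID_SSLGETCERTIFICATE_BUGGY` fallback keeps `assert(0)`, so the mis-firing configure tests described in the commit message are only bypassed for 1.0.2+, not repaired, and that deserves a comment at the `assert(0)` line saying which builds can still reach it; and the moved comment "SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e" now sits under the hack branch only, which reads well but should also mention that `SSL_CTX_get0_certificate()` returns a borrowed pointer (no reference taken), since `cert` is never freed here and that is the property the new branch relies on.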

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev