On Feb 23, 2010 at 17:47, Klaus Darilion <[email protected]> wrote:
> Is it possible to overrule this behavior, e.g. for testing?
No, but if you mean the cipher_list=RSA bug, then there's no need to overwrite it, it should be still triggered. If you need an overwrite switch, I could add a new force_no_krb_workaround param.

Andrei

> > On 23.02.2010 16:37, Andrei Pelinescu-Onciul wrote:
> >Module: sip-router
> >Branch: master
> >Commit: 51ee5da9ebf09447f71d4393f7c5b703305ff46d
> >URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=51ee5da9ebf09447f71d4393f7c5b703305ff46d
> >
> >Author: Andrei Pelinescu-Onciul <[email protected]>
> >Committer: Andrei Pelinescu-Onciul <[email protected]>
> >Date: Tue Feb 23 16:10:21 2010 +0100
> >
> >tls: disable kerberos more thoroughly [fix]
> >
> >Older openssl versions (< 0.9.8e release) have a bug in the
> >kerberos code (it uses the wrong malloc, for more details see
> >openssl bug # 1467). While there is already a workaround for this
> >openssl bug in the sr code (see commits 36cb8f & 560a42), in some
> >situations this workaround causes another bug (crash on connection
> >opening when openssl is compiled with kerberos support and
> >kerberos is enabled for key exchange).
> >The current fix will disable automatically all the ciphers containing
> >KRB5 if the openssl version is < 0.9.8e beta1 or it is between
> >0.9.9-dev and 0.9.9-beta1.
> >It is equivalent to setting cipher_list to "<prev. value>:!KRB5".
> >
> >Impact: this fix is needed only if openssl is compiled with
> >kerberos support and the version is < 0.9.8e. It also affects at
> >least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
> >openssl package they play some strange games with the version and
> >report 0.9.8b via SSLeay).
> > > >Tested-by: Klaus Darilion klaus.mailinglists at pernau.at > >Reported-by: Klaus Darilion klaus.mailinglists at pernau.at > >Reported-by: Andreas Rehbein rehbein at e-technik.org > >Reported-by: Martin Koenig koenig starface.de > > > >--- > > > > modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++---- > > 1 files changed, 31 insertions(+), 4 deletions(-) > > > >diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c > >index b0d5d3c..c4f25e8 100644 > >--- a/modules/tls/tls_domain.c > >+++ b/modules/tls/tls_domain.c > >@@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d) > > return 0; > > } > > > >+#define C_DEF_NO_KRB5 "DEFAULT:!KRB5" > >+#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1) > >+#define C_NO_KRB5_SUFFIX ":!KRB5" > >+#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1) > > > > /* > > * Configure cipher list 
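Review bot: C_DEF_NO_KRB5 and C_DEF_NO_KRB5_LEN are introduced in this hunk but nothing uses them; the set_cipher_list() hunk assigns the literal instead (`cipher_list="DEFAULT:!KRB5";`). Either use C_DEF_NO_KRB5 there so the two strings cannot drift apart, or drop the two unused defines and keep only C_NO_KRB5_SUFFIX and C_NO_KRB5_SUFFIX_LEN, which are the ones the append path actually needs.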
> >@@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d) > > { > > int i; > > int procs_no; > >- > >- if (!d->cipher_list.s) return 0; > >+ char* cipher_list; > >+ > >+ cipher_list=d->cipher_list.s; > >+#ifdef TLS_KSSL_WORKARROUND > >+ if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */ > >+ if (d->cipher_list.s==0) { > >+ /* use "DEFAULT:!KRB5" */ > >+ cipher_list="DEFAULT:!KRB5"; > >+ } else { > >+ /* append ":!KRB5" */ > >+ > >cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1); > >+ if (cipher_list) { > >+ memcpy(cipher_list, d->cipher_list.s, > >d->cipher_list.len); > >+ memcpy(cipher_list+d->cipher_list.len, > >C_NO_KRB5_SUFFIX, > >+ C_NO_KRB5_SUFFIX_LEN); > >+ > >cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0; > >+ shm_free(d->cipher_list.s); > >+ d->cipher_list.s=cipher_list; > >+ d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN; > >+ } > >+ } > >+ } > >+#endif /* TLS_KSSL_WORKARROUND */ > >+ if (!cipher_list) return 0; > > procs_no=get_max_procs(); > > for(i = 0; i< procs_no; i++) { > >- if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == > >0 ) { > >- ERR("%s: Failure to set SSL context cipher list\n", > >tls_domain_str(d)); > >+ if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) { > >+ ERR("%s: Failure to set SSL context cipher list > >\"%s\"\n", > >+ tls_domain_str(d), cipher_list); > > return -1; > > } > > } > > > > > >_______________________________________________ > >sr-dev mailing list > >[email protected] > >http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
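Review bot: the allocation-failure path in the else branch silently drops the cipher list: when shm_malloc() returns NULL, cipher_list is NULL and the later `if (!cipher_list) return 0;` reports success without calling SSL_CTX_set_cipher_list() on any context, so the list the administrator configured (and the KRB5 exclusion it was meant to gain) is not applied and nothing is logged. Either log and `return -1;` the way the SSL_CTX_set_cipher_list() failure branch already does, or fall back to d->cipher_list.s so at least the configured list is enforced. Two smaller points: the else branch frees d->cipher_list.s and stores the suffixed copy back into the domain, so if set_cipher_list() can run more than once for the same domain each run appends another ":!KRB5"; and the guard is spelled TLS_KSSL_WORKARROUND (double R) in both the #ifdef and the #endif comment, which must match the spelling at the definition site or the whole block compiles out.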

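The version rule and the cipher-list rewrite the commit message describes, as an added example in C that is not sip-router code: it parses OpenSSL version strings into the numeric form SSLeay() reports, applies the "< 0.9.8e beta1, or between 0.9.9-dev and 0.9.9-beta1" rule, and builds the string to hand to SSL_CTX_set_cipher_list() with an explicit allocation-failure result instead of a silent success. The numeric thresholds, the reading of "between" as dev-inclusive and beta1-exclusive, the function names and the pluggable allocator are all assumptions made for the example.

```c
/* Added example, not sip-router code: the version rule and cipher-list
 * rewrite from the commit message, with the allocation-failure path made
 * explicit. OpenSSL encodes versions as 0xMNNFFPPS (major, minor, fix,
 * patch letter, status: 0 dev, 1..e beta, f release); the thresholds
 * below are that encoding of the versions the commit names (assumption). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KRB5_SUFFIX    ":!KRB5"
#define V_0_9_8E_BETA1 0x00908051L   /* 0.9.8e-beta1 */
#define V_0_9_9_DEV    0x00909000L   /* 0.9.9-dev    */
#define V_0_9_9_BETA1  0x00909001L   /* 0.9.9-beta1  */

/* Parse "M.NN.FF[p][-dev|-betaN]" into the number SSLeay() reports at run
 * time; -1 on malformed input. Single patch letters only (OpenSSL later
 * used "za", "zb", ..., which this simplification does not handle). */
long openssl_version_number(const char *s)
{
    long major, minor, fix, patch = 0, status = 0xf;
    char *end;

    major = strtol(s, &end, 10); if (*end != '.') return -1; s = end + 1;
    minor = strtol(s, &end, 10); if (*end != '.') return -1; s = end + 1;
    fix = strtol(s, &end, 10);   s = end;
    if (*s >= 'a' && *s <= 'z') { patch = *s - 'a' + 1; s++; }
    if (strncmp(s, "-dev", 4) == 0) { status = 0; s += 4; }
    else if (strncmp(s, "-beta", 5) == 0) {
        status = strtol(s + 5, &end, 10); s = end;
        if (status < 1 || status > 14) return -1;
    }
    if (*s != '\0') return -1;
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | status;
}

/* The commit's rule: bug present below 0.9.8e-beta1, and on the 0.9.9
 * development branch before 0.9.9-beta1 (dev inclusive, beta1 exclusive). */
int kssl_malloc_bug_present(long version)
{
    if (version < 0) return 0;
    if (version < V_0_9_8E_BETA1) return 1;
    return version >= V_0_9_9_DEV && version < V_0_9_9_BETA1;
}

/* 1 if the cipher string already carries a "!KRB5" token. */
int cipher_list_excludes_krb5(const char *list)
{
    const char *p = list;
    while (*p) {
        const char *tok = p;
        while (*p && *p != ':' && *p != ',' && *p != ' ') p++;
        if (p - tok == 5 && memcmp(tok, "!KRB5", 5) == 0) return 1;
        if (*p) p++;
    }
    return 0;
}

/* Build the string for SSL_CTX_set_cipher_list(). Returns a fresh buffer
 * from allocf (malloc here; a shared-memory allocator in a real server), or
 * NULL: with *err == 0 nothing was configured and the library default
 * stands; with *err == 1 allocation failed and the caller must report it
 * rather than continue with the configured list silently unapplied. */
char *build_cipher_list(const char *configured, long version,
                        void *(*allocf)(size_t), int *err)
{
    const char *base = configured, *suffix = "";
    size_t blen, slen;
    char *out;

    *err = 0;
    if (kssl_malloc_bug_present(version)) {
        if (configured == NULL) base = "DEFAULT";
        if (configured == NULL || !cipher_list_excludes_krb5(configured))
            suffix = KRB5_SUFFIX;            /* never stack ":!KRB5:!KRB5" */
    } else if (configured == NULL) {
        return NULL;                         /* library default, no error */
    }
    blen = strlen(base); slen = strlen(suffix);
    out = allocf(blen + slen + 1);
    if (out == NULL) { *err = 1; return NULL; }
    memcpy(out, base, blen);
    memcpy(out + blen, suffix, slen + 1);    /* copies the NUL too */
    return out;
}

/* Allocator that always fails, to exercise the error path. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* 1 if the list built for (configured, version) equals expected (NULL
 * matches NULL), 0 if it differs, -1 if allocation failed. allocf must be
 * free()-compatible here. */
int cipher_list_matches(const char *configured, const char *version,
                        void *(*allocf)(size_t), const char *expected)
{
    int err, same;
    char *got = build_cipher_list(configured, openssl_version_number(version),
                                  allocf, &err);
    if (err) return -1;
    same = (got == NULL && expected == NULL) ||
           (got != NULL && expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return same;
}

int main(void)
{
    const char *v[] = { "0.9.8b", "0.9.8e-beta1", "0.9.8e", "0.9.9-dev", "1.0.0" };
    size_t i;
    for (i = 0; i < sizeof v / sizeof *v; i++) {
        int err;
        long n = openssl_version_number(v[i]);
        char *cl = build_cipher_list("RSA", n, malloc, &err);
        printf("%-12s 0x%08lx bug=%d cipher_list=%s\n", v[i], n,
               kssl_malloc_bug_present(n), cl ? cl : "(default)");
        free(cl);
    }
    return 0;
}
```

The point of the pluggable allocator is the CentOS case from the commit message: a runtime check against SSLeay() (here fed "0.9.8b", which that package reports) is what decides, not the package version, and when the copy that carries ":!KRB5" cannot be allocated the caller gets an error it has to act on, not a configuration that quietly falls back to whatever the library default allows.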