FreeTDS with Openssl 1.1.1m fails to connect #458

Closed
5u623l20 opened this issue Feb 26, 2022 · 9 comments

@5u623l20

5u623l20 commented Feb 26, 2022

I am the maintainer of the freetds port in FreeBSD and am reporting a connection failure on behalf of other users:

Command:
setenv TDSDUMP /tmp/freetds.log
tsql -S host -U username -P password

tail /tmp/freetds.log
tls.c:130:in tds_pull_func_login
tls.c:130:in tds_pull_func_login
tls.c:130:in tds_pull_func_login
tls.c:1065:handshake succeeded!!
login.c:1053:quietly sending TDS 7+ login packet
token.c:418:tds_process_login_tokens()

This is the case when we are using OpenSSL 1.1.1m. But in case we are using OpenSSL 1.1.1k or GNUTLS it works without any problems.

Here is the buildlog:
https://pdr.bofh.network/data/latest-per-pkg/freetds/1.3.9%2C1/130-default.log

And in case it's difficult to find I can find some warnings although it doesn't look like a showstopper to me:

random.c:59:6: warning: 'RAND_pseudo_bytes' is deprecated [-Wdeprecated-declarations]
        if (RAND_pseudo_bytes(out, len) >= 0)
            ^
/usr/include/openssl/rand.h:44:1: note: 'RAND_pseudo_bytes' has been explicitly marked deprecated here
DEPRECATEDIN_1_1_0(int RAND_pseudo_bytes(unsigned char *buf, int num))
^
/usr/include/openssl/opensslconf.h:153:34: note: expanded from macro 'DEPRECATEDIN_1_1_0'
# define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
                                 ^
/usr/include/openssl/opensslconf.h:116:55: note: expanded from macro 'DECLARE_DEPRECATED'
#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
                                                      ^
1 warning generated.
@fziglio

fziglio commented Mar 5, 2022

The warning should surely be removed, but it's not the issue. I cannot see why a minor update could lead to this. Instead, what I would check is whether they removed some cipher with the update. Recently, in many cases, the OpenSSL requirements for ciphers are not satisfied by MS.

@CyberCr33p

On my system "OpenSSL 1.1.1k-freebsd 24 Aug 2021" and "OpenSSL 1.1.1o-freebsd 3 May 2022" have the same ciphers.

@CyberCr33p

This issue is not FreeBSD related, as it also exists on Linux:

  1. FreeTDS 1.3.10 + OpenSSL 1.1.1k = SUCCESS
  2. FreeTDS 1.3.10 + OpenSSL 1.1.1l = FAIL

So the first version that doesn't work is 1.1.1l.

@fziglio

fziglio commented May 30, 2022

Can you try this?

diff --git a/src/tds/tls.c b/src/tds/tls.c
index 64c6bba2..bc63e2cf 100644
--- a/src/tds/tls.c
+++ b/src/tds/tls.c
@@ -826,18 +826,25 @@ tds_check_wildcard_test(void)
 static int
 check_name_match(ASN1_STRING *name, const char *hostname)
 {
-       char *name_utf8 = NULL;
+       char *name_utf8 = NULL, *tmp_name;
        int ret, name_len;
 
        name_len = ASN1_STRING_to_UTF8((unsigned char **) &name_utf8, name);
        if (name_len < 0)
                return 0;
 
+       tmp_name = tds_strndup(name_utf8, name_len);
+       OPENSSL_free(name_utf8);
+       if (!tmp_name)
+               return 0;
+
+       name_utf8 = tmp_name;
+
        tdsdump_log(TDS_DBG_INFO1, "Got name %s\n", name_utf8);
        ret = 0;
        if (strlen(name_utf8) == name_len && check_wildcard(name_utf8, hostname))
                ret = 1;
-       OPENSSL_free(name_utf8);
+       free(name_utf8);
        return ret;
 }
 
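Review bot: In check_name_match, the added tds_strndup copy and the switch from OPENSSL_free to free at the end carry no comment saying why the copy is needed, so a later cleanup could easily drop it. A short comment above `tmp_name = tds_strndup(name_utf8, name_len);` stating that the buffer from ASN1_STRING_to_UTF8 is handled as name_len bytes without relying on a terminator, before it reaches the `%s` log call and strlen, would help. The `strlen(name_utf8) == name_len` test still rejects a name with an embedded NUL because the copy is bounded by name_len, but it compares a size_t against an int; name_len is already known to be non-negative at that point, so casting it to size_t would avoid sign-compare warnings. The final `free(name_utf8);` is correct only if tds_strndup allocates with malloc, which is not visible in this hunk and is worth confirming.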

@CyberCr33p

Yes, it works with 1.1.1l, so I guess it will work with newer versions too. Thank you. I will ask @5u623l20 to create a patch for the FreeBSD port until you release a new version with this patch.

@5u623l20
Author

Will take care of it tomorrow.

@CyberCr33p

Thank you both.

vishwin pushed a commit to vishwin/freebsd-ports that referenced this issue May 31, 2022
- FreeTDS fails to connect with MsSQL after the latest updates of
  OpenSSL, especially after the release of 13.1 SNAPSHOTS including
  13.1-RELEASE and more specifically when openssl turned into 1.1.1l
  See the following for more details:
  FreeTDS/freetds#458
- After the upgrade to version 1.3.9 FreeTDS fails to upgrade when using
  ports tree. [1]

PR:		261967 263641 [1]
Reported by:	jsc@ntu.edu.tw eugen [1]
@fziglio

fziglio commented May 31, 2022

Fixed in 1.3.11

@avkarenow

Unfortunately, the problem with connection still appears with OpenSSL 1.1.1t-freebsd on FreeBSD 13.2. I temporarily switched to GnuTLS which can properly handle connections.
