test server: take care of siginterrupt() deprecation #6529

Closed

Contributor

@monnerat monnerat commented Jan 26, 2021

openssl >= 1.1.0 deprecates *_client_method() functions other than TLS_client_method(). Take care of it with conditionals.

Test server uses deprecated siginterrupt() after signal(). Depending on availability, merge both using sigaction().

@monnerat monnerat force-pushed the monnerat:deprecations branch from 825b6d8 to 580e5f8 Jan 26, 2021
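
The replacement named in the description above, as an added example (not code from this pull request or from curl's test server): one `sigaction()` call with `SA_RESTART` left out behaves like `signal()` followed by `siginterrupt(sig, 1)`. The function names and the SIGALRM/pipe check are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* sigaction() under strict -std= modes */
#endif
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

static volatile sig_atomic_t got_signal = 0;

static void on_signal(int signum) { got_signal = signum; }

/* One sigaction() call in place of signal() + siginterrupt(signum, 1):
   leaving SA_RESTART out of sa_flags makes blocking calls fail with EINTR. */
int install_interrupting_handler(int signum, void (*handler)(int))
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = handler;
  sigemptyset(&sa.sa_mask);   /* block no extra signals in the handler */
  sa.sa_flags = 0;            /* deliberately no SA_RESTART */
  return sigaction(signum, &sa, NULL);
}

/* 1 if the installed disposition interrupts system calls, 0 if it restarts. */
int handler_interrupts(int signum)
{
  struct sigaction cur;
  if(sigaction(signum, NULL, &cur) != 0)
    return -1;
  return (cur.sa_flags & SA_RESTART) ? 0 : 1;
}

/* Block in read() on an empty pipe until SIGALRM fires; return read()'s errno. */
int read_errno_after_alarm(void)
{
  int fds[2];
  char c;
  int err = 0;
  if(pipe(fds) != 0)
    return -1;
  alarm(1);                   /* deliver SIGALRM while read() is blocked */
  if(read(fds[0], &c, 1) < 0)
    err = errno;
  alarm(0);
  close(fds[0]);
  close(fds[1]);
  return err;
}
```

A server loop that relies on `EINTR` to notice a shutdown signal keeps working with this form, whereas a handler installed with `SA_RESTART` would leave the blocking call waiting.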
Member

@jay jay commented Jan 26, 2021

I'd split this into 2 commits. Ah, I see you did that already...

@monnerat monnerat force-pushed the monnerat:deprecations branch from 3a5496b to d2b1bc4 Jan 26, 2021
Member

@bagder bagder commented Jan 27, 2021

Those FreeBSD test failures look like they're not just regular flakiness...

Contributor Author

@monnerat monnerat commented Jan 27, 2021

> Those FreeBSD test failures look like they're not just regular flakiness...

Yes, I agree and have looked at them carefully. However, I don't see how they can be related to this PR: the failing tests deal with direct ftps and we have a proxy input and http2 server logs. Unless I misunderstand something, it's like the test environment sets the target port for the client where the wrong server listens.

The failing tests are all tests using ftps server and performing a data transfer.

In any case, I will change a commit a little bit, so consider this PR on hold. Thanks.

@monnerat monnerat force-pushed the monnerat:deprecations branch 2 times, most recently from 6f7272d to 7b4833d Jan 27, 2021
@@ -2672,6 +2691,11 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif

/* As OpenSSL may disable protocol versions by default, clear these
options first.
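
Review bot: the new comment after the `#endif` justifies clearing options only with "OpenSSL may disable protocol versions by default", without naming the option bits being cleared or the OpenSSL versions that set them by default. Since this sits in the `ctx_options` setup of `ossl_connect_step1()` and changes which protocol versions the context may negotiate, the comment should list those bits and the versions concerned, so a reader can confirm that no protocol version gets re-enabled unintentionally.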

jay Jan 28, 2021
Member

Are you sure about this? I don't see it documented that way, I checked https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_clear_options.html

bagder Jan 28, 2021
Member

Also, it seems like an unrelated change. It is not here to "suppress deprecation warnings" surely?

What's the reason for adding this function call? Everything that changes the setup of OpenSSL creates a risk and we need to be careful.

monnerat Jan 28, 2021
Author Contributor

> Are you sure about this?

@jay : On the page you linked:

> SSL_CTX_set_options() adds the options set via bitmask in options to ctx. Options already set before are not cleared!

and

> SSL_OP_NO_SSLv2
> Do not use the SSLv2 protocol. As of OpenSSL 1.0.2g the SSL_OP_NO_SSLv2 option is set by default.

@bagder :

> Also, it seems like an unrelated change. It is not here to "suppress deprecation warnings" surely?

It is related because when conditionals enable TLS_client_method(), there's a risk that the target protocol version is disabled by default. The documentation does not specify if setting the min/max version in the context overrides the options or not.

OpenSSL changed the handling of protocol selection many times in the last several versions: they deprecated *_client_method(), set SSL_OP_NO_SSLv2 by default, then defined the latter as 0. I think clearing the protocol options that are under our control is the simplest way of dealing with the problem for all versions up to now.

monnerat Jan 28, 2021
Author Contributor

BTW: there's nothing in our test environment that allows verifying the proper TLS protocol and cipher selection. I checked the code to see if this can be implemented easily: the answer is no :-( Server side uses stunnel and no backend-independent API allows it on the client side.

Contributor Author

@monnerat monnerat commented Jan 28, 2021

The freebsd test failures have disappeared miraculously.
Current Travis CI job has not yet started. Stuck?
Else I do not plan any other modification to this PR, therefore I release the "hold".

@monnerat monnerat force-pushed the monnerat:deprecations branch 2 times, most recently from 7aa5e13 to 2f8a947 Jan 30, 2021
@monnerat monnerat force-pushed the monnerat:deprecations branch 2 times, most recently from 01edbce to d8120c5 Feb 12, 2021
@monnerat monnerat force-pushed the monnerat:deprecations branch from d8120c5 to 684a29b Feb 23, 2021
@monnerat monnerat force-pushed the monnerat:deprecations branch from 684a29b to 49f1bd0 Apr 15, 2021
@monnerat monnerat force-pushed the monnerat:deprecations branch from 49f1bd0 to 97613db Apr 19, 2021
Contributor Author

@monnerat monnerat commented Apr 19, 2021

Dropped openssl commit as target code has disappeared.

@bagder bagder changed the title from "Resolve deprecations" to "test server: take care of siginterrupt() deprecation" Apr 22, 2021
Member

@bagder bagder commented Apr 22, 2021

thanks!

@bagder bagder closed this in 3fb6e5a Apr 22, 2021
@monnerat monnerat deleted the monnerat:deprecations branch Apr 22, 2021