openssl: Replaced depreceated method SSLv23_method with TLS_method

In OpenSSL 1.1.0 and higher, SSLv23_method causes some errors in TLS handshake from time to time. As this method is depreceated since 1.1.0, I have replaced it with the follow up method TLS_method which is the most generic one. It fixes the random test failures in tests like - sndrcv_tls_ossl_anon_rebind.sh Also added some debug output in OpenSSL error handling, which is useful when analysing debug files. closes: ./sndrcv_tls_ossl_anon_rebind.sh
rsyslog · Jul 28, 2023 · 8d8fe80 · 8d8fe80
1 parent 9538f8a
commit 8d8fe80
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 4 deletions.
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
@@ -194,10 +194,19 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
 	int iSSLErr = 0;
 	if (ssl == NULL) {
 		/* Output Error Info*/
-		dbgprintf("osslLastSSLErrorMsg: Error in '%s' with ret=%d\n", pszCallSource, ret);
+		DBGPRINTF("osslLastSSLErrorMsg: Error in '%s' with ret=%d\n", pszCallSource, ret);
 	} else {
 		/* if object is set, get error code */
 		iSSLErr = SSL_get_error(ssl, ret);
+		/* Output Debug as well */
+		DBGPRINTF("osslLastSSLErrorMsg: %s Error in '%s': '%s(%d)' with ret=%d, errno=%d, sslapi='%s'\n",
+			(iSSLErr == SSL_ERROR_SSL ? "SSL_ERROR_SSL" :
+			(iSSLErr == SSL_ERROR_SYSCALL ? "SSL_ERROR_SYSCALL" : "SSL_ERROR_UNKNOWN")),
+			pszCallSource, ERR_error_string(iSSLErr, NULL),
+			iSSLErr,
+			ret,
+			errno,
+			pszOsslApi);
 
 		/* Output error message */
 		LogMsg(0, RS_RET_NO_ERRCODE, severity,
@@ -1317,7 +1326,6 @@ osslInit_ctx(nsd_ossl_t *const pThis)
 	}
 	crlFile = (char*) ((pThis->pszCRLFile == NULL) ? glbl.GetDfltNetstrmDrvrCRLF(runConf) : pThis->pszCRLFile);
 	if(crlFile == NULL) {
-		dbgprintf("Certificate revocation list (CRL) file not set.");
 		bHaveCRL = 0;
 	} else {
 		dbgprintf("OSSL CRL file: '%s'\n", crlFile);
@@ -1351,8 +1359,12 @@ osslInit_ctx(nsd_ossl_t *const pThis)
 	        bHaveExtraCAFiles = 1;
 	}
 
-	/* Create main CTX Object */
+	/* Create main CTX Object. Use SSLv23_method for < Openssl 1.1.0 and TLS_method for all newer versions! */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	pThis->ctx = SSL_CTX_new(SSLv23_method());
+#else
+	pThis->ctx = SSL_CTX_new(TLS_method());
+#endif
 	if(bHaveExtraCAFiles == 1) {
 		while((extraCaFile = strsep(&extraCaFiles, ","))) {
 			if(SSL_CTX_load_verify_locations(pThis->ctx, extraCaFile, NULL) != 1) {
@@ -1674,6 +1686,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
 					"SSL_do_handshake");
 				ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
 			} else {
+				dbgprintf("osslHandshakeCheck: OpenSSL Client handshake failed with %d "
+					"- Aborting handshake.\n", resErr);
 				osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client",
 					"SSL_do_handshake");
 				LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,

diff --git a/runtime/nsdsel_ptcp.c b/runtime/nsdsel_ptcp.c
@@ -158,6 +158,9 @@ IsReady(nsdsel_t *const pNsdsel, nsd_t *const pNsd, const nsdsel_waitOp_t waitOp
 	}
 
 	const short revent = pThis->fds[idx].revents;
+	if (revent & POLLNVAL) {
+		DBGPRINTF("ndssel_ptcp: revent & POLLNVAL is TRUE, something is wrong, revent = %d", revent);
+	}
 	assert(!(revent & POLLNVAL));
 	switch(waitOp) {
 		case NSDSEL_RD:

diff --git a/tests/tcpflood.c b/tests/tcpflood.c
@@ -1224,8 +1224,12 @@ initTLS(void)
 	ERR_load_BIO_strings();
 	ERR_load_crypto_strings();
 
-	/* Create main CTX Object */
+	/* Create main CTX Object. Use SSLv23_method for < Openssl 1.1.0 and TLS_method for all newer versions! */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	ctx = SSL_CTX_new(SSLv23_method());
+#else
+	ctx = SSL_CTX_new(TLS_method());
+#endif
 
 	if(tlsCAFile != NULL && SSL_CTX_load_verify_locations(ctx, tlsCAFile, NULL) != 1) {
 		printf("tcpflood: Error, Failed loading CA certificate"