test server: take care of siginterrupt() deprecation #6529
Conversation
monnerat
force-pushed
the
deprecations
branch
from
825b6d8
to
580e5f8
Compare
|
|
monnerat
force-pushed
the
deprecations
branch
from
3a5496b
to
d2b1bc4
Compare
|
Those FreeBSD test failures look like they're not just regular flakiness... |
Yes, I agree and have looked at them carefully. However I don't see how they can be related to this PR: the failing tests deal with direct ftps and we have a proxy input and an http2 server logs. Unless I misunderstand something, it's like the test environment sets the target port for client where the wrong server listens. The failing tests are all tests using ftps server and performing a data transfer. In any case, I will change a commit a little bit, so consider this PR on hold. Thanks. |
monnerat
force-pushed
the
deprecations
branch
2 times, most recently
from
6f7272d
to
7b4833d
Compare
lib/vtls/openssl.c
Outdated
| @@ -2672,6 +2691,11 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, | |||
| ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; | |||
| #endif | |||
|
|
|||
| /* As OpenSSL may disable protocol versions by default, clear these | |||
| options first. | |||
There was a problem hiding this comment.
Are you sure about this? I don't see it documented that way, I checked https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_clear_options.html
There was a problem hiding this comment.
Also, it seems like an unrelated change. It is not here to "suppress deprecation warnings" surely?
What's the reason for adding this function call? Everything that changes the setup of OpenSSL creates a risk and we need to be careful.
There was a problem hiding this comment.
Are you sure about this?
@jay : On the page you linked:
SSL_CTX_set_options() adds the options set via bitmask in options to ctx. Options already set before are not cleared!
and
SSL_OP_NO_SSLv2
Do not use the SSLv2 protocol. As of OpenSSL 1.0.2g the SSL_OP_NO_SSLv2 option is set by default.
@bagder :
Also, it seems like an unrelated change. It is not here to "suppress deprecation warnings" surely?
It is related because when conditionals enable TLS_client_method(), there's a risk that the target protocol version is disabled by default. The documentation does not specify if setting the min/max version in the context overrides the options or not.
OpenSSL changed the handling of protocol selection many times in the several last versions: they deprecated *_client_method(), set SSL_OP_NO_SSLv2 by default, then defined the later as 0. I think clearing the protocol options that are under our control is the simplest way of dealing with the problem for all versions up to now.
There was a problem hiding this comment.
BTW: there's nothing in our test environment that allows to verify the proper TLS protocol and cipher selection. I checked the code to see if this can be implemented easily: this answer is no :-( Server side uses stunnel and no backend-independent API allows it on the client side.
|
The freebsd test failures have disappeared miraculously. |
monnerat
force-pushed
the
deprecations
branch
2 times, most recently
from
7aa5e13
to
2f8a947
Compare
monnerat
force-pushed
the
deprecations
branch
2 times, most recently
from
01edbce
to
d8120c5
Compare
monnerat
force-pushed
the
deprecations
branch
from
d8120c5
to
684a29b
Compare
|
Drpped openssl commit as target code has disappeared. |
bagder
changed the title
|
thanks! |
openssl >= 1.1.0 deprecates
*_client_method()functions other thanTLS_client_method(). Take care of it with conditionals.Test server uses deprecated
siginterrupt()aftersignal(). Depending on availability, merge both usingsigaction().