TLS tweaking and freaking
@@ -15,7 +15,10 @@ $(package)_config_opts+=--enable-debug
$(package)_config_opts+=--enable-sha3
$(package)_config_opts+=--enable-sha3
$(package)_config_opts+=--enable-sha512
$(package)_config_opts+=--enable-sha512
$(package)_config_opts+=--enable-tls13
$(package)_config_opts+=--enable-tls13
$(package)_config_opts+=--enable-xchacha # New in 4.6.0
# TODO: enable this in a future version
#$(package)_config_opts+=--enable-xchacha # New in 4.6.0
# TODO: these caused problems
# TODO: these caused problems
#$(package)_config_opts+=--disable-tlsv12
#$(package)_config_opts+=--disable-tlsv12
#$(package)_config_opts+=--disable-oldtls
#$(package)_config_opts+=--disable-oldtls
@@ -30,7 +33,7 @@ $(package)_config_opts+=--enable-enckeys
# TODO: can we reduce down to only the normal openssl compat, without these options?
# TODO: can we reduce down to only the normal openssl compat, without these options?
$(package)_config_opts+=--enable-opensslall
$(package)_config_opts+=--enable-opensslall
$(package)_config_opts+=--enable-opensslextra
$(package)_config_opts+=--enable-opensslextra
#$(package)_config_opts+=C_EXTRA_FLAGS="-DSPEAK_AND_TRANSACT_FREELY"
$(package)_config_opts+=C_EXTRA_FLAGS="-DSPEAK_AND_TRANSACT_FREELY"
endef
endef
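Review bot: The `C_EXTRA_FLAGS="-DSPEAK_AND_TRANSACT_FREELY"` line in the `@@ -30,7 +33,7` hunk is now enabled with nothing saying what the define changes in the wolfSSL build, while the TODO just above it questions whether the openssl-compat options are needed at all. A one-line comment above it would let the next reader judge that, e.g. `# -DSPEAK_AND_TRANSACT_FREELY: <which wolfSSL source checks this define and what it changes — fill in>`. The new `# TODO: enable this in a future version` in the first hunk would likewise be clearer if it named what the version refers to, presumably the wolfSSL release given the `New in 4.6.0` remark on the commented-out `--enable-xchacha` line.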
@@ -118,6 +118,7 @@ int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL*
case SSL_SHUTDOWN:
case SSL_SHUTDOWN:
{
{
if (hSocket != INVALID_SOCKET) {
if (hSocket != INVALID_SOCKET) {
disconnectedPeer = "no info";
struct sockaddr_in addr;
struct sockaddr_in addr;
socklen_t serv_len = sizeof(addr);
socklen_t serv_len = sizeof(addr);
int ret = getpeername(hSocket, (struct sockaddr *)&addr, &serv_len);
int ret = getpeername(hSocket, (struct sockaddr *)&addr, &serv_len);
@@ -144,8 +145,7 @@ int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL*
LogPrint("tls", "TLS: %s: %s():%d - SSL_SHUTDOWN completed from peer %s\n", __FILE__, __func__, __LINE__, disconnectedPeer.c_str());
LogPrint("tls", "TLS: %s: %s():%d - SSL_SHUTDOWN completed from peer %s\n", __FILE__, __func__, __LINE__, disconnectedPeer.c_str());
break;
break;
} else {
} else {
LogPrint("tls", "TLS: %s: %s():%d - SSL_SHUTDOWN failed to %s\n", __FILE__, __func__, __LINE__, disconnectedPeer.c_str());
LogPrint("tls", "TLS: %s: %s():%d - SSL_SHUTDOWN failed to %s with ret=%d\n", __FILE__, __func__, __LINE__, disconnectedPeer.c_str(), retOp);
// the error will be read afterwards
}
}
} else {
} else {
if (retOp == 1) {
if (retOp == 1) {
@@ -166,13 +166,15 @@ int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL*
if (sslErr != WOLFSSL_ERROR_WANT_READ && sslErr != WOLFSSL_ERROR_WANT_WRITE) {
if (sslErr != WOLFSSL_ERROR_WANT_READ && sslErr != WOLFSSL_ERROR_WANT_WRITE) {
err_code = wolfSSL_ERR_get_error();
err_code = wolfSSL_ERR_get_error();
const char* error_str;
const char* error_str = NULL;
if(err_code)
// calling this with err_code=0 generates more warnings, lulz
wolfSSL_ERR_error_string(err_code, err_buffer);
if(err_code) {
error_str = wolfSSL_ERR_error_string(err_code, err_buffer);
}
LogPrint("tls", "TLS: WARNING: %s: %s():%d - routine(%d), sslErr[0x%x], retOp[%d], errno[0x%x], lib[0x%x], func[0x%x], reas[0x%x]-> err: %s\n",
LogPrint("tls", "TLS: WARNING: %s: %s():%d - routine(%d), sslErr[0x%x], retOp[%d], errno[0x%x], lib[0x%x], func[0x%x], reas[0x%x]-> err: %s\n",
__FILE__, __func__, __LINE__,
__FILE__, __func__, __LINE__,
eRoutine, sslErr, retOp, errno, wolfSSL_ERR_GET_LIB(err_code), ERR_GET_FUNC(err_code), wolfSSL_ERR_GET_REASON(err_code), err_buffer);
eRoutine, sslErr, retOp, errno, wolfSSL_ERR_GET_LIB(err_code), ERR_GET_FUNC(err_code), wolfSSL_ERR_GET_REASON(err_code), error_str);
retOp = -1;
retOp = -1;
break;
break;
}
}
@@ -245,6 +247,8 @@ WOLFSSL* TLSManager::connect(SOCKET hSocket, const CAddress& addrConnect, unsign
err_code = wolfSSL_ERR_get_error();
err_code = wolfSSL_ERR_get_error();
LogPrint("tls", "%s: timed out waiting for %s\n", __func__, addrConnect.ToString());
LogPrint("tls", "%s: timed out waiting for %s\n", __func__, addrConnect.ToString());
}
}
} else {
LogPrint("tls", "TLS: %s: failed to set file descriptor for socket!\n", __func__, addrConnect.ToString());
}
}
} else {
} else {
err_code = wolfSSL_ERR_get_error();
err_code = wolfSSL_ERR_get_error();
@@ -443,9 +447,9 @@ WOLFSSL* TLSManager::accept(SOCKET hSocket, const CAddress& addr, unsigned long&
{
{
LogPrint("tls", "TLS: accepting connection from %s (tid = %X)\n", addr.ToString(), pthread_self());
LogPrint("tls", "TLS: accepting connection from %s (tid = %X)\n", addr.ToString(), pthread_self());
err_code = 0;
char err_buffer[1024];
char err_buffer[1024];
WOLFSSL* ssl = NULL;
err_code = 0;
WOLFSSL* ssl = NULL;
bool bAcceptedTLS = false;
bool bAcceptedTLS = false;
if ((ssl = wolfSSL_new(tls_ctx_server))) {
if ((ssl = wolfSSL_new(tls_ctx_server))) {
@@ -456,6 +460,8 @@ WOLFSSL* TLSManager::accept(SOCKET hSocket, const CAddress& addr, unsigned long&
} else {
} else {
err_code = wolfSSL_ERR_get_error();
err_code = wolfSSL_ERR_get_error();
}
}
} else {
LogPrint("tls", "TLS: %s: failed to set file descriptor for socket!\n", __func__, addr.ToString());
}
}
} else {
} else {
err_code = wolfSSL_ERR_get_error();
err_code = wolfSSL_ERR_get_error();
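Review bot: In the `@@ -166,13 +166,15` hunk `error_str` is initialized to `NULL` and only assigned when `err_code` is non-zero, yet it is then handed to the `%s` of the LogPrint on the following lines, so the err_code==0 path passes a null `const char*` to the formatter; if LogPrint is tinyformat/ostream based, as in the Bitcoin code this derives from, that is undefined behavior rather than a printed placeholder. Initialize it to a printable default instead, `const char* error_str = "(no error string)";`, and keep the `if(err_code)` guard as it is. The two new fallback branches in `connect` and `accept` (`@@ -245,6 +247,8` and `@@ -456,6 +460,8`) log `"TLS: %s: failed to set file descriptor for socket!\n"` with both `__func__` and the address as arguments, so the address is never printed and a strict formatter may reject the surplus argument; `"TLS: %s: failed to set file descriptor for socket to %s!\n"` would print it. The bodies of waitFor, connect and accept all start and end outside these hunks.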
@@ -1106,7 +1106,7 @@ static void AcceptConnection(const ListenSocket& hListenSocket) {
ssl = tlsmanager.accept( hSocket, addr, err_code);
ssl = tlsmanager.accept( hSocket, addr, err_code);
if(!ssl)
if(!ssl)
{
{
LogPrint("tls", "%s():%d - err_code %x, failure accepting connection from %s\n", __func__, __LINE__, err_code, addr.ToStringIP());
LogPrint("tls", "TLS: %s():%d - err_code %x, failure accepting connection from %s\n", __func__, __LINE__, err_code, addr.ToStringIP());
CloseSocket(hSocket);
CloseSocket(hSocket);
return;
return;
}
}
@@ -2,7 +2,6 @@
// Copyright (c) 2009-2014 The Bitcoin Core developers
// Copyright (c) 2009-2014 The Bitcoin Core developers
// Distributed under the GPLv3 software license, see the accompanying
// Distributed under the GPLv3 software license, see the accompanying
// file COPYING or https://www.gnu.org/licenses/gpl-3.0.en.html
// file COPYING or https://www.gnu.org/licenses/gpl-3.0.en.html
/******************************************************************************
/******************************************************************************
* Copyright © 2014-2019 The SuperNET Developers. *
* Copyright © 2014-2019 The SuperNET Developers. *
* *
* *
@@ -21,9 +20,7 @@
#ifdef HAVE_CONFIG_H
#ifdef HAVE_CONFIG_H
#include "config/bitcoin-config.h"
#include "config/bitcoin-config.h"
#endif
#endif
#include "netbase.h"
#include "netbase.h"
#include "hash.h"
#include "hash.h"
#include "sync.h"
#include "sync.h"
#include "uint256.h"
#include "uint256.h"