Hi everyone,
I deployed ngIRCd 20.1 on our server yesterday and ran into a hiccup. I built ngIRCd with these flags:
./configure --enable-ipv6 --with-gnutls --with-pam
We're running two servers, and the second makes a server connection to the first with SSLConnect=yes. This all worked fine in 19.2, but in 20.1 the connection doesn't take. It looks like ngIRCd fails to initialize GnuTLS correctly in this case. Here's the logs on the second server, the one making the connection—this all happens in one second:
ngircd[27581]: Preparing to establish a new server link for "hostname" ...
ngircd[27581]: Establishing connection for "hostname" to "192.168.1.1:6697" (192.168.1.1), socket 14 ...
ngircd[27581]: Libgcrypt warning: missing initialization - please fix the application
ngircd[27581]: gnutls_handshake: Insufficient credentials for that request.
ngircd[27581]: SSL connection on socket 14 failed!
ngircd[27581]: Shutting down connection 14 (Can't connect!) with 192.168.1.1:6697 ...
ngircd[27581]: Client unregistered (connection 14): Can't connect!
ngircd[27581]: Connection 14 with 192.168.1.1:6697 closed (in: 0.0k, out: 0.0k).
And in case it helps, on the server receiving the connection:
ngircd[27517]: Accepted connection 27 from 192.168.1.2:54547 on socket 9.
ngircd[27517]: gnutls_handshake: A TLS packet with unexpected length was received.
ngircd[27517]: Shutting down connection 27 (SSL accept error, closing socket) with 192.168.1.2:54547 ...
ngircd[27517]: Client unregistered (connection 27): SSL accept error, closing socket
ngircd[27517]: Connection 27 with 192.168.1.2:54547 closed (in: 0.0k, out: 0.0k).
Best regards,
Brett Smith brett@w3.org wrote:
> Hi everyone,
> I deployed ngIRCd 20.1 on our server yesterday and ran into a hiccup. I built ngIRCd with these flags:
> ./configure --enable-ipv6 --with-gnutls --with-pam
> We're running two servers, and the second makes a server connection to the first with SSLConnect=yes. This all worked fine in 19.2, but in 20.1 the connection doesn't take. It looks like ngIRCd fails to initialize GnuTLS correctly in this case. Here's the logs on the second server, the one making the connection—this all happens in one second:
There is a post 19.2 change that skips ssl initialization if no ssl listen ports are configured.
If you don't have any ssl listen ports defined, could you do so to see if that makes things work?
Thanks.
On Mon, Jan 07, 2013 at 03:43:44PM +0100, Florian Westphal wrote:
> Brett Smith brett@w3.org wrote:
> > Hi everyone,
> > I deployed ngIRCd 20.1 on our server yesterday and ran into a hiccup. I built ngIRCd with these flags:
> > ./configure --enable-ipv6 --with-gnutls --with-pam
> > We're running two servers, and the second makes a server connection to the first with SSLConnect=yes. This all worked fine in 19.2, but in 20.1 the connection doesn't take. It looks like ngIRCd fails to initialize GnuTLS correctly in this case. Here's the logs on the second server, the one making the connection—this all happens in one second:
> There is a post 19.2 change that skips ssl initialization if no ssl listen ports are configured.
This is commit bb20aeb9bcb ...
> If you don't have any ssl listen ports defined, could you do so to see if that makes things work?
Aaargl. You are right: if there are no SSL listen ports defined, SSL won't be initialized at all, and therefore no outgoing(!) SSL connections can work either ... hmpf.
Silly me! :-( I'll have a look at this ...
@Brett: does defining a "Ports" variable in [SSL] solve the problem for you?
Thanks! Alex
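The condition Alex describes (the SSL library is only initialized when [SSL] Ports is set, although a [Server] block with SSLConnect = yes needs it just as much) can be checked against a configuration file before upgrading to 20.1. The script below is an added example written for this page, not ngIRCd code: it re-implements that decision in Python over ngircd.conf text and flags configurations that only need SSL for outgoing links. The two embedded sample configurations are constructed; the hostnames, addresses, paths and passwords in them are made up.

```python
"""Preflight check for the ngIRCd 20.1 SSL initialization problem discussed above.

Added example, not ngIRCd code. SSL is needed when [SSL] Ports is non-empty OR
any [Server] block has Port > 0 and SSLConnect = yes. A configuration where
only the second condition holds is the one that fails on 20.1 before the fix,
because the library is never initialized and the outgoing handshake dies.
"""
import re

_SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_ngircd_conf(text):
    """Parse ngircd.conf-style text into an ordered list of (section, {key: value}).

    Sections are kept as a list because [Server] repeats once per peer; a dict
    keyed by section name would silently merge them. Comment lines start with
    '#' or ';'. ngIRCd treats keys case-insensitively, so they are lowercased.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            continue  # key outside any section, or malformed: skipped
        key, _, value = line.partition("=")
        current[1][key.strip().lower()] = value.strip()
    return sections


def _truthy(value):
    # ngIRCd accepts yes/true/on/1 for boolean options.
    return value.strip().lower() in ("yes", "true", "on", "1")


def ssl_listen_ports(sections):
    """Ports listed under [SSL] Ports (comma-separated), as ints."""
    ports = []
    for name, kv in sections:
        if name == "ssl" and kv.get("ports"):
            for p in kv["ports"].split(","):
                p = p.strip()
                if p.isdigit():
                    ports.append(int(p))
    return ports


def outgoing_ssl_servers(sections):
    """Names of [Server] blocks ngIRCd will dial with TLS (Port > 0 and SSLConnect)."""
    out = []
    for name, kv in sections:
        if name != "server":
            continue
        try:
            port = int(kv.get("port", "0"))
        except ValueError:
            port = 0
        if port > 0 and _truthy(kv.get("sslconnect", "no")):
            out.append(kv.get("name", "?"))
    return out


def check(text):
    """Return (ssl_in_use, hits_20_1_bug, detail) for one configuration text."""
    sections = parse_ngircd_conf(text)
    listen = ssl_listen_ports(sections)
    outgoing = outgoing_ssl_servers(sections)
    in_use = bool(listen) or bool(outgoing)
    # Unfixed 20.1 initializes the SSL library only when listen ports exist.
    affected = bool(outgoing) and not listen
    return in_use, affected, {"listen_ports": listen, "outgoing_ssl": outgoing}


# Constructed sample resembling the report: no [SSL] Ports, one SSLConnect peer.
SAMPLE_AFFECTED = """
[Global]
    Name = irc.example.net
    # plain-text listener only
    Ports = 6667

[SSL]
    CertFile = /etc/ngircd/server.crt
    KeyFile = /etc/ngircd/server.key
    ; Ports intentionally left unset

[Server]
    Name = hub.example.net
    Host = 192.168.1.1
    Port = 6697
    MyPassword = secret
    PeerPassword = secret
    SSLConnect = yes
"""

# The workaround asked about above: an [SSL] Ports line makes 20.1 initialize the library.
SAMPLE_WORKAROUND = SAMPLE_AFFECTED.replace("; Ports intentionally left unset", "Ports = 6697")

if __name__ == "__main__":
    for label, cfg in (("affected", SAMPLE_AFFECTED), ("workaround", SAMPLE_WORKAROUND)):
        in_use, affected, detail = check(cfg)
        print(f"{label}: ssl_in_use={in_use} hits_20.1_bug={affected} {detail}")
```

Running it prints that the first sample needs SSL but would hit the bug, and that adding Ports under [SSL] clears the condition. Note that adding a listen port as a workaround also opens that port for inbound TLS, so firewall it if the server is meant to be outbound-only.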
This patch introduces the new function Conf_SSLInUse() to check when the current server configuration requires the SSL subsystem to be initialized and accounts incoming as well as outgoing connections -- so this fixes commit bb20aeb9 ("Initialize SSL when needed only, and disable SSL on errors") which only handled the inbound case ...
---
 src/ngircd/conf.c     | 22 ++++++++++++++++++++++
 src/ngircd/conf.h     |  4 ++++
 src/ngircd/conn-ssl.c |  4 +++-
 3 files changed, 29 insertions(+), 1 deletion(-)
Hi Brett!
Could you test this patch? It should fix your first problem.
Thanks! Alex
diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c index d5a28bd..929ab05 100644 --- a/src/ngircd/conf.c +++ b/src/ngircd/conf.c @@ -110,6 +110,28 @@ ConfSSL_Init(void) }
/** + * Check if the current configuration uses/requires SSL. + * + * @returns true if SSL is used and should be initialized. + */ +GLOBAL bool +Conf_SSLInUse(void) +{ + int i; + + /* SSL listen ports configured? */ + if (array_bytes(&Conf_SSLOptions.ListenPorts)) + return true; + + for (i = 0; i < MAX_SERVERS; i++) { + if (Conf_Server[i].port > 0 + && Conf_Server[i].SSLConnect) + return true; + } + return false; +} + +/** * Make sure that a configured file is readable. * * Currently, this function is only used for SSL-related options ... diff --git a/src/ngircd/conf.h b/src/ngircd/conf.h index ac42746..c203b57 100644 --- a/src/ngircd/conf.h +++ b/src/ngircd/conf.h @@ -256,6 +256,10 @@ GLOBAL bool Conf_AddServer PARAMS(( const char *Name, UINT16 Port, const char *H GLOBAL bool Conf_NickIsService PARAMS((int ConfServer, const char *Nick)); GLOBAL bool Conf_NickIsBlocked PARAMS((const char *Nick));
+#ifdef SSL_SUPPORT +GLOBAL bool Conf_SSLInUse PARAMS((void)); +#endif + /* Password required by WEBIRC command */ GLOBAL char Conf_WebircPwd[CLIENT_PASS_LEN];
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index 59729e0..45e6458 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -241,8 +241,10 @@ void ConnSSL_Free(CONNECTION *c) bool ConnSSL_InitLibrary( void ) { - if (!array_bytes(&Conf_SSLOptions.ListenPorts)) + if (!Conf_SSLInUse()) { + LogDebug("SSL not in use, skipping initialization."); return true; + }
#ifdef HAVE_LIBSSL SSL_CTX *newctx;
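Review bot: in the conf.c hunk, Conf_SSLInUse() is defined without a preprocessor guard while the conf.h hunk declares it only under `#ifdef SSL_SUPPORT`; unless this region of conf.c already sits inside the same guard (the visible context shows only the closing brace of ConfSSL_Init()), a build without SSL support compiles a function that has no prototype and references `Conf_SSLOptions.ListenPorts` and `Conf_Server[i].SSLConnect`. Wrap the definition in the same `#ifdef SSL_SUPPORT` ... `#endif` as the declaration. The `Conf_Server[i].port > 0 && Conf_Server[i].SSLConnect` test correctly counts only peers this server dials itself, which is exactly the case the report exercises.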
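Review bot: in the conn-ssl.c hunk, ConnSSL_InitLibrary() still returns `true` when Conf_SSLInUse() is false, so callers cannot distinguish "initialized" from "skipped", and any SSL connection attempted afterwards fails with the unhelpful GnuTLS "Insufficient credentials" and libgcrypt "missing initialization" messages from the report. This matters if the configuration is reloaded and a peer with SSLConnect = yes is added then: unless ConnSSL_InitLibrary() is re-run on REHASH, the library stays uninitialized. Consider logging the skip above LogDebug() level so it is visible in a normal log, and having the outgoing connect path refuse the attempt with a clear configuration error when the library was never initialized.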
On Mon, Jan 07, 2013 at 01:33:10PM -0500, Brett Smith wrote:
> On 01/07/2013 01:08 PM, Alexander Barton wrote:
> > Hi Brett!
> > Could you test this patch? It should fix your first problem.
> Yes, it works great. Thanks for such quick turnaround.
Committed to our master branch with ID ab009976.
Thanks for testing! Alex