
Broken LibreSSL tls_conn_change_cert implementation #1135

@sreimers

Description


Looks like there are some broken LibreSSL implementations (see #1127).

Let's start with test_tls_cli_conn_change_cert and tls_conn_change_cert: this does not work with LibreSSL, since SSL_certs_clear is not supported (there is usually a good reason why LibreSSL drops some APIs, mostly for security maintenance reasons).

```text
tlstest: TEST_STRCMP: /home/sreimers/projekte/baresip/baresip-linux/re/test/tls.c:539: failed
expected string: (21 bytes)
"Mr Retest Client Cert"
actual string: (9 bytes)
"127.0.0.1"
```

```c
#if !defined(LIBRESSL_VERSION_NUMBER)
	SSL_certs_clear(tc->ssl);
#endif
```

After studying the usage, I wonder why the SSL object is changed and not the SSL ctx beforehand (or a new one used), since within tls_start_tcp a new SSL object is created from the ctx. This way SSL_certs_clear could be avoided, I think.

re/src/sip/transp.c, lines 827 to 843 in b41f503:

```c
	err = tls_start_tcp(&conn->sc, transp->tls, conn->tc, 0);
	if (err)
		goto out;

	hash = get_hash_of_fromhdr(mb);
	ccert = list_ledata(
		list_head(hash_list(transp->ht_ccert, hash)));
	if (ccert) {
		char *f;

		err = pl_strdup(&f, &ccert->file);
		if (err)
			goto out;

		err = tls_conn_change_cert(conn->sc, f);
		mem_deref(f);
		if (err)
			goto out;
```

We should keep all SSL implementations very generic.
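The ordering proposed in the comment above (bind the client certificate to the context, then create the connection object from it, so no clear-certs call on the live TLS object is needed) is shown below as an added example. It is not code from re or baresip; it uses Python's ssl module, where a certificate can only be attached to an SSLContext and never to an already wrapped SSLSocket, so the same constraint that LibreSSL imposes by dropping SSL_certs_clear is built in. The From-header hash, the table layout, the single-PEM assumption and the injectable loader are assumptions for illustration, not re's implementation.

```python
"""Per-identity client certificates bound before the TLS object exists.

Added example (not re/baresip code). Models the issue's suggestion: look up the
client certificate by the From header, obtain a context that already carries
that certificate, and only then create the TLS connection from that context.
"""
import hashlib
import socket
import ssl
from typing import Callable, Dict, Optional


def from_header_hash(from_hdr: str) -> str:
    """Lookup key for the client-cert table. Assumption: SHA-256 of the
    normalised From header; re uses its own hash, which is not reproduced."""
    return hashlib.sha256(from_hdr.strip().encode()).hexdigest()


class ClientCertTable:
    """Maps a From-header hash to a certificate file (like transp->ht_ccert)."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, str] = {}

    def add(self, from_hdr: str, cert_file: str) -> None:
        self._by_hash[from_header_hash(from_hdr)] = cert_file

    def lookup(self, from_hdr: str) -> Optional[str]:
        return self._by_hash.get(from_header_hash(from_hdr))


# The loader is injectable so the selection logic can run without certificate
# files on disk; the default is the real SSLContext method.
Loader = Callable[[ssl.SSLContext, str], None]


def default_loader(ctx: ssl.SSLContext, cert_file: str) -> None:
    # Assumption: certificate and private key live in one PEM file.
    ctx.load_cert_chain(cert_file)


class TlsContextFactory:
    """One SSLContext per client certificate, cached by file name.

    A connection that needs a different identity gets a different context.
    Nothing is cleared or swapped on an existing TLS object, so no
    SSL_certs_clear-style API is required.
    """

    def __init__(self, base: ssl.SSLContext, loader: Loader = default_loader) -> None:
        self._base = base
        self._loader = loader
        self._cache: Dict[str, ssl.SSLContext] = {}

    def context_for(self, cert_file: Optional[str]) -> ssl.SSLContext:
        if cert_file is None:
            return self._base  # no per-identity cert: keep the shared context
        ctx = self._cache.get(cert_file)
        if ctx is None:
            ctx = ssl.SSLContext(self._base.protocol)
            ctx.verify_mode = self._base.verify_mode  # set before check_hostname
            ctx.check_hostname = self._base.check_hostname
            self._loader(ctx, cert_file)  # bound before any SSLSocket exists
            self._cache[cert_file] = ctx
        return ctx


def select_context(factory: TlsContextFactory, table: ClientCertTable,
                   from_hdr: str) -> ssl.SSLContext:
    """Pick the context for an outgoing connection from its From header."""
    return factory.context_for(table.lookup(from_hdr))


def start_tls(ctx: ssl.SSLContext, sock: socket.socket,
              server_hostname: str) -> ssl.SSLSocket:
    """Counterpart of tls_start_tcp: the TLS object is created from a context
    that is already complete; the handshake runs on connect."""
    return ctx.wrap_socket(sock, server_hostname=server_hostname,
                           do_handshake_on_connect=False)
```

The cache key is the certificate file, not the From header, so two identities that share a certificate share one context. If the base context's verification settings change at runtime, the cache must be invalidated, because cached contexts copy those settings at creation time.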

@cHuberCoffee
