[Privoxy-devel] WolfSSL support ready for testing

Fabian Keil fk at fabiankeil.de
Mon Apr 1 13:55:51 CEST 2024 

Roland Rosenfeld <roland at spinnaker.de> wrote on 2024-03-31 at 16:42:24:

> > In the meantime I'd be interested to know how WolfSSL
> > works on other platforms.
> 
> Expecting that I only have to switch from --with-mbedtls to
> --with-wolfssl and install libwolfssl-dev (which is 5.5.4 on my
> system), I just tried this out on my Debian (stable) system.

Great.

> This doesn't seem to work as expected, since I got some errors in
> wolfssl.c:
> - In line 69 "RNG" is unknown (maybe this requires renaming to
>   "WC_RNG"?)
> - In line 739 "Md5" is unknown  (maybe this requires renaming to
>   "wc_Md5"?)

I made those changes.

> - The Debian WolfSSL package is not compiled with
>   --enable-renegotiation-indication, so the check on
>   HAVE_RENEGOTIATION_INDICATION in line 1187 fails.
> - In line 1204 the compilation fails because WOLFSSL_X509_V_OK does
>   not exist, maybe this has to be changed to X509_V_OK?

I pushed a change to use X509_V_OK if it's available.

> With the above 3 modifications the package builds on my system with
> the following two warnings:
> 
> wolfssl.c: In function ‘create_server_ssl_connection’:
> wolfssl.c:1187:2: warning: #warning Looks like wolfssl has been compiled without HAVE_RENEGOTIATION_INDICATION [-Wcpp]
>  1187 | #warning Looks like wolfssl has been compiled without HAVE_RENEGOTIATION_INDICATION
>       |  ^~~~~~~

Renegotiation indication isn't mandatory but nice to have
so I think we should keep the warning.

> wolfssl.c: In function ‘generate_host_certificate’:
> wolfssl.c:1866:4: warning: ‘__builtin_strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
>  1866 |    strncpy(certificate.subject.commonName, csp->http->host, CTC_NAME_SIZE);
>       |    ^

I'll look into this.
 
> I did a first (short) test with this build and it seems to work as
> expected, but in contrast to 3.0.34 with mbedtls I now see many log
> entries like
>  Error: Failed to shutdown server connection on socket 148 after 2
>  attempts. ret: 0, error: 0, ok
> (the socket number varies, everything else seems to happen on nearly
> every request).

I should probably downgrade the message to LOG_LEVEL_CONNECT before
the release as there's nothing the user can do about it.

On my system trying twice seems to be sufficient most of the time:

fk at t520 ~ $grep -c 'Connect: Failed to shutdown server connection on socket' /usr/jails/privoxy-jail/var/log/privoxy/privoxy.log.0 
493
fk at t520 ~ $grep -c 'Error: Failed to shutdown server connection on socket' /usr/jails/privoxy-jail/var/log/privoxy/privoxy.log.0 
13
fk at t520 ~ $grep -c 'Error: Failed to shutdown client connection on socket' /usr/jails/privoxy-jail/var/log/privoxy/privoxy.log.0 
33
fk at t520 ~ $grep -c 'Connect: Failed to shutdown client connection on socket' /usr/jails/privoxy-jail/var/log/privoxy/privoxy.log.0 
669
fk at t520 ~ $privoxy-log-parser.pl --statistics /usr/jails/privoxy-jail/var/log/privoxy/privoxy.log.0
Inconsistent request counts: 1817/1798
Client requests total: 1798
[...]

Anyway, I also just bumped the MAX_SHUTDOWN_ATTEMPTS to 5
as an experiment.

> Just a first draft with wolfssl (without
> --enable-renegotiation-indication).

Did you check https://www.howsmyssl.com/ already?

Does https://www.privoxy.org/ work?

Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.privoxy.org/pipermail/privoxy-devel/attachments/20240401/156ff03a/attachment.bin>

More information about the Privoxy-devel mailing list