[Privoxy-devel] WolfSSL support ready for testing
Roland Rosenfeld
roland at spinnaker.de
Wed Apr 3 16:51:33 CEST 2024
On Wed, 03 Apr 2024, Fabian Keil wrote:
> > $ env all_proxy=http://localhost:8118/ CURL_CA_BUNDLE=/etc/privoxy/CA/privoxy.crt privoxy-regression-test --check-bad-ssl
> > 2024-04-01 19:18:10: Requesting pages from badssl.com with various certificate problems. This will only work if Privoxy has been configured properly and can reach the Internet.
> > 2024-04-01 19:18:10: Requesting https://expired.badssl.com/
> [...]
> > 2024-04-01 19:18:13: Requesting https://incomplete-chain.badssl.com/
> > 2024-04-01 19:18:14: Ooops. We expected status code 403, but received: 200.
> > 2024-04-01 19:18:14: There were 7 requests that did not result in status code 403!
>
> This is surprising.
>
> Can you please double check that https-inspection was active
> and ignore-certificate-errors wasn't?

I double checked it: With mbedtls I get the error on
https://expired.badssl.com/, while with WolfSSL I see the red page
(without changing the configuration).

Just checked via
http://config.privoxy.org/show-url-info?url=https%3A//expired.badssl.com/
which gives me:

Final results:
+change-x-forwarded-for{block}
+client-header-tagger{css-requests}
+client-header-tagger{image-requests}
+client-header-tagger{range-requests}
+deanimate-gifs{last}
+filter{refresh-tags}
+filter{img-reorder}
+filter{banners-by-size}
+filter{webbugs}
+filter{jumping-windows}
+filter{ie-exploits}
+hide-from-header{block}
+hide-referrer{conditional-block}
+https-inspection
+session-cookies-only
+set-image-blocker{pattern}
-add-header
-block
-client-body-filter
-client-body-tagger
-client-header-filter
-content-type-overwrite
-crunch-client-header
-crunch-if-none-match
-crunch-incoming-cookies
-crunch-outgoing-cookies
-crunch-server-header
-delay-response
-downgrade-http-version
-external-filter
-fast-redirects
-force-text-mode
-forward-override
-handle-as-empty-document
-handle-as-image
-hide-accept-language
-hide-content-disposition
-hide-if-modified-since
-hide-user-agent
-ignore-certificate-errors
-limit-connect
-limit-cookie-lifetime
-overwrite-last-modified
-prevent-compression
-redirect
-server-header-filter
-server-header-tagger
-suppress-tag

This time I used wolfssl 5.6.6-1.2 backported from Debian testing to
Debian stable, but still compiled with the default Debian configure
options:

    --enable-distro \
    --enable-oldtls \
    --enable-pkcs11 \
    --disable-examples \
    --disable-silent-rules

I also tried out your configure options, but this fails because that
changes the symbols that are expected in the library (changing these
would imply changing the so-version and lib-package name, which is
more than just a little test run).

> I never had this problem with any wolfSSL version I tested.
Very strange.
> > BTW: Is there a chance that you optimize the 301 "moved permanently"
> > of config.privoxy.org/*?
> I changed the status code to 302 which seems to prevent the problem.
> Can you please confirm this?
I can confirm this :-)
Greetings
Roland