[Privoxy-devel] Bug#1075870: privoxy: FTBFS with MbedTLS 3.6
Roland Rosenfeld
roland at spinnaker.de
Thu Oct 10 18:02:11 CEST 2024
Hi Fabian!

On Thu, 10 Oct 2024, Privoxy Developers wrote:
> MbedTLS 3.6.x is available now and this patch seems to work for me:
> <https://www.fabiankeil.de/sourcecode/privoxy/Add-support-for-mbedTLS-3.x-instead-of-mbedTLS-2.x-2024-10-10.diff>
>
> Testers welcome.

Okay, let's see:

First I have to replace mbedtls_md5_ret in ssl.c by mbedtls_md5,
otherwise I cannot compile the code. mbedtls_md5_ret is only defined
in mbedtls/compat-2.h, which is not included and deprecated, so
resolving the #define sounds like a good idea.

Then we have the following deprecation warning, which I simply ignore,
but which should be fixed:

ssl.c: In function ‘generate_host_certificate’:
ssl.c:1550:4: warning: ‘mbedtls_x509write_crt_set_serial’ is deprecated [-Wdeprecated-declarations]
1550 | ret = mbedtls_x509write_crt_set_serial(&cert, &serial);
| ^~~
In file included from /usr/include/mbedtls/ssl.h:23,
from /usr/include/mbedtls/net_sockets.h:32,
from project.h:57,
from ssl.c:45:

(according to
https://github.com/Mbed-TLS/mbedtls/blob/development/ChangeLog this
is deprecated in favor of mbedtls_x509write_crt_set_serial_raw()).

After ignoring this the package builds and works as long as
https-inspection is disabled. After enabling https-inspection, I get
an error "Secure Connection Failed. An error occurred during a
connection to <site>. PR_END_OF_FILE_ERROR Error code:
PR_END_OF_FILE_ERROR" in Firefox (works without problems if mbedtls 2
is used).

In the privoxy log I see:
2024-10-10 17:55:57.992 7f47df7fe6c0 Error: medtls_ssl_handshake with client failed: SSL - Internal error (eg, unexpected failure in lower-level module)
2024-10-10 17:55:57.992 7f47df7fe6c0 Error: Failed to open a secure connection with the client
Increasing the debug level to 65535 gives:
2024-10-10 17:58:05.887 7f16f57fa6c0 Connect: Accepted connection from 127.0.0.1 on socket 12
2024-10-10 17:58:05.887 7f16fd502b80 Connect: Waiting for the next client connection. Currently active threads: 8
2024-10-10 17:58:05.887 7f16f57fa6c0 Received: from socket 12: CONNECT www.spinnaker.de:443 HTTP/1.1\x0d\x0aUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0\x0d\x0aProxy-Connection: keep-alive\x0d\x0aConnection: keep-alive\x0d\x0aHost: www.spinnaker.de:443\x0d\x0a\x0d\x0a
2024-10-10 17:58:05.888 7f16f57fa6c0 Tagging: Enlisting tag 'https-inspection' for client 127.0.0.1.
2024-10-10 17:58:05.888 7f16f57fa6c0 Tagging: Client tag 'https-inspection' matches.
2024-10-10 17:58:05.888 7f16f57fa6c0 Header: scan: CONNECT www.spinnaker.de:443 HTTP/1.1
2024-10-10 17:58:05.888 7f16f57fa6c0 Header: scan: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
2024-10-10 17:58:05.888 7f16f57fa6c0 Header: scan: Proxy-Connection: keep-alive
2024-10-10 17:58:05.888 7f16f57fa6c0 Header: scan: Connection: keep-alive
2024-10-10 17:58:05.888 7f16f57fa6c0 Header: scan: Host: www.spinnaker.de:443
2024-10-10 17:58:05.888 7f16f57fa6c0 Header: crumble crunched: Proxy-Connection: keep-alive!
2024-10-10 17:58:05.888 7f16f57fa6c0 Header: Keeping the client header 'Connection: keep-alive' around. The server connection will be kept alive if possible.
2024-10-10 17:58:05.888 7f16f57fa6c0 Writing: to socket 12: HTTP/1.1 200 Connection established\x0d\x0a\x0d\x0a
2024-10-10 17:58:05.889 7f16f57fa6c0 Connect: Performing the TLS/SSL handshake with client. Hash of host: 36035fc95bcb799a238f772328d63749
2024-10-10 17:58:05.890 7f16f57fa6c0 Error: medtls_ssl_handshake with client failed: SSL - Internal error (eg, unexpected failure in lower-level module)
2024-10-10 17:58:05.890 7f16f57fa6c0 Error: Failed to open a secure connection with the client
2024-10-10 17:58:05.890 7f16f57fa6c0 Connect: Closing client socket 12. Keep-alive: 1. Socket alive: 1. Data available: 0. Configuration file change detected: 0. Requests received: 1.

So currently this does not work as expected for me...

Greetings
Roland