[Privoxy-devel] Bug#1075870: privoxy: FTBFS with MbedTLS 3.6
Fabian Keil
fk at fabiankeil.de
Fri Oct 11 06:12:47 CEST 2024
Roland Rosenfeld via Privoxy-devel <privoxy-devel at lists.privoxy.org> wrote on 2024-10-10 at 18:02:11:
> On Thu, 10 Oct 2024, Privoxy Developers wrote:
>
> > MbedTLS 3.6.x is available now and this patch seems to work for me:
> > <https://www.fabiankeil.de/sourcecode/privoxy/Add-support-for-mbedTLS-3.x-instead-of-mbedTLS-2.x-2024-10-10.diff>
> >
> > Testers welcome.
>
> Okay, let's see:

Thanks for testing.

> First I have to replace mbedtls_md5_ret in ssl.c by mbedtls_md5,
> otherwise I cannot compile the code. mbedtls_md5_ret is only defined
> in mbedtls/compat-2.h, which is not included and deprecated, so
> resolving the #define sounds like a good idea.

I only tested the patch against the Privoxy code in git master
which no longer uses MD5 for the certificate and key file names ...

> Then we have the following deprecation warning, which I simply ignore,
> but which should be fixed:
> ssl.c: In function ‘generate_host_certificate’:
> ssl.c:1550:4: warning: ‘mbedtls_x509write_crt_set_serial’ is deprecated [-Wdeprecated-declarations]
> 1550 | ret = mbedtls_x509write_crt_set_serial(&cert, &serial);
> | ^~~
> In file included from /usr/include/mbedtls/ssl.h:23,
> from /usr/include/mbedtls/net_sockets.h:32,
> from project.h:57,
> from ssl.c:45:
> (according to
> https://github.com/Mbed-TLS/mbedtls/blob/development/ChangeLog this
> is deprecated in favor of mbedtls_x509write_crt_set_serial_raw()).

Strangely I'm not getting this warning. I'll look into it.

> After ignoring this the package builds and works as long as
> https-inspection is disabled. After enabling https-inspection, I get
> an error "Secure Connection Failed. An error occurred during a
> connection to <site>. PR_END_OF_FILE_ERROR Error code:
> PR_END_OF_FILE_ERROR" in Firefox (works without problems if mbedtls 2
> is used).
>
> In the privoxy log I see:
> 2024-10-10 17:55:57.992 7f47df7fe6c0 Error: medtls_ssl_handshake with client failed: SSL - Internal error (eg, unexpected failure in lower-level module)
> 2024-10-10 17:55:57.992 7f47df7fe6c0 Error: Failed to open a secure connection with the client

Does it work if you build Privoxy from the git master branch?
Is the problem reproducible with curl?

Fabian