[Privoxy-devel] Bug#1075870: privoxy: FTBFS with MbedTLS 3.6
Roland Rosenfeld
roland at spinnaker.de
Fri Oct 11 10:01:06 CEST 2024
Hi Fabian!
On Fri, 11 Oct 2024, Fabian Keil wrote:
> > First I have to replace mbedtls_md5_ret in ssl.c by mbedtls_md5,
> > otherwise I cannot compile the code. mbedtls_md5_ret is only defined
> > in mbedtls/compat-2.h, which is not included and deprecated, so
> > resolving the #define sounds like a good idea.
>
> I only tested the patch against the Privoxy code in git master
> which no longer uses MD5 for the certificate and key file names ...
You're right, this is already fixed in current GIT master.
> > Then we have the following deprecation warning, which I simply ignore,
> > but which should be fixed:
> > ssl.c: In function ‘generate_host_certificate’:
> > ssl.c:1550:4: warning: ‘mbedtls_x509write_crt_set_serial’ is deprecated [-Wdeprecated-declarations]
> > 1550 | ret = mbedtls_x509write_crt_set_serial(&cert, &serial);
> > | ^~~
> > In file included from /usr/include/mbedtls/ssl.h:23,
> > from /usr/include/mbedtls/net_sockets.h:32,
> > from project.h:57,
> > from ssl.c:45:
> > (according to
> > https://github.com/Mbed-TLS/mbedtls/blob/development/ChangeLog this
> > is deprecated in favor of mbedtls_x509write_crt_set_serial_raw()).
>
> Strangely I'm not getting this warning. I'll look into it.
This problem persists with current GIT master. Maybe it depends
on the mbedtls version? I use 3.6.0 from Debian experimental; in the
meantime 3.6.1 has been released upstream.
> > After ignoring this the package builds and works as long as
> > https-inspection is disabled. After enabling https-inspection, I get
> > an error "Secure Connection Failed. An error occurred during a
> > connection to <site>. PR_END_OF_FILE_ERROR Error code:
> > PR_END_OF_FILE_ERROR" in firefox (works without problems if mbedtls 2
> > is used).
> >
> > In the privoxy log I see:
> > 2024-10-10 17:55:57.992 7f47df7fe6c0 Error: medtls_ssl_handshake with client failed: SSL - Internal error (eg, unexpected failure in lower-level module)
> > 2024-10-10 17:55:57.992 7f47df7fe6c0 Error: Failed to open a secure connection with the client
>
> Does it work if you build Privoxy from the git master branch?
> Is the problem reproducible with curl?
Just tried this out, but the problem persists.
curl returns the following output:
$ curl -v -x http://localhost:8118/ --cacert /etc/privoxy/CA/privoxy.crt https://www.spinnaker.de
* Trying 127.0.0.1:8118...
* Connected to localhost (127.0.0.1) port 8118 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to www.spinnaker.de:443
> CONNECT www.spinnaker.de:443 HTTP/1.1
> Host: www.spinnaker.de:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/privoxy/CA/privoxy.crt
* CApath: /etc/ssl/certs
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.spinnaker.de:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.spinnaker.de:443
For comparison, here's the output with mbedtls 2.28:
* Trying 127.0.0.1:8118...
* Connected to localhost (127.0.0.1) port 8118 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to www.spinnaker.de:443
> CONNECT www.spinnaker.de:443 HTTP/1.1
> Host: www.spinnaker.de:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/privoxy/CA/privoxy.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=www.spinnaker.de; O=www.spinnaker.de; OU=www.spinnaker.de; C=CZ
* start date: Sep 10 15:55:57 2024 GMT
* expire date: Jan 8 15:55:57 2025 GMT
* subjectAltName: host "www.spinnaker.de" matched cert's "www.spinnaker.de"
* issuer: C=DE; ST=NRW; L=Bornheim; O=private; CN=privoxy.sail.spinnaker.de
* SSL certificate verify ok.
* using HTTP/1.x
> HEAD / HTTP/1.1
> Host: www.spinnaker.de
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 11 Oct 2024 07:55:43 GMT
Date: Fri, 11 Oct 2024 07:55:43 GMT
< Server: Apache
[...]
Greetings
Roland
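As an added example (not from the thread and not Privoxy's own code), a small Python checker over Privoxy log lines of the shape quoted above: it counts mbedtls_ssl_handshake failures by side and reason, so that a run of client-side "Internal error" failures after a TLS library upgrade stands out from the odd misbehaving client or an upstream certificate problem. The log-line regex, the server-side failure text and all but the first two sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Privoxy log line as quoted in the thread: "<date> <time> <thread-id> <level>: <message>".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<thread>[0-9a-f]+) (?P<level>\w+): (?P<msg>.*)$")
# Matches "mbedtls_ssl_handshake with client failed: ..." including the "medtls_" spelling in the log.
HANDSHAKE_RE = re.compile(r"ssl_handshake with (?P<side>client|server) failed: (?P<reason>.*)")

# Constructed sample: the first two lines are the ones quoted in the thread; the rest are made up
# (timestamps, thread ids and the server-side failure text are assumptions, not real Privoxy output).
SAMPLE_LOG = """\
2024-10-10 17:55:57.992 7f47df7fe6c0 Error: medtls_ssl_handshake with client failed: SSL - Internal error (eg, unexpected failure in lower-level module)
2024-10-10 17:55:57.992 7f47df7fe6c0 Error: Failed to open a secure connection with the client
2024-10-10 17:56:02.104 7f47df7fe6c0 Error: medtls_ssl_handshake with client failed: SSL - Internal error (eg, unexpected failure in lower-level module)
2024-10-10 17:56:05.311 7f47ddffb6c0 Error: mbedtls_ssl_handshake with server failed: X509 - Certificate verification failed
2024-10-10 17:56:07.000 7f47df7fe6c0 Request: www.spinnaker.de:443/
"""

def parse_line(line):
    """Split one log line into its fields; None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count handshake failures by (side, reason) and the distinct threads hit on the client side."""
    failures, threads, errors = Counter(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "Error":
            continue
        errors += 1
        hm = HANDSHAKE_RE.search(rec["msg"])
        if hm:
            failures[(hm["side"], hm["reason"])] += 1
            if hm["side"] == "client":
                threads.add(rec["thread"])
    return {"error_lines": errors, "failures": failures, "client_threads": len(threads)}

def client_failures(summary, reason_contains=""):
    """Client-side handshake failures, optionally only those whose reason contains a substring."""
    return sum(n for (side, reason), n in summary["failures"].items()
               if side == "client" and reason_contains in reason)

def inspection_looks_broken(summary, min_failures=2):
    """Repeated client-side failures with mbedtls' 'Internal error' reason (not a certificate or
    alert reason) are the signature from the thread for https-inspection that stopped working
    after the TLS library change; a single failure is left alone."""
    return client_failures(summary, "Internal error") >= min_failures
```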