From 7dba237f7f277182b1fa59888de268406c260957 Mon Sep 17 00:00:00 2001
From: Adrien Destugues
Date: Sat, 5 May 2018 08:48:22 +0200
Subject: [PATCH] BSecureSocket: re-enable RSA cipher suite
my.justenergy.com allows only RSA, so we can't connect there without this. Other websites may have a similar problem. Also improve the handling of the error, as it was giving a generic "general system error" to the user. Fixes #13975.
---
 src/kits/network/libnetapi/SecureSocket.cpp | 31 +++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/kits/network/libnetapi/SecureSocket.cpp b/src/kits/network/libnetapi/SecureSocket.cpp
index 489b5a4343..ab2b8064a0 100644
--- a/src/kits/network/libnetapi/SecureSocket.cpp
+++ b/src/kits/network/libnetapi/SecureSocket.cpp
@@ -207,12 +207,39 @@ BSecureSocket::Private::ErrorCode(int returnValue)
 // Probably no certificate
 return B_NOT_ALLOWED;
+ case SSL_ERROR_SYSCALL:
+ {
+ unsigned long error2;
+ // Check for extra errors in the error stack...
+ for(;;) {
+ error2 = ERR_get_error();
+ if (error2 == 0)
+ break;
+ fprintf(stderr, "SSL ERR %s\n", ERR_error_string(error2, NULL));
+ }
+
+ if (returnValue == 0)
+ {
+ // unexpected EOF, the remote host closed the socket without
+ // telling us why.
+ return ECONNREFUSED;
+ }
+
+ if (returnValue == -1)
+ {
+ fprintf(stderr, "SSL %s\n", ERR_error_string(error, NULL));
+ return errno;
+ }
+
+ fprintf(stderr, "SSL %s\n", ERR_error_string(error, NULL));
+ return B_ERROR;
+ }
+
 case SSL_ERROR_WANT_READ:
 case SSL_ERROR_WANT_WRITE:
 case SSL_ERROR_WANT_CONNECT:
 case SSL_ERROR_WANT_ACCEPT:
 case SSL_ERROR_WANT_X509_LOOKUP:
- case SSL_ERROR_SYSCALL:
 default:
 // TODO: translate SSL error codes!
 fprintf(stderr, "SSL %s\n", ERR_error_string(error, NULL));
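Review bot: In the new `SSL_ERROR_SYSCALL` case, `return errno;` comes directly after an `fprintf` (and after the error-queue loop, which may also print), and `fprintf` is allowed to change `errno`, so the value returned is not reliably the one left by the failed socket call. If it happens to be 0, the caller would get a success code from a failed TLS operation. Save it before any other call with `int savedErrno = errno;` at the top of the case, and return `savedErrno != 0 ? savedErrno : B_ERROR` in the `returnValue == -1` branch. The two `fprintf` calls that pass `error` to `ERR_error_string` appear to hand it the `SSL_get_error` result rather than an error-queue code, so their output is probably not meaningful; the switch header and the rest of `ErrorCode` are outside the hunk, so this should be confirmed there.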
@@ -334,7 +361,7 @@ BSecureSocket::Private::_CreateContext()
 // Setup cipher suites.
 // Only accept reasonably secure ones ("HIGH") and disable some known
 // broken stuff (https://wiki.openssl.org/index.php/SSL/TLS_Client)
- SSL_CTX_set_cipher_list(sContext, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4");
+ SSL_CTX_set_cipher_list(sContext, "HIGH:!aNULL:!PSK:!SRP:!MD5:!RC4");
 SSL_CTX_set_ecdh_auto(sContext, 1);
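Review bot: Dropping `!kRSA` from the cipher string in `_CreateContext()` allows static-RSA key exchange for every connection, and those suites give no forward secrecy, yet the comment above the call still only says that known-broken options are disabled. Record the trade-off next to the call, for example `// kRSA stays enabled for servers that offer nothing else; such sessions have no forward secrecy.` The return value of `SSL_CTX_set_cipher_list` is also ignored on the new line; it returns 1 on success and 0 when no cipher could be selected, so checking for 1 and failing context creation otherwise would catch a bad string. The body of `_CreateContext` extends outside the hunk.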