BSecureSocket: re-enable RSA cipher suite

my.justenergy.com allows only RSA, so we can't connect there without
this. Other websites may have a similar problem.

Also improve the handling of the error, as it was giving a generic
"general system error" to the user.

Fixes #13975.
This commit is contained in:
Adrien Destugues 2018-05-05 08:48:22 +02:00
parent f599721237
commit 7dba237f7f

View File

@ -207,12 +207,39 @@ BSecureSocket::Private::ErrorCode(int returnValue)
// Probably no certificate // Probably no certificate
return B_NOT_ALLOWED; return B_NOT_ALLOWED;
case SSL_ERROR_SYSCALL:
{
unsigned long error2;
// Check for extra errors in the error stack...
for(;;) {
error2 = ERR_get_error();
if (error2 == 0)
break;
fprintf(stderr, "SSL ERR %s\n", ERR_error_string(error2, NULL));
}
if (returnValue == 0)
{
// unexpected EOF, the remote host closed the socket without
// telling us why.
return ECONNREFUSED;
}
if (returnValue == -1)
{
fprintf(stderr, "SSL %s\n", ERR_error_string(error, NULL));
return errno;
}
fprintf(stderr, "SSL %s\n", ERR_error_string(error, NULL));
return B_ERROR;
}
case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_CONNECT: case SSL_ERROR_WANT_CONNECT:
case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_ACCEPT:
case SSL_ERROR_WANT_X509_LOOKUP: case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_SYSCALL:
default: default:
// TODO: translate SSL error codes! // TODO: translate SSL error codes!
fprintf(stderr, "SSL %s\n", ERR_error_string(error, NULL)); fprintf(stderr, "SSL %s\n", ERR_error_string(error, NULL));
@ -334,7 +361,7 @@ BSecureSocket::Private::_CreateContext()
// Setup cipher suites. // Setup cipher suites.
// Only accept reasonably secure ones ("HIGH") and disable some known // Only accept reasonably secure ones ("HIGH") and disable some known
// broken stuff (https://wiki.openssl.org/index.php/SSL/TLS_Client) // broken stuff (https://wiki.openssl.org/index.php/SSL/TLS_Client)
SSL_CTX_set_cipher_list(sContext, "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"); SSL_CTX_set_cipher_list(sContext, "HIGH:!aNULL:!PSK:!SRP:!MD5:!RC4");
SSL_CTX_set_ecdh_auto(sContext, 1); SSL_CTX_set_ecdh_auto(sContext, 1);