Secure HTTP connection stopped working for certain servers, including sourceforge.io
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| DC++ | Fix Released | High | Unassigned | |
Bug Description
[2022-02-17 08:50] <eMTee> I am getting TLS error accessing sf.io/version.xml and geoip files hosted there with DC++'s httpconnection. Do any of you? Web browsers seem to work well.
[2022-02-17 09:33] <iceman50> i get a tls error as well
[2022-02-17 10:22] <eMTee> Well, most of the old DC++ versions don't work anymore due to https/TLS 1.2+ requirement of sf but this is unexpected. If it isn't a bug at sf's side then we're in trouble.
...
[2022-02-18 12:42] <eMTee> For
dcdebug("TLS error: call ret = %d, SSL_get_error = %d, ERR_get_error = %d\n, ERR_error_string = %s", ret, err, sys_err, _error.c_str());
I get
TLS error: call ret = -1, SSL_get_error = 1, ERR_get_error = 336151568, ERR_error_string = error:14094410:SSL routines:
when connecting to sf.io
[2022-02-18 12:42] <eMTee> This is actually SSL_R_SSLV3_
...
[2022-02-18 15:53] <eMTee> Well, SF is behind cloudflare so I thought it worth checking another cloudflare protected server. E.g. https:/
[2022-02-18 19:15:10] <iceman50> https:/
[2022-02-19 08:36] <eMTee> Yeah, I've seen that but wasn't sure how it is related to this problem. But yeah, it can also be a certificate issue.
[2022-02-19 08:40] <eMTee> It must be some server configuration change, which happened along with a server software update or indeed new certs.
[2022-02-19 15:39] <eMTee> It doesn't seem to be cloudflare related, either. I tried ~50 random domains, a mix of web pages I frequently visit and the most known big tech, social and global media, streaming and IT manufacturer companies' homepages, even ovh.com itself. Found 6 more sites that give the same error with DC++ but nothing much in common between them...
[2022-02-19 15:41] <eMTee> Sites I found not working with DC++ are: dcbase.org, www.espn.com, www.shutterstoc
[2022-02-19 15:48] <eMTee> Whatever this is, we possibly lost the upgrade nag feature of DC++ for all the recently released versions as well, which will cause substantially less usage of any future releases for a longer period of time.
...
[2022-02-23 16:41:53] <eMTee> Checked AirDC++ with downloading sf.io/version.xml, it seems to work fine in it. So again, wtf.
...
[2022-03-01 16:15:32] <eMTee> https:/
...
[2022-03-17 15:14:56] <eMTee> Okay, so I started investigating the SSL issue myself. I started checking what AirDC++ has committed regarding crypto recently (https:/
[2022-03-17 15:16:55] <eMTee> The openssl issue linked inside the committed code ( https:/
The committed fix https://sourceforge.net/p/dcplusplus/code/ci/5ffb7d83126d0ca6857c0f1e6fb4845653b65009/ is made to be probably the least invasive; it still mimics the logic of how it's done in AirDC++, as it strictly sets tlsext_host_name only for httpconnection and client outgoing connection attempts, by saving the hostname before it gets resolved to an IP.
Other possibly cleaner ways of doing this are:
- in connect(), and save the hostname accordingly there
- sending the isURL parameter through the connect() members, but that needs changes in the Socket class as well
- or maybe determine the address type in place in SSLSocket
- or simply set tlsext_host_name to whatever comes in the address string and see whether it breaks other types of connections.
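The last two options both come down to one check: the SNI host_name extension must carry a DNS name, never an IP literal (RFC 6066), so a bare IP must not be handed to SSL_set_tlsext_host_name(). Added example, not DC++ or AirDC++ code: a C++ helper that classifies the address and picks the hostname saved before resolution; the names isIpLiteral and sniHostName are hypothetical.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string>

// True when `address` is an IPv4 or IPv6 literal. IPv6 literals may arrive
// in URL form with brackets, e.g. "[2001:db8::1]", so strip those first.
// Such values must never be used as SNI host_name (RFC 6066, section 3).
bool isIpLiteral(const std::string& address) {
    std::string a = address;
    if (a.size() >= 2 && a.front() == '[' && a.back() == ']')
        a = a.substr(1, a.size() - 2);
    in_addr v4;
    in6_addr v6;
    return inet_pton(AF_INET, a.c_str(), &v4) == 1 ||
           inet_pton(AF_INET6, a.c_str(), &v6) == 1;
}

// Chooses the SNI host name for an outgoing TLS connection.
// `savedHost` is the name captured before DNS resolution (may be empty),
// `connectAddr` is the string the socket is actually asked to connect to.
// Returns "" when no SNI should be sent, i.e. only an IP literal is known;
// a non-empty result is what the caller passes to SSL_set_tlsext_host_name().
std::string sniHostName(const std::string& savedHost,
                        const std::string& connectAddr) {
    if (!savedHost.empty() && !isIpLiteral(savedHost))
        return savedHost;          // hostname saved before resolution
    if (!connectAddr.empty() && !isIpLiteral(connectAddr))
        return connectAddr;        // address string already was a hostname
    return "";                     // only an IP literal: send no SNI
}
```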