Secure HTTP connection stopped working for certain servers, including sourceforge.io

Bug #1965620 reported by eMTee
Affects: DC++
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

[2022-02-17 08:50] <eMTee> I am getting TLS error accessing sf.io/version.xml and geoip files hosted there with DC++'s httpconnection. Do any of you? Web browsers seem to work well.
[2022-02-17 09:33] <iceman50> i get a tls error as well
[2022-02-17 10:22] <eMTee> Well, most of the old DC++ versions don't work anymore due to https/TLS 1.2+ requirement of sf but this is unexpected. If it isn't a bug at sf's side then we're in trouble.
...
[2022-02-18 12:42] <eMTee> For
dcdebug("TLS error: call ret = %d, SSL_get_error = %d, ERR_get_error = %d\n, ERR_error_string = %s", ret, err, sys_err, _error.c_str());
I get
TLS error: call ret = -1, SSL_get_error = 1, ERR_get_error = 336151568, ERR_error_string = error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
when connecting to sf.io
[2022-02-18 12:42] <eMTee> This is actually SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE in the OpenSSL defines list.
...
[2022-02-18 15:53] <eMTee> Well, SF is behind cloudflare so I thought it worth checking another cloudflare protected server. E.g. https://dcbase.org/ gives the same error. Wtf?
[2022-02-18 19:15:10] <iceman50> https://stackoverflow.com/questions/36370656/solving-sslv3-alert-handshake-failure-when-trying-to-use-a-client-certificate
[2022-02-19 08:36] <eMTee> Yeah, I've seen that but wasn't sure how it is related to this problem. But yeah it can also be a certificate issue.
[2022-02-19 08:40] <eMTee> It must be some server configuration change, which happened along with a server software update or indeed new certs.
[2022-02-19 15:39] <eMTee> It doesn't seem to be cloudflare related, either. I tried ~50 random domains, a mix of web pages I frequently visit and the most known big tech, social and global media, streaming and IT manufacturer companies' homepages, even ovh.com itself. Found 6 more sites that give the same error with DC++ but nothing much in common between them...
[2022-02-19 15:41] <eMTee> Sites I found not working with DC++ are: dcbase.org, www.espn.com, www.shutterstock.com, forums.mydigitallife.net, www.wsj.com, formula1.com and acer.com.
[2022-02-19 15:48] <eMTee> Whatever this is, we possibly lost the upgrade nag feature of DC++ for all the recently released versions as well, which will cause substantially less usage of any future releases for a longer period of time.
...
[2022-02-23 16:41:53] <eMTee> Checked AirDC++ with downloading sf.io/version.xml, it seems to work fine in it. So again, wtf.
...
[2022-03-01 16:15:32] <eMTee> https://sourceforge.net/p/forge/site-support/23234/ shows a similar problem/error message to our issue. At least some more bits of information/log like how 'sslv3 alert handshake failure' can happen and also "What changed is now we are forwarding the sourceforge.io traffic through cloudflare."
...
[2022-03-17 15:14:56] <eMTee> Okay, so I started investigating the SSL issue myself. I started checking what AirDC++ has committed regarding crypto recently (https://github.com/airdcpp/airdcpp-windows/commits/master/airdcpp/airdcpp/CryptoManager.cpp) and I think I found our problem. It is actually a standout in the commit list: https://github.com/airdcpp/airdcpp-windows/commit/5e4a58982efa3b1d0086a04601cff5fe027f6c26
[2022-03-17 15:16:55] <eMTee> The openssl issue linked inside the committed code (https://github.com/openssl/openssl/issues/7147) fits perfectly with the phenomenon we see in DC++.

eMTee (realprogger) wrote :

The committed fix https://sourceforge.net/p/dcplusplus/code/ci/5ffb7d83126d0ca6857c0f1e6fb4845653b65009/ is made to be probably the least invasive; it still mimics the logic of how it's done in AirDC++ as it strictly sets tlsext_host_name only for httpconnection and client outgoing connection attempts by saving the hostname before it gets resolved to an IP.

Other possibly cleaner ways of doing this are
- sending the isURL parameter through the connect() members but that needs changes in the Socket class as well
- or maybe in place determine the address type in SSLSocket::connect() and save the hostname accordingly there
- or simply set tlsext_host_name to whatever comes in the address string and see whether it breaks other types of connections.

Changed in dcplusplus:
status: Confirmed → Fix Committed
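One way to implement the second alternative above (determine the address type at connect time and keep a hostname for SNI only when there is one), written as an added C++ example and not taken from the DC++ or AirDC++ commits. It also shows why the third alternative needs care: RFC 6066 forbids IP literals in the SNI HostName, so an address string holding an IP must leave the extension unset. `savedAddress` and the call-site comment are hypothetical; the hostname and IP inputs in the comments are constructed.

```cpp
// Added example, not DC++ or AirDC++ code: pick the name to send in the TLS SNI
// extension for an outgoing connection, working from the address string as it
// was given (URL, host:port, or IP literal) *before* it was resolved to an IP.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <optional>
#include <string>

// RFC 6066 section 3: the SNI HostName is a DNS name; literal IPv4/IPv6
// addresses are not permitted, so a client must not send one.
bool isIpLiteral(const std::string& s) {
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s.c_str(), buf) == 1 ||
           inet_pton(AF_INET6, s.c_str(), buf) == 1;
}

// Reduce "https://host:port/path", "host:port", "[v6]:port" or a bare host/IP
// to the host component only.
std::string hostPart(std::string address) {
    auto scheme = address.find("://");
    if (scheme != std::string::npos) address.erase(0, scheme + 3);
    auto slash = address.find('/');
    if (slash != std::string::npos) address.erase(slash);
    if (!address.empty() && address[0] == '[') {          // [2001:db8::1]:443 (constructed)
        auto close = address.find(']');
        return close == std::string::npos ? address : address.substr(1, close - 1);
    }
    auto first = address.find(':');
    if (first != std::string::npos && address.find(':', first + 1) == std::string::npos)
        address.erase(first);                             // host:port (single colon)
    return address;                                       // bare host or bare IPv6 literal
}

// Name to hand to SSL_set_tlsext_host_name(), or nullopt to leave SNI unset.
// Hypothetical call site, mirroring where the committed fix places it:
//   if (auto sni = sniNameFor(savedAddress))
//       SSL_set_tlsext_host_name(ssl, sni->c_str());   // before SSL_connect()
std::optional<std::string> sniNameFor(const std::string& address) {
    std::string host = hostPart(address);
    if (host.empty() || isIpLiteral(host)) return std::nullopt;
    return host;
}
```

Servers fronted by Cloudflare, as the openssl issue linked in the chat describes, reject a handshake with no SNI, which is exactly the sslv3 alert handshake failure seen above.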
eMTee (realprogger) wrote :

Fixed in DC++ 0.871.

Changed in dcplusplus:
status: Fix Committed → Fix Released