#1 Transfer via socat fails with openssl enabled rhbz#1870279
Opened 3 months ago by svp. Modified 3 months ago
https://git.centos.org/forks/svp/rpms/socat.git c8s  into  c8s

import socat-1.7.3.3-3.el8
Pavel Safronov • 3 months ago  
SOURCES/socat-1.7.3.3-ssl-auto-retry.patch
file added
+35

@@ -0,0 +1,35 @@

+ diff -Naur socat-1.7.3.3-orig/CHANGES socat-1.7.3.3/CHANGES

+ --- socat-1.7.3.3-orig/CHANGES	2019-04-05 13:10:24.000000000 -0700

+ +++ socat-1.7.3.3/CHANGES	2020-08-21 09:59:35.233714747 -0700

+ @@ -79,9 +79,6 @@

+  	RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with

+  	configure option --enable-res-deprecated.

+  

+ -	New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.

+ -	Solution: clear SSL_MODE_AUTO_RETRY when it is set.

+ -

+  	Renamed configure.in to configure.ac and set an appropriate symlink for

+  	older environments.

+  	Related Gentoo bug 426262: Warning on configure.in

+ diff -Naur socat-1.7.3.3-orig/xio-openssl.c socat-1.7.3.3/xio-openssl.c

+ --- socat-1.7.3.3-orig/xio-openssl.c	2019-04-04 01:59:55.000000000 -0700

+ +++ socat-1.7.3.3/xio-openssl.c	2020-08-21 09:58:27.445138134 -0700

+ @@ -1023,18 +1023,6 @@

+     }

+  #endif

+  

+ -   /* It seems that OpenSSL-1.1.1 presets the mode differently.

+ -      Without correction socat might hang in SSL_read() */

+ -   {

+ -      long mode = 0;

+ -      mode = SSL_CTX_get_mode(*ctx);

+ -      if (mode & SSL_MODE_AUTO_RETRY) {

+ -	 Info("SSL_CTX mode has SSL_MODE_AUTO_RETRY set. Correcting..");

+ -	 Debug1("SSL_CTX_clean_mode(%p, SSL_MODE_AUTO_RETRY)", *ctx);

+ -	 SSL_CTX_clear_mode(*ctx, SSL_MODE_AUTO_RETRY);

+ -      }

+ -   }

+ -

+     if (opt_cafile != NULL || opt_capath != NULL) {

+        if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {

+  	 int result;
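Review bot: the hunk at `@@ -79,9 +79,6 @@` deletes the CHANGES entry that recorded why SSL_MODE_AUTO_RETRY was cleared ("New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat") but adds nothing in its place, so the reason for the original workaround and the reason for reverting it are both lost from the changelog. Instead of removing those three lines, append a new entry stating that clearing SSL_MODE_AUTO_RETRY made transfers fail (rhbz#1870279, `SSL_read(): Connection reset by peer`) and that the mode is now left as OpenSSL presets it; the .patch file itself also carries no header comment or bugzilla reference, which would help whoever rebases it later.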

SPECS/socat.spec
file modified
+5 -1

@@ -3,13 +3,14 @@

  Summary: Bidirectional data relay between two data channels ('netcat++')

  Name: socat

  Version: 1.7.3.3

- Release: 2%{?dist}

+ Release: 3%{?dist}

  License: GPLv2

  Url:  http://www.dest-unreach.org/socat/

  Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz

  Group: Applications/Internet

  

  Patch1: socat-1.7.3.3-warn.patch

+ Patch2: socat-1.7.3.3-ssl-auto-retry.patch

  

  BuildRequires: openssl-devel readline-devel ncurses-devel

  BuildRequires: autoconf kernel-headers > 2.6.18
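Review bot: `Patch2: socat-1.7.3.3-ssl-auto-retry.patch` is declared here, but this diff does not show it being applied; if `%prep` uses explicit `%patch1 -p1` lines rather than `%autosetup`, a matching `%patch2 -p1` is needed or the new patch is listed but never used. Please confirm the rebuilt binary contains the change, for example by checking that socat's debug output no longer logs `SSL_CTX mode has SSL_MODE_AUTO_RETRY set. Correcting..`, which only the removed code emits.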

@@ -68,6 +69,9 @@

  %doc %{_mandir}/man1/*

  

  %changelog

+ * Fri Aug 21 2020 Pavel Safronov <svp@fb.com> - 1.7.3.3-3

+ - Resolves: rhbz#1870279 Transfer via socat fails with openssl enabled

+ 

  * Sun Dec 01 2019 Paul Wouters <pwouters@redhat.com> - 1.7.3.3-2

  - Resolves: rhbz#1682464 socat changes blocked until gating tests are added

  
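Review bot: the new changelog entry only repeats the bugzilla title and does not say what was changed, so a reader of `rpm -q --changelog` has to open the bug to learn that the SSL_MODE_AUTO_RETRY clearing was reverted. Suggest adding a second line under the `Resolves:` line, e.g. `- Stop clearing SSL_MODE_AUTO_RETRY (socat-1.7.3.3-ssl-auto-retry.patch)`; the release bump to `3%{?dist}` and the `1.7.3.3-3` in the entry do match.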

no initial comment

Redhat bugzilla link with the description: https://bugzilla.redhat.com/show_bug.cgi?id=1870279

This patch fixes the problem by rolling back the change, so basically we don't disable SSL_MODE_AUTO_RETRY anymore.

Test run results:

For both tests I ran the following command multiple times and checked the server output:

yes | head -n 1000000 | socat  -u - openssl-connect:[::1]:12345,cn=host:/example.com,cert=server.pem,cafile=ca.pem

With patch:

# while true; do socat openssl-listen:12345,reuseaddr,pf=ip6,cert=server.pem - > /dev/null; date; done
Fri Aug 21 10:53:11 PDT 2020
Fri Aug 21 10:53:13 PDT 2020
Fri Aug 21 10:53:15 PDT 2020
Fri Aug 21 10:53:17 PDT 2020
Fri Aug 21 10:53:19 PDT 2020
Fri Aug 21 10:53:22 PDT 2020
Fri Aug 21 10:53:24 PDT 2020

Without patch:

# while true; do ./socat openssl-listen:12345,reuseaddr,pf=ip6,cert=server.pem - > /dev/null; date; done
Fri Aug 21 10:50:01 PDT 2020
2020/08/21 10:50:02 socat[976825] E SSL_read(): Connection reset by peer
Fri Aug 21 10:50:02 PDT 2020
2020/08/21 10:50:05 socat[977067] E SSL_read(): Connection reset by peer
Fri Aug 21 10:50:05 PDT 2020
2020/08/21 10:50:07 socat[977300] E SSL_read(): Connection reset by peer
Fri Aug 21 10:50:07 PDT 2020
2020/08/21 10:50:09 socat[977442] E SSL_read(): Connection reset by peer
Fri Aug 21 10:50:09 PDT 2020
2020/08/21 10:50:10 socat[977660] E SSL_read(): Connection reset by peer
Fri Aug 21 10:50:10 PDT 2020
2020/08/21 10:50:12 socat[977718] E SSL_read(): Connection reset by peer
Fri Aug 21 10:50:12 PDT 2020
Fri Aug 21 10:50:14 PDT 2020

Thanks for the pull request Pavel. I've attached your patch to the bugzilla for workflow purposes.