LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10457 Commits
1 Branch
46 MiB
Tree: 86e4b33a9d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '86e4b33a9d'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-al...

61 lines
2.0 KiB
Raw Normal View History

haproxy: Update HAProxy to v1.8.4 (+patches) - Update haproxy download URL and hash - Update the haproxy homepage - Add libatomic to the dependencies as 1.8 needs it - Make USE_REGPARM an x86-only option as this fixes many warnings and does not do much on non-x86 platforms - Add USE_GETADDRINFO=1 to use getaddrinfo() to resolve IPv6 host names - Add USE_TFO=1 to enable TCP fast open - Unbreak CFLAGS, LD and LDFLAGS by adding the missing backslash after $(ADDON) - Unbreak IGNOREGIT=1 option (typo) - Rework LDFLAGS and add libatomic - Add MEDIUM+ patches (see https://www.haproxy.org/bugs/bugs-1.8.4.html) Signed-off-by: Christian Lachner <gladiac@gmail.com>
6 years ago
 
  1. From 2fcd544272a5498ffa49544e9f06b51bc93e55d1 Mon Sep 17 00:00:00 2001
  2. From: Olivier Houchard <ohouchard@haproxy.com>
  3. Date: Tue, 13 Feb 2018 15:17:23 +0100
  4. Subject: [PATCH] BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as
  5.  unrecovarable.
  6. 

  7. Bart Geesink reported some random errors appearing under the form of
  8. termination flags SD in the logs for connections involving SSL traffic
  9. to reach the servers.
  10. 

  11. Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit
  12. c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens
  13. that the special case of SSL_ERROR_SYSCALL isn't handled anymore since
  14. this commit.
  15. 

  16. SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL,
  17. without meaning the connection is gone. Before flagging the connection
  18. as in error, check the errno value.
  19. 

  20. This should be backported to 1.8.
  21. 

  22. (cherry picked from commit 7e2e505006feb8f3b4a7f9e0ac5e89b5a8c4895e)
  23. Signed-off-by: Willy Tarreau <w@1wt.eu>
  24. ---

  25.  src/ssl_sock.c |    9 ++++++++-
  26.  1 file changed, 8 insertions(+), 1 deletion(-)
  27. 

  28. diff --git a/src/ssl_sock.c b/src/ssl_sock.c

  29. index aecf3dd..f118724 100644

  30. --- a/src/ssl_sock.c

  31. +++ b/src/ssl_sock.c

  32. @@ -5437,6 +5437,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun

  33.  				break;
  34.  			} else if (ret == SSL_ERROR_ZERO_RETURN)
  35.  				goto read0;
  36. +			/* For SSL_ERROR_SYSCALL, make sure the error is

  37. +			 * unrecoverable before flagging the connection as

  38. +			 * in error.

  39. +			 */

  40. +			if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))

  41. +				goto clear_ssl_error;

  42.  			/* otherwise it's a real error */
  43.  			goto out_error;
  44.  		}
  45. @@ -5451,11 +5457,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun

  46.  	conn_sock_read0(conn);
  47.  	goto leave;
  48.   out_error:
  49. +	conn->flags |= CO_FL_ERROR;

  50. +clear_ssl_error:

  51.  	/* Clear openssl global errors stack */
  52.  	ssl_sock_dump_errors(conn);
  53.  	ERR_clear_error();
  54.  
  55. -	conn->flags |= CO_FL_ERROR;

  56.  	goto leave;
  57.  }
  58.  
  59. -- 

  60. 1.7.10.4
  61.