(openssl tls backend) Fix a hand in OpenSSL when using TLS v1.3 ... by disabling TLS v1.3

2020-03-12 16:27:25 -07:00 · 2020-03-12 16:27:25 -07:00 · 90df3d1805
commit 90df3d1805
parent bda1bb6ab4
5 changed files with 16 additions and 6 deletions
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@ -1,6 +1,10 @@
 # Changelog
 All changes to this project will be documented in this file.

+## [8.2.2] - 2020-03-12
+
+(openssl tls backend) Fix a hand in OpenSSL when using TLS v1.3 ... by disabling TLS v1.3
+
 ## [8.2.1] - 2020-03-11

 (cobra) IXCobraConfig struct has tlsOptions and per message deflate options
--- a/ixwebsocket/IXSocketOpenSSL.cpp
+++ b/ixwebsocket/IXSocketOpenSSL.cpp
@ -131,8 +131,14 @@ namespace ix
            SSL_CTX_set_mode(ctx,
                             SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

-            SSL_CTX_set_options(
-                ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE);
+            int options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+#ifdef SSL_OP_NO_TLSv1_3
+            // (partially?) work around hang in openssl 1.1.1b, by disabling TLS V1.3
+            // https://github.com/openssl/openssl/issues/7967
+            options |= SSL_OP_NO_TLSv1_3;
+#endif
+            SSL_CTX_set_options(ctx, options);
        }
        return ctx;
    }
--- a/ixwebsocket/IXWebSocketVersion.h
+++ b/ixwebsocket/IXWebSocketVersion.h
@ -6,4 +6,4 @@

 #pragma once

-#define IX_WEBSOCKET_VERSION "8.2.1"
+#define IX_WEBSOCKET_VERSION "8.2.2"
--- a/test/IXCobraToSentryBotTest.cpp
+++ b/test/IXCobraToSentryBotTest.cpp
@ -12,11 +12,11 @@
 #include <ixcobra/IXCobraConnection.h>
 #include <ixcobra/IXCobraMetricsPublisher.h>
 #include <ixcrypto/IXUuid.h>
+#include <ixsentry/IXSentryClient.h>
 #include <ixsnake/IXRedisServer.h>
 #include <ixsnake/IXSnakeServer.h>
 #include <ixwebsocket/IXHttpServer.h>
 #include <ixwebsocket/IXUserAgent.h>
-#include <ixsentry/IXSentryClient.h>

 using namespace ix;

@ -159,7 +159,7 @@ TEST_CASE("Cobra_to_sentry_bot", "[foo]")
        bool enableHeartbeat = false;

        // FIXME: try to get this working with https instead of http
-        //        to regress the TLS 1.3 OpenSSL bug 
+        //        to regress the TLS 1.3 OpenSSL bug
        //        -> https://github.com/openssl/openssl/issues/7967
        // https://xxxxx:yyyyyy@sentry.io/1234567
        std::stringstream oss;
--- a/ws/ws.cpp
+++ b/ws/ws.cpp
@ -14,10 +14,10 @@
 #include <ixbots/IXCobraToSentryBot.h>
 #include <ixbots/IXCobraToStatsdBot.h>
 #include <ixcore/utils/IXCoreLogger.h>
+#include <ixsentry/IXSentryClient.h>
 #include <ixwebsocket/IXNetSystem.h>
 #include <ixwebsocket/IXSocket.h>
 #include <ixwebsocket/IXUserAgent.h>
-#include <ixsentry/IXSentryClient.h>
 #include <spdlog/spdlog.h>
 #include <sstream>
 #include <string>