From 1cf08f0a268eacc345b6cc48921ee25748ded175 Mon Sep 17 00:00:00 2001
|
|
From: Andre lorbach <alorbach@adiscon.com>
|
|
Date: Tue, 6 Oct 2020 14:24:51 +0200
|
|
Subject: [PATCH 68/73] gnutls: Added handshake error handling into doRetry
|
|
handler.
|
|
|
|
If the tls handshake does not immediatelly finish, gnutls_handShake is called in
|
|
doRetry handler again. However the error handling was not
|
|
complete in the doRetry handler. A failed gnutls_handShake call
|
|
did not abort the connection and probably caused unexpected
|
|
problems like in issues:
|
|
|
|
https://github.com/rsyslog/rsyslog/issues/4270
|
|
https://github.com/rsyslog/rsyslog/issues/4288
|
|
---
|
|
runtime/nsdsel_gtls.c | 12 +++++++++++-
|
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c
|
|
index 195431514..6ed7187e5 100644
|
|
--- a/runtime/nsdsel_gtls.c
|
|
+++ b/runtime/nsdsel_gtls.c
|
|
@@ -150,10 +150,20 @@ doRetry(nsd_gtls_t *pNsd)
|
|
switch(pNsd->rtryCall) {
|
|
case gtlsRtry_handshake:
|
|
gnuRet = gnutls_handshake(pNsd->sess);
|
|
- if(gnuRet == 0) {
|
|
+ if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
|
|
+ dbgprintf("GnuTLS handshake retry did not finish - "
|
|
+ "setting to retry (this is OK and can happen)\n");
|
|
+ FINALIZE;
|
|
+ } else if(gnuRet == 0) {
|
|
pNsd->rtryCall = gtlsRtry_None; /* we are done */
|
|
/* we got a handshake, now check authorization */
|
|
CHKiRet(gtlsChkPeerAuth(pNsd));
|
|
+ } else {
|
|
+ uchar *pGnuErr = gtlsStrerror(gnuRet);
|
|
+ LogError(0, RS_RET_TLS_HANDSHAKE_ERR,
|
|
+ "GnuTLS handshake retry returned error: %s\n", pGnuErr);
|
|
+ free(pGnuErr);
|
|
+ ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
|
|
}
|
|
break;
|
|
case gtlsRtry_recv:
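Review bot: The new `else` branch treats every return code other than 0, GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED as fatal, but gnutls_handshake() can also return non-fatal codes such as GNUTLS_E_WARNING_ALERT_RECEIVED, for which the GnuTLS documentation says to call the handshake again; with this change such a connection is torn down instead of retried. The retry condition should follow gnutls_error_is_fatal(), e.g. `if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED || (gnuRet < 0 && !gnutls_error_is_fatal(gnuRet))) {`, so that only genuinely fatal errors reach the ABORT_FINALIZE path. The error path also leaves `pNsd->rtryCall` at gtlsRtry_handshake; if the caller does not close the socket on RS_RET_TLS_HANDSHAKE_ERR, a later select cycle may call gnutls_handshake() again on a failed session, so either reset it here (`pNsd->rtryCall = gtlsRtry_None;`) or document that the caller must drop the connection. The trailing `\n` in the LogError format is unusual for this code base's LogError calls and can be dropped. doRetry() begins and ends outside this hunk, so the FINALIZE target and the caller's handling of the returned error are not visible here.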
|
|
--
|
|
2.23.0
|
|
|