authorAndy Polyakov <appro@openssl.org>2018-04-11 23:16:52 +0200
committerAndy Polyakov <appro@openssl.org>2018-04-14 19:59:02 +0200
commitde5b3a8645a3b2dd22fa8866e64488eb2b69777d (patch)
tree647572831adef66e775d1dc4b2d03480c99b3b5c /util
parentd47eb76cd5fef2495c23705733d7034370063556 (diff)
TLSProxy/Proxy.pm: bind s_server to loopback interface.
Bind even test/ssltest_old.c to the loopback interface. This avoids unnecessary alerts from Windows and Mac OS X firewalls. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5933)
Diffstat (limited to 'util')
-rw-r--r--util/perl/TLSProxy/Proxy.pm114
1 files changed, 60 insertions, 54 deletions
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 752b572b8c..ea2c7a689e 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -23,9 +23,50 @@ use TLSProxy::CertificateVerify;
use TLSProxy::ServerKeyExchange;
use TLSProxy::NewSessionTicket;
-my $have_IPv6 = 0;
+my $have_IPv6;
my $IP_factory;
+BEGIN
+{
+ # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
+ # However, IO::Socket::INET6 is older and is said to be more widely
+ # deployed for the moment, and may have less bugs, so we try the latter
+ # first, then fall back on the core modules. Worst case scenario, we
+ # fall back to IO::Socket::INET, only supports IPv4.
+ eval {
+ require IO::Socket::INET6;
+ my $s = IO::Socket::INET6->new(
+ LocalAddr => "::1",
+ LocalPort => 0,
+ Listen=>1,
+ );
+ $s or die "\n";
+ $s->close();
+ };
+ if ($@ eq "") {
+ $IP_factory = sub { IO::Socket::INET6->new(@_); };
+ $have_IPv6 = 1;
+ } else {
+ eval {
+ require IO::Socket::IP;
+ my $s = IO::Socket::IP->new(
+ LocalAddr => "::1",
+ LocalPort => 0,
+ Listen=>1,
+ );
+ $s or die "\n";
+ $s->close();
+ };
+ if ($@ eq "") {
+ $IP_factory = sub { IO::Socket::IP->new(@_); };
+ $have_IPv6 = 1;
+ } else {
+ $IP_factory = sub { IO::Socket::INET->new(@_); };
+ $have_IPv6 = 0;
+ }
+ }
+}
+
my $is_tls13 = 0;
my $ciphersuite = undef;
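Review bot: Both probes in the new BEGIN block detect failure with `if ($@ eq "")`, which depends on `$@` surviving untouched between the `die` and the test; a DESTROY method running while the socket object goes out of scope, or any nested eval, can reset it and make a failed probe look successful, so the module would then claim IPv6 support it does not have. The robust idiom is to test the eval's own return value: `my $ok = eval { ...; 1 };` followed by `if ($ok) {`, for both the IO::Socket::INET6 and the IO::Socket::IP probe. The `die "\n"` also discards the bind error; `die "$!\n"` keeps the reason available for diagnostics while still leaving `$@` non-empty on failure.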
@@ -39,8 +80,7 @@ sub new
my $self = {
#Public read/write
- proxy_addr => "localhost",
- server_addr => "localhost",
+ proxy_addr => $have_IPv6 ? "[::1]" : "127.0.0.1",
filter => $filter,
serverflags => "",
clientflags => "",
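Review bot: Removing `server_addr` from the initial hash leaves `$self->{server_addr}` undefined whenever the proxy socket cannot be created, because the new code only assigns it inside the `if (my $sock = ...)` branch further down in `new` (the `else` branch there just warns and continues). `start` then interpolates it into `-accept $self->{server_addr}:0`, producing `-accept :0` plus an uninitialized-value warning, where the old code would have fallen back to "localhost". Keeping a default alongside `proxy_addr`, `server_addr => $have_IPv6 ? "[::1]" : "127.0.0.1",`, preserves the previous behaviour on that failure path. `sub new` begins and ends outside this hunk.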
@@ -67,43 +107,6 @@ sub new
message_list => [],
};
- # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
- # However, IO::Socket::INET6 is older and is said to be more widely
- # deployed for the moment, and may have less bugs, so we try the latter
- # first, then fall back on the code modules. Worst case scenario, we
- # fall back to IO::Socket::INET, only supports IPv4.
- eval {
- require IO::Socket::INET6;
- my $s = IO::Socket::INET6->new(
- LocalAddr => "::1",
- LocalPort => 0,
- Listen=>1,
- );
- $s or die "\n";
- $s->close();
- };
- if ($@ eq "") {
- $IP_factory = sub { IO::Socket::INET6->new(@_); };
- $have_IPv6 = 1;
- } else {
- eval {
- require IO::Socket::IP;
- my $s = IO::Socket::IP->new(
- LocalAddr => "::1",
- LocalPort => 0,
- Listen=>1,
- );
- $s or die "\n";
- $s->close();
- };
- if ($@ eq "") {
- $IP_factory = sub { IO::Socket::IP->new(@_); };
- $have_IPv6 = 1;
- } else {
- $IP_factory = sub { IO::Socket::INET->new(@_); };
- }
- }
-
# Create the Proxy socket
my $proxaddr = $self->{proxy_addr};
$proxaddr =~ s/[\[\]]//g; # Remove [ and ]
@@ -113,11 +116,16 @@ sub new
Proto => "tcp",
Listen => SOMAXCONN,
);
- $self->{proxy_sock} = $IP_factory->(@proxyargs);
- if ($self->{proxy_sock}) {
- $self->{proxy_port} = $self->{proxy_sock}->sockport();
- print "Proxy started on port ".$self->{proxy_port}."\n";
+ if (my $sock = $IP_factory->(@proxyargs)) {
+ $self->{proxy_sock} = $sock;
+ $self->{proxy_port} = $sock->sockport();
+ $self->{proxy_addr} = $sock->sockhost();
+ $self->{proxy_addr} =~ s/(.*:.*)/[$1]/;
+ print "Proxy started on port ",
+ "$self->{proxy_addr}:$self->{proxy_port}\n";
+ # use same address for s_server
+ $self->{server_addr} = $self->{proxy_addr};
} else {
warn "Failed creating proxy socket (".$proxaddr.",0): $!\n";
}
@@ -212,11 +220,9 @@ sub start
my $execcmd = $self->execute
." s_server -max_protocol TLSv1.3 -no_comp -rev -engine ossltest"
- ." -accept 0 -cert ".$self->cert." -cert2 ".$self->cert
+ ." -accept $self->{server_addr}:0"
+ ." -cert ".$self->cert." -cert2 ".$self->cert
." -naccept ".$self->serverconnects;
- unless ($self->supports_IPv6) {
- $execcmd .= " -4";
- }
if ($self->ciphers ne "") {
$execcmd .= " -cipher ".$self->ciphers;
}
@@ -286,7 +292,7 @@ sub start
$self->{serverpid} = $pid;
print STDERR "Server responds on ",
- $self->{server_addr}, ":", $self->{server_port}, "\n";
+ "$self->{server_addr}:$self->{server_port}\n";
# Connect right away...
$self->connect_to_server();
@@ -301,11 +307,8 @@ sub clientstart
if ($self->execute) {
my $pid;
my $execcmd = $self->execute
- ." s_client -max_protocol TLSv1.3 -engine ossltest -connect "
- .($self->proxy_addr).":".($self->proxy_port);
- unless ($self->supports_IPv6) {
- $execcmd .= " -4";
- }
+ ." s_client -max_protocol TLSv1.3 -engine ossltest"
+ ." -connect $self->{proxy_addr}:$self->{proxy_port}";
if ($self->cipherc ne "") {
$execcmd .= " -cipher ".$self->cipherc;
}
@@ -315,6 +318,9 @@ sub clientstart
if ($self->clientflags ne "") {
$execcmd .= " ".$self->clientflags;
}
+ if ($self->clientflags !~ m/-(no)?servername/) {
+ $execcmd .= " -servername localhost";
+ }
if (defined $self->sessionfile) {
$execcmd .= " -ign_eof";
}