[pfx] Re: PATCH: TLSRPT not applicable in server code path (was: TLSRPT issue)

[Viktor Dukhovni via Postfix-users]

Given:

On Tue, Nov 12, 2024 at 08:48:38PM +0100, Florian Piekert via Postfix-users 
wrote:

> Nov 12 11:29:09 sonne postfix/tlsproxy[3242552]: warning: TLS library 
> problem: error:0A000102:SSL routines::unsupported 
> protocol:../ssl/statem/statem_srvr.c:1657:
> Nov 12 11:29:09 sonne postfix/master[3192017]: warning: process 
> /usr/lib/postfix/tlsproxy pid 3242552 killed by signal 11
> 
> ==> mail/mail.log <==
> Nov 12 11:29:09 sonne postfix/tlsproxy[3242552]: CONNECT from 
> [80.72.225.30]:45667

A connection to tlsproxy as a TLS *server* from a remote client.

On Tue, Nov 12, 2024 at 10:29:55PM +0100, Florian Piekert via Postfix-users 
wrote:

> > > ==> mail/mail.warn <==
> > > Nov 12 11:29:09 sonne postfix/tlsproxy[3242552]: warning: TLS library 
> > > problem: error:0A000102:SSL routines::unsupported 
> > > protocol:../ssl/statem/statem_srvr.c:1657:
> > > Nov 12 11:29:09 sonne postfix/master[3192017]: warning: process 
> > > /usr/lib/postfix/tlsproxy pid 3242552 killed by signal 11

Logging that shows an SSL handshake failure in the OpenSSL server state
machine code.

On Wed, Nov 13, 2024 at 09:08:33AM +0100, Florian Piekert via Postfix-users 
wrote:

> Program received signal SIGSEGV, Segmentation fault.
> 0x000057c3e4e44c6a in tlsp_eval_tls_error (state=state@entry=0x57c3e60647d0,
>     err=6) at tlsproxy.c:741
> 741             if (state->client_start_props->tlsrpt
> (gdb) #0  0x000057c3e4e44c6a in tlsp_eval_tls_error (
>     state=state@entry=0x57c3e60647d0, err=6) at tlsproxy.c:741

A crash in code that attempts to dereference the *client* start props.
The problem sure looks like failure to take the server context into
account, hence the trivial patch below:

--- src/tlsproxy/tlsproxy.c
+++ src/tlsproxy/tlsproxy.c
@@ -738,9 +738,9 @@ static int tlsp_eval_tls_error(TLSP_STATE *state, int err)
         * already reported.
         */
 #ifdef USE_TLSRPT
-       if (state->client_start_props->tlsrpt
+       if (state->is_server_role == 0
            && (state->flags & TLSP_FLAG_DO_HANDSHAKE)
-           && state->is_server_role == 0)
+           && state->client_start_props->tlsrpt)
            trw_report_failure(state->client_start_props->tlsrpt,
                               TLSRPT_VALIDATION_FAILURE,
                                /* additional_info= */ (char *) 0,

-- 
    Viktor. 🇺🇦 Слава Україні
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org