Suppose we have a Phantom config file that contains the following section (with a GOST cipher string taken from man ciphers):
transport_t ssl_transport = transport_ssl_t {
auth = NULL
ciphers = "GOST2001-GOST89-GOST89"
timeout = 1s
}
We also assume that the cipher string mentioned above is known to the OpenSSL library:
$ openssl ciphers | grep -oP "GOST.+?:"
GOST2001-GOST89-GOST89:
GOST94-GOST89-GOST89:
Then, if we build Phantom from the current state of the public repo and check this config, we receive the following error:
$ ./phantom check openssl_min.conf
2016-07-05 11:37:27.070 +0300 [error] [] SSL error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
2016-07-05 11:37:27.070 +0300 [error] [] SSL_CTX_set_cipher_list
But if we include the OpenSSL configuration header <openssl/conf.h> and initialize the configuration in pd/ssl/ssl.C, for instance like this:
$ git diff pd/ssl/ssl.C
diff --git a/pd/ssl/ssl.C b/pd/ssl/ssl.C
index a0c9774..77c8c47 100644
--- a/pd/ssl/ssl.C
+++ b/pd/ssl/ssl.C
@@ -17,6 +17,7 @@
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/engine.h>
+#include <openssl/conf.h>
namespace pd {
@@ -48,6 +49,7 @@ struct mgr_t {
}
inline mgr_t() throw() {
+ OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
ENGINE_load_builtin_engines();
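Review bot: The added `OPENSSL_config(NULL);` in the `mgr_t()` constructor returns void, so a broken or unexpected openssl.cnf cannot be reported through phantom's own error log the way the `SSL_CTX_set_cipher_list` failure is. It also makes the process load whatever configuration the default path or the `OPENSSL_CONF` environment variable points at, which can include dynamically loaded engine libraries, so that file and its directory should be writable only by trusted users. A checked call such as `if (CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { /* log and fail */ }` (preceded by `OPENSSL_load_builtin_modules()`) would make a failure visible, and a comment like `// load openssl.cnf so engine-provided ciphers (e.g. GOST) are registered` would document why the call is there. The constructor body continues past the end of the hunk, so any matching cleanup is not visible here.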
(or it could be done more precisely with CONF_modules_load_file)
then the check succeeds:
$ ./phantom check openssl_min.conf
setup_t module_setup = setup_module_t {
dir = "../lib/phantom"
list = {
io_monitor
io_benchmark
io_benchmark_method_stream
io_benchmark_method_stream_ipv4
io_benchmark_method_stream_ipv6
io_benchmark_method_stream_source_log
io_benchmark_method_stream_proto_none
io_benchmark_method_stream_proto_http
ssl
io_benchmark_method_stream_transport_ssl
}
}
setup_t stat_setup = setup_stat_t {
list = {
default
}
}
scheduler_t main_scheduler = scheduler_simple_t {
threads = 13
limit = unlimited
event_buf_size = 20
timeout_prec = 001
tname = ""
policy = other
priority = 0
}
logger_t phantom_logger = logger_file_t {
level = info
filename = "../logs/phantom_S61foA.log"
check_interval = 1s
scheduler = main_scheduler
}
logger = phantom_logger
io_t benchmark_io = io_benchmark_t {
instances = 50
method_t stream_method = method_stream_ipv4_t {
address = 10.242.232.161
port = 443
bind = {
10.242.232.161
}
cork = true
timeout = 4s
ibuf_size = 4K
obuf_size = 1K
source_t source_log = source_log_t {
filename = "ammo_min.stpd"
ibuf_size = 1M
}
source = source_log
transport_t ssl_transport = transport_ssl_t {
auth = NULL
ciphers = "GOST2001-GOST89-GOST89"
timeout = 1s
}
transport = ssl_transport
proto_t http_proto0 = proto_http_t {
reply_limits = {
line = 1K
field_num = 128
field = 8K
entity = 8M
}
}
proto_t none_proto = proto_none_t {
}
proto = http_proto0
logger_t benchmark_logger = logger_default_t {
filename = "../logs/answ_g9SMcT.log"
check_interval = 1s
scheduler = main_scheduler
level = all
}
logger_t brief_logger = logger_brief_t {
time_format = unix
filename = "../logs/phout_M1oBul.log"
check_interval = 1s
scheduler = main_scheduler
level = all
}
loggers = {
brief_logger
benchmark_logger
}
}
method = stream_method
times_t simple_times = times_simple_t {
max = 4s
min = 001
steps = 20
}
times = simple_times
scheduler = main_scheduler
}
io_t monitor_io = io_monitor_t {
clear = true
period = 1m40s
list = {
main_scheduler
benchmark_io
}
stat_id = default
filename = "../logs/phantom_stat_0WNG5O.log"
check_interval = 1s
scheduler = main_scheduler
}
and we can run it. :-)