proxy: use own openssl

YongBinnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn · Apr 11, 2024 · f327efb · f327efb · YongBinnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn · Apr 10, 2024
1 parent 21fbb4c
commit f327efb
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 11 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -47,9 +47,14 @@
         {
             "type": "gdb",
             "request": "launch",
-            "name": "Debug Program",
-            "target": "${workspaceFolder}/proxy/build/debug/hood_proxy",
+            "name": "Debug proxy amd64",
+            "target": "${workspaceFolder}/proxy/build/debug/amd64/hood_proxy",
             "cwd": "${workspaceFolder}/proxy/",
+            "env": {
+                "OPENSSL_CONF": "/etc/ssl/openssl.cnf",
+                "SSL_CERT_DIR": "/etc/ssl/certs/",
+                "SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt"
+            },
             "valuesFormatting": "parseText"
         }
     ]

diff --git a/.vscode/tasks.json b/.vscode/tasks.json
@@ -6,7 +6,7 @@
         {
             "label": "build",
             "type": "shell",
-            "command": "${workspaceFolder}/proxy/build_debug.sh",
+            "command": "${workspaceFolder}/proxy/build.sh type=debug",
         }
     ]
 }
diff --git a/proxy/CMakeLists.txt b/proxy/CMakeLists.txt
@@ -7,7 +7,7 @@ set(Boost_USE_STATIC_LIBS ON)
 find_package( Boost 1.84 COMPONENTS program_options system log REQUIRED )
 set(OPENSSL_USE_STATIC_LIBS ON)
 find_package( OpenSSL REQUIRED )
-include_directories (SYSTEM ${Boost_INCLUDE_DIR})
+include_directories (${Boost_INCLUDE_DIR} ${OPENSSL_INCLUDE_DIR} SYSTEM)
 
 set(CMAKE_CXX_STANDARD 20)
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)

diff --git a/proxy/build.sh b/proxy/build.sh
@@ -4,7 +4,7 @@ script_dir=$(readlink -f $(dirname "$0"))
 #export CC=clang
 #export CXX=clang++
 
-type=Release
+type=release
 arch=$(uname -r|cut -d - -f 3)
 system=$(uname -s)
 

diff --git a/proxy/install_dependencies_debian.sh b/proxy/install_dependencies_debian.sh
@@ -18,7 +18,7 @@ for arg in "$@"; do
   esac
 done
 
-sudo apt install -y cmake build-essential clang clang-tidy clang-format libssl-dev
+sudo apt install -y cmake build-essential clang clang-tidy clang-format
 
 if [ "$host_arch" != "$arch" ]; then
   if [ "$arch" = "armhf" ]; then
@@ -46,7 +46,7 @@ else
   install_dir=../$(uname -s)/$arch/openssl
   mkdir -p $install_dir
   install_dir=$(realpath $install_dir)
-  ./Configure no-ssl2 no-ssl3 no-shared no-weak-ssl-ciphers no-rc2 no-rc4 no-md2 no-md4 no-des no-unit-test no-apps --prefix=$install_dir
+  ./Configure no-ssl2 no-ssl3 no-shared no-module no-weak-ssl-ciphers no-unit-test no-apps --prefix=$install_dir
   make -j ${HOOD_PROXY_BUILD_CONCURRENCY}
   make install_sw
   cd ..
@@ -79,7 +79,7 @@ else
     ./bootstrap.sh --prefix="../$(uname -s)/$arch/boost"
   fi
 
-  BOOST_CXXFLAGS="-std=c++20"
+  BOOST_CXXFLAGS="-std=c++20 -I /$(uname -s)/$arch/openssl/include"
 
   ./b2 toolset=$toolset link=static cxxflags="${BOOST_CXXFLAGS}" -j ${HOOD_PROXY_BUILD_CONCURRENCY} stage release install
 

diff --git a/proxy/src/tls_check_certificate_worker.cpp b/proxy/src/tls_check_certificate_worker.cpp
@@ -1,3 +1,6 @@
+#include <boost/predef/os.h>
+#include <openssl/err.h>
+
 #include <boost/endian/conversion.hpp>
 #include <chrono>
 
@@ -125,8 +128,21 @@ void CertificateCheckWorker::CheckEndpoint(
             return;
           }
           if (error) {
-            LOG_ERROR(<< host_name_
-                      << " handshake failed: " << error.message());
+            if (error.category() == boost::asio::error::get_ssl_category()) {
+              char detail[256];
+              ERR_error_string_n(ERR_get_error(), detail, sizeof(detail));
+              const char *file, *function, *data;
+              int line, flags;
+              ERR_get_error_all(&file, &line, &function, &data, &flags);
+              LOG_ERROR(<< host_name_ << " handshake failed: "
+                        << "openssl " << detail << ":" << file << ":"
+                        << ":" << line << ":" << function << ":" << data << ":"
+                        << flags);
+            } else {
+              LOG_ERROR(<< host_name_
+                        << " handshake failed: " << error.message());
+            }
+
             CallHandler(endpoint, Flags::error);
             return;
           }

diff --git a/scripts/hood-network-services-runner.sh b/scripts/hood-network-services-runner.sh
@@ -9,7 +9,7 @@ if [ "$1" = "lo" ]||[ "$1" = "" ]; then
   echo "nameserver 127.0.0.1" > /etc/resolv.conf
   sudo -u nobody -g nogroup /bin/sh -c "ulimit -S -n 1000000;ulimit -S -s 819200;/usr/local/lib/hood/hood-http-handler.py --address 0.0.0.0" >> /var/log/hood-http-handler.log 2>&1 &
   sudo -u nobody -g nogroup /bin/sh -c "ulimit -S -n 1000000;ulimit -S -s 819200;/usr/local/lib/hood/hood-name-service.py" >> /var/log/hood-name-service.log 2>&1 &
-  sudo -u nobody -g nogroup /bin/sh -c "ulimit -S -n 1000000;ulimit -S -s 819200;/usr/local/lib/hood/hood-tls-proxy --config=/etc/hood_proxy.conf" >> /var/log/hood-tls-proxy.log 2>&1 &
+  sudo -u nobody -g nogroup /bin/sh -c "ulimit -S -n 1000000;ulimit -S -s 819200;OPENSSL_CONF=/etc/ssl/openssl.cnf SSL_CERT_DIR=/etc/ssl/certs/ SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt /usr/local/lib/hood/hood-tls-proxy --config=/etc/hood_proxy.conf" >> /var/log/hood-tls-proxy.log 2>&1 &
 
   while read line || [ -n "$line" ]; do
     case $line in \#*)

diff --git a/scripts/hood_proxy_x64 b/scripts/hood_proxy_x64