droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

Test fails with openssl 1.1.1 #242

Closed hillu closed 5 years ago

hillu commented 5 years ago

Hi,

as reported in Debian bug #912052, tests now fail. I have been able to reproduce them with a current sid-amd64 chroot which includes openssl 1.1.1-2. Downgrading the openssl, libssl1.1, libssl-dev packages to 1.1.0g-2 makes the problem go away.

The problem is that s_client no longer creates session.pem via the -sess_out parameter. My wild guess is that it has something to do with the failing verification.

$ openssl version
OpenSSL 1.1.1  11 Sep 2018
$ make -C extra/pki session.pem
[...]
openssl s_server -accept 46143 -cert server.pem -quiet  & \
    pid=$! ; \
    sleep 1 ; \
    echo q | openssl s_client -connect localhost:46143 \
        -quiet -no_ign_eof -sess_out session.pem ; \
    kill $pid
depth=0 C = CH, O = SSLsplit Test Certificate, CN = daniel.roe.ch
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, O = SSLsplit Test Certificate, CN = daniel.roe.ch
verify return:1
DONE
test -r session.pem
make: *** [GNUmakefile:117: session.pem] Error 1

droe commented 5 years ago

In the current develop branch, we have added session.pem to the repo and distributed files. We are no longer generating session.pem for each test invocation. Instead, we are overriding the session timestamp when loading the session into the unit test case. We do not have an OpenSSL 1.1.1 TravisCI build yet and there has been no TLS 1.3 testing or code changes yet (see #220), but the specific failure you raised in this issue should be already resolved.

Can you check with latest develop and confirm that this is not an issue anymore?

droe commented 5 years ago

I've added a TravisCI target for OpenSSL 1.1.1, it builds and unit tests fine. I'm closing this issue as already fixed.

Note that we have not done much testing with OpenSSL 1.1.1. In particular, there will still be significant work required to properly support TLS 1.3.

anatol commented 4 years ago

I see a somewhat similar problem at Arch Linux with OpenSSL-1.1.1.c:

==> Starting build()...
------------------------------------------------------------------------------
SSLsplit 0.5.2
------------------------------------------------------------------------------
Report bugs at https://github.com/droe/sslsplit/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/droe/sslsplit.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads check
Build options:  -DHAVE_NETFILTER
uname -a:       Linux foutrelis 5.2.5-arch1-1-ARCH #1 SMP PREEMPT Wed Jul 31 08:30:34 UTC 2019 x86_64 GNU/Linux
------------------------------------------------------------------------------
opts.c: In function ‘opts_proto_force’:
opts.c:184:3: warning: ‘TLSv1_method’ is deprecated [-Wdeprecated-declarations]
  184 |   opts->sslmethod = TLSv1_method;
      |   ^~~~
In file included from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:15,
                 from ssl.h:35,
                 from opts.h:34,
                 from opts.c:29:
/usr/include/openssl/ssl.h:1877:1: note: declared here
 1877 | DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_method(void)) /* TLSv1.0 */
      | ^~~~~~~~~~~~~~~~~~
opts.c:189:3: warning: ‘TLSv1_1_method’ is deprecated [-Wdeprecated-declarations]
  189 |   opts->sslmethod = TLSv1_1_method;
      |   ^~~~
cc -c -D_FORTIFY_SOURCE=2  -D_GNU_SOURCE -D"BNAME=\"sslsplit\"" -D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.5.2\"" -D"BUILD_DATE=\"2019-08-06\"" -D"FEATURES=\"-DHAVE_NETFILTER\"" -D"BUILD_INFO=\"V:FILE\"" -DHAVE_NETFILTER -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -pthread  -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -o version.o version.c
In file included from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:15,
                 from ssl.h:35,
                 from opts.h:34,
                 from opts.c:29:
/usr/include/openssl/ssl.h:1883:1: note: declared here
 1883 | DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_method(void)) /* TLSv1.1 */
      | ^~~~~~~~~~~~~~~~~~
opts.c:194:3: warning: ‘TLSv1_2_method’ is deprecated [-Wdeprecated-declarations]
  194 |   opts->sslmethod = TLSv1_2_method;
      |   ^~~~
In file included from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:15,
                 from ssl.h:35,
                 from opts.h:34,
                 from opts.c:29:
/usr/include/openssl/ssl.h:1889:1: note: declared here
 1889 | DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
      | ^~~~~~~~~~~~~~~~~~
opts.c: In function ‘opts_proto_dbg_dump’:
opts.c:257:17: warning: ‘TLSv1_method’ is deprecated [-Wdeprecated-declarations]
  257 |                 (opts->sslmethod == TLSv1_method) ? "tls10" :
      |                 ^
In file included from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:15,
                 from ssl.h:35,
                 from opts.h:34,
                 from opts.c:29:
/usr/include/openssl/ssl.h:1877:1: note: declared here
 1877 | DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_method(void)) /* TLSv1.0 */
      | ^~~~~~~~~~~~~~~~~~
opts.c:260:17: warning: ‘TLSv1_1_method’ is deprecated [-Wdeprecated-declarations]
  260 |                 (opts->sslmethod == TLSv1_1_method) ? "tls11" :
      |                 ^
In file included from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:15,
                 from ssl.h:35,
                 from opts.h:34,
                 from opts.c:29:
/usr/include/openssl/ssl.h:1883:1: note: declared here
 1883 | DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_method(void)) /* TLSv1.1 */
      | ^~~~~~~~~~~~~~~~~~
opts.c:263:17: warning: ‘TLSv1_2_method’ is deprecated [-Wdeprecated-declarations]
  263 |                 (opts->sslmethod == TLSv1_2_method) ? "tls12" :
      |                 ^
In file included from /usr/include/openssl/e_os2.h:13,
                 from /usr/include/openssl/ssl.h:15,
                 from ssl.h:35,
                 from opts.h:34,
                 from opts.c:29:
/usr/include/openssl/ssl.h:1889:1: note: declared here
 1889 | DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
      | ^~~~~~~~~~~~~~~~~~
privsep.c: In function ‘privsep_server_handle_req’:
privsep.c:314:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
  314 |   mkpath = 1;
      |   ~~~~~~~^~~
privsep.c:315:2: note: here
  315 |  case PRIVSEP_REQ_OPENFILE: {
      |  ^~~~
==> Starting check()...
rm -f extra/pki/session.pem
make -C extra/pki testreqs session
make[1]: Entering directory '/build/sslsplit/src/sslsplit-0.5.2/extra/pki'
openssl genrsa -out rsa.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
........................................+++++
e is 65537 (0x010001)
openssl req -new -nodes -x509 -sha256 -out rsa.crt -key rsa.key \
    -config x509v3ca.cnf -extensions v3_ca \
    -subj '/C=CH/O=SSLsplit Root CA/CN=SSLsplit Root CA/' \
    -set_serial 1 -days 3650
cat rsa.crt rsa.key >rsa.pem
mkdir -p targets
openssl genrsa -out targets/daniel.roe.ch.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
.............................................+++++
e is 65537 (0x010001)
openssl req -new -sha256 -subj '/C=CH/CN=daniel.roe.ch/' \
    -key targets/daniel.roe.ch.key \
    -out targets/daniel.roe.ch.csr
openssl x509 -req -sha256 -CAcreateserial -days 365 \
    -CA rsa.crt -CAkey rsa.key \
    -in targets/daniel.roe.ch.csr \
    -out targets/daniel.roe.ch.crt
Signature ok
subject=C = CH, CN = daniel.roe.ch
Getting CA Private Key
cat targets/daniel.roe.ch.crt targets/daniel.roe.ch.key rsa.crt \
    >targets/daniel.roe.ch.pem
rm -f targets/daniel.roe.ch.key targets/daniel.roe.ch.csr \
    targets/daniel.roe.ch.crt
mkdir -p targets
openssl genrsa -out targets/wildcard.roe.ch.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................+++++
......................................................................................................................+++++
e is 65537 (0x010001)
openssl req -new -sha256 -subj '/C=CH/CN=*.roe.ch/' \
    -key targets/wildcard.roe.ch.key \
    -out targets/wildcard.roe.ch.csr
openssl x509 -req -sha256 -CAcreateserial -days 365 \
    -CA rsa.crt -CAkey rsa.key \
    -in targets/wildcard.roe.ch.csr \
    -out targets/wildcard.roe.ch.crt
Signature ok
subject=C = CH, CN = *.roe.ch
Getting CA Private Key
cat targets/wildcard.roe.ch.crt targets/wildcard.roe.ch.key rsa.crt \
    >targets/wildcard.roe.ch.pem
rm -f targets/wildcard.roe.ch.key targets/wildcard.roe.ch.csr \
    targets/wildcard.roe.ch.crt
rm -f rsa.srl
openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................+++++
....................................................+++++
e is 65537 (0x010001)
openssl req -new -nodes -x509 -sha256 -out server.crt -key server.key \
    -config x509v3ca.cnf -extensions v3_crt \
    -subj '/C=CH/O=SSLsplit Test Certificate/CN=daniel.roe.ch/' \
    -set_serial 42 -days 365
cat server.crt server.key >server.pem
openssl s_server -accept 46143 -cert server.pem -quiet  & \
    pid=$! ; \
    sleep 1 ; \
    echo q | openssl s_client -connect localhost:46143 \
        -quiet -no_ign_eof -sess_out session.pem ; \
    kill $pid
Can't use SSL_get_servername
depth=0 C = CH, O = SSLsplit Test Certificate, CN = daniel.roe.ch
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, O = SSLsplit Test Certificate, CN = daniel.roe.ch
verify return:1
DONE
test -r session.pem
make[1]: *** [GNUmakefile:117: session.pem] Error 1
make[1]: Leaving directory '/build/sslsplit/src/sslsplit-0.5.2/extra/pki'
make: *** [GNUmakefile:429: test] Error 2
==> ERROR: A failure occurred in check().
    Aborting...
==> ERROR: Build failed, check /var/lib/archbuild/staging-x86_64/foutrelis/build

droe commented 4 years ago

This was fixed in 0.5.4, please ask your distribution to upgrade their port/package files to the latest release containing the fix, or build manually from source.
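
For anyone who still needs to regenerate a session fixture locally, here is a sketch of the `session.pem` step that fails in both reports above, with a parse check and a retry pinned to TLS 1.2. It is an added example, not SSLsplit's GNUmakefile or the fix shipped in 0.5.4. It assumes the file goes missing because TLS 1.3 delivers session tickets only after the handshake (the thread does not confirm this); the helper names, the throw-away certificate and the use of 127.0.0.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SSLsplit repository). All function names are
# hypothetical; the certificate is a constructed, throw-away self-signed one.

make_test_cert() {
    # $1 = work dir. Writes server.pem (cert + key), like extra/pki does.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=localhost' \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1 || return 1
    cat "$1/server.crt" "$1/server.key" >"$1/server.pem"
}

capture_session() {
    # $1 = work dir, $2 = port, remaining args = extra s_client flags.
    dir=$1; port=$2; shift 2
    rm -f "$dir/session.pem"
    openssl s_server -accept "$port" -cert "$dir/server.pem" -quiet \
        >/dev/null 2>&1 &
    pid=$!
    sleep 1
    # Same client invocation as in the logs above, plus any extra flags.
    echo q | openssl s_client -connect "127.0.0.1:$port" \
        -quiet -no_ign_eof -sess_out "$dir/session.pem" "$@" \
        >/dev/null 2>&1 || true
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    # "test -r" alone only proves a file exists; also require that it parses.
    test -r "$dir/session.pem" &&
        openssl sess_id -in "$dir/session.pem" -noout -text >/dev/null 2>&1
}

session_protocol() {
    # $1 = session file. Prints e.g. "TLSv1.2".
    openssl sess_id -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Protocol/ { print $2; exit }'
}

regen_session_fixture() {
    # $1 = work dir, $2 = port. Try the default negotiation first; if no
    # usable session file appears, retry on the next port with TLS 1.2 forced.
    capture_session "$1" "$2" ||
        capture_session "$1" "$(($2 + 1))" -tls1_2 || return 1
    session_protocol "$1/session.pem"
}
```

A fixture captured this way still ages past its session timeout, which is why the develop branch overrides the session timestamp when loading the committed file.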