mamchits / phantom

I/O engine with some modules
GNU Lesser General Public License v2.1

Phantom doesn't run with some OpenSSL cipher suites #15

Open burthen opened 8 years ago

burthen commented 8 years ago

Consider we have Phantom config file which contains such a section (with GOST cipher string from man ciphers):

    transport_t ssl_transport = transport_ssl_t {
      auth = NULL
      ciphers = "GOST2001-GOST89-GOST89"
      timeout = 1s
    }

We assume also, that cipher string mentioned above is known by openssl library:

$ openssl ciphers | grep -oP "GOST.+?:"
GOST2001-GOST89-GOST89:
GOST94-GOST89-GOST89:

Then, if we build Phantom from the current state of the public repo and check this config, we receive the following error:

$ ./phantom check openssl_min.conf 
2016-07-05 11:37:27.070 +0300 [error] [] SSL error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
2016-07-05 11:37:27.070 +0300 [error] [] SSL_CTX_set_cipher_list

But, if we add including OpenSSL config <openssl/conf.h> and initializing it in pd/ssl/ssl.C, for instance, like this:

$ git diff pd/ssl/ssl.C
diff --git a/pd/ssl/ssl.C b/pd/ssl/ssl.C
index a0c9774..77c8c47 100644
--- a/pd/ssl/ssl.C
+++ b/pd/ssl/ssl.C
@@ -17,6 +17,7 @@
 #include <openssl/crypto.h>
 #include <openssl/ssl.h>
 #include <openssl/engine.h>
+#include <openssl/conf.h>

 namespace pd {

@@ -48,6 +49,7 @@ struct mgr_t {
        }

        inline mgr_t() throw() {
+              OPENSSL_config(NULL);
                SSL_library_init();
                SSL_load_error_strings();
                ENGINE_load_builtin_engines();
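Review bot: `OPENSSL_config(NULL)` in the `mgr_t()` constructor returns no status, so the constructor cannot tell whether the configuration that presumably registers the GOST ciphers actually loaded, and how a malformed openssl.cnf is handled is left to the OpenSSL version in use. The alternative the issue text already mentions is the better fit: `if (CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { /* report the ERR queue */ }`, reported through the logger rather than thrown because the constructor is declared `throw()`. The call also deserves a comment stating the trust it adds, for example `// Loads the default OpenSSL config (openssl.cnf or $OPENSSL_CONF); engine sections in it can load shared objects into this process.` The constructor body continues outside the hunk.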

(or it could be more precisely done with CONF_modules_load_file) then the check would be successful:

$ ./phantom check openssl_min.conf 
setup_t module_setup = setup_module_t {
  dir = "../lib/phantom"
  list = {
    io_monitor
    io_benchmark
    io_benchmark_method_stream
    io_benchmark_method_stream_ipv4
    io_benchmark_method_stream_ipv6
    io_benchmark_method_stream_source_log
    io_benchmark_method_stream_proto_none
    io_benchmark_method_stream_proto_http
    ssl
    io_benchmark_method_stream_transport_ssl
  }
}
setup_t stat_setup = setup_stat_t {
  list = {
    default
  }
}
scheduler_t main_scheduler = scheduler_simple_t {
  threads = 13
  limit = unlimited
  event_buf_size = 20
  timeout_prec = 001
  tname = ""
  policy = other
  priority = 0
}
logger_t phantom_logger = logger_file_t {
  level = info
  filename = "../logs/phantom_S61foA.log"
  check_interval = 1s
  scheduler = main_scheduler
}
logger = phantom_logger
io_t benchmark_io = io_benchmark_t {
  instances = 50
  method_t stream_method = method_stream_ipv4_t {
    address = 10.242.232.161
    port = 443
    bind = {
      10.242.232.161
    }
    cork = true
    timeout = 4s
    ibuf_size = 4K
    obuf_size = 1K
    source_t source_log = source_log_t {
      filename = "ammo_min.stpd"
      ibuf_size = 1M
    }
    source = source_log
    transport_t ssl_transport = transport_ssl_t {
      auth = NULL
      ciphers = "GOST2001-GOST89-GOST89"
      timeout = 1s
    }
    transport = ssl_transport
    proto_t http_proto0 = proto_http_t {
      reply_limits = {
        line = 1K
        field_num = 128
        field = 8K
        entity = 8M
      }
    }
    proto_t none_proto = proto_none_t {
    }
    proto = http_proto0
    logger_t benchmark_logger = logger_default_t {
      filename = "../logs/answ_g9SMcT.log"
      check_interval = 1s
      scheduler = main_scheduler
      level = all
    }
    logger_t brief_logger = logger_brief_t {
      time_format = unix
      filename = "../logs/phout_M1oBul.log"
      check_interval = 1s
      scheduler = main_scheduler
      level = all
    }
    loggers = {
      brief_logger
      benchmark_logger
    }
  }
  method = stream_method
  times_t simple_times = times_simple_t {
    max = 4s
    min = 001
    steps = 20
  }
  times = simple_times
  scheduler = main_scheduler
}
io_t monitor_io = io_monitor_t {
  clear = true
  period = 1m40s
  list = {
    main_scheduler
    benchmark_io
  }
  stat_id = default
  filename = "../logs/phantom_stat_0WNG5O.log"
  check_interval = 1s
  scheduler = main_scheduler
}

and we can run it. :-)

config file and small ammo .zip

nnugumanov commented 8 years ago

https://github.com/yandex-load/phantom/pull/4