c++ - Open Pegasus 2.14.1 client connection issue
I am building a new version of the Open Pegasus client (2.14.1). Unfortunately I'm facing build issues. Does anybody know a workaround for these issues?
My environment is:
- OS: Windows 8.1 Enterprise
- make version: GNU Make 3.81
- Pegasus sources version: 2.14.1
- OpenSSL version: 1.0.2a
My scenario is quite easy:
- I have downloaded the source code of Open Pegasus 2.14.1
- I have downloaded the OpenSSL binaries (actual version v1.0.2a).
After extraction of the Pegasus source code I set up the environment with these settings:

    call "C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\bin\vcvars32.bat"
    set PEGASUS_ROOT=D:/dev/pegasus-2.14.1/pegasus
    set PEGASUS_HOME=%PEGASUS_ROOT%
    set PEGASUS_PLATFORM=WIN32_IX86_MSVC
    set PATH=%PATH%;%PEGASUS_HOME%\bin
    set OPENSSL_HOME=D:/dev/openssl-win32
    set PEGASUS_HAS_SSL=true

The next step is building the mu.exe tool. So, I have executed "make buildmu" => the build was fine, and I copied it to the "/bin" folder. Then I build Pegasus like so: "make build" => after some time I got this error:
    Message.cpp(433) : error C2065: 'magic' : undeclared identifier
I tried to fix the problem. I found the magic constant defined in the \pegasus-2.14.1\pegasus\src\Pegasus\Common\Linkable.h file and had 2 options: a) switch the build configuration to debug (set PEGASUS_DEBUG=true), b) remove the debug condition on line 62 in the Linkable.h file. Then I tried to build Pegasus again, but unfortunately got this error:
    error LNK2005: _OPENSSL_Applink already defined in SSLContext.obj
At this point I have no clue how to fix the problem. I tried to remove these lines:

    #ifdef PEGASUS_OS_TYPE_WINDOWS
    # include <openssl/applink.c>
    #endif

from the SSLContextRep.h file. After this modification I was able to build the Pegasus client binaries. These binaries work without SSL, but when I want to use SSL communication I get this error: "Pegasus Exception: 'Cannot connect to 10.199.1.139:5989. Connection failed.'". I assume this is because of the code modification in SSLContextRep.h.
Output of the Pegasus tracer:

    SSL: Not connected 1 error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available
    SSL: Deleted SSL socket
Does anybody know what can be wrong? Or does anybody have their own (better) environment configuration steps for a Windows build of OpenPegasus?
Many thanks in advance for any kind of help.
EDIT:
I need to be able to work without certificates, because I'm using SSL communication with various storage arrays and I don't have certificates. Therefore I'm using this constructor of SSLContext:

    SSLContext sslContext(String::EMPTY, NULL, String::EMPTY);

This approach works fine for me in OpenPegasus version 2.13.
> Output of the Pegasus tracer:
>
>     SSL: Not connected 1 error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available
>     SSL: Deleted SSL socket

Here's where the message is coming from:

    $ grep -nR "Deleted SSL socket" *
    src/Pegasus/Common/TLS.cpp:172:    PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Deleted SSL socket");

And the code around line 172:

    SSLSocket::~SSLSocket()
    {
        PEG_METHOD_ENTER(TRC_SSL, "SSLSocket::~SSLSocket()");

        close();
        delete static_cast<SharedPtr<X509_STORE, FreeX509STOREPtr>*>(_crlStore);
        SSL_free(static_cast<SSL*>(_SSLConnection));

        PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Deleted SSL socket");

        PEG_METHOD_EXIT();
    }

If you look in .../src/Pegasus/Common/SSLContext.cpp, you will see:

    SSL_CTX* SSLContextRep::_makeSSLContext()
    {
        PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()");

        //
        // create SSL context area
        //
        SSL_CTX *sslContext = NULL;
        if (!(sslContext = SSL_CTX_new(SSLv23_method())))
        {
            PEG_METHOD_EXIT();
            MessageLoaderParms parms(
                "Common.SSLContext.COULD_NOT_GET",
                "Could not get SSL CTX");
            throw SSLException(parms);
        }

        int options = SSL_OP_ALL;
        SSL_CTX_set_options(sslContext, options);

        if (_sslCompatibility == false)
        {
    #ifdef TLS1_2_VERSION
            // Enable TLSv1.2 and disable every other protocol (SSL v2, SSL v3,
            // TLS v1.0, TLSv1.1)
            options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv3;
    #else
            PEG_METHOD_EXIT();
            MessageLoaderParms parms(
                "Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED",
                "TLSv1.2 protocol support is not detected on this system. "
                " To run in less secured mode, set sslBackwardCompatibility=true"
                " in planned config file and start cimserver.");
            throw SSLException(parms);
    #endif
        }

        // SSLv2 is off permanently even if sslCompatibility is true
        options |= SSL_OP_NO_SSLv2;
        SSL_CTX_set_options(sslContext, options);

    #ifdef PEGASUS_SSL_WEAKENCRYPTION
        if (!(SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40)))
        {
            SSL_CTX_free(sslContext);
            sslContext = NULL;
            MessageLoaderParms parms(
                "Common.SSLContext.COULD_NOT_SET_CIPHER_LIST",
                "Could not set the cipher list");
            throw SSLException(parms);
        }
    #endif

        if (_cipherSuite.size() != 0)
        {
            if (!(SSL_CTX_set_cipher_list(sslContext, _cipherSuite.getCString())))
            {
                SSL_CTX_free(sslContext);
                sslContext = NULL;
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,
                    "---> SSL: Cipher Suite could not be specified");
                MessageLoaderParms parms(
                    "Common.SSLContext.COULD_NOT_SET_CIPHER_LIST",
                    "Could not set the cipher list");
                throw SSLException(parms);
            }
            else
            {
                PEG_TRACE((TRC_SSL, Tracer::LEVEL3,
                    "---> SSL: Cipher Suite has been set to %s",
                    (const char *)_cipherSuite.getCString()));
            }
        }
        ...
    }
I would ditch that function for two reasons, and add the following instead.
First, it is one of those amorphic routines written for both client and server. I have found from experience with OpenSSL that it is better to have separate functions SSL_CTX* GetClientContext() and SSL_CTX* GetServerContext().
Second, from a security engineering perspective, don't allow folks to do bad things like PEGASUS_SSL_WEAKENCRYPTION or an empty cipher list. Take the gun away so they can't shoot themselves in the foot.
    SSL_CTX* SSLContextRep::_makeSSLContext()
    {
        PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()");

        SSL_CTX *sslContext = NULL;
        if (!(sslContext = SSL_CTX_new(SSLv23_method())))
        {
            PEG_METHOD_EXIT();
            MessageLoaderParms parms(
                "Common.SSLContext.COULD_NOT_GET",
                "Could not get SSL CTX");
            throw SSLException(parms);
        }

        // TLS 1.0 and above. No compression because it leaks information.
        static const long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
        SSL_CTX_set_options(sslContext, options);

        const char* const PREFERRED_CIPHERS = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
        // An SSL_CTX* takes SSL_CTX_set_cipher_list (SSL_set_cipher_list wants an SSL*).
        int res = SSL_CTX_set_cipher_list(sslContext, PREFERRED_CIPHERS);
        if (res != 1)
        {
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,
                "---> SSL: Cipher Suite could not be specified");
            MessageLoaderParms parms(
                "Common.SSLContext.COULD_NOT_SET_CIPHER_LIST",
                "Could not set the cipher list");
            // Release the context on this error path, as the other paths below do.
            SSL_CTX_free(sslContext);
            sslContext = NULL;
            PEG_METHOD_EXIT();
            throw SSLException(parms);
        }

        // Keep this stuff
        SSL_CTX_set_quiet_shutdown(sslContext, 1);
        SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY);
        SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE);
        SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF);
        SSL_CTX_set_mode(sslContext, SSL_MODE_RELEASE_BUFFERS);

        // Gutting. Don't allow VERIFY_PEER_NONE.
        {
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                "---> SSL: Certificate verification callback specified");
            SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER, prepareForCallback);
        }

        // More gutting. Certificates have to be verified.
        if (_trustStore.size() == 0)
        {
            PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
                "---> SSL: Could not load certificates from the "
                "trust store: %s", (const char*)_trustStore.getCString()));
            MessageLoaderParms parms(
                "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES",
                "Could not load certificates in to trust store.");
            SSL_CTX_free(sslContext);
            sslContext = NULL;
            PEG_METHOD_EXIT();
            throw SSLException(parms);
        }

        if (!SSL_CTX_load_verify_locations(
                sslContext, _trustStore.getCString(), NULL))
        {
            PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
                "---> SSL: Could not load certificates from the "
                "trust store: %s", (const char*)_trustStore.getCString()));
            MessageLoaderParms parms(
                "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES",
                "Could not load certificates in to trust store.");
            SSL_CTX_free(sslContext);
            sslContext = NULL;
            PEG_METHOD_EXIT();
            throw SSLException(parms);
        }

        // I'm not sure about CRLs. DoS waiting to happen....
        if (_crlPath.size() != 0)
        {
            // need to save this -- can we make it static since there's
            // only 1 CRL for cimserver?
            X509_LOOKUP* pLookup;

            _crlStore.reset(X509_STORE_new());
            if (_crlStore.get() == NULL)
            {
                SSL_CTX_free(sslContext);
                sslContext = NULL;
                PEG_METHOD_EXIT();
                throw PEGASUS_STD(bad_alloc)();
            }

            // the validity of the crlStore is checked in ConfigManager
            // during server startup
            if (FileSystem::isDirectory(_crlPath))
            {
                PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
                    "---> SSL: CRL store is a directory in %s",
                    (const char*)_crlPath.getCString()));

                if ((pLookup = X509_STORE_add_lookup(
                        _crlStore.get(), X509_LOOKUP_hash_dir())) == NULL)
                {
                    MessageLoaderParms parms(
                        "Common.SSLContext.COULD_NOT_LOAD_CRLS",
                        "Could not load certificate revocation list.");
                    _crlStore.reset();
                    SSL_CTX_free(sslContext);
                    sslContext = NULL;
                    PEG_METHOD_EXIT();
                    throw SSLException(parms);
                }

                X509_LOOKUP_add_dir(
                    pLookup, (const char*)_crlPath.getCString(), X509_FILETYPE_PEM);

                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,
                    "---> SSL: Configured CRL directory");
            }
            else
            {
                PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
                    "---> SSL: CRL store is the file %s",
                    (const char*)_crlPath.getCString()));

                if ((pLookup = X509_STORE_add_lookup(
                        _crlStore.get(), X509_LOOKUP_file())) == NULL)
                {
                    MessageLoaderParms parms(
                        "Common.SSLContext.COULD_NOT_LOAD_CRLS",
                        "Could not load certificate revocation list.");
                    _crlStore.reset();
                    SSL_CTX_free(sslContext);
                    sslContext = NULL;
                    PEG_METHOD_EXIT();
                    throw SSLException(parms);
                }

                X509_LOOKUP_load_file(
                    pLookup, (const char*)_crlPath.getCString(), X509_FILETYPE_PEM);

                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                    "---> SSL: Configured CRL file");
            }
        }

        // Gut the server specific certificate and key routines since this is a client.

        PEG_METHOD_EXIT();
        return sslContext;
    }
TLS 1.2 and AEAD cipher suites are a very good choice. However, for all intents and purposes, TLS 1.0 and above is fine.
I think this might be the cause of the 0x140740BF in the client. It's SSLContext.cpp, line 824:

    SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, prepareForCallback);

It looks like the server requires a certificate.
... though that would be a different TLS alert.
And the sources do not call SSL_set_tlsext_host_name, so SNI appears to be broken. You should file a bug report for that one...

    $ grep -nR SSL_set_tlsext_host_name *
    $

You have to figure out where the client makes the connection, and set the SSL* option:

    SSL_set_tlsext_host_name(ssl, hostname);

Somewhere around SSLSocket::SSLSocket might be a good choice because the constructor takes a string and the SSLConnection is available in the ctor.

    SSLSocket::SSLSocket(
        SocketHandle socket,
        SSLContext * sslContext,
        ReadWriteSem * sslContextObjectLock,
        const String& ipAddress)

But I'm pretty sure you need the DNS name and not the IP address, because multiplexing of different servers on the same IP is what caused the need for SNI in the first place.
But I could be wrong, and const String& ipAddress could be the DNS name.
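The client-side policy laid out in this answer (no VERIFY_PEER_NONE, a trust store that must be present, the strong cipher string, no SSLv2/SSLv3/compression) together with its SNI point, as an added example that is not part of the question or the answer and is not OpenPegasus code. It uses Python's ssl module, which sets the same OpenSSL SSL_CTX options the C++ above sets, so it runs without the Pegasus tree. Assumptions: the trust directory it creates is an empty, constructed placeholder (a real client would point at the CA bundle for the storage arrays); array01.example.net is a made-up host name; the TLS 1.2 floor follows the answer's recommendation rather than the TLS-1.0-and-up setting in its code; and the error-code decoder applies the OpenSSL 1.0.x ERR_PACK layout to the 140740BF from the question's trace.

```python
"""Hardened TLS client policy in the spirit of the answer's _makeSSLContext rewrite."""
import ipaddress
import os
import socket
import ssl
import tempfile

# Cipher string from the answer: strong suites only, no anonymous key exchange,
# no static RSA key transport (kRSA), no PSK/SRP, no MD5, no RC4.
PREFERRED_CIPHERS = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"


def build_client_context(trust_store: str) -> ssl.SSLContext:
    """Client-only context: peer verification is mandatory and a trust store
    must be supplied (the answer's 'no VERIFY_PEER_NONE' and 'empty trust
    store is an error' changes)."""
    if not trust_store:
        raise ValueError("refusing to create a TLS context without a trust store")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Same bits the answer hands to SSL_CTX_set_options: no SSLv2, no SSLv3,
    # no TLS compression (it leaks information about the plaintext).
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    # Protocol floor: TLS 1.2, the answer's "very good choice". minimum_version
    # replaces the SSL_OP_NO_TLSv1* bits; 'no protocols available' (the trace's
    # 140740BF) is what OpenSSL 1.0.x reports when every version is switched off.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PREFERRED_CIPHERS)  # raises ssl.SSLError if nothing matches
    # SSL_VERIFY_PEER plus hostname matching; never SSL_VERIFY_NONE.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Pegasus passes a file; a hashed directory is accepted too, as its CRL code does.
    if os.path.isdir(trust_store):
        ctx.load_verify_locations(capath=trust_store)
    else:
        ctx.load_verify_locations(cafile=trust_store)
    return ctx


def cipher_policy_violations(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites the policy should have excluded (empty when OK)."""
    bad = []
    for cipher in ctx.get_ciphers():
        name, tokens = cipher["name"], cipher["description"].split()
        if any(t in name for t in ("RC4", "MD5", "NULL")) or "Kx=RSA" in tokens:
            bad.append(name)
    return bad


def sni_name_for(host: str):
    """RFC 6066 forbids IP literals in server_name, which is why the answer says
    SNI needs the DNS name and not the address Pegasus passes around.
    Returns None when no SNI value can be sent for this host."""
    candidate = host.rstrip(".")
    try:
        ipaddress.ip_address(candidate.strip("[]"))
        return None
    except ValueError:
        return candidate or None


def open_tls_connection(ctx: ssl.SSLContext, host: str, port: int = 5989, timeout: float = 10.0):
    """Connect the way a fixed SSLSocket ctor should: SNI carries the DNS name
    (SSL_set_tlsext_host_name) and the certificate is matched against it."""
    server_name = sni_name_for(host)
    if server_name is None:
        raise ValueError(f"{host!r} is an IP literal; SNI and hostname matching need the DNS name")
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=server_name)


def decode_openssl_1_0_error(code: int) -> dict:
    """Split a packed OpenSSL 1.0.x error code (8-bit library, 12-bit function,
    12-bit reason). For 0x140740BF: library 0x14 is ERR_LIB_SSL and reason 0xBF
    is the 'no protocols available' reason printed in the question's trace."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def self_check() -> dict:
    """Offline demonstration against a constructed, empty trust directory."""
    with tempfile.TemporaryDirectory(prefix="constructed-trust-") as trust_dir:
        ctx = build_client_context(trust_dir)
    try:
        build_client_context("")
        empty_rejected = False
    except ValueError:
        empty_rejected = True
    return {
        "empty_trust_store_rejected": empty_rejected,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "min_version_tls12": ctx.minimum_version == ssl.TLSVersion.TLSv1_2,
        "cipher_violations": cipher_policy_violations(ctx),
        "sni_for_ip": sni_name_for("10.199.1.139"),
        "sni_for_name": sni_name_for("array01.example.net."),
        "trace_error": decode_openssl_1_0_error(0x140740BF),
    }


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```

The question's "work without certificates" constructor is exactly what this policy refuses: with no trust store there is nothing to verify the array's certificate against, and the connection would be open to interception. The practical route is to export each array's server or CA certificate once and load that as the trust store; open_tls_connection then also rejects an IP literal such as the 10.199.1.139 in the question, because SNI and hostname matching only work with the DNS name.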