From 90270f0959d490d56db891809d83c91b3d4b9bf0 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Wed, 18 Dec 2024 19:37:40 +0100 Subject: hashes, methods: Add OpenSSL backends Introduce an OpenSSL::Crypto backend for the hashes library and an OpenSSL::SSL backend for the TLS support in our https method. Many thanks to curl for showing the way with how to handle a CRL file. There are some memory leaks here with the TlsFd itself as well as the proxy support; and we should reorganize the code to generate the ssl object as late as possible. A peculiar aspect of OpenSSL is that SSL_has_pending() returns 1 even if SSL_read() will fail to read anything and return the equivalent of EAGAIN. We work around this here by also peeking ahead 1 byte. I was running a very high RTT connection from Germany to Australia for testing, and with the peeking it's using negligible amounts of CPU; before that, it was busy looping at 100%. Bad OpenSSL! --- CMake/config.h.in | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CMake') diff --git a/CMake/config.h.in b/CMake/config.h.in index 8346a5e9e..db22ac0a2 100644 --- a/CMake/config.h.in +++ b/CMake/config.h.in @@ -32,6 +32,9 @@ /* Define if we have the seccomp library */ #cmakedefine HAVE_SECCOMP +/* Define if we want to use the openssl libraries */ +#cmakedefine WITH_OPENSSL + /* These two are used by the statvfs shim for glibc2.0 and bsd */ /* Define if we have sys/vfs.h */ #cmakedefine HAVE_VFS_H -- cgit v1.2.3-70-g09d2 From 7b1fb90b93ced7c0772d726e512da01fad456852 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Sat, 21 Dec 2024 15:26:34 +0100 Subject: Remove GnuTLS and gcrypt support OpenSSL is mandatory now, it is no longer possible to build without https support either. --- CMake/FindGCRYPT.cmake | 25 ----- CMake/config.h.in | 6 -- CMakeLists.txt | 13 +-- apt-pkg/CMakeLists.txt | 8 +- apt-pkg/contrib/hashes.cc | 140 ------------------------- methods/CMakeLists.txt | 11 +- methods/connect.cc | 259 ---------------------------------------------- methods/http.cc | 15 --- 8 files changed, 6 insertions(+), 471 deletions(-) delete mode 100644 CMake/FindGCRYPT.cmake (limited to 'CMake') diff --git a/CMake/FindGCRYPT.cmake b/CMake/FindGCRYPT.cmake deleted file mode 100644 index 56bfc9fef..000000000 --- a/CMake/FindGCRYPT.cmake +++ /dev/null @@ -1,25 +0,0 @@ -# - Try to find GCRYPT -# Once done, this will define -# -# GCRYPT_FOUND - system has GCRYPT -# GCRYPT_INCLUDE_DIRS - the GCRYPT include directories -# GCRYPT_LIBRARIES - the GCRYPT library -find_package(PkgConfig) - -pkg_check_modules(GCRYPT_PKGCONF libgcrypt) - -find_path(GCRYPT_INCLUDE_DIRS - NAMES gcrypt.h - PATHS ${GCRYPT_PKGCONF_INCLUDE_DIRS} -) - - -find_library(GCRYPT_LIBRARIES - NAMES gcrypt - PATHS ${GCRYPT_PKGCONF_LIBRARY_DIRS} -) - -include(FindPackageHandleStandardArgs) -find_package_handle_standard_args(GCRYPT DEFAULT_MSG GCRYPT_INCLUDE_DIRS GCRYPT_LIBRARIES) - -mark_as_advanced(GCRYPT_INCLUDE_DIRS GCRYPT_LIBRARIES) diff --git a/CMake/config.h.in b/CMake/config.h.in index db22ac0a2..ced74d8d8 100644 --- a/CMake/config.h.in +++ b/CMake/config.h.in @@ -5,9 +5,6 @@ /* Define if we have the timegm() function */ #cmakedefine HAVE_TIMEGM -/* Define if we have the gnutls library for TLS */ -#cmakedefine HAVE_GNUTLS - /* Define if we have the zlib library for gzip */ #cmakedefine HAVE_ZLIB @@ -32,9 +29,6 @@ /* Define if we have the seccomp library */ #cmakedefine HAVE_SECCOMP -/* Define if we want to use the openssl libraries */ -#cmakedefine WITH_OPENSSL - /* These two are used by the statvfs shim for glibc2.0 and bsd */ /* Define if we have sys/vfs.h */ #cmakedefine HAVE_VFS_H diff --git a/CMakeLists.txt b/CMakeLists.txt index f2433c6c8..af2ec3a86 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -12,7 +12,6 @@ enable_testing() option(REQUIRE_MERGED_USR "Require merged-usr." ON) option(WITH_DOC "Build all documentation." ON) -option(WITH_OPENSSL "Build all documentation." ON) include(CMakeDependentOption) cmake_dependent_option(WITH_DOC_MANPAGES "Force building manpages." OFF "NOT WITH_DOC" OFF) cmake_dependent_option(WITH_DOC_GUIDES "Force building guides." OFF "NOT WITH_DOC" OFF) @@ -93,14 +92,7 @@ if (BERKELEY_FOUND) set(HAVE_BDB 1) endif() -if (WITH_OPENSSL) - find_package(OpenSSL REQUIRED) -else() - find_package(GnuTLS) - if (GNUTLS_FOUND) - set(HAVE_GNUTLS 1) - endif() -endif() +find_package(OpenSSL REQUIRED) # (De)Compressor libraries find_package(ZLIB REQUIRED) @@ -146,9 +138,6 @@ if (SECCOMP_FOUND) set(HAVE_SECCOMP 1) endif() -if (NOT HAVE_GNUTLS AND NOT WITH_OPENSSL) - find_package(GCRYPT REQUIRED) -endif() find_package(XXHASH REQUIRED) # Mount()ing and stat()ing and friends diff --git a/apt-pkg/CMakeLists.txt b/apt-pkg/CMakeLists.txt index 88f07fb79..4c036cc67 100644 --- a/apt-pkg/CMakeLists.txt +++ b/apt-pkg/CMakeLists.txt @@ -56,9 +56,7 @@ target_include_directories(apt-pkg $<$:${UDEV_INCLUDE_DIRS}> $<$:${SYSTEMD_INCLUDE_DIRS}> ${ICONV_INCLUDE_DIRS} - $<$:${OPENSSL_INCLUDE_DIRS}> - $<$:${GNUTLS_INCLUDE_DIRS}> - $<$:${GCRYPT_INCLUDE_DIRS}> + ${OPENSSL_INCLUDE_DIRS} $<$:${XXHASH_INCLUDE_DIRS}> ) @@ -73,9 +71,7 @@ target_link_libraries(apt-pkg $<$:${UDEV_LIBRARIES}> $<$:${SYSTEMD_LIBRARIES}> ${ICONV_LIBRARIES} - $<$:OpenSSL::Crypto> - $<$:${GNUTLS_LIBRARIES}> - $<$:${GCRYPT_LIBRARIES}> + OpenSSL::Crypto $<$:${XXHASH_LIBRARIES}> ) set_target_properties(apt-pkg PROPERTIES VERSION ${MAJOR}.${MINOR}) diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc index 664ad0ac7..c7a4ab0e7 100644 --- a/apt-pkg/contrib/hashes.cc +++ b/apt-pkg/contrib/hashes.cc @@ -30,13 +30,7 @@ #include #include -#if defined(WITH_OPENSSL) #include -#elif defined(HAVE_GNUTLS) -#include -#else -#include -#endif /*}}}*/ const char * HashString::_SupportedHashes[] = @@ -331,7 +325,6 @@ class PrivateHashes unsigned long long FileSize{0}; private: -#if defined(WITH_OPENSSL) std::array contexts{}; public: @@ -398,139 +391,6 @@ class PrivateHashes EVP_MD_CTX_free(ctx); } -#elif defined(HAVE_GNUTLS) - std::array, 4> digs{}; - - public: - struct HashAlgo - { - size_t index; - const char *name; - gnutls_digest_algorithm_t gnuTlsAlgo; - Hashes::SupportedHashes ourAlgo; - }; - - static constexpr std::array Algorithms{ - HashAlgo{0, "MD5Sum", GNUTLS_DIG_MD5, Hashes::MD5SUM}, - HashAlgo{1, "SHA1", GNUTLS_DIG_SHA1, Hashes::SHA1SUM}, - HashAlgo{2, "SHA256", GNUTLS_DIG_SHA256, Hashes::SHA256SUM}, - HashAlgo{3, "SHA512", GNUTLS_DIG_SHA512, Hashes::SHA512SUM}, - }; - - bool Write(unsigned char const *Data, size_t Size) - { - for (auto &dig : digs) - { - if (dig) - gnutls_hash(*dig, Data, Size); - } - return true; - } - - std::string HexDigest(HashAlgo const &algo) - { - auto Size = gnutls_hash_get_len(algo.gnuTlsAlgo); - unsigned char Sum[Size]; - if (auto copy = gnutls_hash_copy(*digs[algo.index])) - gnutls_hash_deinit(copy, &Sum); - return ::HexDigest(std::basic_string_view(Sum, Size)); - } - bool Enable(HashAlgo const &algo) - { - digs[algo.index].emplace(); - if (gnutls_hash_init(&*digs[algo.index], algo.gnuTlsAlgo) == 0) - return true; - digs[algo.index] = std::nullopt; - return false; - } - bool IsEnabled(HashAlgo const &algo) - { - return bool{digs[algo.index]}; - } - - explicit PrivateHashes() {} - ~PrivateHashes() - { - for (auto &dig : digs) - { - if (dig) - gnutls_hash_deinit(*dig, nullptr); - } - } -#else - gcry_md_hd_t hd; - - void maybeInit() - { - - // Yikes, we got to initialize libgcrypt, or we get warnings. But we - // abstract away libgcrypt in Hashes from our users - they are not - // supposed to know what the hashing backend is, so we can't force - // them to init themselves as libgcrypt folks want us to. So this - // only leaves us with this option... - if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) - { - if (!gcry_check_version(nullptr)) - { - fprintf(stderr, "libgcrypt is too old (need %s, have %s)\n", - "nullptr", gcry_check_version(NULL)); - exit(2); - } - - gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); - } - } - - public: - struct HashAlgo - { - const char *name; - int gcryAlgo; - Hashes::SupportedHashes ourAlgo; - }; - - static constexpr std::array Algorithms{ - HashAlgo{"MD5Sum", GCRY_MD_MD5, Hashes::MD5SUM}, - HashAlgo{"SHA1", GCRY_MD_SHA1, Hashes::SHA1SUM}, - HashAlgo{"SHA256", GCRY_MD_SHA256, Hashes::SHA256SUM}, - HashAlgo{"SHA512", GCRY_MD_SHA512, Hashes::SHA512SUM}, - }; - - bool Write(unsigned char const *Data, size_t Size) - { - gcry_md_write(hd, Data, Size); - return true; - } - - std::string HexDigest(HashAlgo const &algo) - { - auto Size = gcry_md_get_algo_dlen(algo.gcryAlgo); - auto Sum = gcry_md_read(hd, algo.gcryAlgo); - return ::HexDigest(std::basic_string_view(Sum, Size)); - } - - bool Enable(HashAlgo const &Algo) - { - gcry_md_enable(hd, Algo.gcryAlgo); - return true; - } - bool IsEnabled(HashAlgo const &algo) - { - return gcry_md_is_enabled(hd, algo.gcryAlgo); - } - - explicit PrivateHashes() - { - maybeInit(); - gcry_md_open(&hd, 0, 0); - } - - ~PrivateHashes() - { - gcry_md_close(hd); - } -#endif - explicit PrivateHashes(unsigned int const CalcHashes) : PrivateHashes() { for (auto & Algo : Algorithms) diff --git a/methods/CMakeLists.txt b/methods/CMakeLists.txt index c27b1438b..beb08a81d 100644 --- a/methods/CMakeLists.txt +++ b/methods/CMakeLists.txt @@ -13,17 +13,12 @@ add_executable(http http.cc basehttp.cc $) add_executable(mirror mirror.cc) add_executable(rred rred.cc) -if (WITH_OPENSSL) - target_compile_definitions(connectlib PRIVATE ${OPENSSL_DEFINITIONS}) - target_include_directories(connectlib PRIVATE ${OPENSSL_INCLUDE_DIR}) -elseif (HAVE_GNUTLS) - target_compile_definitions(connectlib PRIVATE ${GNUTLS_DEFINITIONS}) - target_include_directories(connectlib PRIVATE ${GNUTLS_INCLUDE_DIR}) -endif() +target_compile_definitions(connectlib PRIVATE ${OPENSSL_DEFINITIONS}) +target_include_directories(connectlib PRIVATE ${OPENSSL_INCLUDE_DIR}) target_include_directories(http PRIVATE $<$:${SYSTEMD_INCLUDE_DIRS}>) # Additional libraries to link against for networked stuff -target_link_libraries(http $<$:OpenSSL::SSL> $<$:${GNUTLS_LIBRARIES}> $<$:${SYSTEMD_LIBRARIES}>) +target_link_libraries(http OpenSSL::SSL $<$:${SYSTEMD_LIBRARIES}>) target_link_libraries(rred apt-private) diff --git a/methods/connect.cc b/methods/connect.cc index fc1bd132c..b00e73eb7 100644 --- a/methods/connect.cc +++ b/methods/connect.cc @@ -21,13 +21,8 @@ #include #include -#ifdef WITH_OPENSSL #include #include -#elif defined(HAVE_GNUTLS) -#include -#include -#endif #include #include @@ -807,7 +802,6 @@ ResultState UnwrapSocks(std::string Host, int Port, URI Proxy, std::unique_ptr &Fd, return ResultState::SUCCESSFUL; } -#elif defined(HAVE_GNUTLS /*}}}*/ -// UnwrapTLS - Handle TLS connections /*{{{*/ -// --------------------------------------------------------------------- -/* Performs a TLS handshake on the socket */ -struct TlsFd final : public MethodFd -{ - std::unique_ptr UnderlyingFd; - gnutls_session_t session; - gnutls_certificate_credentials_t credentials; - std::string hostname; - unsigned long Timeout; - - int Fd() APT_OVERRIDE { return UnderlyingFd->Fd(); } - - ssize_t Read(void *buf, size_t count) APT_OVERRIDE - { - return HandleError(gnutls_record_recv(session, buf, count)); - } - ssize_t Write(void *buf, size_t count) APT_OVERRIDE - { - return HandleError(gnutls_record_send(session, buf, count)); - } - - ssize_t DoTLSHandshake() - { - int err; - // Do the handshake. Our socket is non-blocking, so we need to call WaitFd() - // accordingly. - do - { - err = gnutls_handshake(session); - if ((err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN) && - WaitFd(this->Fd(), gnutls_record_get_direction(session) == 1, Timeout) == false) - { - _error->Errno("select", "Could not wait for server fd"); - return err; - } - } while (err < 0 && gnutls_error_is_fatal(err) == 0); - - if (err < 0) - { - // Print reason why validation failed. - if (err == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) - { - gnutls_datum_t txt; - auto type = gnutls_certificate_type_get(session); - auto status = gnutls_session_get_verify_cert_status(session); - if (gnutls_certificate_verification_status_print(status, type, &txt, 0) == 0) - { - _error->Error("Certificate verification failed: %s", txt.data); - } - gnutls_free(txt.data); - } - _error->Error("Could not handshake: %s", gnutls_strerror(err)); - } - return err; - } - - template - T HandleError(T err) - { - // Server may request re-handshake if client certificates need to be provided - // based on resource requested - if (err == GNUTLS_E_REHANDSHAKE) - { - int rc = DoTLSHandshake(); - // Only reset err if DoTLSHandshake() fails. - // Otherwise, we want to follow the original error path and set errno to EAGAIN - // so that the request is retried. - if (rc < 0) - err = rc; - } - - if (err < 0 && gnutls_error_is_fatal(err)) - errno = EIO; - else if (err < 0) - errno = EAGAIN; - else - errno = 0; - return err; - } - - int Close() APT_OVERRIDE - { - auto err = HandleError(gnutls_bye(session, GNUTLS_SHUT_RDWR)); - auto lower = UnderlyingFd->Close(); - return err < 0 ? HandleError(err) : lower; - } - - bool HasPending() APT_OVERRIDE - { - return gnutls_record_check_pending(session) > 0; - } -}; - -ResultState UnwrapTLS(std::string const &Host, std::unique_ptr &Fd, - unsigned long const Timeout, aptMethod * const Owner, - aptConfigWrapperForMethods const * const OwnerConf) -{ - if (_config->FindB("Acquire::AllowTLS", true) == false) - { - _error->Error("TLS support has been disabled: Acquire::AllowTLS is false."); - return ResultState::FATAL_ERROR; - } - - int err; - TlsFd *tlsFd = new TlsFd(); - - tlsFd->hostname = Host; - tlsFd->UnderlyingFd = MethodFd::FromFd(-1); // For now - tlsFd->Timeout = Timeout; - - if ((err = gnutls_init(&tlsFd->session, GNUTLS_CLIENT | GNUTLS_NONBLOCK)) < 0) - { - _error->Error("Internal error: could not allocate credentials: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - FdFd *fdfd = dynamic_cast(Fd.get()); - if (fdfd != nullptr) - { - gnutls_transport_set_int(tlsFd->session, fdfd->fd); - } - else - { - gnutls_transport_set_ptr(tlsFd->session, Fd.get()); - gnutls_transport_set_pull_function(tlsFd->session, - [](gnutls_transport_ptr_t p, void *buf, size_t size) -> ssize_t { - return reinterpret_cast(p)->Read(buf, size); - }); - gnutls_transport_set_push_function(tlsFd->session, - [](gnutls_transport_ptr_t p, const void *buf, size_t size) -> ssize_t { - return reinterpret_cast(p)->Write((void *)buf, size); - }); - } - - if ((err = gnutls_certificate_allocate_credentials(&tlsFd->credentials)) < 0) - { - _error->Error("Internal error: could not allocate credentials: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - // Credential setup - std::string fileinfo = OwnerConf->ConfigFind("CaInfo", ""); - if (fileinfo.empty()) - { - // No CaInfo specified, use system trust store. - err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials); - if (err == 0) - Owner->Warning("No system certificates available. Try installing ca-certificates."); - else if (err < 0) - { - _error->Error("Could not load system TLS certificates: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - else - { - // CA location has been set, use the specified one instead - gnutls_certificate_set_verify_flags(tlsFd->credentials, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); - err = gnutls_certificate_set_x509_trust_file(tlsFd->credentials, fileinfo.c_str(), GNUTLS_X509_FMT_PEM); - if (err < 0) - { - _error->Error("Could not load certificates from %s (CaInfo option): %s", fileinfo.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - if (not OwnerConf->ConfigFind("IssuerCert", "").empty()) - { - _error->Error("The option '%s' is not supported anymore", "IssuerCert"); - return ResultState::FATAL_ERROR; - } - if (not OwnerConf->ConfigFind("SslForceVersion", "").empty()) - { - _error->Error("The option '%s' is not supported anymore", "SslForceVersion"); - return ResultState::FATAL_ERROR; - } - - // For client authentication, certificate file ... - std::string const cert = OwnerConf->ConfigFind("SslCert", ""); - std::string const key = OwnerConf->ConfigFind("SslKey", ""); - if (cert.empty() == false) - { - if ((err = gnutls_certificate_set_x509_key_file( - tlsFd->credentials, - cert.c_str(), - key.empty() ? cert.c_str() : key.c_str(), - GNUTLS_X509_FMT_PEM)) < 0) - { - _error->Error("Could not load client certificate (%s, SslCert option) or key (%s, SslKey option): %s", cert.c_str(), key.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - // CRL file - std::string const crlfile = OwnerConf->ConfigFind("CrlFile", ""); - if (crlfile.empty() == false) - { - if ((err = gnutls_certificate_set_x509_crl_file(tlsFd->credentials, - crlfile.c_str(), - GNUTLS_X509_FMT_PEM)) < 0) - { - _error->Error("Could not load custom certificate revocation list %s (CrlFile option): %s", crlfile.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - if ((err = gnutls_credentials_set(tlsFd->session, GNUTLS_CRD_CERTIFICATE, tlsFd->credentials)) < 0) - { - _error->Error("Internal error: Could not add certificates to session: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - if ((err = gnutls_set_default_priority(tlsFd->session)) < 0) - { - _error->Error("Internal error: Could not set algorithm preferences: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - if (OwnerConf->ConfigFindB("Verify-Peer", true)) - { - gnutls_session_set_verify_cert(tlsFd->session, OwnerConf->ConfigFindB("Verify-Host", true) ? tlsFd->hostname.c_str() : nullptr, 0); - } - - // set SNI only if the hostname is really a name and not an address - { - struct in_addr addr4; - struct in6_addr addr6; - - if (inet_pton(AF_INET, tlsFd->hostname.c_str(), &addr4) == 1 || - inet_pton(AF_INET6, tlsFd->hostname.c_str(), &addr6) == 1) - /* not a host name */; - else if ((err = gnutls_server_name_set(tlsFd->session, GNUTLS_NAME_DNS, tlsFd->hostname.c_str(), tlsFd->hostname.length())) < 0) - { - _error->Error("Could not set host name %s to indicate to server: %s", tlsFd->hostname.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - // Set the FD now, so closing it works reliably. - tlsFd->UnderlyingFd = std::move(Fd); - Fd.reset(tlsFd); - - // Do the handshake. - err = tlsFd->DoTLSHandshake(); - - if (err < 0) - return ResultState::TRANSIENT_ERROR; - - return ResultState::SUCCESSFUL; -} -#endif /*}}}*/ diff --git a/methods/http.cc b/methods/http.cc index 48c3d540d..678ce3952 100644 --- a/methods/http.cc +++ b/methods/http.cc @@ -428,9 +428,7 @@ ResultState HttpServerState::Open() Out.Reset(); Persistent = true; -#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL) bool tls = (ServerName.Access == "https" || APT::String::Endswith(ServerName.Access, "+https")); -#endif // Determine the proxy setting // Used to run AutoDetectProxy(ServerName) here, but we now send a Proxy @@ -455,7 +453,6 @@ ResultState HttpServerState::Open() { char *result = getenv("http_proxy"); Proxy = result ? result : ""; -#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL) if (tls == true) { char *result = getenv("https_proxy"); @@ -464,7 +461,6 @@ ResultState HttpServerState::Open() Proxy = result; } } -#endif } } @@ -478,13 +474,8 @@ ResultState HttpServerState::Open() if (Proxy.empty() == false) Owner->AddProxyAuth(Proxy, ServerName); -#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL) auto const DefaultService = tls ? "https" : "http"; auto const DefaultPort = tls ? 443 : 80; -#else - auto const DefaultService = "http"; - auto const DefaultPort = 80; -#endif if (Proxy.Access == "socks5h") { auto result = Connect(Proxy.Host, Proxy.Port, "socks", 1080, ServerFd, TimeOut, Owner); @@ -518,15 +509,12 @@ ResultState HttpServerState::Open() Port = Proxy.Port; Host = Proxy.Host; -#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL) if (Proxy.Access == "https" && Port == 0) Port = 443; -#endif } auto result = Connect(Host, Port, DefaultService, DefaultPort, ServerFd, TimeOut, Owner); if (result != ResultState::SUCCESSFUL) return result; -#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL) if (Host == Proxy.Host && Proxy.Access == "https") { aptConfigWrapperForMethods ProxyConf{std::vector{"http", "https"}}; @@ -541,13 +529,10 @@ ResultState HttpServerState::Open() if (result != ResultState::SUCCESSFUL) return result; } -#endif } -#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL) if (tls) return UnwrapTLS(ServerName.Host, ServerFd, TimeOut, Owner, Owner); -#endif return ResultState::SUCCESSFUL; } -- cgit v1.2.3-70-g09d2