quassel-web: Work around SSL bug on Ubuntu 20.04+

Work around SSL/TLS bug on Ubuntu 20.04+ by disabling the "securecore" setting. As the core connection is via 'localhost', the potential impact is reduced. See magne4000/quassel-webserver#285 Also work around a Quassel Webserver bug where the "securecore" setting does not get applied by default if set to false. This can be dropped once the upstream pull request is merged. See magne4000/quassel-webserver#290
digitalcircuit · Jan 26, 2021 · c433a54 · c433a54
1 parent 90223bd
commit c433a54
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 0 deletions.
diff --git a/salt/files/server/chat/quassel/web/quassel-webserver-pull-290-fix-defaults-securecore.patch b/salt/files/server/chat/quassel/web/quassel-webserver-pull-290-fix-defaults-securecore.patch
@@ -0,0 +1,26 @@
+From bb608b4115c6d1f0741c8863616b36d50cb6e1ec Mon Sep 17 00:00:00 2001
+From: Shane Synan <[email protected]>
+Date: Mon, 25 Jan 2021 19:07:13 -0500
+Subject: [PATCH] settings: Fix ignoring 'securecore: false' default
+
+Don't use || to set default value for "securecore", instead check
+the type of the variable.  Otherwise, false evaluates to, well, false,
+and "securecore" can never be defaulted to false.  This fixes ignoring
+the custom default setting "securecore: false" in settings-user.json
+---
+ public/javascripts/angular-init.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/public/javascripts/angular-init.js b/public/javascripts/angular-init.js
+index 1c8fb2d..ee2df6c 100644
+--- a/public/javascripts/angular-init.js
++++ b/public/javascripts/angular-init.js
+@@ -157,7 +157,7 @@ angular.module('quassel', ['ngQuassel', 'ngAria', 'ngSanitize', 'ui.bootstrap',
+             set('port', data.settings.port);
+             set('initialBacklogLimit', data.settings.initialBacklogLimit);
+             set('backlogLimit', data.settings.backlogLimit);
+-            set('securecore', data.settings.securecore || true);
++            set('securecore', (typeof data.settings.securecore === 'boolean' ? data.settings.securecore : true));
+             set('theme', data.settings.theme);
+             set('perchathistory', data.settings.perchathistory);
+             set('displayfullhostmask', data.settings.displayfullhostmask);
diff --git a/salt/files/server/chat/quassel/web/settings-user.js b/salt/files/server/chat/quassel/web/settings-user.js
@@ -4,7 +4,17 @@ module.exports = {
         port: {{ salt['pillar.get']('server:chat:quassel:core:port', '4242') }},  // quasselcore port
         initialBacklogLimit: 20,  // Amount of backlogs to fetch per buffer on connection
         backlogLimit: 100,  // Amount of backlogs to fetch per buffer after first retrieval
+        {%- set brokenver_openssl = '1.1.1f' -%}
+        {%- set localver_openssl = salt['pkg.list_repo_pkgs']('openssl')['openssl'] |first() -%}
+        {% if grains.os_family == 'Debian' and salt['pkg.version_cmp'](localver_openssl, brokenver_openssl) >= 0 %}
+        {# See https://stackoverflow.com/questions/41479482/how-do-i-allow-a-salt-stack-formula-to-run-on-only-certain-operating-system-vers -#}
+        securecore: false,  // Connect to the core using SSL
+        // Disable this by default for Debian with openssl >= {{ brokenver_openssl }} until SSL issue is resolved
+        // See https://github.com/magne4000/quassel-webserver/issues/285
+        // As the core connection is via 'localhost', the potential impact is reduced
+        {% else %}
         securecore: true,  // Connect to the core using SSL
+        {% endif -%}
         theme: 'default',  // Default UI theme
         perchathistory: true,  // Separate history per buffer
         displayfullhostmask: false,  // Display full hostmask instead of just nicks in messages

diff --git a/salt/server/chat/quassel/web.sls b/salt/server/chat/quassel/web.sls
@@ -103,6 +103,39 @@ server.chat.quassel.web.repo:
       # Need git
       - pkg: server.chat.quassel.web.dependencies
 
+{% set brokenver_openssl = '1.1.1f' %}
+{% set localver_openssl = salt['pkg.list_repo_pkgs']('openssl')['openssl'] |first() %}
+{% if grains.os_family == 'Debian' and salt['pkg.version_cmp'](localver_openssl, brokenver_openssl) >= 0 %}
+{# See https://stackoverflow.com/questions/41479482/how-do-i-allow-a-salt-stack-formula-to-run-on-only-certain-operating-system-vers #}
+# Need to disable "securecore" by default for Debian with
+# openssl >= {{ brokenver_openssl }} until SSL issue is resolved
+# See https://github.com/magne4000/quassel-webserver/issues/285
+# As the core connection is via 'localhost', the potential impact is reduced
+#
+# Don't apply this hack unless necessary to avoid needless patching on older
+# systems.
+#
+# HACK: Work around "securecore" default setting not being applied.
+# Remove this once merged upstream.
+# See https://github.com/magne4000/quassel-webserver/pull/290
+#
+# FIXME: This results in restarting Quassel Webserver every time due to git
+# resetting the patch.  If this does not get merged soon, find a better
+# approach to hotfixing this.
+server.chat.quassel.web.repo.patch.securecore:
+  file.patch:
+    - name: {{ qweb_home_dir }}/quassel_web_root/qweb/quassel-webserver/public/javascripts/angular-init.js
+    - source: salt://files/server/chat/quassel/web/quassel-webserver-pull-290-fix-defaults-securecore.patch
+    - user: {{ qweb_user }}
+    - group: {{ qweb_user }}
+    # Set up after repo
+    - require:
+      - git: server.chat.quassel.web.repo
+    # Require in the service
+    - require_in:
+      - service: server.chat.quassel.web.service
+{% endif %}
+
 server.chat.quassel.web.repo.build.npm:
   cmd.run:
     # Run install, not updating the package-lock.json file, then prune afterwards