Warning about OpenSSL 1.0.2
Jouni Malinen
jkmalinen at gmail.com
Sun Oct 11 21:38:43 CEST 2015
On Sun, Oct 11, 2015 at 7:03 PM, Alan DeKok <aland at deployingradius.com> wrote:
> I've tried wandering through the OpenSSL code to see when / why / where the change was made. The code is not just complicated, it's needlessly complicated. Endless layers of obfuscation. The FreeRADIUS code looks beautiful in comparison. :(
Don't ask me how to find this, but this commit is the most likely reason:
https://github.com/openssl/openssl/commit/bc200e691cd68870c2062d3c1e74280a59aaa5ab
('SSL/TLS record tracing code (backport from HEAD).')
(or commit 36b5bb6f2f944d6fb9a458da76ffdfa9154c03c2 in the openssl
master branch)
The msg_callback() calls with hardcoded version 0 for SSL3_RT_HEADER
in ssl/s3_pkt.c is the extension that you are likely seeing here. The
other lovely ones that you have unlikely seen yet are the
msg_callback() calls with write_p == 2 (instead of the documented
0/1). Though, I'd assume and hope that these write_p == 2 cases do not
show up without a special OpenSSL build (OPENSSL_SSL_TRACE_CRYPTO
enabled with enable-ssl-trace). Anyway, you may want to be ready for
them just in case and return from the callback function if write_p ==
2 is seen (or maybe more robustly: if write_p is not 0 or 1).
- Jouni
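The two cases described above (SSL3_RT_HEADER calls with version hard-coded to 0, and write_p values outside the documented 0/1) can be handled in the callback itself. The following is an added example written for this archive page; it is not FreeRADIUS code, not OpenSSL code, and not something from either poster. To compile without OpenSSL installed it forward-declares an opaque SSL type and copies the relevant constants from OpenSSL's ssl3.h/tls1.h (real code would just include <openssl/ssl.h>). The callback signature is OpenSSL's SSL_set_msg_callback() signature; the names robust_msg_callback, msg_stats and run_sample_trace are invented for the example, and the replayed record sequence is constructed by hand, not captured from a server.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Opaque stand-in so this compiles without OpenSSL headers (assumption:
   only the pointer type is needed here; real code includes <openssl/ssl.h>). */
typedef struct ssl_st SSL;

/* Values copied from OpenSSL's ssl3.h / tls1.h. */
#define SSL3_RT_CHANGE_CIPHER_SPEC 20
#define SSL3_RT_ALERT              21
#define SSL3_RT_HANDSHAKE          22
#define SSL3_RT_APPLICATION_DATA   23
#define SSL3_RT_HEADER             0x100
#define TLS1_2_VERSION             0x0303

/* Counters kept by the callback; a real application stores this behind the
   arg pointer passed to SSL_set_msg_callback_arg(). (Hypothetical struct.) */
struct msg_stats {
    unsigned long records_sent, records_received;
    unsigned long headers_seen;
    unsigned long ignored;          /* calls with write_p outside 0/1 */
    unsigned long bad_version;      /* version 0 on a non-header call */
    int last_header_type;           /* decoded from the last SSL3_RT_HEADER call */
    int last_header_version;
    unsigned last_header_len;
};

/* Same signature OpenSSL uses for the msg_callback. */
static void robust_msg_callback(int write_p, int version, int content_type,
                                const void *buf, size_t len, SSL *ssl, void *arg)
{
    struct msg_stats *st = arg;
    const unsigned char *p = buf;
    (void)ssl;

    /* 1. Only the documented directions: 0 = received, 1 = sent. Trace-enabled
          OpenSSL builds may pass 2; anything else is not for us, so bail out. */
    if (write_p != 0 && write_p != 1) {
        st->ignored++;
        return;
    }

    /* 2. SSL3_RT_HEADER: the raw 5-byte TLS record header, delivered with
          version == 0. Decode type/version/length from the bytes themselves
          rather than trusting the version argument. */
    if (content_type == SSL3_RT_HEADER) {
        if (len < 5)            /* never read past a short buffer */
            return;
        st->headers_seen++;
        st->last_header_type = p[0];
        st->last_header_version = (p[1] << 8) | p[2];
        st->last_header_len = (unsigned)((p[3] << 8) | p[4]);
        return;
    }

    /* 3. Ordinary fragment calls must carry a real protocol version; a zero
          here would otherwise feed a bogus key into any version-name lookup. */
    if (version == 0) {
        st->bad_version++;
        return;
    }
    if (write_p)
        st->records_sent++;
    else
        st->records_received++;
}

/* Replays a constructed sequence of invocations in the order OpenSSL 1.0.2's
   s3_pkt.c makes them (header call with version 0, then the fragment), plus
   the two edge cases: a write_p == 2 call and a truncated header. */
static struct msg_stats run_sample_trace(void)
{
    struct msg_stats st;
    /* Constructed sample records: handshake type 22, TLS 1.2, lengths 0x2a / 0x10. */
    static const unsigned char hdr_in[5]   = { 22, 0x03, 0x03, 0x00, 0x2a };
    static const unsigned char body_in[4]  = { 0x01, 0x00, 0x00, 0x26 }; /* ClientHello start */
    static const unsigned char hdr_out[5]  = { 22, 0x03, 0x03, 0x00, 0x10 };
    static const unsigned char body_out[4] = { 0x02, 0x00, 0x00, 0x0c }; /* ServerHello start */

    memset(&st, 0, sizeof st);

    robust_msg_callback(0, 0, SSL3_RT_HEADER, hdr_in, sizeof hdr_in, NULL, &st);
    robust_msg_callback(0, TLS1_2_VERSION, SSL3_RT_HANDSHAKE, body_in, sizeof body_in, NULL, &st);
    robust_msg_callback(1, 0, SSL3_RT_HEADER, hdr_out, sizeof hdr_out, NULL, &st);
    robust_msg_callback(1, TLS1_2_VERSION, SSL3_RT_HANDSHAKE, body_out, sizeof body_out, NULL, &st);

    /* write_p == 2: only expected from OPENSSL_SSL_TRACE_CRYPTO builds; must be ignored. */
    robust_msg_callback(2, TLS1_2_VERSION, SSL3_RT_HANDSHAKE, body_out, sizeof body_out, NULL, &st);
    /* Truncated header: must not be decoded or counted. */
    robust_msg_callback(0, 0, SSL3_RT_HEADER, hdr_in, 3, NULL, &st);
    /* Version 0 on a non-header call: not something OpenSSL is known to emit,
       included only to exercise the guard. */
    robust_msg_callback(0, 0, SSL3_RT_ALERT, body_out, 2, NULL, &st);

    return st;
}

int main(void)
{
    struct msg_stats st = run_sample_trace();
    printf("headers=%lu recv=%lu sent=%lu ignored=%lu bad_version=%lu "
           "last header: type=%d version=0x%04x len=%u\n",
           st.headers_seen, st.records_received, st.records_sent, st.ignored,
           st.bad_version, st.last_header_type, st.last_header_version,
           st.last_header_len);
    return 0;
}
```

Hooked up with SSL_set_msg_callback(ssl, robust_msg_callback) and SSL_set_msg_callback_arg(ssl, &stats), the same function serves as the real callback; the early return on write_p outside 0/1 is the whole point, and decoding the header bytes means the version argument is never used for the SSL3_RT_HEADER case at all.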