Warning about OpenSSL 1.0.2

Jouni Malinen jkmalinen at gmail.com
Sun Oct 11 21:38:43 CEST 2015

On Sun, Oct 11, 2015 at 7:03 PM, Alan DeKok <aland at deployingradius.com> wrote:
>   I've tried wandering through the OpenSSL code to see when / why / where the change was made.  The code is not just complicated, it's needlessly complicated.  Endless layers of obfuscation.  The FreeRADIUS code looks beautiful in comparison.  :(

Don't ask me how to find this, but this commit is the most likely reason:
('SSL/TLS record tracing code (backport from HEAD). ')

(or commit 36b5bb6f2f944d6fb9a458da76ffdfa9154c03c2 in the openssl
master branch)

The msg_callback() calls with hardcoded version 0 for SSL3_RT_HEADER
in ssl/s3_pkt.c is the extension that you are likely seeing here. The
other lovely ones that you have unlikely seen yet are the
msg_callback() calls with write_p == 2 (instead of the documented
0/1). Though, I'd assume and hope that these write_p == 2 cases do not
show up without a special OpenSSL build (OPENSSL_SSL_TRACE_CRYPTO
enabled with enable-ssl-trace). Anyway, you may want to be ready for
them just in case and return from the callback function is write_p ==
2 is seen (or maybe more robustly: if write_p is not 0 or 1).

- Jouni

More information about the Freeradius-Users mailing list