Warning about OpenSSL 1.0.2

Alan DeKok aland at deployingradius.com
Sun Oct 11 23:21:24 CEST 2015


On Oct 11, 2015, at 3:38 PM, Jouni Malinen <jkmalinen at gmail.com> wrote:
> Don't ask me how to find this, but this commit is the most likely reason:
> https://github.com/openssl/openssl/commit/bc200e691cd68870c2062d3c1e74280a59aaa5ab
> ('SSL/TLS record tracing code (backport from HEAD). ')

  Yeah... that's probably it.

> The msg_callback() calls with hardcoded version 0 for SSL3_RT_HEADER
> in ssl/s3_pkt.c is the extension that you are likely seeing here. The
> other lovely ones that you have unlikely seen yet are the
> msg_callback() calls with write_p == 2 (instead of the documented
> 0/1).

  <sigh>  They added tracing mechanisms... by changing their public API.  That's *terrible*.  It's like they have no comprehension that anyone *uses* their software.

> Though, I'd assume and hope that these write_p == 2 cases do not
> show up without a special OpenSSL build (OPENSSL_SSL_TRACE_CRYPTO
> enabled with enable-ssl-trace). Anyway, you may want to be ready for
> them just in case and return from the callback function if write_p ==
> 2 is seen (or maybe more robustly: if write_p is not 0 or 1).

  Yes, I'll push a fix for that, too.

  Ugh.

  Alan DeKok.
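The defensive handling discussed above (ignore any write_p other than the documented 0/1, and treat SSL3_RT_HEADER specially because the version argument is hardcoded to 0 and the real version has to be read from the 5-byte record header the callback receives) as an added example. This is not FreeRADIUS code or code from this thread; it keeps OpenSSL's msg_callback argument shape but defines the SSL3_RT_* constants locally and types the `ssl` argument as `void *` so it builds without OpenSSL headers, and the record header bytes fed to it in `main` are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the values in OpenSSL's ssl3.h; defined locally so this example
 * compiles without OpenSSL installed. */
#define SSL3_RT_ALERT          21
#define SSL3_RT_HANDSHAKE      22
#define SSL3_RT_HEADER         0x100
#define SSL3_RT_HEADER_LENGTH  5

enum cb_action {
    CB_IGNORE_BAD_WRITE_P,  /* write_p outside the documented 0/1 (e.g. the 2 from ssl-trace builds) */
    CB_RECORD_HEADER,       /* SSL3_RT_HEADER: version arg is 0, real fields parsed from buf */
    CB_MALFORMED_HEADER,    /* SSL3_RT_HEADER but buffer shorter than a record header */
    CB_MESSAGE              /* ordinary handshake / alert / other message */
};

struct cb_info {
    enum cb_action action;
    int direction;      /* 0 = received, 1 = sent */
    int version;        /* version argument, or the version parsed from the record header */
    int content_type;   /* content_type argument, or the record type byte from the header */
    size_t length;      /* len argument, or the record length parsed from the header */
};

/* Pure classification step, kept separate from the callback so it can be unit-tested.
 * Never trusts `version` when content_type == SSL3_RT_HEADER (OpenSSL passes 0 there). */
struct cb_info classify_msg(int write_p, int version, int content_type,
                            const unsigned char *buf, size_t len)
{
    struct cb_info info;
    memset(&info, 0, sizeof(info));
    info.direction = write_p;
    info.version = version;
    info.content_type = content_type;
    info.length = len;

    /* Robust variant of the advice in the thread: bail on anything that is not 0 or 1. */
    if (write_p != 0 && write_p != 1) {
        info.action = CB_IGNORE_BAD_WRITE_P;
        return info;
    }

    if (content_type == SSL3_RT_HEADER) {
        if (buf == NULL || len < SSL3_RT_HEADER_LENGTH) {
            info.action = CB_MALFORMED_HEADER;
            return info;
        }
        /* TLS record header: type(1) | version(2, big-endian) | length(2, big-endian) */
        info.action = CB_RECORD_HEADER;
        info.content_type = buf[0];
        info.version = (buf[1] << 8) | buf[2];
        info.length = ((size_t)buf[3] << 8) | buf[4];
        return info;
    }

    info.action = CB_MESSAGE;
    return info;
}

/* Same argument shape as OpenSSL's msg_callback (there `ssl` is SSL *, and the
 * function is installed with SSL_CTX_set_msg_callback()). Only logs; never fails. */
void robust_msg_cb(int write_p, int version, int content_type,
                   const void *buf, size_t len, void *ssl, void *arg)
{
    (void)ssl;
    (void)arg;
    struct cb_info info = classify_msg(write_p, version, content_type,
                                       (const unsigned char *)buf, len);
    switch (info.action) {
    case CB_IGNORE_BAD_WRITE_P:
        /* Quietly ignore: undocumented write_p values must not crash the server. */
        return;
    case CB_MALFORMED_HEADER:
        fprintf(stderr, "msg_cb: short record header (%zu bytes), ignoring\n", len);
        return;
    case CB_RECORD_HEADER:
        printf("%s record header: type=%d version=0x%04x length=%zu\n",
               info.direction ? "sent" : "received",
               info.content_type, info.version, info.length);
        return;
    case CB_MESSAGE:
        printf("%s message: type=%d version=0x%04x length=%zu\n",
               info.direction ? "sent" : "received",
               info.content_type, info.version, info.length);
        return;
    }
}

int main(void)
{
    /* Constructed sample: a TLS 1.2 handshake record header announcing 42 payload bytes. */
    const unsigned char hdr[SSL3_RT_HEADER_LENGTH] = { 0x16, 0x03, 0x03, 0x00, 0x2a };
    const unsigned char alert[2] = { 0x01, 0x00 };  /* warning / close_notify */

    robust_msg_cb(0, 0, SSL3_RT_HEADER, hdr, sizeof(hdr), NULL, NULL);       /* version arg is 0 */
    robust_msg_cb(1, 0x0303, SSL3_RT_ALERT, alert, sizeof(alert), NULL, NULL);
    robust_msg_cb(2, 0x0303, SSL3_RT_HANDSHAKE, hdr, sizeof(hdr), NULL, NULL); /* silently dropped */
    robust_msg_cb(0, 0, SSL3_RT_HEADER, hdr, 3, NULL, NULL);                  /* too short */
    return 0;
}
```

The split between `classify_msg` and the callback is deliberate: the callback is invoked from inside the TLS stack where a crash takes the daemon down, so it only logs, while the decision logic is a plain function that can be exercised with hand-built inputs, including the write_p == 2 case that only appears with OPENSSL_SSL_TRACE_CRYPTO builds.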
More information about the Freeradius-Users mailing list