Warning about OpenSSL 1.0.2
Alan DeKok
aland at deployingradius.com
Sun Oct 11 23:21:24 CEST 2015
On Oct 11, 2015, at 3:38 PM, Jouni Malinen <jkmalinen at gmail.com> wrote:
> Don't ask me how to find this, but this commit is the most likely reason:
> https://github.com/openssl/openssl/commit/bc200e691cd68870c2062d3c1e74280a59aaa5ab
> ('SSL/TLS record tracing code (backport from HEAD). ')
Yeah... that's probably it.
> The msg_callback() calls with hardcoded version 0 for SSL3_RT_HEADER
> in ssl/s3_pkt.c is the extension that you are likely seeing here. The
> other lovely ones that you have unlikely seen yet are the
> msg_callback() calls with write_p == 2 (instead of the documented
> 0/1).
<sigh> They added tracing mechanisms... by changing their public API. That's *terrible*. It's like they have no comprehension that anyone *uses* their software.
> Though, I'd assume and hope that these write_p == 2 cases do not
> show up without a special OpenSSL build (OPENSSL_SSL_TRACE_CRYPTO
> enabled with enable-ssl-trace). Anyway, you may want to be ready for
> them just in case and return from the callback function if write_p ==
> 2 is seen (or maybe more robustly: if write_p is not 0 or 1).
Yes, I'll push a fix for that, too.
Ugh.
Alan DeKok.
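
The early return suggested in the quoted text (ignore the call unless write_p is 0 or 1), extended to the version 0 header calls, as an added example that is not FreeRADIUS or OpenSSL code. The `trace_stats` struct and the function names are hypothetical, the sample calls are constructed, and the one-octet content-type check is an added assumption about what a caller wants to accept.

```c
#include <stddef.h>
#include <stdio.h>

/* Opaque stand-in so this builds without OpenSSL; real code includes <openssl/ssl.h>. */
typedef struct ssl_st SSL;
struct trace_stats { unsigned logged, ignored; };  /* hypothetical counters, passed via arg */

/* 1 if the call fits the documented contract, 0 if it is a tracing extension. */
static int msg_is_documented(int write_p, int version, int content_type)
{
    if (write_p != 0 && write_p != 1) return 0;            /* e.g. write_p == 2 */
    if (version == 0) return 0;                            /* SSL3_RT_HEADER pseudo-record */
    if (content_type < 0 || content_type > 255) return 0;  /* wire ContentType is one octet */
    return 1;
}

/* Same signature as the callback registered with SSL_CTX_set_msg_callback(). */
static void tls_msg_cb(int write_p, int version, int content_type,
                       const void *buf, size_t len, SSL *ssl, void *arg)
{
    struct trace_stats *st = arg;
    (void)buf; (void)ssl;
    if (!msg_is_documented(write_p, version, content_type)) {
        if (st) st->ignored++;
        return;                                            /* never parse buf on these calls */
    }
    if (st) st->logged++;
    fprintf(stderr, "%s version 0x%04x type %d len %zu\n",
            write_p ? ">>>" : "<<<", (unsigned)version, content_type, len);
}

/* Replays constructed calls: two documented, two of the kinds discussed above. */
static struct trace_stats replay_constructed(void)
{
    static const unsigned char rec[5] = { 22, 3, 3, 0, 0 };  /* constructed bytes */
    struct trace_stats st = { 0, 0 };
    tls_msg_cb(1, 0x0303, 22, rec, sizeof rec, NULL, &st);   /* handshake, sent */
    tls_msg_cb(0, 0x0303, 21, rec, 2, NULL, &st);            /* alert, received */
    tls_msg_cb(1, 0, 0x100, rec, sizeof rec, NULL, &st);     /* version 0 header call */
    tls_msg_cb(2, 0x0303, 22, rec, sizeof rec, NULL, &st);   /* write_p == 2 */
    return st;
}

int main(void)
{
    struct trace_stats st = replay_constructed();
    printf("logged=%u ignored=%u\n", st.logged, st.ignored);
    return 0;
}
```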