From ticket 2720, it seems the official position is that no-tlsext is NOT
supported. However, for those who still try to use it, the recent fixes for
CVE-2015-1791 seem to have introduced more problems for the 0.9.8 code base
(and maybe others - not sure).
This report can be added to RT#2720.
SSL_CTX_set_msg_callback.pod lists the first parameter to the
SSL_set_msg_callback[_arg] functions as type SSL_CTX * when they are, in
fact, SSL *.
Geoff
-
Geoff Lowe
Principal Engineer
McAfee, Inc.
__
OpenSSL Project
These patches primarily move around a few #ifdefs so that 1.0.1e will compile
when the no-tlsext option is specified.
Note that when no-tlsext is specified, no-srtp is forced now too in
addition to no-srp and no-heartbeats.
I'm not 100% confident in these changes, so I'd appreciate some level
Don't send SCSV if TLS extensions are disabled. Applies to 1.0.1e also.
Also see Ticket #2788. (I did not investigate item #2 in that Ticket though.)
system:lowe/FIXED/openssl-0.9.8y/ssl 28% diff -p
~/working/openssl-0.9.8y/ssl/ssl_lib.c ./ssl_lib.c
***
On 0.9.8 branch:
ssl/t1_enc.c
tls1_mac() approximately line 771:
#ifdef OPENSSL_FIPS
if (!send FIPS_mode())
tls_fips_digest_extra(
ssl-enc_read_ctx,
hash,