The list is getting shorter. The test suite currently only shows a few failures due to the missing "talking http on https" support.

On 09.02.2016 at 11:20, Rainer Jung wrote:

Open problems:

1) HTTP on HTTPS

OpenSSL 1.1.0 currently doesn't support the "HTTP spoken on HTTPS port"
error. The code to detect HTTP was removed due to a major rewrite of the
state engine. The OpenSSL project is willing to review patches for
reintroducing the feature there but currently doesn't plan to work on it
themselves.

I'll try tackling this next. Not sure how well it will go.

2) Renegotiation

It needs to be implemented differently. The OpenSSL project suggests
trying to read application data until the renegotiation has finished. I
committed some rather ugly code that does loop waiting for reneg, but it
has a couple of problems:

Still using poll, but better state tracking now.

a) it will not work for EC or DH ciphers. Some opaque structure element
in the ssl struct is already set and confuses the state machine. I hope
to get some helpful feedback from the OpenSSL project for this.

Still open.

5) ssl_engine_kernel.c

In ssl_callback_Info() the explicit state constants
SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A are used which no
longer exist. I can't find obvious replacements in the list of new state
constants:

        int state = SSL_get_state((SSL *)ssl);

        if (state == SSL3_ST_SR_CLNT_HELLO_A
            || state == SSL23_ST_SR_CLNT_HELLO_A) {
            scr->reneg_state = RENEG_ABORT;
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
                          "rejecting client initiated renegotiation");
        }

That shouldn't be too hard. Will look into it.

Regards,

Rainer
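As an added illustration (not code from the thread or from httpd itself) of how the check in 5) can be written without the removed state constants: the info callback already receives handshake-start and handshake-done events in every OpenSSL version, so client-initiated renegotiation can be recognised by counting handshakes instead of inspecting SSL_get_state(). The RENEG_* names and the SSLConnRec-like struct are assumptions modelled on mod_ssl; the SSL_CB_* values mirror <openssl/ssl.h> so the example builds without OpenSSL headers.

```c
#include <stddef.h>

/* Bits of the `where` argument OpenSSL passes to the info callback; defined
 * locally (matching <openssl/ssl.h>) so this builds without OpenSSL. */
#ifndef SSL_CB_HANDSHAKE_START
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20
#endif

/* Renegotiation tracking states (assumed names, modelled on mod_ssl;
 * only RENEG_ABORT appears in the mail above). */
enum reneg_state { RENEG_INIT = 0, RENEG_REJECT, RENEG_ALLOW, RENEG_ABORT };

/* Constructed stand-in for the per-connection record the callback touches. */
struct conn_state {
    enum reneg_state reneg_state;
    int handshakes;   /* handshake-start events seen on this connection */
    int rejected;     /* set once a client renegotiation has been refused */
};

/* Decision logic for the info callback. The first HANDSHAKE_START is the
 * initial handshake; once it is DONE the connection moves to RENEG_REJECT,
 * and any further HANDSHAKE_START in that state is a client-initiated
 * renegotiation and is marked RENEG_ABORT. The server side is expected to
 * switch to RENEG_ALLOW around a renegotiation it requests itself.
 * Returns the state after processing the event. */
enum reneg_state reneg_on_info(struct conn_state *cs, int where)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        cs->handshakes++;
        if (cs->handshakes > 1 && cs->reneg_state == RENEG_REJECT) {
            cs->reneg_state = RENEG_ABORT;
            cs->rejected = 1;
        }
    }
    else if ((where & SSL_CB_HANDSHAKE_DONE) && cs->reneg_state == RENEG_INIT) {
        cs->reneg_state = RENEG_REJECT;
    }
    return cs->reneg_state;
}

/* Replays a constructed event sequence: initial handshake, then a client
 * attempt to renegotiate. Returns 1 if the attempt was marked for abort. */
int run_client_reneg_scenario(void)
{
    struct conn_state cs = { RENEG_INIT, 0, 0 };
    reneg_on_info(&cs, SSL_CB_HANDSHAKE_START);   /* initial handshake */
    reneg_on_info(&cs, SSL_CB_HANDSHAKE_DONE);
    reneg_on_info(&cs, SSL_CB_HANDSHAKE_START);   /* client asks to renegotiate */
    return cs.rejected;
}
```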
