John Baldwin created SERF-198:
---------------------------------

             Summary: OpenSSL BIO control method incorrectly handles unknown requests
                 Key: SERF-198
                 URL: https://issues.apache.org/jira/browse/SERF-198
             Project: serf
          Issue Type: Bug
    Affects Versions: serf-1.3.9, serf-trunk
         Environment: FreeBSD 14 with KTLS enabled-OpenSSL and the base system 
svnlite using a bundled serf.  Has also been observed with subversion + serf 
built from FreeBSD ports.
            Reporter: John Baldwin
         Attachments: serf.patch

According to the BIO_ctrl(3) manpage from OpenSSL, control methods in custom 
BIO classes should return 0 for unknown control requests:
{quote}Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl() 
operation.
{quote}
ssl_buckets.c includes two custom BIO classes, both of which are sink BIOs, but 
the custom control method returns 1 instead of 0 for unknown operations.  This 
causes breakage with newer versions of OpenSSL.  In particular, in OpenSSL 
versions supporting KTLS, this causes OpenSSL to believe that the custom BIOs 
support KTLS and thus handle TLS header insertion and encryption/decryption in 
the BIO layer, breaking the use of HTTPS.  This was observed in FreeBSD when 
FreeBSD integrated KTLS support into OpenSSL:

[253135|https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135]

The patch below changes the default value of the control methods to 0 which 
fixes the KTLS case.
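The following is an added illustration, not serf's ssl_buckets.c and not the attached patch. It models the control-method shape the report describes: a sink BIO whose `ctrl` callback answers a handful of requests and falls through to a default return value for everything else. The `sink_bio` struct, the `CTRL_*` command numbers and the `bio_claims_ktls` probe are constructed for the example (real code uses OpenSSL's `BIO_METHOD` and `BIO_CTRL_*` macros); the point shown is that a default of 1 makes a feature probe for an unknown request look like "supported", while a default of 0 does not.

```c
/* Added example (not serf's code): a minimal model of a custom BIO control
 * method and of a caller that probes it for an optional feature such as
 * KTLS.  The struct and command numbers are constructed placeholders, not
 * OpenSSL's BIO_CTRL_* values. */
#include <stdio.h>
#include <string.h>

/* Constructed command numbers (placeholders, not OpenSSL's values). */
enum {
    CTRL_FLUSH      = 1,   /* ask the sink to flush buffered output */
    CTRL_PUSH       = 2,   /* a BIO was pushed onto this one; nothing to do */
    CTRL_POP        = 3,
    CTRL_PROBE_KTLS = 4    /* "do you handle TLS records yourself?" */
};

typedef struct {
    int flushes;           /* how many flush requests were honoured */
} sink_bio;

/* Buggy shape: ret defaults to 1, so every request the switch does not
 * list, including the KTLS probe, is answered "yes". */
long sink_ctrl_buggy(sink_bio *b, int cmd, long num, void *ptr)
{
    long ret = 1;
    (void)num; (void)ptr;
    switch (cmd) {
    case CTRL_FLUSH:
        b->flushes++;
        break;
    case CTRL_PUSH:
    case CTRL_POP:
        break;
    default:
        /* unknown request: falls through with ret still 1 */
        break;
    }
    return ret;
}

/* Fixed shape, matching what the report describes: unknown requests
 * return 0, and only the requests actually handled return 1. */
long sink_ctrl_fixed(sink_bio *b, int cmd, long num, void *ptr)
{
    long ret = 0;
    (void)num; (void)ptr;
    switch (cmd) {
    case CTRL_FLUSH:
        b->flushes++;
        ret = 1;
        break;
    case CTRL_PUSH:
    case CTRL_POP:
        ret = 1;
        break;
    default:
        ret = 0;            /* not recognised: say so */
        break;
    }
    return ret;
}

typedef long (*ctrl_fn)(sink_bio *, int, long, void *);

/* Models a caller probing an optional feature: a nonzero answer means
 * "the BIO handles this", which for KTLS would make the caller hand
 * record framing and encryption to the BIO instead of doing it itself. */
int bio_claims_ktls(ctrl_fn ctrl)
{
    sink_bio b;
    memset(&b, 0, sizeof b);
    return ctrl(&b, CTRL_PROBE_KTLS, 0, NULL) != 0;
}

/* Both versions still honour the requests they do implement. */
int bio_flush_count(ctrl_fn ctrl)
{
    sink_bio b;
    memset(&b, 0, sizeof b);
    ctrl(&b, CTRL_FLUSH, 0, NULL);
    ctrl(&b, CTRL_FLUSH, 0, NULL);
    return b.flushes;
}

int main(void)
{
    printf("buggy ctrl claims KTLS: %d\n", bio_claims_ktls(sink_ctrl_buggy));
    printf("fixed ctrl claims KTLS: %d\n", bio_claims_ktls(sink_ctrl_fixed));
    return 0;
}
```

The buggy variant prints 1 for the probe and the fixed variant prints 0, while both report two honoured flushes; when auditing a custom BIO, the check is simply whether the `default:` path of its control method can ever return nonzero.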



--
This message was sent by Atlassian Jira
(v8.3.4#803005)