[
https://issues.apache.org/jira/browse/SERF-198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281137#comment-17281137
]
Justin Erenkrantz commented on SERF-198:
----------------------------------------
Thanks for the report and patch!
We have another patch being discussed on dev@serf for test suite failures with
newer OpenSSL libraries as well.
My current thinking is that we'd cut a 1.4.x release with these OpenSSL fixes
rather than a 1.3.x patch - that seemed somewhat reasonable for Debian's
release cycle; how does adopting a new serf 1.4.x release fit with FreeBSD's
release cycle?
Obviously, FreeBSD can continue to carry this 1.3.x patch in their own tree.
> OpenSSL BIO control method incorrectly handles unknown requests
> ---------------------------------------------------------------
>
> Key: SERF-198
> URL: https://issues.apache.org/jira/browse/SERF-198
> Project: serf
> Issue Type: Bug
> Affects Versions: serf-1.3.9, serf-trunk
> Environment: FreeBSD 14 with KTLS-enabled OpenSSL and the base system
> svnlite using a bundled serf. Has also been observed with subversion + serf
> built from FreeBSD ports.
> Reporter: John Baldwin
> Priority: Major
> Attachments: serf.patch
>
>
> According to the BIO_ctrl(3) manpage from OpenSSL, control methods in custom
> BIO classes should return 0 for unknown control requests:
> {quote}Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl()
> operation.
> {quote}
> ssl_buckets.c includes two custom BIO classes both of which are sink BIOs,
> but the custom control method returns 1 instead of 0 for unknown operations.
> This causes breakage with newer versions of OpenSSL. In particular, in
> OpenSSL versions supporting KTLS, this causes OpenSSL to believe that the
> custom BIOs support KTLS and thus handle TLS header insertion and
> encryption/decryption in the BIO layer, breaking the use of HTTPS. This was
> observed in FreeBSD when FreeBSD integrated KTLS support into OpenSSL:
> [253135|https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135]
> The patch below changes the default value of the control methods to 0 which
> fixes the KTLS case.
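The defect described in the report, as an added C example that is not serf's own code: a sink BIO control method in serf's general shape with the buggy `ret = 1` default beside the corrected `ret = 0` default, plus a probe modelled on how OpenSSL reads a ctrl result (a positive return means "supported"). The BIO type and the ctrl ids are constructed stand-ins, not OpenSSL's definitions.

```c
#include <stdio.h>
/* Stand-ins for OpenSSL's BIO type and ctrl ids; the values are constructed
 * and need not match OpenSSL's headers. The KTLS id stands for any request
 * a plain sink BIO does not implement. */
typedef struct fake_bio fake_bio;      /* opaque stand-in for OpenSSL's BIO */
typedef long (*bio_ctrl_fn)(fake_bio *, int, long, void *);
enum { CTRL_PUSH = 6, CTRL_POP = 7, CTRL_FLUSH = 11, CTRL_GET_KTLS_SEND = 73 };

/* Buggy shape from the report: anything the switch does not name succeeds. */
static long ctrl_buggy(fake_bio *b, int cmd, long num, void *ptr)
{
    long ret = 1;
    switch (cmd) {
    case CTRL_FLUSH:            /* nothing buffered; flush is a no-op */
        break;
    case CTRL_PUSH: case CTRL_POP:
        ret = 0;
        break;
    default:                    /* unknown request: still returns 1 */
        break;
    }
    return ret;
}

/* Fixed shape: default to 0 as BIO_ctrl(3) requires and opt in explicitly. */
static long ctrl_fixed(fake_bio *b, int cmd, long num, void *ptr)
{
    long ret = 0;
    switch (cmd) {
    case CTRL_FLUSH:
        ret = 1;                /* the one request this BIO honours */
        break;
    default:                    /* PUSH, POP, KTLS queries, anything new: 0 */
        break;
    }
    return ret;
}

/* Capability probe: a positive return is read as "supported" (OpenSSL's
 * KTLS check reads BIO_ctrl this way), so the buggy default looks KTLS-capable. */
int claims_ktls_send(bio_ctrl_fn ctrl)
{
    return ctrl(NULL, CTRL_GET_KTLS_SEND, 0, NULL) > 0;
}

int main(void)
{
    printf("buggy ctrl claims KTLS: %d\n", claims_ktls_send(ctrl_buggy)); /* 1 */
    printf("fixed ctrl claims KTLS: %d\n", claims_ktls_send(ctrl_fixed)); /* 0 */
    return 0;
}
```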