> On 18 Jun 2018, at 15:38, Emmanuel Hocdet <[email protected]> wrote:
> 
> 
>> On 18 Jun 2018, at 15:30, Thierry Fournier <[email protected]> wrote:
>> 
>> 
>> 
>>> On 18 Jun 2018, at 14:37, Emmanuel Hocdet <[email protected]> wrote:
>>> 
>>>> 
>>>> On 18 Jun 2018, at 10:43, Thierry Fournier <[email protected]> wrote:
>>>> 
>>>> 
>>>>> On 18 Jun 2018, at 10:33, Willy Tarreau <[email protected]> wrote:
>>>>> 
>>>>> On Sun, Jun 17, 2018 at 09:44:50PM +0200, [email protected] wrote:
>>>>>> Finally, I got it! It works with luck because we have 1 bug in HAProxy
>>>>>> and 1 error (I suppose) in an OpenSSL compatibility layer.
>>>>> (...)
>>>>>> I attach two patches. The first, which fixes the cipher capture, must be
>>>>>> backported to 1.8; for the second patch, which fixes the app data
>>>>>> compatibility, I don't know (at least 1.8).
>>>>> 
>>>>> Good job! I imagine you didn't have a funny week-end playing with this
>>>>> one :-/
>>>> 
>>>> 
>>>> Yes, including the Friday :-) But I hope this patch improves stability.
>>>> If someone has time and is interested in the subject, it may be
>>>> interesting to see in the OpenSSL code if the slot 0 used without
>>>> reservation works fine, or works because we have luck.
>>>> 
>>> 
>>> It works fine because slot 0 is natively reserved for old
>>> *_{set,get}_app_data API compatibility.
>> 
>> 
>> Ok, thanks. So the classification BUG/MAJOR can be changed to BUG/MEDIUM
>> because it impacts only the usage of SSL joined with the cipherlist hash.
>> Too late :-)
>> 
> 
> I think it should not be a bug at all (second patch), and set of ex_data
> without reservation (first patch and my patch) should be the only sources
> of bugs.
> 

I don’t know. In fact it works, so it is not a bug. But, when I use the
reservation for an ex_data slot, it returns the slot 0, and this slot is
used for the compatibility layer and can crush some data. I conclude
that it is a bug in OpenSSL. The reservation function must give a slot
starting at 1.

Maybe, the recommendation is to not mix the compatibility functions
like set_app_data() with *ex_data*() functions. But, I don’t see 
anything about this.

thierry
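
A simplified, self-contained model of the slot collision discussed in this thread, added here as an example; it is not code from HAProxy, OpenSSL or the posters. The allocator, the `reserve_private_index` guard and all other names are hypothetical; the only behaviour taken from the thread is that the app_data compatibility calls use slot 0.

```c
#include <stdio.h>
#include <stddef.h>
#define MAX_SLOTS 8

/* Simplified model, not OpenSSL code: an index allocator and an object with slots. */
struct ex_class { int next_index; };
struct obj { void *slot[MAX_SLOTS]; };

/* Hand out the next free index, or -1 when the table is full. */
static int get_ex_new_index(struct ex_class *c)
{
    return c->next_index < MAX_SLOTS ? c->next_index++ : -1;
}

static int set_ex_data(struct obj *o, int idx, void *p)
{
    if (idx < 0 || idx >= MAX_SLOTS)
        return 0;
    o->slot[idx] = p;
    return 1;
}

/* Compatibility layer as described in the thread: app_data is slot 0. */
static int set_app_data(struct obj *o, void *p) { return set_ex_data(o, 0, p); }
static void *get_app_data(const struct obj *o) { return o->slot[0]; }

/* Hypothetical guard: discard index 0 so private data never shares the app_data slot. */
static int reserve_private_index(struct ex_class *c)
{
    int idx = get_ex_new_index(c);
    return idx == 0 ? get_ex_new_index(c) : idx;
}

/* Returns 1 if app_data is intact after storing data at a newly reserved index.
 * first_index: 0 = allocator hands out slot 0, 1 = slot 0 is already reserved. */
int app_data_survives(int first_index, int guarded)
{
    static char app[] = "app", capture[] = "capture"; /* constructed sample values */
    struct ex_class cls = { first_index };
    struct obj o = { { NULL } };
    set_app_data(&o, app);
    int idx = guarded ? reserve_private_index(&cls) : get_ex_new_index(&cls);
    return set_ex_data(&o, idx, capture) && get_app_data(&o) == (void *)app;
}

int main(void)
{
    printf("start=0 plain=%d guarded=%d, start=1 plain=%d\n",
           app_data_survives(0, 0), app_data_survives(0, 1), app_data_survives(1, 0));
    return 0;
}
```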