Hi,
This thread reminds me that with BoringSSL, the empty (and abort) handshake is
not set.
After tests, BoringSSL seems to have a simpler case.
I sent a patch to fix that.
For OpenSSL <= 1.0.2, reverting is the thing to do.
For LibreSSL, including it with the BoringSSL case could be OK (with my patch).
With time (no HB and better error reporting in libSSL), it seems the code could
simply look like:
    if (!errno)
        conn->err_code = CO_ER_SSL_EMPTY;
    else
        conn->err_code = CO_ER_SSL_ABORT;
++
Manu
> On 4 Jul 2019, at 12:14, Lukas Tribus <[email protected]> wrote:
>
> Hello Ilya,
>
>
> On Mon, 1 Jul 2019 at 23:08, Илья Шипицин <[email protected]> wrote:
>>
>>
>>
>> Tue, 2 Jul 2019 at 01:34, Willy Tarreau <[email protected]>:
>>>
>>> On Mon, Jul 01, 2019 at 10:32:29PM +0200, Lukas Tribus wrote:
>>>> Commit 54832b97 ("BUILD: enable several LibreSSL hacks, including")
>>>> changed empty handshake detection in OpenSSL <= 1.0.2 and LibreSSL,
>>>> from accessing packet_length directly (not available in LibreSSL) to
>>>> calling SSL_state() instead.
>>> (...)
>>>
>>> Thanks a lot Lukas. Just out of curiosity, do you have any idea of a
>>> concrete user-visible issue this bug can cause? It would help bisecting
>>> issues later. I don't know in what case an empty handshake may happen.
>>
>>
>> nmap scan?
>
> Ilya, just to avoid misunderstandings, I would like to have your
> feedback on this patch so we can decide whether to commit it or work
> on counter-proposals.
>
>
> Thanks,
> Lukas