> On 4 Jul 2019 at 18:55, Илья Шипицин <chipits...@gmail.com> wrote:
>
> can you provide some comment around code ?
>
> I think almost nobody can read such code
>
> Thu, 4 Jul 2019 at 21:17, Emmanuel Hocdet <m...@gandi.net>:
> Hi,
>
> This thread reminds me that with BoringSSL empty (and abort) handshake is not set.
> After tests BoringSSL seems to have simpler case.
> I sent a patch to fix that.
>
> For OpenSSL <= 1.0.2, revert is the thing to do.
> For LibreSSL, include it with BoringSSL case could be ok (with my patch).
> With time (no HB and better error report in libSSL), it seems code could
> simply look like:
>     if (!errno)
>         conn->err_code = CO_ER_SSL_EMPTY;
>     else
>         conn->err_code = CO_ER_SSL_ABORT;
>

Only CO_ER_SSL_EMPTY and CO_ER_SSL_ABORT can be set for conn->err_code (it’s the case for BoringSSL)

> ++
> Manu
>
>> On 4 Jul 2019 at 12:14, Lukas Tribus <lu...@ltri.eu> wrote:
>>
>> Hello Ilya,
>>
>>
>> On Mon, 1 Jul 2019 at 23:08, Илья Шипицин <chipits...@gmail.com> wrote:
>>>
>>> Tue, 2 Jul 2019 at 01:34, Willy Tarreau <w...@1wt.eu>:
>>>>
>>>> On Mon, Jul 01, 2019 at 10:32:29PM +0200, Lukas Tribus wrote:
>>>>> Commit 54832b97 ("BUILD: enable several LibreSSL hacks, including")
>>>>> changed empty handshake detection in OpenSSL <= 1.0.2 and LibreSSL,
>>>>> from accessing packet_length directly (not available in LibreSSL) to
>>>>> calling SSL_state() instead.
>>>> (...)
>>>>
>>>> Thanks a lot Lukas. Just out of curiosity, do you have any idea of a
>>>> concrete user-visible issue this bug can cause ? It would help bisecting
>>>> issues later. I don't know in what case an empty handshake may happen.
>>>
>>>
>>> nmap scan ?
>>
>> Ilya, just to avoid misunderstandings, I would like to have your
>> feedback on this patch so we can decide whether to commit it or work
>> on counter-proposals.
>>
>>
>> Thanks,
>> Lukas
>