On Thu, Jun 25, 2009 at 06:05:08PM +0200, Stephen Henson via RT wrote:
> > [david.sm...@cern.ch - Tue Jun 23 11:06:26 2009]:
> > The bug report over on the apache tracker:
> >
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=46952
> >
> > has been updated - there is a utility to generate a set of CA
> > certificates, which should allow one to reproduce the problem and more
> > information about when the failure has been seen.
> >
> > I also sent an analysis of the sequence of events leading up to the
> > problem; and a "trial" fix - meaning that I see that it does fix the
> > problem but I'd like the community's opinion on the approach. Could
> > some of the openssl developers follow the link and consider the
> > analysis and possibly the change?
>
> I agree with the analysis.

Do you also agree with David's proposal to change the calls to BIO_ctrl(, BIO_CTRL_INFO, ) into BIO_wpending() in ssl/*.c? It seems to make sense to me.

> An alternative normally would be to try and flush any pending data in
> the BIO state machine on subsequent I/O calls (i.e. including a
> subsequent read) but since there can be separate read and write bios
> in OpenSSL that's not guaranteed to work.

This is a good point. We already do this conditionally, in fact. David, could you try this mod_ssl patch as an alternative solution, which doesn't necessitate fixes to OpenSSL?

Index: ssl_engine_io.c =================================================================== --- ssl_engine_io.c (revision 787722) +++ ssl_engine_io.c (working copy) @@ -481,7 +481,7 @@ * OpenSSL calls BIO_flush() at the appropriate times for * the other protocols. */ - if ((SSL_version(inctx->ssl) == SSL2_VERSION) || sslconn->is_proxy) { + if (1 || (SSL_version(inctx->ssl) == SSL2_VERSION) || sslconn->is_proxy) { if (bio_filter_out_flush(inctx->bio_out) < 0) { bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(inctx->bio_out->ptr);

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
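
Review bot: the "1 ||" added to the if in the @@ -481,7 +481,7 @@ hunk of ssl_engine_io.c makes the condition always true, so the SSL_version(inctx->ssl) == SSL2_VERSION and sslconn->is_proxy tests become dead code and the comment directly above ("OpenSSL calls BIO_flush() at the appropriate times for the other protocols") no longer describes what the code does. That is acceptable for a trial build meant only to check whether an unconditional flush avoids the problem, but if the change is kept, remove the if and call bio_filter_out_flush(inctx->bio_out) unconditionally, and rewrite the comment to state why the flush is now needed for every protocol version. The error branch under bio_filter_out_flush(...) < 0 would then run for all connections, so it is worth confirming that its handling is still appropriate outside the SSLv2 and proxy cases.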