On Tuesday 13 October 2015 09:22:53 Matt Caswell via RT wrote:
> On 12/10/15 17:19, Matt Caswell via RT wrote:
> > On 12/10/15 16:39, Matt Caswell via RT wrote:
> >> The value of "in_read_app_data" not being true when it is supposed
> >> to appears to be running into a slightly different bug. It's also
> >> present in 1.0.2 but you have to switch off version negotiation.
> >> So running s_server like this in 1.0.2 and rerunning Hubert's test
> >> will hit it:
> >>
> >> openssl s_server -www -tls1_2
> >>
> >> The 1.0.2 version negotiation is hiding the issue. In master
> >> version neg has been completely rewritten and simplified - but in
> >> doing so no longer hides the problem. :-(
> >
> > Having done some more digging it seems the problem only occurs if
> > you get the initial handshake, followed by a second reneg handshake
> > *and* interleaved app data all within the scope of a *single*
> > SSL_read call. AFAICT if SSL_read returns between the first
> > handshake and the second, you don't get the problem.
>
> Ok, updated version of the patch attached. This is for 1.0.2 but
> should pass Hubert's tests even when you run s_server with "-tls1_2".

yup, looks good with -tls1_2 now too

for some reason my side can't negotiate TLS 1.1 or TLS 1.0 correctly so
can't test -tls1_1 or -tls1 (I'm likely generating malformed CKE there,
but need to check to be sure)
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic