On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca <[email protected]> wrote:
> Sure. And I do have interest in getting it fixed. I've done most of the work here:
> https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport
>
> However, I got stuck with this issue, about a MitM attack when the client-side resumption cache is full:
> https://www.cybersecurity-help.cz/vulnerabilities/59103/
>
> The patch for it is over 1,500 lines, and I would not be so confident that backporting changes in many places will not create a new problem.
> https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a
>
> libcurl and hostapd use client-side session resumption, so openwrt is possibly impacted. I don't know if the session cache can get filled by hostapd or not, but with libcurl, anything is possible. They both use the wolfSSL_get_session call, not the wolfSSL_get1_session that would avoid/work around the problem.
>
> wolfSSL should get bumped to 5.1.1 despite the API/ABI/soname change.
>
> Cheers

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel