[openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-23 Thread Rich Salz via RT
https://github.com/openssl/openssl/pull/395 Closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4038 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-15 Thread Daniel Kahn Gillmor
On Wed 2016-06-15 09:51:37 -0400, Salz, Rich wrote:
> I think OpenSSL needs to decide if SSLv2 bugs will be getting fixed.
> Matt and I disagree :)

Isn't the existence of SSLv2 a bug? ;)

--dkg

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-15 Thread Matt Caswell
On 15/06/16 16:31, Daniel Kahn Gillmor wrote:
> On Wed 2016-06-15 09:51:37 -0400, Salz, Rich wrote:
>> I think OpenSSL needs to decide if SSLv2 bugs will be getting fixed.
>> Matt and I disagree :)
>
> Isn't the existence of SSLv2 a bug? ;)

Fixed in OpenSSL 1.1.0 :-)

Matt

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-15 Thread Salz, Rich
I think OpenSSL needs to decide if SSLv2 bugs will be getting fixed. Matt and I disagree :)

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-15 Thread Kaduk, Ben via RT
We are patched locally and don’t really need the patch integrated upstream; I mostly just wanted to note the issue in the bugtracker in case someone else ran into it.

-Ben

On 6/15/16, 08:09, "Salz, Rich via RT" wrote:
>So are we still fixing SSLv2 bugs? Or are they too low

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-15 Thread Kaduk, Ben
We are patched locally and don’t really need the patch integrated upstream; I mostly just wanted to note the issue in the bugtracker in case someone else ran into it.

-Ben

On 6/15/16, 08:09, "Salz, Rich via RT" wrote:
>So are we still fixing SSLv2 bugs? Or are they too low

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-15 Thread Matt Caswell
On 15/06/16 13:09, Salz, Rich via RT wrote:
> So are we still fixing SSLv2 bugs? Or are they too low on the priority list?

They're certainly low priority, but we are still fixing them.

Matt

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-15 Thread Salz, Rich via RT
So are we still fixing SSLv2 bugs? Or are they too low on the priority list?

[openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-14 Thread Matt Caswell via RT
On Tue Jun 14 20:42:36 2016, rsalz wrote:
> SSLv2 is not supported any more.

Uyes it is on the 1.0.2 branch? It is off by default though.

Matt

[openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2016-06-14 Thread Rich Salz via RT
SSLv2 is not supported any more.

[openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2015-09-11 Thread Kaduk, Ben via RT
SSLv2 support has been removed from master, but is still present in 1.0.2. Adding a range check in ssl_get_prev_session() broke the SSLv2 codepath because it supplied NULL as the 'limit' parameter that had not previously been used for SSLv2 (or v3), so the fix is just to supply a non-NULL limit.
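
Added illustration, not part of the original message and not OpenSSL's source: a simplified C model of the failure mode the report describes, where a newly added range check compares against a `limit` pointer that one caller still passes as NULL. The function names, the 16-byte ID length and the message layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_ID_LEN 16  /* constructed session-ID length for this model */

/* Constructed message: 4 header bytes followed by the session ID. */
static unsigned char msg[4 + MODEL_ID_LEN];

/* Hypothetical stand-in for a session lookup guarded by a range check:
 * the ID [id, id+len) must end at or before `limit`, the end of the
 * received message. Returns 1 if reuse may proceed, 0 if rejected. */
static int model_get_prev_session(const unsigned char *id, size_t len,
                                  const unsigned char *limit)
{
    /* Compared as integers so the NULL case is well-defined in this model:
     * on mainstream platforms NULL converts to 0, so every real `id`
     * lies "past" it and the check always fires. */
    if ((uintptr_t)id + len > (uintptr_t)limit)
        return 0;               /* treated as out of range: no reuse */
    return len == MODEL_ID_LEN; /* model: any full-length ID is a hit */
}

/* Caller on the broken path: `limit` was unused before the check
 * existed, so NULL is still passed. */
int reuse_with_null_limit(void)
{
    return model_get_prev_session(msg + 4, MODEL_ID_LEN, NULL);
}

/* Caller after the fix described in the report: a non-NULL limit,
 * here the end of the received buffer. */
int reuse_with_real_limit(void)
{
    return model_get_prev_session(msg + 4, MODEL_ID_LEN, msg + sizeof(msg));
}

/* The check still does its job: a claimed length running past the
 * end of the message is rejected. */
int reuse_with_overlong_id(void)
{
    return model_get_prev_session(msg + 4, MODEL_ID_LEN + 1, msg + sizeof(msg));
}

int main(void)
{
    printf("NULL limit: %d, real limit: %d, overlong ID: %d\n",
           reuse_with_null_limit(), reuse_with_real_limit(),
           reuse_with_overlong_id());
    return 0;
}
```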