Re: OpenSSL 1.0.0b testssl fails
On 11/18/2010 12:05 PM, Victor Duchovni wrote:
>
> None that are publicly visible. You can check for yourself:
>
> No commits to the 0.9.8 branch after the release of 0.9.8p.
>
> http://cvs.openssl.org/chngview?cn=19996

I was aware of this. It's why I raised the question, if any of these were
slated for backport, but simply not applied yet. The answer is no, so that
resolves my questions.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: OpenSSL 1.0.0b testssl fails
On Thu, Nov 18, 2010 at 11:12:11AM -0600, William A. Rowe Jr. wrote:

> On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
> >
> > A 1.0.0c release is planned in the next few days. We're just seeing if any
> > other issues arise before the release: a couple have been fixed already.
>
> Have any observed issues affected 0.9.8p? If so, is there a planned .8q?

None that are publicly visible. You can check for yourself:

    http://cvs.openssl.org/timeline

No commits to the 0.9.8 branch after the release of 0.9.8p.

    http://cvs.openssl.org/chngview?cn=19996

The 1.0.0b issues are just the one reported in this thread:

    http://cvs.openssl.org/chngview?cn=20001

and a couple of platform variants where elimination of dead variables
left non-working code referencing the eliminated variables.

    http://cvs.openssl.org/chngview?cn=20008
    http://cvs.openssl.org/chngview?cn=20005

So far, it looks like the "20001" patch is sufficient for most platforms.

--
Viktor.
Re: OpenSSL 1.0.0b testssl fails
On Thu, Nov 18, 2010, William A. Rowe Jr. wrote:

> On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
> >
> > A 1.0.0c release is planned in the next few days. We're just seeing if any
> > other issues arise before the release: a couple have been fixed already.
>
> Have any observed issues affected 0.9.8p? If so, is there a planned .8q?

No, both the original SNAFU (the self test failure) and the other issues (all
platform compilation problems so far) affect OpenSSL 1.0.0b only.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL 1.0.0b testssl fails
On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
>
> A 1.0.0c release is planned in the next few days. We're just seeing if any
> other issues arise before the release: a couple have been fixed already.

Have any observed issues affected 0.9.8p? If so, is there a planned .8q?
Re: OpenSSL 1.0.0b testssl fails
On Thu, Nov 18, 2010, Brodie Thiesfield wrote:

> On Wed, Nov 17, 2010 at 9:38 AM, Victor Duchovni wrote:
> > On Tue, Nov 16, 2010 at 11:36:50PM +0100, Mounir IDRASSI wrote:
> >
> >> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
> >> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
> >>
> >> I don't see anything OS specific in the changes introduced in t1_lib.c or
> >> s3_srvr.c. Could it be a gcc bug?
> >
> > No, rather the tests on Windows are not as comprehensive as those
> > on Unix. There is no tls1 test.
>
> So does anyone know if this test failure and quick checkin fix mean
> that we should shelve the 1.0.0b release and we wait for a more fully
> tested 1.0.0c?
>

A 1.0.0c release is planned in the next few days. We're just seeing if any
other issues arise before the release: a couple have been fixed already.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL 1.0.0b testssl fails
On Wed, Nov 17, 2010 at 9:38 AM, Victor Duchovni wrote:
> On Tue, Nov 16, 2010 at 11:36:50PM +0100, Mounir IDRASSI wrote:
>
>> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
>> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
>>
>> I don't see anything OS specific in the changes introduced in t1_lib.c or
>> s3_srvr.c. Could it be a gcc bug?
>
> No, rather the tests on Windows are not as comprehensive as those
> on Unix. There is no tls1 test.

So does anyone know if this test failure and quick checkin fix mean
that we should shelve the 1.0.0b release and we wait for a more fully
tested 1.0.0c?

Regards,
Brodie
Re: OpenSSL 1.0.0b testssl fails
On Tue, Nov 16, 2010 at 11:36:50PM +0100, Mounir IDRASSI wrote:

> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
>
> I don't see anything OS specific in the changes introduced in t1_lib.c or
> s3_srvr.c. Could it be a gcc bug?

No, rather the tests on Windows are not as comprehensive as those
on Unix. There is no tls1 test.

--
Viktor.
Re: OpenSSL 1.0.0b testssl fails
On Tue, Nov 16, 2010, Mounir IDRASSI wrote:

> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
>
> I don't see anything OS specific in the changes introduced in t1_lib.c or
> s3_srvr.c. Could it be a gcc bug?
>

No, the Windows build uses different tests from a batch file which doesn't
include the failing test. If you manually run the same command line under
Windows it fails on that too.

Fix is this:

http://cvs.openssl.org/chngview?cn=19998

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL 1.0.0b testssl fails
Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.

I don't see anything OS specific in the changes introduced in t1_lib.c or
s3_srvr.c. Could it be a gcc bug?

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 11/16/2010 9:56 PM, Dr. Stephen Henson wrote:
> On Tue, Nov 16, 2010, Victor Duchovni wrote:
>
> > Anyone know why I am seeing the below errors:
> >
> > ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
> > Available compression methods:
> >   NONE
> > DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> > 10 handshakes of 256 bytes done
> > Approximate total server time: 0.00 s
> > Approximate total client time: 0.01 s
>
> Dang, I'm seeing that too now. Why didn't I see that when I tested it earlier
> today? I'll look into it.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL 1.0.0b testssl fails
On Tue, Nov 16, 2010, Victor Duchovni wrote:

> On Tue, Nov 16, 2010 at 03:48:13PM -0500, Victor Duchovni wrote:
>
> >
> > Anyone know why I am seeing the below errors:
> >
> > ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
> > Available compression methods:
> >   NONE
> > DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>
> Running under gdb with symbols seems to suggest the issue is with
> the ec
>
>     else if (type == TLSEXT_TYPE_ec_point_formats &&
>          s->version != DTLS1_VERSION)
>         {
>         unsigned char *sdata = data;
>         int ecpointformatlist_length = *(sdata++);
>
>         if (ecpointformatlist_length != size - 1)
>             {
>             *al = TLS1_AD_DECODE_ERROR;
>             return 0;
>             }
>         if (!s->hit)
>             {
>             if(s->session->tlsext_ecpointformatlist)
>                 {
> ---> fail here --->
>                 *al = TLS1_AD_DECODE_ERROR;
>                 return 0;
>                 }
>
> Is this related to the CVE fix to the session state? Some other change?
>

Yes the CVE fix broke it. It was assuming that the session fields would only
be set by extensions so if they were already set the extension (illegally)
occurred more than once: but in the case of EC point format list it can be
set elsewhere anyway.

This should fix it:

http://cvs.openssl.org/chngview?cn=19998

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
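Added example (not from the thread, and not the OpenSSL change at cn=19998): the failure mode described in the message above, in C. The parser flags a repeated ec_point_formats extension either by checking whether the session field is already set or by a flag local to the parse; struct session, parse_extensions, parse_preset and the sample bytes are constructed for illustration and are not OpenSSL names.

```c
#include <stddef.h>
#include <string.h>

#define EXT_EC_POINT_FORMATS 11  /* value of TLSEXT_TYPE_ec_point_formats */
#define PARSE_OK 0
#define DECODE_ERROR 50          /* TLS decode_error alert (TLS1_AD_DECODE_ERROR) */

struct session { unsigned char ecpf[8]; size_t ecpf_len; }; /* hypothetical stand-in */

/* Parse a ClientHello extensions block: repeated (type u16, size u16, data).
 * infer=1 treats "session field already set" as a duplicate (the assumption
 * described in the thread); infer=0 uses a flag that lives only for this parse. */
int parse_extensions(struct session *s, const unsigned char *p, size_t len, int infer)
{
    int seen_ecpf = 0;
    while (len > 0) {
        if (len < 4) return DECODE_ERROR;
        unsigned type = ((unsigned)p[0] << 8) | p[1];
        size_t size = ((size_t)p[2] << 8) | p[3];
        p += 4; len -= 4;
        if (size > len) return DECODE_ERROR;
        if (type == EXT_EC_POINT_FORMATS) {
            /* the 1-byte list length must cover the rest of the extension */
            if (size < 1 || (size_t)p[0] != size - 1) return DECODE_ERROR;
            if (p[0] > sizeof s->ecpf) return DECODE_ERROR;
            int dup = infer ? (s->ecpf_len != 0) : seen_ecpf;
            if (dup) return DECODE_ERROR;
            seen_ecpf = 1;
            s->ecpf_len = p[0];
            memcpy(s->ecpf, p + 1, p[0]);
        }
        p += size; len -= size;
    }
    return PARSE_OK;
}

/* Constructed inputs: one ec_point_formats extension, and the same one twice. */
const unsigned char ONE_EXT[] = { 0x00,0x0b, 0x00,0x02, 0x01,0x00 };
const unsigned char DUP_EXT[] = { 0x00,0x0b, 0x00,0x02, 0x01,0x00,
                                  0x00,0x0b, 0x00,0x02, 0x01,0x00 };

/* Parse into a session whose field was already populated elsewhere. */
int parse_preset(const unsigned char *p, size_t len, int infer)
{
    struct session s = { { 0x00 }, 1 };
    return parse_extensions(&s, p, len, infer);
}
```

With the field pre-populated, the field-based check rejects a hello that carries the extension exactly once, while the per-parse flag accepts it and still rejects the genuine repeat.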
Re: OpenSSL 1.0.0b testssl fails
On Tue, Nov 16, 2010 at 03:48:13PM -0500, Victor Duchovni wrote:

>
> Anyone know why I am seeing the below errors:
>
> ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
> Available compression methods:
>   NONE
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:

Running under gdb with symbols seems to suggest the issue is with
the ec

    else if (type == TLSEXT_TYPE_ec_point_formats &&
         s->version != DTLS1_VERSION)
        {
        unsigned char *sdata = data;
        int ecpointformatlist_length = *(sdata++);

        if (ecpointformatlist_length != size - 1)
            {
            *al = TLS1_AD_DECODE_ERROR;
            return 0;
            }
        if (!s->hit)
            {
            if(s->session->tlsext_ecpointformatlist)
                {
---> fail here --->
                *al = TLS1_AD_DECODE_ERROR;
                return 0;
                }

Is this related to the CVE fix to the session state? Some other change?

--
Viktor.
Re: OpenSSL 1.0.0b testssl fails
On Tue, Nov 16, 2010, Victor Duchovni wrote:

>
> Anyone know why I am seeing the below errors:
>
> ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
> Available compression methods:
>   NONE
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
> 10 handshakes of 256 bytes done
> Approximate total server time: 0.00 s
> Approximate total client time: 0.01 s
>

Dang, I'm seeing that too now. Why didn't I see that when I tested it earlier
today? I'll look into it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
OpenSSL 1.0.0b testssl fails
Anyone know why I am seeing the below errors:

../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
Available compression methods:
  NONE
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
10 handshakes of 256 bytes done
Approximate total server time: 0.00 s
Approximate total client time: 0.01 s

--
Viktor.