You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@serf.apache.org by "Evgeny Kotkov (Jira)" <ji...@apache.org> on 2023/05/25 09:44:00 UTC

[jira] [Comment Edited] (SERF-198) OpenSSL BIO control method incorrectly handles unknown requests

    [ https://issues.apache.org/jira/browse/SERF-198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17559659#comment-17559659 ] 

Evgeny Kotkov edited comment on SERF-198 at 5/25/23 9:43 AM:
-------------------------------------------------------------

On trunk, this issue has been fixed in [r1902304|https://svn.apache.org/r1902304]. This change was backported to the 1.3.x branch as a part of the r1902208 group.


was (Author: kotkov):
For serf trunk, an updated and slightly extended patch was committed in https://svn.apache.org/r1902304

> OpenSSL BIO control method incorrectly handles unknown requests
> ---------------------------------------------------------------
>
>                 Key: SERF-198
>                 URL: https://issues.apache.org/jira/browse/SERF-198
>             Project: serf
>          Issue Type: Bug
>    Affects Versions: serf-1.3.9, serf-trunk
>         Environment: FreeBSD 14 with KTLS enabled-OpenSSL and the base system svnlite using a bundled serf.  Has also been observed with subversion + serf built from FreeBSD ports.
>            Reporter: John Baldwin
>            Priority: Major
>         Attachments: serf.patch
>
>
> According to the BIO_ctrl(3) manpage from OpenSSL, control methods in custom BIO classes should return 0 for unknown control requests:
> {quote}Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl() operation.
> {quote}
> ssl_buckets.c includes two custom BIO classes both of which are sink BIOs, but the custom control method returns 1 instead of 0 for unknown operations.  This causes breakage with newer version of OpenSSL.  In particular, in OpenSSL versions supporting KTLS, this causes OpenSSL to believe that the custom BIOs support KTLS and thus handle TLS header insertion and encryption/decryption in the BIO layer breaking the use of HTTPS.  This was observed in FreeBSD when FreeBSD integrated KTLS support into OpenSSL:
> [253135|https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135]
> The patch below changes the default value of the control methods to 0 which fixes the KTLS case.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)