Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/02/26 21:30:41 UTC
[Bug 65160] New: Custom OpenSSL BIO_ctrl methods return incorrect default value
https://bz.apache.org/bugzilla/show_bug.cgi?id=65160
Bug ID: 65160
Summary: Custom OpenSSL BIO_ctrl methods return incorrect default value
Product: Apache httpd-2
Version: 2.4.46
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: jhb@FreeBSD.org
Target Milestone: ---
Created attachment 37747
--> https://bz.apache.org/bugzilla/attachment.cgi?id=37747&action=edit
bio_ctrl_methods.patch
This is similar to the bug I reported for serf at
https://issues.apache.org/jira/browse/SERF-198. Specifically, the BIO_ctrl(3)
manual page documents that BIO control methods should return 0 for unknown
requests. Technically the custom BIO classes in mod_ssl look like filters
rather than source/sink BIOs at least in name, but functionally they need to
follow the same convention.
The specific breakage is that OpenSSL 3.0 introduces new control operations
related to kernel TLS offload that are used by libssl to determine if a BIO is
using kernel TLS offload. A non-zero return value from the BIO_ctrl method
for these operations is interpreted by libssl as meaning that the BIO is using
kernel TLS offload, and thus OpenSSL does not perform encryption/decryption or
append/strip trailers, assuming the kernel will do that instead. The current
control methods were returning non-zero values, meaning that OpenSSL would not
encrypt/decrypt TLS records. Note that OpenSSL 3.0 is still in beta, but
FreeBSD 14-current also includes a backported version of these patches in its
OpenSSL 1.1.1 in the base system, which is where this breakage was observed.
The attached patch changes the two BIO_ctrl methods in mod_ssl to return 0 for
unknown requests. It also clarifies that one of the control methods is now
used by OpenSSL.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
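The failure mode described in the report above, as an added self-contained model (not part of the original thread, and not mod_ssl or OpenSSL code): a control callback whose default reply is non-zero next to one that returns 0 for unknown requests, plus a regression check that probes unhandled request codes. All `demo_`/`DEMO_` names and the request-code values are constructed for this illustration.

```c
#include <stdio.h>

/* Constructed request codes for this model; not taken from OpenSSL headers. */
enum { DEMO_CTRL_FLUSH = 11, DEMO_KTLS_SEND = 73, DEMO_KTLS_RECV = 76 };
typedef long (*demo_ctrl_fn)(int cmd, long num, void *ptr);

/* "Before" shape: requests the callback does not recognise still return non-zero. */
static long demo_ctrl_before(int cmd, long num, void *ptr)
{
    long ret = 1;
    (void)num; (void)ptr;
    switch (cmd) {
    case DEMO_CTRL_FLUSH: break;   /* handled request: a flush would happen here */
    default:              break;   /* unknown request: ret is left at 1 */
    }
    return ret;
}

/* "After" shape: unknown requests return 0, the convention BIO_ctrl(3) documents. */
static long demo_ctrl_after(int cmd, long num, void *ptr)
{
    (void)num; (void)ptr;
    return cmd == DEMO_CTRL_FLUSH ? 1 : 0;
}

/* Caller model: a non-zero reply to an offload query means "kernel protects records". */
static int demo_userspace_skips_crypto(demo_ctrl_fn ctrl)
{
    return ctrl(DEMO_KTLS_SEND, 0, NULL) != 0 || ctrl(DEMO_KTLS_RECV, 0, NULL) != 0;
}

/* Regression check: count unhandled codes in [lo, hi] that get a non-zero reply. */
static int demo_count_bad(demo_ctrl_fn ctrl, const int *handled, size_t n, int lo, int hi)
{
    int bad = 0;
    for (int cmd = lo; cmd <= hi; cmd++) {
        int known = 0;
        for (size_t i = 0; i < n; i++) known |= (handled[i] == cmd);
        if (!known && ctrl(cmd, 0, NULL) != 0) bad++;
    }
    return bad;
}

int main(void)
{
    const int handled[] = { DEMO_CTRL_FLUSH };
    printf("before: skips=%d bad=%d\n", demo_userspace_skips_crypto(demo_ctrl_before), demo_count_bad(demo_ctrl_before, handled, 1, 1, 100));
    printf("after:  skips=%d bad=%d\n", demo_userspace_skips_crypto(demo_ctrl_after), demo_count_bad(demo_ctrl_after, handled, 1, 1, 100));
    return 0;
}
```

A probe like `demo_count_bad` can run in a unit test against any custom control callback, so a newly introduced request code fails closed rather than being answered as if it were supported.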
[Bug 65160] Custom OpenSSL BIO_ctrl methods return incorrect default value
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65160
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
The _out_ctrl part of that patch is a noop AFAICT since for unknown requests
the function will fall through the default switch statement:
https://github.com/apache/httpd/blob/2.4.x/modules/ssl/ssl_engine_io.c#L289
The _in_ctrl part was fixed in 2.4.x in r1895868 (for 2.4.52).
Feel free to re-open if I'm missing anything. Thanks for sending in the patch
& analysis.