https://bz.apache.org/bugzilla/show_bug.cgi?id=65160
Bug ID: 65160
Summary: Custom OpenSSL BIO_ctrl methods return incorrect default value
Product: Apache httpd-2
Version: 2.4.46
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 37747
--> https://bz.apache.org/bugzilla/attachment.cgi?id=37747&action=edit
bio_ctrl_methods.patch
This is similar to the bug I reported for serf at
https://issues.apache.org/jira/browse/SERF-198. Specifically, the BIO_ctrl(3)
manual page documents that BIO control methods should return 0 for unknown
requests. Technically the custom BIO classes in mod_ssl look like filters
rather than source/sink BIOs at least in name, but functionally they need to
follow the same convention.
The specific breakage is that OpenSSL 3.0 introduces new control operations
related to kernel TLS offload that are used by libssl to determine if a BIO is
using kernel TLS offload. A non-zero return value from the BIO_ctrl method
for these operations is interpreted by libssl as meaning that the BIO is using
kernel TLS offload, and thus OpenSSL does not perform encryption/decryption or
append/strip trailers assuming the kernel will do that instead. The current
control methods were returning non-zero values meaning that OpenSSL would not
encrypt/decrypt TLS records. Note that OpenSSL 3.0 is still in beta, but
FreeBSD 14-current also includes a backported version of these patches in its
OpenSSL 1.1.1 in the base system which is where this breakage was observed.
The attached patch changes the two BIO_ctrl methods in mod_ssl to return 0 for
unknown requests. It also clarifies that one of the control methods is now
used by OpenSSL.
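The failure mode described in the report, shown as an added example that is not mod_ssl's or OpenSSL's code. It is a self-contained C model: the command numbers, `toy_protect`, `writes_plaintext` and `violates_convention` are hypothetical stand-ins for the kTLS query, record protection, the libssl caller and a regression check.

```c
#include <stddef.h>
#include <string.h>

/* Constructed command numbers for this model; not OpenSSL's real values. */
enum { CTRL_FLUSH = 1, CTRL_QUERY_KTLS_SEND = 2, CTRL_UNASSIGNED = 9999 };

typedef long (*ctrl_fn)(int cmd);

/* Before: unknown requests fall through with a non-zero default. */
static long ctrl_nonzero_default(int cmd) {
    long ret = 1;
    switch (cmd) {
    case CTRL_FLUSH: ret = 1; break;  /* request the BIO really handles */
    default: break;                   /* unknown request: ret stays 1 */
    }
    return ret;
}

/* After: unknown requests return 0, the convention BIO_ctrl(3) documents. */
static long ctrl_zero_default(int cmd) {
    switch (cmd) {
    case CTRL_FLUSH: return 1;
    default: return 0;
    }
}

/* Stand-in for record protection: XOR so the transform is observable. */
static void toy_protect(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= 0x5a;
}

/* Model of the caller: a non-zero answer to the offload query is read as
 * "the kernel will encrypt", so userspace protection is skipped.
 * Returns 1 if the bytes handed to the BIO are still plaintext. */
static int writes_plaintext(ctrl_fn ctrl, const char *msg) {
    unsigned char out[64];
    size_t n = strlen(msg);
    if (n > sizeof(out)) n = sizeof(out);
    memcpy(out, msg, n);
    if (ctrl(CTRL_QUERY_KTLS_SEND) == 0)
        toy_protect(out, n);
    return memcmp(out, msg, n) == 0;
}

/* Regression check: a ctrl method must answer 0 to a command it cannot know. */
static int violates_convention(ctrl_fn ctrl) {
    return ctrl(CTRL_UNASSIGNED) != 0;
}
```

A check like `violates_convention` belongs in the test suite of any code that registers its own BIO method, since new control commands can appear in later library versions.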