On Mon, Feb 01, 2016 at 08:10:13PM +0100, Salvatore Bonaccorso wrote:
> Hi Kurt,
> 
> On Mon, Feb 01, 2016 at 06:44:32PM +0100, Kurt Roeckx wrote:
> > On Mon, Feb 01, 2016 at 04:16:52PM +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Jan 31, 2016 at 08:34:44PM +0100, Kurt Roeckx wrote:
> > > > On Sat, Jan 30, 2016 at 10:51:06PM +0100, Salvatore Bonaccorso wrote:
> > > > > 
> > > > > FTR, Upstream has released a new version (I have imported in our git
> > > > > repo already):
> > > > > 
> > > > > 2.023 2016/01/30
> > > > > - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS connection
> > > > >   was not fully established (commit: f73c737c7ac908c5d6407c419769123392a3b0a9).
> > > > >   This somehow resulted in Net::SSLeay::shutdown returning 0 (i.e. keep trying)
> > > > >   which caused an endless loop. It will now ignore this result in case the TLS
> > > > >   connection was not yet established and consider the TLS connection closed
> > > > >   instead.
> > > > > 
> > > > > But this does not seem to fully resolve the issue yet. When I try to
> > > > > build, the testsuite still gets stuck.
> > > > 
> > > > So as I understand it, the problem is that the client just sends
> > > > crap, the server tells the client it sends crap, but then waits
> > > > for the client to properly terminate the question which it never
> > > > does?
> > > > 
> > > > It's at least not behaviour I can reproduce using s_server, the
> > > > server actually closes the connection for me.
> > > 
> > > JFTR, the additional problem is unrelated to the OpenSSL change. I
> > > (and as well Gregor) was able to reproduce it in the pbuilder setup
> > > when using the default USENETWORK=no (but not if switching to
> > > USENETWORK=yes). So #813189 on its own can be considered resolved.
> > 
> > I'd like to understand what change was needed in
> > libio-socket-ssl-perl. Can you point me to it?
> > 
> > I'm wondering if we should change something on the OpenSSL side or
> > not.
> 
> Ack. Here is the change which was applied to IO::Socket::SSL to
> work around the changes in OpenSSL:
> 
> https://github.com/noxxi/p5-io-socket-ssl/commit/6e23ee4a433f83f1065bd2467255eba5ee9b1ddd
So upstream openssl made this change:

commit 64f9f40696f993406e53c16d7c9d815004afd8ad
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Feb 2 10:05:43 2016 +0000

    Handle SSL_shutdown while in init more appropriately #2

    Previous commit 7bb196a71 attempted to "fix" a problem with the way
    SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
    SSL_shutdown() return immediately having taken no action if called
    mid-handshake with a return value of 1 (meaning everything was shutdown
    successfully). In fact the shutdown has not been successful.

    Commit 7bb196a71 changed that to send a close_notify anyway and then
    return. This seems to be causing some problems for some applications so
    perhaps a better (much simpler) approach is to revert to the previous
    behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
    was not successful).

    This also fixes a bug where SSL_shutdown always returns 0 when shutdown
    *very* early in the handshake (i.e. we are still using SSLv23_method).

This seems to fix the issue.

Kurt
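The behaviour the commit message describes, reproduced offline as an added example (editorial, not code from the thread, from IO::Socket::SSL or from OpenSSL). It uses Python's ssl module, which calls SSL_shutdown() from SSLObject.unwrap(), and assumes an OpenSSL that carries commit 64f9f40 (1.0.2g or later, 1.1.x, 3.x), on which a shutdown attempted before the handshake has completed returns -1 with the reason SHUTDOWN_WHILE_IN_INIT. Both scenarios are the ones discussed above: a server whose client sent junk instead of a ClientHello, and a client whose server never answered. The junk bytes are constructed for the example; the function and variable names are the example's own.

```python
import ssl

# Constructed input: what a non-TLS client might blurt at a TLS server port.
# OpenSSL's record layer rejects it at the very first record, so the server's
# handshake fails before any TLS session exists.
GARBAGE_FROM_CLIENT = b"GET / HTTP/1.0\r\n\r\n"


def shutdown_outcome(sslobj):
    """Call SSL_shutdown() (via SSLObject.unwrap()) and classify the result.

    The classification is what an application shutdown loop must act on:
      'closed'            close_notify exchange completed (SSL_shutdown returned 1)
      'want_read'         our close_notify went out, the peer's has not arrived;
                          retry only after more data is readable, never in a tight loop
      'never_established' OpenSSL refused (SSL_shutdown returned -1 with
                          SHUTDOWN_WHILE_IN_INIT): the handshake never finished, so
                          treat the connection as closed and stop retrying
      'error:<reason>'    any other failure
    """
    try:
        sslobj.unwrap()
    except ssl.SSLWantReadError:
        return "want_read"
    except ssl.SSLError as exc:
        if exc.reason == "SHUTDOWN_WHILE_IN_INIT" or "shutdown while in init" in str(exc).lower():
            return "never_established"
        return "error:%s" % exc.reason
    return "closed"


def server_facing_garbage_client():
    """Server side of the scenario in the thread: the client sends junk, the
    handshake fails, and the server then tries to shut the TLS session down."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no certificate needed: we never get past the first record
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = ctx.wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(GARBAGE_FROM_CLIENT)
    try:
        server.do_handshake()
        handshake = "completed"
    except ssl.SSLWantReadError:
        handshake = "want_read"
    except ssl.SSLError as exc:
        handshake = "failed:%s" % exc.reason
    return handshake, shutdown_outcome(server)


def client_with_silent_server():
    """Client side: the ClientHello is written, nothing ever comes back, and the
    application gives up and shuts down mid-handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # no peer to verify in this offline example
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        client.do_handshake()
        handshake = "completed"
    except ssl.SSLWantReadError:
        handshake = "want_read"  # ClientHello sits in `outgoing`, waiting for a ServerHello
    except ssl.SSLError as exc:
        handshake = "failed:%s" % exc.reason
    sent_client_hello = len(outgoing.read()) > 0
    return handshake, sent_client_hello, shutdown_outcome(client)


if __name__ == "__main__":
    print("server, junk from client:", server_facing_garbage_client())
    print("client, silent server   :", client_with_silent_server())
```

In both cases the shutdown ends in "never_established" rather than something a caller could sensibly retry, which is the point of returning -1 instead of 0 or 1: a loop that keeps calling the shutdown while the return value says "not done yet" has to recognise this result as final and consider the connection closed, which is exactly what the IO::Socket::SSL change above does. CPython's unwrap() itself already caps the "returned 0, try again" path at two attempts, so the tight loop cannot come from that layer; the decision that matters is how the caller classifies the -1.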