[ https://issues.apache.org/jira/browse/SERF-198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281273#comment-17281273 ]
John Baldwin commented on SERF-198:
-----------------------------------

I mostly care about getting a fix upstream. Currently we are using the supplied patch locally in FreeBSD's ports tree and in a private libserf we use for the bundled subversion client in FreeBSD. For the ports tree FreeBSD will just use your new 1.4.x release once it is released. For the private libserf in FreeBSD's base system, we would probably either keep the current patch or adopt the official serf patch. Since FreeBSD has moved from svn to git, FreeBSD is likely to remove the private libserf in the future and it is not likely to be updated from its current 1.3.x release.

> OpenSSL BIO control method incorrectly handles unknown requests
> ---------------------------------------------------------------
>
>                 Key: SERF-198
>                 URL: https://issues.apache.org/jira/browse/SERF-198
>             Project: serf
>          Issue Type: Bug
>   Affects Versions: serf-1.3.9, serf-trunk
>         Environment: FreeBSD 14 with KTLS-enabled OpenSSL and the base system
> svnlite using a bundled serf. Has also been observed with subversion + serf
> built from FreeBSD ports.
>            Reporter: John Baldwin
>            Priority: Major
>         Attachments: serf.patch
>
>
> According to the BIO_ctrl(3) manpage from OpenSSL, control methods in custom
> BIO classes should return 0 for unknown control requests:
> {quote}Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl()
> operation.
> {quote}
> ssl_buckets.c includes two custom BIO classes, both of which are sink BIOs,
> but the custom control method returns 1 instead of 0 for unknown operations.
> This causes breakage with newer versions of OpenSSL. In particular, in
> OpenSSL versions supporting KTLS, this causes OpenSSL to believe that the
> custom BIOs support KTLS and thus handle TLS header insertion and
> encryption/decryption in the BIO layer, breaking the use of HTTPS. This was
> observed in FreeBSD when FreeBSD integrated KTLS support into OpenSSL:
> [253135|https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135]
> The patch below changes the default value of the control methods to 0, which
> fixes the KTLS case.
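
The failure mode described in the issue, reduced to a self-contained C model (an added example, not serf's code and not the attached serf.patch). The request codes, function names and the set of handled requests are constructed for illustration and are not OpenSSL's values; the model contrasts a control method whose result defaults to 1 with one that defaults to 0, and includes a regression check for unknown requests.

```c
#include <stdio.h>

/* Constructed request codes for this model; not OpenSSL's numeric values. */
enum { REQ_FLUSH = 1, REQ_PUSH = 2, REQ_QUERY_KTLS_SEND = 3, REQ_MAX = 64 };
typedef long (*ctrl_fn)(int cmd);

/* Reported behaviour: the result starts at 1, so unknown requests return 1. */
static long sink_ctrl_default_one(int cmd)
{
    long ret = 1;
    switch (cmd) {
    case REQ_FLUSH: break;          /* handled, reports success */
    case REQ_PUSH:  ret = 0; break; /* handled, declined */
    default:        break;          /* unknown, still answers 1 */
    }
    return ret;
}

/* Fixed behaviour: the result starts at 0, as BIO_ctrl(3) asks of sink BIOs. */
static long sink_ctrl_default_zero(int cmd)
{
    long ret = 0;
    switch (cmd) {
    case REQ_FLUSH: ret = 1; break; /* handled, reports success */
    default:        break;          /* declined or unknown: 0 */
    }
    return ret;
}

/* Stand-in for the TLS layer: a nonzero answer to the capability query means
 * the layer below does record framing and encryption, so it stops doing so. */
static int tls_layer_encrypts_itself(ctrl_fn sink)
{
    return sink(REQ_QUERY_KTLS_SEND) == 0;
}

/* Regression check: count requests the sink does not implement but still
 * answers with a nonzero value. */
static int unknown_requests_claimed(ctrl_fn sink)
{
    int cmd, claimed = 0;
    for (cmd = 1; cmd <= REQ_MAX; cmd++)
        if (cmd != REQ_FLUSH && cmd != REQ_PUSH && sink(cmd) != 0)
            claimed++;
    return claimed;
}

int main(void)
{
    printf("default 1: encrypts=%d claimed=%d\n", tls_layer_encrypts_itself(sink_ctrl_default_one), unknown_requests_claimed(sink_ctrl_default_one));
    printf("default 0: encrypts=%d claimed=%d\n", tls_layer_encrypts_itself(sink_ctrl_default_zero), unknown_requests_claimed(sink_ctrl_default_zero));
}
```

With the default of 1 the model's TLS layer concludes that the sink protects the records and stops encrypting; with the default of 0 no unknown request is claimed.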