On Thu, Jun 25, 2009 at 06:05:08PM +0200, Stephen Henson via RT wrote:
> > [[email protected] - Tue Jun 23 11:06:26 2009]:
> > The bug report over on the apache tracker:
> >
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=46952
> >
> > has been updated - there is a utility to generate a set of CA
> > certificates, which should allow one to reproduce the problem and more
> > information about when the failure has been seen.
> >
> > I also sent an analysis of the sequence of events leading up to the
> > problem; and a "trial" fix - meaning that I see that it does fix the
> > problem but I'd like the community's opinion on the approach. Could
> > some of the openssl developers follow the link and consider the
> > analysis and possibly the change?
>
> I agree with the analysis.

Do you also agree with David's proposal to change the calls to
BIO_ctrl(, BIO_CTRL_INFO, ) into BIO_wpending() in ssl/*.c? It seems to
make sense to me.

> An alternative normally would be to try and flush any pending data in
> the BIO state machine on subsequent I/O calls (i.e. including a
> subsequent read) but since there can be separate read and write bios
> in OpenSSL that's not guaranteed to work.

This is a good point. We already do this conditionally, in fact.
David, could you try this mod_ssl patch as an alternative solution,
which doesn't necessitate fixes to OpenSSL?

Index: ssl_engine_io.c
===================================================================
--- ssl_engine_io.c (revision 787722)
+++ ssl_engine_io.c (working copy)
@@ -481,7 +481,7 @@
* OpenSSL calls BIO_flush() at the appropriate times for
* the other protocols.
*/
- if ((SSL_version(inctx->ssl) == SSL2_VERSION) || sslconn->is_proxy) {
+ if (1 || (SSL_version(inctx->ssl) == SSL2_VERSION) || sslconn->is_proxy) {
if (bio_filter_out_flush(inctx->bio_out) < 0) {
bio_filter_out_ctx_t *outctx =
(bio_filter_out_ctx_t *)(inctx->bio_out->ptr);
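
Review bot: the "1 ||" prepended to the changed condition makes the test always true, so the SSL_version(inctx->ssl) == SSL2_VERSION and sslconn->is_proxy checks become dead code, and the comment above the condition still says OpenSSL calls BIO_flush() at the appropriate times for the other protocols, which this change no longer relies on. That is reasonable for a trial patch, but a version meant for commit should remove the if condition altogether so that bio_filter_out_flush(inctx->bio_out) is plainly unconditional, and the comment should be rewritten to say why pending output has to be flushed before the read for every protocol version, not only SSLv2 and proxy connections.
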
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]