Re: [openssl.org #3106] [PATCH] Fix build with OPENSSL_NO_NEXTPROTONEG.

2013-08-07 Thread Adam Langley via RT
On Mon, Aug 5, 2013 at 7:50 PM, Piotr Sikora pi...@cloudflare.com wrote:
> While it cannot be enabled via ./config options, compiling OpenSSL
> with this define turned out to be extremely useful while adding ALPN
> support to 3rd-party software (i.e. to make sure that nothing in the
> added ALPN support relies on NPN code).
>
> Also, I wanted to make sure that SSL_select_next_proto() is not part
> of NPN and that it will be available going forward.

I need to backport ALPN to 1.0.2 at some point, but I'll wait until
this is in. (So, likely will be after my vacation.)

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #3107] Bug Report with Patch 1.0.1c/e (Typo in apps/ocsp.c line 1412)

2013-08-07 Thread Matthew J. Harmon via RT
Hello!

Issue: Typo in apps/ocsp.c line 1412
Issue detail: Error querying OCSP responsder (stray S in responder)
Issue found in: This typo was originally detected in 1.0.1c (also line 1412), but I checked the latest source to verify the bug still exists in 1.0.1e (line 1412)
Patch submitted? Yes, inline below. 
Patch tested? Yes
Patch fixes issue? Yes

Below is a diff fixing a typo in line 1412 of apps/ocsp.c

   1412 BIO_printf(bio_err, "Error querying OCSP responsder\n");

should be 

   1412 BIO_printf(bio_err, "Error querying OCSP responder\n");

diff ocsp.c ocsp-mjh.c 

1412c1412
   BIO_printf(bio_err, Error querying OCSP responsder\n);
---
   BIO_printf(bio_err, Error querying OCSP responder\n);
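Review bot: the single hunk (1412c1412) is in classic, non-unified diff format and the `<`/`>` change markers and the double quotes around the format string appear to have been lost in the mail body, so the patch as quoted cannot be applied with `patch` without hand-editing; resending it as `diff -u` output taken from the tree root (or as an attachment, as the other reports in this thread do) would let it be applied directly. The one-character change itself is correct and the grep below shows no other occurrence of the typo.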

This appears to be the only instance of the responsder typo:

mjh@Host ~/c/o/apps grep -R responsder *
ocsp.c: BIO_printf(bio_err, Error querying OCSP responsder\n);

Patch fixes the issue

Great work everyone, thanks for all the effort, I am glad to be able to 
contribute a quick patch to such an excellent project. 

Matthew.






Re: [openssl.org #3038] [PATCH]: Fix warning-level alert handling in 0.9.8

2013-08-07 Thread mancha
mancha1 at hush.com via RT rt at openssl.org writes:

>
> Hello.
>
> OpenSSL 0.9.8y does not properly handle warning level
> alerts in SSLv23 client method unlike OpenSSL 1.0.0+.
>
> For example, when OpenSSL 0.9.8 initiates a connection
> using TLS-SNI extensions in SSLv23 mode and the server
> replies to client hello with an unrecognized_name warning
> alert, the handshake terminates client-side.
>
> This issue has been reported by many clients linked against
> OpenSSL 0.9.8 (see footer links).
>
> When connecting to a server that sends warning-level alerts
> on hostname mismatch in TLS-SNI, e.g.:
>
>   $ openssl s_client -CApath /etc/ssl -connect \
>     $CorrectHostname:443 -servername $InvalidHostname \
>     -state < /dev/null 2>&1 | grep -E 'alert|error'
>
> Current 0.9.8y behavior (output):
>   SSL3 alert read:warning:unknown
>   SSL_connect:error in SSLv2/v3 read server hello A
>   7632:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112):s23_clnt.c:602:
>
> Desired behavior (output) [consistent with OpenSSL 1.0.1e]:
>   SSL3 alert read:warning:unrecognized name
>   SSL3 alert write:warning:close notify
>
> Patch applies cleanly to OpenSSL_0_9_8-stable (HEAD at a44c9b9c)
> and makes behavior consistent with OpenSSL 1.0.1e. Also, it
> adds support for new alerts (RFC 6066 and RFC 4279).
>
> Please consider its inclusion after appropriate code review.
>
> --mancha
>
> Note: A higher-level discussion is whether non-fatal
> unrecognized_name alerts should be sent at all. Per RFC 6066,
> if a server name is provided but not recognized, the server
> should either continue the handshake without an error or send
> a fatal error. Sending a warning-level message is not
> recommended because client behavior will be unpredictable.
>
> =
>
> [1] http://marc.info/?l=openssl-users&m=131736995412529&w=2
> [2] http://sourceforge.net/p/curl/bugs/1037/
> [3] https://bugs.php.net/bug.php?id=61276
> [4] https://github.com/joyent/node/issues/3033
>
> Attachment (0001-Fix-handling-of-warning-level-alerts-in-SSL23-client.patch):
> application/octet-stream, 11 KiB


Hello.

I never received a reply to this patch submission but wanted
to follow up because I am receiving update requests from affected
users (e.g. http://sourceforge.net/p/curl/bugs/1037/?page=3).

I imagine 0.9.8 is in feature-freeze however I believe this
qualifies as a bug-fix more than a feature-enhancement.

Would someone let me know if this code might eventually make its
way into 0.9.8 so I know how to respond to people requesting
status updates from me?

Thanks.

--mancha
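As an added illustration of the alert handling the report describes (example code, not part of the submitted patch or of OpenSSL itself): a stand-alone classifier for TLS alert records that lets a client continue on warning-level alerts and stop on fatal ones, carrying the RFC 6066 and RFC 4279 alert names the patch adds, plus the reason-offset arithmetic behind the `reason(1112)` in the 0.9.8 output above. The sample records are constructed; the offset constant mirrors OpenSSL's SSL_AD_REASON_OFFSET.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_CT_ALERT      21   /* TLS record content type: alert */
#define TLS_ALERT_WARNING 1
#define TLS_ALERT_FATAL   2
#define OPENSSL_AD_REASON_OFFSET 1000 /* SSL_AD_REASON_OFFSET in OpenSSL's ssl.h */
enum { ALERT_MALFORMED = -1, ALERT_CONTINUE = 0, ALERT_CLOSE = 1 };

/* Names for the alert descriptions this example covers:
 * a few RFC 5246 ones plus the RFC 6066 and RFC 4279 additions. */
const char *tls_alert_desc_name(uint8_t desc)
{
    switch (desc) {
    case 0:   return "close notify";
    case 40:  return "handshake failure";
    case 111: return "certificate unobtainable";        /* RFC 6066 */
    case 112: return "unrecognized name";               /* RFC 6066 */
    case 113: return "bad certificate status response"; /* RFC 6066 */
    case 114: return "bad certificate hash value";      /* RFC 6066 */
    case 115: return "unknown PSK identity";            /* RFC 4279 */
    default:  return "unknown";
    }
}

/* OpenSSL reports a received alert as reason SSL_AD_REASON_OFFSET + description,
 * so reason(1112) in the 0.9.8 output is unrecognized_name (112). */
int openssl_reason_to_alert_desc(int reason)
{
    int d = reason - OPENSSL_AD_REASON_OFFSET;
    return (d >= 0 && d <= 255) ? d : -1;
}

/* Parse one TLS alert record (type, version, length, level, description) and decide
 * what a client should do: warnings other than close_notify let the handshake
 * continue (the 1.0.1 behaviour requested above); fatal alerts and close_notify end it. */
int tls_alert_action(const uint8_t *rec, size_t len, uint8_t *level, uint8_t *desc)
{
    if (len < 7 || rec[0] != TLS_CT_ALERT) return ALERT_MALFORMED;
    size_t body = ((size_t)rec[3] << 8) | rec[4];   /* rec[1..2] is the version */
    if (body != 2) return ALERT_MALFORMED;           /* an alert body is exactly 2 bytes */
    *level = rec[5]; *desc = rec[6];
    if (*level == TLS_ALERT_FATAL || *desc == 0) return ALERT_CLOSE;
    if (*level == TLS_ALERT_WARNING) return ALERT_CONTINUE;
    return ALERT_MALFORMED;                          /* unknown alert level */
}

/* Constructed samples: a warning unrecognized_name and a fatal handshake_failure. */
const uint8_t SAMPLE_WARN_UNRECOGNIZED[] = {0x15, 0x03, 0x01, 0x00, 0x02, 0x01, 0x70};
const uint8_t SAMPLE_FATAL_HANDSHAKE[]   = {0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28};
```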


