Re: [openssl.org #2975] [BUG] Regression in Openssl 1.0.1d x86_64: Corrupted data stream

2013-02-08 Thread Kris Karas via RT 
Stephen Henson via RT wrote:
> Please see if commit 32cc247 fixes this:
>
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=32cc247

Confirmed!  "Works for me."  (But, see P.S., below.)

I re-confirmed the error was repeatably reproducible.
Applied the patch, and was no longer able to reproduce the error.
Reverse-applied the patch, and the error instantly returned.

The patch does indeed do the right thing in this case.
Thank you!

Kris

P.S.  Was supposed to work from home today due to potentially worst snow 
in Boston in 35 years.  But I could not reproduce the error in this 
report on my server at home, despite many recompiles of related things 
into the wee hours.  I'm perplexed as to what the difference could be.  
Same OS, same libraries, at least for Apache and related.  Work system 
is Core-i7 and home is Athlon-II.  Did a diff between the output of 
"Configure" of both systems and it is identical.  (Certificates?)  I'll 
try pushing the binary package at work to home and see if that makes any 
difference.  Ergo, by virtue of the difficulty in reproducing this bug, 
it might not affect as many people as I first thought.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2975] [BUG] Regression in Openssl 1.0.1d x86_64: Corrupted data stream

2013-02-06 Thread Kris Karas via RT 
A serious regression was introduced in 1.0.1d that corrupts the data 
stream under certain circumstances.

Firefox requests to an Apache server running on Linux/X86_64 with 
OpenSSL-1.0.1d result in "501 Server Error" responses.  OpenSSL versions 
1.0.1c and earlier are not affected.  i686 (32 bit) versions are also 
not affected.

An excerpt from the Apache log with 1.0.1c, showing correct behavior:

10.1.2.3 - - [05/Feb/2013:23:06:59 -0500] "GET / HTTP/1.1" 200 203 "-" 
"Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.3 - - [05/Feb/2013:23:30:39 -0500] "GET / HTTP/1.1" 304 - "-" 
"Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0"

An excerpt from the Apache log with 1.0.1d, clearly showing the invalid 
request:

10.1.2.3 - - [05/Feb/2013:22:47:02 -0500] "G\xedET / HTTP/1.1" 501 932 
"-" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0"
10.1.2.3 - - [05/Feb/2013:23:04:03 -0500] "Ghttp://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org