>From ticket 2720, it seems the official position is that "no-tlsext" is NOT
>supported. However, for those who still try to use it, the recent fixes for
>CVE-2015-1791 seem to have introduced more problems for the 0.9.8 code base
>(and maybe others - not sure).
This report can be added to RT#
SSL_CTX_set_msg_callback.pod lists the first parameter to the
SSL_set_msg_callback[_arg] functions as type "SSL_CTX *" when they are, in
fact, "SSL *".
Geoff
-
Geoff Lowe
Principal Engineer
McAfee, Inc.
OpenSSL Project
These patches primarily move around a few #ifdefs so that 1.0.1e will compile
when the "no-tlsext" option is specified.
Note that when "no-tlsext" is specified, "no-srtp" is forced now too in
addition to "no-srp" and "no-heartbeats".
I'm not 100% confident in these changes, so I'd appreciate so
Don't send SCSV if TLS extensions are disabled. Applies to 1.0.1e also.
Also see Ticket #2788. (I did not investigate item #2 in that Ticket though.)
system:lowe/FIXED/openssl-0.9.8y/ssl 28% diff -p ~/working/openssl-0.9.8y/ssl/ssl_lib.c ./ssl_lib.c
*** /home/lowe/working/openssl-0.9.8y/ssl/s
On 0.9.8 branch:
ssl/t1_enc.c
tls1_mac() approximately line 771:
#ifdef OPENSSL_FIPS
    if (!send && FIPS_mode())
        tls_fips_digest_extra(
            ssl->enc_read_ctx,
            hash,