CVSROOT: /cvs
Module name: src
Changes by: js...@cvs.openbsd.org 2020/05/23 06:14:52
Modified files:
lib/libssl : ssl_lib.c
Log message:
Enable SSL_MODE_AUTO_RETRY by default.
In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.
However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.
Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.
Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.
ok beck@ inoguchi@ tb@
