http://rt.openssl.org/Ticket/Display.html?id=2240&user=guest&pass=guest

This affects us; I noticed it when I had problems connecting with gajim to
a certain server using TLS. The patch below, lifted from openssl CVS, fixes
this.

On a different note, we still have openssl 1.0.0a when "OpenSSL 1.0.0e
is now available, including important bug and security fixes".
-- 
viq

Index: src/ssl/t1_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/t1_lib.c,v
retrieving revision 1.8
diff -u -d -r1.8 t1_lib.c
--- src/ssl/t1_lib.c    10 Feb 2011 22:40:27 -0000      1.8
+++ src/ssl/t1_lib.c    17 Sep 2011 20:57:50 -0000
@@ -1453,23 +1453,20 @@
        int al = SSL_AD_UNRECOGNIZED_NAME;
 
 #ifndef OPENSSL_NO_EC
-       /* If we are client and using an elliptic curve cryptography cipher 
suite, then server
-        * must return a an EC point formats lists containing uncompressed.
+       /* If we are client and using an elliptic curve cryptography cipher
+        * suite, then if server returns an EC point formats lists extension
+        * it must contain uncompressed.
         */
        unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
        if ((s->tlsext_ecpointformatlist != NULL) && 
(s->tlsext_ecpointformatlist_length > 0) && 
+           (s->session->tlsext_ecpointformatlist != NULL) && 
(s->session->tlsext_ecpointformatlist_length > 0) && 
            ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & 
SSL_aECDSA)))
                {
                /* we are using an ECC cipher */
                size_t i;
                unsigned char *list;
                int found_uncompressed = 0;
-               if ((s->session->tlsext_ecpointformatlist == NULL) || 
(s->session->tlsext_ecpointformatlist_length == 0))
-                       {
-                       
SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
-                       return -1;
-                       }
                list = s->session->tlsext_ecpointformatlist;
                for (i = 0; i < s->session->tlsext_ecpointformatlist_length; 
i++)
                        {
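Review bot: The added guard clause `(s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0)` makes the whole uncompressed-format check silently skip when the server sent no point-format list, and nothing in the hunk records why that is now acceptable where the removed lines raised SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST. Extending the rewritten comment with `* A server that omits the extension is taken to support only uncompressed points, so only a list that is actually present is validated.` would make the intent explicit at the point the condition is read; my reading is that RFC 4492 permits the omission, which is worth confirming in the commit message too. As quoted in the mail the patch is soft-wrapped (the multi-clause if condition, the SSLerr call and the for header are each split across two lines), so it will not apply cleanly and should be taken from the OpenSSL CVS revision the message cites. The enclosing function, presumably the one SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT refers to, starts and ends outside the hunk, as does the loop body that sets found_uncompressed.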
