../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
Available compression methods:
NONE
DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
ERROR in SERVER
182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
10 handshakes of 256 bytes done
Approximate total server time: 0.00 s
Approximate total client time: 0.01 s
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Dang, I'm seeing that too now. Why didn't I see that when I tested it
earlier today?
I'll look into it.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
>
> Anyone know why I am seeing the below errors:
>
> ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
> Available compression methods:
> NONE
> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
> ERROR in SERVER
> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
Running under gdb with symbols seems to the suggest the issue is with
the ec
else if (type == TLSEXT_TYPE_ec_point_formats &&
s->version != DTLS1_VERSION)
{
unsigned char *sdata = data;
int ecpointformatlist_length = *(sdata++);
if (ecpointformatlist_length != size - 1)
{
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
if (!s->hit)
{
if(s->session->tlsext_ecpointformatlist)
{
---> fail here --->
*al = TLS1_AD_DECODE_ERROR;
return 0;
}
Is this related to the CVE fix to the session state? Some other change?
--
Viktor.
> On Tue, Nov 16, 2010 at 03:48:13PM -0500, Victor Duchovni wrote:
>
> >
> > Anyone know why I am seeing the below errors:
> >
> > ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
> > Available compression methods:
> > NONE
> > DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>
> Running under gdb with symbols seems to the suggest the issue is with
> the ec
>
> else if (type == TLSEXT_TYPE_ec_point_formats &&
> s->version != DTLS1_VERSION)
> {
> unsigned char *sdata = data;
> int ecpointformatlist_length = *(sdata++);
>
> if (ecpointformatlist_length != size - 1)
> {
> *al = TLS1_AD_DECODE_ERROR;
> return 0;
> }
> if (!s->hit)
> {
> if(s->session->tlsext_ecpointformatlist)
> {
> ---> fail here --->
> *al = TLS1_AD_DECODE_ERROR;
> return 0;
> }
>
> Is this related to the CVE fix to the session state? Some other change?
>
Yes the CVE fix broke it. It was assuming that the session fields would only
be set by extensions so if they were already set the extension (illegally)
occurred more than once: but in the case of EC point format list it can be
set elsewhere anyway.
This should fix it:
http://cvs.openssl.org/chngview?cn=19998
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
I don't see anything OS specific in the changes introduced in t1_lib.c
or s3_srvr.c. Could it be a gcc bug?
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 11/16/2010 9:56 PM, Dr. Stephen Henson wrote:
> On Tue, Nov 16, 2010, Victor Duchovni wrote:
>
>> Anyone know why I am seeing the below errors:
>>
>> ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time
>> Available compression methods:
>> NONE
>> DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> ERROR in SERVER
>> 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext:s3_srvr.c:1043:
>> 10 handshakes of 256 bytes done
>> Approximate total server time: 0.00 s
>> Approximate total client time: 0.01 s
>>
> Dang, I'm seeing that too now. Why didn't I see that when I tested it
> earlier today?
>
> I'll look into it.
>
> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
>
> I don't see anything OS specific in the changes introduced in t1_lib.c or
> s3_srvr.c. Could it be a gcc bug?
>
No, the Windows build uses different tests from a batch file which doesn't
include the failing test. If you manually run the same command line under
Windows it fails on that too.
Fix is this:
http://cvs.openssl.org/chngview?cn=19998
> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
>
> I don't see anything OS specific in the changes introduced in t1_lib.c or
> s3_srvr.c. Could it be a gcc bug?
No, rather the tests on Windows are not as comprehensive as those
on Unix. There is no tls1 test.
--
Viktor.
So does anyone know if this test failure and quick checkin fix mean
that we should shelve the 1.0.0b release and we wait for a more fully
tested 1.0.0c?
Regards,
Brodie
> On Wed, Nov 17, 2010 at 9:38 AM, Victor Duchovni
> <Victor....@morganstanley.com> wrote:
> > On Tue, Nov 16, 2010 at 11:36:50PM +0100, Mounir IDRASSI wrote:
> >
> >> Under Windows (32bit and 64bit) with VC++ 2008, all tests are OK. But under
> >> Ubuntu 8.04 LTS with gcc 4.2.4, I have the same error.
> >>
> >> I don't see anything OS specific in the changes introduced in t1_lib.c or
> >> s3_srvr.c. Could it be a gcc bug?
> >
> > No, rather the tests on Windows are not as comprehensive as those
> > on Unix. There is no tls1 test.
>
> So does anyone know if this test failure and quick checkin fix mean
> that we should shelve the 1.0.0b release and we wait for a more fully
> tested 1.0.0c?
>
A 1.0.0c release is planned in the next few days. We're just seeing if any
other issues arise before the release: a couple have been fixed already.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Have any observed issues affected 0.9.8p? If so, is there a planned .8q?
> On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
> >
> > A 1.0.0c release is planned in the next few days. We're just seeing if any
> > other issues arise before the release: a couple have been fixed already.
>
> Have any observed issues affected 0.9.8p? If so, is there a planned .8q?
No, both the original SNAFU (the self test failure) and the other issues
(all platform compilation problems so far) affect OpenSSL 1.0.0b only.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
> On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote:
> >
> > A 1.0.0c release is planned in the next few days. We're just seeing if any
> > other issues arise before the release: a couple have been fixed already.
>
> Have any observed issues affected 0.9.8p? If so, is there a planned .8q?
None that are publically visible. You can check for yourself:
http://cvs.openssl.org/timeline
No commits to the 0.9.8 branch after the release of 0.9.8p.
http://cvs.openssl.org/chngview?cn=19996
The 1.0.0b issues are just the one reported in this thread:
http://cvs.openssl.org/chngview?cn=20001
and a couple of platform variants where elimination of dead variables
left non-working code referencing the eliminated variables.
http://cvs.openssl.org/chngview?cn=20008
http://cvs.openssl.org/chngview?cn=20005
So far, it looks like the "20001" patch is sufficient for most
platforms.
--
Viktor.
I was aware of this. It's why I raised the question, if any of these were
slated for backport, but simply not applied yet. The answer is no, so that
resolves my questions.