Re: [openssl-dev] OpenSSL version 1.0.2n published

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-dev] OpenSSL version 1.0.2n published

Viktor Dukhovni


> On Dec 7, 2017, at 8:55 AM, OpenSSL <[hidden email]> wrote:
>
>   OpenSSL - The Open Source toolkit for SSL/TLS
>   https://www.openssl.org/
>
>   The OpenSSL project team is pleased to announce the release of
>   version 1.0.2n of our open source toolkit for SSL/TLS. For details
>   of changes and known issues see the release notes at:
>
>        https://www.openssl.org/news/openssl-1.0.2-notes.html

It is perhaps useful to expand on one sentence in the CHANGE log:

 Changes between 1.0.2m and 1.0.2n [7 Dec 2017]

  *) Read/write after SSL object in error state

     OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
     mechanism. The intent was that if a fatal error occurred during a handshake
     then OpenSSL would move into the error state and would immediately fail if
     you attempted to continue the handshake. This works as designed for the
     explicit handshake functions (SSL_do_handshake(), SSL_accept() and
     SSL_connect()), however due to a bug it does not work correctly if
     SSL_read() or SSL_write() is called directly. ...

What "directly" means at the end of the quoted text is "directly, without
first performing an explicit handshake".  In that case the handshake is
an implicit side-effect of the first read or write call, and it was in
that case that the "error state" mechanism did not behave as intended.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users