[Pkg-openssl-devel] Bug#813189: Bug#813189: libio-socket-ssl-perl: FTBFS with current libssl1.0.2: t/startssl-failed.t hangs
Kurt Roeckx
kurt at roeckx.be
Sat Feb 20 11:00:49 UTC 2016
On Mon, Feb 01, 2016 at 08:10:13PM +0100, Salvatore Bonaccorso wrote:
> Hi Kurt,
>
> On Mon, Feb 01, 2016 at 06:44:32PM +0100, Kurt Roeckx wrote:
> > On Mon, Feb 01, 2016 at 04:16:52PM +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Jan 31, 2016 at 08:34:44PM +0100, Kurt Roeckx wrote:
> > > > On Sat, Jan 30, 2016 at 10:51:06PM +0100, Salvatore Bonaccorso wrote:
> > > > >
> > > > > FTR, Upstream has released a new version (I have imported in our git
> > > > > repo already):
> > > > >
> > > > > 2.023 2016/01/30
> > > > > - OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS connection
> > > > > was not fully established (commit: f73c737c7ac908c5d6407c419769123392a3b0a9).
> > > > > This somehow resulted in Net::SSLeay::shutdown returning 0 (i.e. keep trying)
> > > > > which caused an endless loop. It will now ignore this result in case the TLS
> > > > > connection was not yet established and consider the TLS connection closed
> > > > > instead.
> > > > >
> > > > > But this does not seem to fully resolve the issue yet. When I try to
> > > > > build the testsuite still get stuck.
> > > >
> > > > So as I understand it, the problem is that the client just sends
> > > > crap, the server tells the client it sends crap, but then waits
> > > > for the client to properly terminate the question which it never
> > > > does?
> > > >
> > > > It's at least not behaviour I can reproducing using s_server, the
> > > > server actually closes the connection for me.
> > >
> > > JFTR, the additional problem is unrelated to the OpenSSL change. I
> > > (and as well Gregor) was able to reproduce it in the pbuilder setup
> > > when using the default USENETWORK=no (but not if switching to
> > > USENETWORK=yes). So #813189 on its own can be considered resolved.
> >
> > I'd like to understand what change was needed in
> > libio-socket-ssl-perl. Can you point me to it?
> >
> > I'm wondering if we should change something on the OpenSSL side or
> > not.
>
> Ack. Here is the change which was applied to IO::Socket::SSL to
> workaround the changes in OpenSSL:
>
> https://github.com/noxxi/p5-io-socket-ssl/commit/6e23ee4a433f83f1065bd2467255eba5ee9b1ddd
So upstream openss made this change:
commit 64f9f40696f993406e53c16d7c9d815004afd8ad
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 2 10:05:43 2016 +0000
Handle SSL_shutdown while in init more appropriately #2
Previous commit 7bb196a71 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.
Commit 7bb196a71 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).
This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).
This seesm to fix the issue.
Kurt
More information about the Pkg-openssl-devel
mailing list