On Tue, Nov 16, 2010, Victor Duchovni wrote:
> On Tue, Nov 16, 2010 at 03:48:13PM -0500, Victor Duchovni wrote:
>
> >
> > Anyone know why I am seeing the below errors:
> >
> > ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert
> > ../apps/server2.pem -no_dhe -num 10 -f -time
> > Available compression methods:
> > NONE
> > DONE via BIO pair: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit
> > RSA
> > ERROR in SERVER
> > 182902820544:error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse
> > tlsext:s3_srvr.c:1043:
>
> Running under gdb with symbols seems to the suggest the issue is with
> the ec
>
> else if (type == TLSEXT_TYPE_ec_point_formats &&
> s->version != DTLS1_VERSION)
> {
> unsigned char *sdata = data;
> int ecpointformatlist_length = *(sdata++);
>
> if (ecpointformatlist_length != size - 1)
> {
> *al = TLS1_AD_DECODE_ERROR;
> return 0;
> }
> if (!s->hit)
> {
> if(s->session->tlsext_ecpointformatlist)
> {
> ---> fail here --->
> *al = TLS1_AD_DECODE_ERROR;
> return 0;
> }
>
> Is this related to the CVE fix to the session state? Some other change?
>
Yes the CVE fix broke it. It was assuming that the session fields would only
be set by extensions so if they were already set the extension (illegally)
occurred more than once: but in the case of EC point format list it can be
set elsewhere anyway.
This should fix it:
http://cvs.openssl.org/chngview?cn=19998
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
