However this type of TLS leak was not there when my application was using OpenSSL 1.0.2 Noticed after using OpenSSL 1.1.0b
On Sat, Mar 25, 2017 at 8:12 PM, <openssl-users-requ...@openssl.org> wrote: > Send openssl-users mailing list submissions to > openssl-users@openssl.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mta.openssl.org/mailman/listinfo/openssl-users > or, via email, send a message with subject or body 'help' to > openssl-users-requ...@openssl.org > > You can reach the person managing the list at > openssl-users-ow...@openssl.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > > 1. OpenSSL sending close_notify right after responding to a > heartbeat request (R Kaja Mohideen) > 2. Re: how to implement functions for STACK OF custom type? > (Dr. Stephen Henson) > 3. TLSv1_2_method (Lei Kong) > 4. Re: TLSv1_2_method (Viktor Dukhovni) > 5. TLS leak for openssl 1.1.0b with libcurl 7.50.3 > (ghanashyam satpathy) > 6. Re: TLS leak for openssl 1.1.0b with libcurl 7.50.3 (Salz, Rich) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 24 Mar 2017 19:10:41 +0530 > From: R Kaja Mohideen <reac...@kajasweb.com> > To: openssl-users@openssl.org > Subject: [openssl-users] OpenSSL sending close_notify right after > responding to a heartbeat request > Message-ID: > <CAMSoAtDCh7AZTBJeOtVa=Gdk3YZ2yTStdwem56eN_d=eNVgaCQ@ > mail.gmail.com> > Content-Type: text/plain; charset=UTF-8 > > Hi, > > We have a TLS Server (Written in C) and Client (Written in Java using > Netty + OpenSSL). > > I see that when Server sends a TLS extension Heartbeat request to > client - OpenSSL responds to it and sends a close_notify alert right > after it - causing the server to close the session with client. > > I don't have any callback registered in client (HB request recipient > side - Java/Netty doesn't really have that support) and so I'm sure > that it is OpenSSL by itself is responding to that heartbeat request. > But, who or what is making OpenSSL to send an alert & close the > session upon responding to heartbeat remains a mystery. > > Any help / suggestions to investigate this issue is highly appreciated. > > Thanks & regards, > R Kaja Mohideen > > > ------------------------------ > > Message: 2 > Date: Fri, 24 Mar 2017 17:46:28 +0000 > From: "Dr. Stephen Henson" <st...@openssl.org> > To: openssl-users@openssl.org > Subject: Re: [openssl-users] how to implement functions for STACK OF > custom type? > Message-ID: <20170324174628.ga16...@openssl.org> > Content-Type: text/plain; charset=iso-8859-1 > > On Tue, Mar 21, 2017, lists wrote: > > > Sorry, I first posted this on the -dev list, likely inappropriate... now > with an update: > > > > I am exploring my options with OpenSSL and specifically I am trying to > manage the stacks for some custom objects. > > Currently, I have this code (sort of) in the headers: > > > > typedef struct myThingA_st > > { > > ???? ASN1_OBJECT aID; > > ???? ASN1_OCTET_STRING aOCST; > > } > > ???? myThingA; > > > > DECLARE_ASN1_ITEM(myThingA) > > DECLARE_ASN1_FUNCTIONS(myThingA) > > DECLARE_STACK_OF(myThingA) > > // the next one seems to be ininfluent for my purpose, is it? > > DECLARE_ASN1_SET_OF(myThingA) > > > > typedef struct myThingB_st > > { > > ???? // SEQUENCE OF { ... } > > ???? STACK_OF(myThingA) myThingA_sk; > > } > > ???? myThingB; > > > > // DECLARE_ASN1_ITEM(myThingB) > > DECLARE_STACK_OF(myThingB) > > // DECLARE_ASN1_FUNCTIONS(myThingB) > > // the next one seems to be ininfluent for my purpose, is it? > > DECLARE_ASN1_SET_OF(myThingB) > > > > Then, in the .c file... > > > > IMPLEMENT_STACK_OF(myThingA) > > IMPLEMENT_STACK_OF(myThingB) > > > > I thought that the basic functions for the stacks to be available (such > as sk_myThingA_new, sk_myThingA_push...), yet by compiling a main, for > > the first one that I try to use I get: > > > > ?????? undefined reference to `sk_myThingA_value' > > > > What am I doing wrong here? > > If you're using OpenSSL 1.1.0 you need to include: > > DEFINE_STACK_OF(FOO) > > in a header file and that should be it. That implements a set of inline > functions that do the right thing. > > For OpenSSL versions before 1.1.0 it's a bit messier. The type specific > STACK_OF functions are actually macros which are generated by the > mkstack.pl > script and appear in the safestack.h header file. If you want to create > your > own one way is to extract a type specific section from safestack.h, copy it > to your own header file and do a search/replace for the new type. > > So for example extract the sk_OPENSSL_BLOCK macros and replace > OPENSSL_BLOCK > with FOO. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > > > ------------------------------ > > Message: 3 > Date: Fri, 24 Mar 2017 21:51:07 +0000 > From: Lei Kong <leik...@msn.com> > To: "openssl-users@openssl.org" <openssl-users@openssl.org> > Subject: [openssl-users] TLSv1_2_method > Message-ID: > <bn1pr01mb021823477985dd1afb7d042a8...@bn1pr01mb021.prod. > exchangelabs.com> > > Content-Type: text/plain; charset="us-ascii" > > Can processes running with TLSv1_2_method talk to processes running with > something older, e.g. TLSv1_1_method? Along the same lines, will new TLS > versions be backward compatible with TLSv1_2_method ? > > I would like to make my code proof, is there something like > TLS_latest_method()? > > I have a cluster of nodes that talk to each other with TLS, currently the > version is hardcoded to TLSv1_2_method. Suppose TLSv1_2 is deprecated by > TLS_new one day, I update my service to use TLS_new node by node, during > this time, some old nodes are running with TLSv1_2, some new nodes are > running with new TLS_new, will the communication between old and new nodes > work? > > Thanks. > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: <http://mta.openssl.org/pipermail/openssl-users/ > attachments/20170324/1f4d53f0/attachment-0001.html> > > ------------------------------ > > Message: 4 > Date: Sat, 25 Mar 2017 03:19:55 -0400 > From: Viktor Dukhovni <openssl-us...@dukhovni.org> > To: openssl-users@openssl.org > Subject: Re: [openssl-users] TLSv1_2_method > Message-ID: <5d881d46-87a5-4053-b166-f1ee4aa52...@dukhovni.org> > Content-Type: text/plain; charset=us-ascii > > > > On Mar 24, 2017, at 5:51 PM, Lei Kong <leik...@msn.com> wrote: > > > > TLS_latest_method > > https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html > > ... > > TLS_method(), TLS_server_method(), TLS_client_method() > > These are the general-purpose version-flexible SSL/TLS methods. > The actual protocol version used will be negotiated to the > highest version mutually supported by the client and the server. > The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2. > Applications should use these methods, and avoid the version-specific > methods described below. > > With OpenSSL 1.0.2 these are called SSLv23_method(), ... > > https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html > > -- > Viktor. > > > > ------------------------------ > > Message: 5 > Date: Sat, 25 Mar 2017 19:35:06 +0530 > From: ghanashyam satpathy <ghanashyam.satpa...@gmail.com> > To: openssl-users@openssl.org > Subject: [openssl-users] TLS leak for openssl 1.1.0b with libcurl > 7.50.3 > Message-ID: > <CAKn+8OKWHspSvk=sxZfz3PSOZK5qXkWQTy3z+3PimCiFrOnXkw@mail. > gmail.com> > Content-Type: text/plain; charset="utf-8" > > I use libcurl 7.50.3 as statically linked in my application dll , along > with openssl 1.1.0b also statically linked. The dll is dynamically loaded > using LoadLibrary() and unloaded using FreeLibrary() inside application > exe. I observed a TLS index is not getting freed which was allocated inside > openssl. To narrow down the issue I have following exported function, which > I call from my application exe. After FreeLibrary() I see the TLS leak > through APplication verifier. > > extern "C" __declspec(dllexport) > void CurlSetup() > { > > curl_global_init(CURL_GLOBAL_DEFAULT); > curl_global_cleanup(); > return; > > } > > An early reply in this context is appreciated. > > Thanks > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: <http://mta.openssl.org/pipermail/openssl-users/ > attachments/20170325/12c0ccde/attachment-0001.html> > > ------------------------------ > > Message: 6 > Date: Sat, 25 Mar 2017 14:13:47 +0000 > From: "Salz, Rich" <rs...@akamai.com> > To: "openssl-users@openssl.org" <openssl-users@openssl.org> > Subject: Re: [openssl-users] TLS leak for openssl 1.1.0b with libcurl > 7.50.3 > Message-ID: > <6d87957f6c654825a6a6c6f0d3d4a...@usma1ex-dag1mb1.msg.corp. > akamai.com> > Content-Type: text/plain; charset="utf-8" > > Those are curl functions, not openssl > > -- > Senior Architect, Akamai Technologies > Member, OpenSSL Dev Team > IM: richs...@jabber.at Twitter: RichSalz > > From: ghanashyam satpathy [mailto:ghanashyam.satpa...@gmail.com] > Sent: Saturday, March 25, 2017 10:05 AM > To: openssl-users@openssl.org > Subject: [openssl-users] TLS leak for openssl 1.1.0b with libcurl 7.50.3 > > I use libcurl 7.50.3 as statically linked in my application dll , along > with openssl 1.1.0b also statically linked. The dll is dynamically loaded > using LoadLibrary() and unloaded using FreeLibrary() inside application > exe. I observed a TLS index is not getting freed which was allocated inside > openssl. To narrow down the issue I have following exported function, which > I call from my application exe. After FreeLibrary() I see the TLS leak > through APplication verifier. > > extern "C" __declspec(dllexport) > void CurlSetup() > { > > curl_global_init(CURL_GLOBAL_DEFAULT); > curl_global_cleanup(); > return; > > } > > An early reply in this context is appreciated. > > Thanks > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: <http://mta.openssl.org/pipermail/openssl-users/ > attachments/20170325/1a5b8980/attachment.html> > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > openssl-users mailing list > openssl-users@openssl.org > https://mta.openssl.org/mailman/listinfo/openssl-users > > > ------------------------------ > > End of openssl-users Digest, Vol 28, Issue 33 > ********************************************* >
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
