[OpenWrt-Devel] [RFC PATCH 0/1] openssl: fix session resumption
Eneas U de Queiroz
cotequeiroz at gmail.com
Tue Mar 24 22:23:27 EDT 2020
OpenSSL 1.1.1e brought a change in behavior when reaching EOF in
SSL_read(). Previous versions returned SSL_ERROR_SYSCALL but errno
would be 0. New behavior returns SSL_ERROR_SSL and adds an error to the
stack.

This breaks session resumption in nginx, and has the potential to break
other apps as well. (https://github.com/openssl/openssl/issues/10880)
It is a bug, and it affects security--they're talking about a possible
truncation attack.

There's an issue open in https://github.com/openssl/openssl/issues/11378
where they're discussing what to do. Apparently they are leaning
towards reverting the change in 1.1.1, but keeping it for the next
release.

I imagine affected software will eventually adapt, so this revert may be
temporary. I'm not sure what to do in this case. My initial idea is to
wait for openssl/openssl#11378 closure, and see what they decide. If
they keep the change (don't revert), then we should probably revert this
now, and take the patches out once most/all affected apps have adapted.

Since this might cause trouble right away, and it was applied to 19.07,
I decided to post this now, as RFC.

This was tested on mvebu, WRT3200ACM, using nginx.

Eneas U de Queiroz (1):
openssl: revert EOF detection change in 1.1.1
package/libs/openssl/Makefile | 2 +-
...t-Detect-EOF-while-reading-in-libssl.patch | 112 ++++++++++++++++++
...more-BIOs-how-to-handle-BIO_CTRL_EOF.patch | 71 +++++++++++
3 files changed, 184 insertions(+), 1 deletion(-)
create mode 100644 package/libs/openssl/patches/200-Revert-Detect-EOF-while-reading-in-libssl.patch
create mode 100644 package/libs/openssl/patches/210-Revert-Teach-more-BIOs-how-to-handle-BIO_CTRL_EOF.patch
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel