From: Dr Stephen Henson
Date: Thu, 22 Oct 2009 18:07:27 +0100
To: dev@httpd.apache.org
Subject: Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12
Message-ID: <4AE0914F.1010008@oss-institute.org>
In-Reply-To: <4AE04C48.40604@collab.net>

Kamesh Jayachandran wrote:
> On 10/22/2009 05:24 PM, Dr Stephen Henson wrote:
>> That's due to the function pointer issues which gcc 4.2 and later
>> doesn't like:
>> this was fixed in newer versions of OpenSSL.
>>
>
> Is there any switch we can pass to gcc 4.2 to compile and make it work
> properly.
>

No. If you really want to use 0.9.8b it needs an older version of gcc or you can
backport the fixes. They are rather extensive but mainly contained in:

http://cvs.openssl.org/chngview?cn=16526

and

http://cvs.openssl.org/chngview?cn=16528

OpenSSL 0.9.8b doesn't use TLS extensions at all.

>> Do you need TLS extensions on the client/server? If not try compiling
>> OpenSSL
>> with no-tlsext.
>>
>
> May not be possible as *client* builds are not in our control.
>
> I believe no-tlsext does *not* disable TLS functionality itself.
>

The no-tlsext option disables TLS extension functionality. If that works on the
server side then an alternative workaround could be found.

>> Did you say what version of OpenSSL the failing client was using on
>> Windows?
>>
>
> It happens with openssl-0.9.8j on client openssl-0.9.8k on server
>

Hmm... could be 0.9.8j sending bad data with invalid extension syntax under rare
circumstances. A packet sniffer or logging the errant extensions received by
OpenSSL could help trace this further.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
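
Added example (not part of the original message, and not OpenSSL or mod_ssl code): a syntax check for the extensions block of a ClientHello taken from a packet capture, as one way to do the tracing suggested above. The function names and the constructed sample records are assumptions for illustration; the input is one complete TLS record.

```python
import struct

def parse_client_hello_extensions(record: bytes):
    """Return (extensions, problems) for one TLS record carrying a ClientHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                         # client_version, random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos > len(body):
            raise IndexError
    except IndexError:
        raise ValueError("ClientHello truncated before the extensions block") from None
    exts, problems = [], []
    if pos == len(body):
        return exts, problems                                # no extensions sent
    if len(body) - pos < 2:
        return exts, ["extensions length field truncated"]
    total = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = min(pos + total, len(body))
    if pos + total != len(body):
        problems.append(f"block length says {total}, {len(body) - pos} bytes follow")
    while pos < end:
        if end - pos < 4:
            problems.append(f"{end - pos} stray byte(s), too short for a header")
            break
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if elen > end - pos:
            problems.append(f"extension {etype} claims {elen} bytes, {end - pos} left")
            break
        exts.append((etype, body[pos:pos + elen]))
        pos += elen
    return exts, problems

def build_client_hello(ext_block: bytes) -> bytes:
    """Constructed TLS 1.0 ClientHello around a caller-supplied extensions block."""
    # version, zero random, empty session_id, one cipher suite, null compression
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + ext_block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

SNI = b"\x00\x00\x00\x10\x00\x0e\x00\x00\x0bexample.org"  # constructed server_name ext
GOOD = build_client_hello(len(SNI).to_bytes(2, "big") + SNI)       # well formed
BAD = build_client_hello(len(SNI).to_bytes(2, "big") + SNI[:-3])   # data cut short
```

Logging the returned problems list next to the client's OpenSSL version shows whether a failing handshake carried a malformed extensions block or a well-formed one the server mishandled.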