httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Support for OpenSSL 1.1.0
Date Fri, 12 Feb 2016 00:48:55 GMT
The list is getting shorter. The test suite currently only shows a few 
failures due to the missing "talking http on https" support.

Am 09.02.2016 um 11:20 schrieb Rainer Jung:

> Open problems:
>
> 1) HTTP on HTTPS
>
> OpenSSL 1.1.0 currently doesn't support the "HTTP spoken on HTTPS port"
> error. The code to detect HTTP was removed due to a major rewrite of the
> state engine. The OpenSSL project is willing to review patches for
> reintroducing the feature there but currently doesn't plan to work on it
> themselves.

I'll try tackling this next. Not sure how well it will go.

> 2) Renegotiation
>
> It needs to be implemented differently. The OpenSSL project suggests to
> try reading application data until the renegotiation has finished. I
> committed some rather ugly code that does loop waiting for reneg, but it
> has a couple of problems:

Still using poll, but better state tracking now.

> a) it will not work for EC or DH ciphers. Some opaque structure element
> in the ssl struct is already set and confuses the state machine. I hope
> to get some helpful feedback from the OpenSSL project for this.

Still open.

> 5) ssl_engine_kernel.c
>
> In ssl_callback_Info() the explicit state constants
> SSL3_ST_SR_CLNT_HELLO_A and SSL23_ST_SR_CLNT_HELLO_A are used which no
> longer exist. I can't find obvious replacements in the list of new state
> constants:
>
> 2100         int state = SSL_get_state((SSL *)ssl);
> 2101
> 2102         if (state == SSL3_ST_SR_CLNT_HELLO_A
> 2103             || state == SSL23_ST_SR_CLNT_HELLO_A) {
> 2104             scr->reneg_state = RENEG_ABORT;
> 2105             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
> 2106                           "rejecting client initiated renegotiation");
> 2107         }

That shouldn't be too hard. Will look into it.

Regards,

Rainer
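Added example, not code from httpd, mod_ssl or OpenSSL: the "HTTP spoken on HTTPS port" detection in item 1 comes down to classifying the first bytes a client sends on a TLS listener. Older OpenSSL reported a plaintext request as an error so mod_ssl could answer with a plain HTTP 400 instead of a TLS alert. The sketch below does the same classification on a peeked buffer: it distinguishes a TLS handshake record, an SSLv2-compatible hello, a plaintext HTTP request (method token followed by a space, a constructed list) and "need more bytes". All sample inputs are constructed, and the 400 reply text is an assumption modelled on the kind of answer mod_ssl gives.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict for the first bytes received on a TLS listener. */
enum first_bytes_kind {
    FB_NEED_MORE,    /* not enough data to decide yet */
    FB_TLS_RECORD,   /* TLS record header, content type handshake (0x16) */
    FB_SSLV2_HELLO,  /* SSLv2-compatible ClientHello (high bit set, type 0x01) */
    FB_HTTP_REQUEST, /* plaintext HTTP request on the TLS port */
    FB_UNKNOWN       /* none of the above */
};

/* Method tokens we treat as "plaintext HTTP" (assumed list for this example). */
static const char *const http_methods[] = {
    "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT ", NULL
};

/* Classify up to len peeked bytes. The caller would MSG_PEEK them so that the
 * TLS library still sees the full ClientHello when the verdict is "TLS". */
enum first_bytes_kind classify_first_bytes(const unsigned char *buf, size_t len)
{
    size_t i;

    if (len == 0)
        return FB_NEED_MORE;

    /* TLS record: content type 0x16 (handshake) followed by major version 3. */
    if (buf[0] == 0x16) {
        if (len < 2)
            return FB_NEED_MORE;
        return buf[1] == 0x03 ? FB_TLS_RECORD : FB_UNKNOWN;
    }

    /* SSLv2-compatible hello: 2-byte length with high bit set, then msg type 1. */
    if (buf[0] & 0x80) {
        if (len < 3)
            return FB_NEED_MORE;
        return buf[2] == 0x01 ? FB_SSLV2_HELLO : FB_UNKNOWN;
    }

    /* Plaintext HTTP: a method token followed by a space. A proper prefix of a
     * token means we cannot decide yet. */
    for (i = 0; http_methods[i] != NULL; i++) {
        size_t n = strlen(http_methods[i]);
        size_t cmp = len < n ? len : n;
        if (memcmp(buf, http_methods[i], cmp) == 0)
            return cmp == n ? FB_HTTP_REQUEST : FB_NEED_MORE;
    }
    return FB_UNKNOWN;
}

/* Plain-HTTP answer for a client that spoke HTTP to the TLS port (assumed text). */
const char *plain_http_reply(void)
{
    return "HTTP/1.0 400 Bad Request\r\n"
           "Content-Type: text/plain\r\n"
           "Connection: close\r\n"
           "\r\n"
           "You're speaking plain HTTP to an SSL-enabled server port.\r\n";
}

int main(void)
{
    /* Constructed samples: a plaintext request, a TLS 1.0 handshake record
     * header, an SSLv2-compatible hello header, and a truncated method. */
    static const unsigned char http[] = "GET / HTTP/1.0\r\n";
    static const unsigned char tls[]  = { 0x16, 0x03, 0x01, 0x00, 0xc4 };
    static const unsigned char ssl2[] = { 0x80, 0x2e, 0x01, 0x03, 0x01 };
    static const unsigned char part[] = "GE";

    printf("http:  %d\n", classify_first_bytes(http, sizeof http - 1));
    printf("tls:   %d\n", classify_first_bytes(tls, sizeof tls));
    printf("sslv2: %d\n", classify_first_bytes(ssl2, sizeof ssl2));
    printf("part:  %d\n", classify_first_bytes(part, sizeof part - 1));
    if (classify_first_bytes(http, sizeof http - 1) == FB_HTTP_REQUEST)
        fputs(plain_http_reply(), stdout);
    return 0;
}
```

The point of peeking rather than reading is that the verdict must not consume bytes the TLS library needs; when the verdict is FB_HTTP_REQUEST the server can write the 400 reply and close without ever starting the handshake, which is the behaviour the test suite is checking for.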
