<div dir="ltr">However this type of TLS leak was not there when my application was using OpenSSL 1.0.2<div>Noticed after using OpenSSL 1.1.0b</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Mar 25, 2017 at 8:12 PM, <span dir="ltr"><<a href="mailto:openssl-users-request@openssl.org" target="_blank">openssl-users-request@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send openssl-users mailing list submissions to<br>
<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:openssl-users-request@openssl.org">openssl-users-request@openssl.<wbr>org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:openssl-users-owner@openssl.org">openssl-users-owner@openssl.<wbr>org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of openssl-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. OpenSSL sending close_notify right after responding to a<br>
heartbeat request (R Kaja Mohideen)<br>
2. Re: how to implement functions for STACK OF custom type?<br>
(Dr. Stephen Henson)<br>
3. TLSv1_2_method (Lei Kong)<br>
4. Re: TLSv1_2_method (Viktor Dukhovni)<br>
5. TLS leak for openssl 1.1.0b with libcurl 7.50.3<br>
(ghanashyam satpathy)<br>
6. Re: TLS leak for openssl 1.1.0b with libcurl 7.50.3 (Salz, Rich)<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 1<br>
Date: Fri, 24 Mar 2017 19:10:41 +0530<br>
From: R Kaja Mohideen <<a href="mailto:reachme@kajasweb.com">reachme@kajasweb.com</a>><br>
To: <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
Subject: [openssl-users] OpenSSL sending close_notify right after<br>
responding to a heartbeat request<br>
Message-ID:<br>
<CAMSoAtDCh7AZTBJeOtVa=<wbr>Gdk3YZ2yTStdwem56eN_d=<a href="mailto:eNVgaCQ@mail.gmail.com">eNVgaCQ@<wbr>mail.gmail.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Hi,<br>
<br>
We have a TLS Server (Written in C) and Client (Written in Java using<br>
Netty + OpenSSL).<br>
<br>
I see that when Server sends a TLS extension Heartbeat request to<br>
client - OpenSSL responds to it and sends a close_notify alert right<br>
after it - causing the server to close the session with client.<br>
<br>
I don't have any callback registered in client (HB request recipient<br>
side - Java/Netty doesn't really have that support) and so I'm sure<br>
that it is OpenSSL by itself is responding to that heartbeat request.<br>
But, who or what is making OpenSSL to send an alert & close the<br>
session upon responding to heartbeat remains a mystery.<br>
<br>
Any help / suggestions to investigate this issue is highly appreciated.<br>
<br>
Thanks & regards,<br>
R Kaja Mohideen<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 24 Mar 2017 17:46:28 +0000<br>
From: "Dr. Stephen Henson" <<a href="mailto:steve@openssl.org">steve@openssl.org</a>><br>
To: <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
Subject: Re: [openssl-users] how to implement functions for STACK OF<br>
custom type?<br>
Message-ID: <<a href="mailto:20170324174628.GA16753@openssl.org">20170324174628.GA16753@<wbr>openssl.org</a>><br>
Content-Type: text/plain; charset=iso-8859-1<br>
<br>
On Tue, Mar 21, 2017, lists wrote:<br>
<br>
> Sorry, I first posted this on the -dev list, likely inappropriate... now with an update:<br>
><br>
> I am exploring my options with OpenSSL and specifically I am trying to manage the stacks for some custom objects.<br>
> Currently, I have this code (sort of) in the headers:<br>
><br>
> typedef struct myThingA_st<br>
> {<br>
> ???? ASN1_OBJECT aID;<br>
> ???? ASN1_OCTET_STRING aOCST;<br>
> }<br>
> ???? myThingA;<br>
><br>
> DECLARE_ASN1_ITEM(myThingA)<br>
> DECLARE_ASN1_FUNCTIONS(<wbr>myThingA)<br>
> DECLARE_STACK_OF(myThingA)<br>
> // the next one seems to be ininfluent for my purpose, is it?<br>
> DECLARE_ASN1_SET_OF(myThingA)<br>
><br>
> typedef struct myThingB_st<br>
> {<br>
> ???? // SEQUENCE OF { ... }<br>
> ???? STACK_OF(myThingA) myThingA_sk;<br>
> }<br>
> ???? myThingB;<br>
><br>
> // DECLARE_ASN1_ITEM(myThingB)<br>
> DECLARE_STACK_OF(myThingB)<br>
> // DECLARE_ASN1_FUNCTIONS(<wbr>myThingB)<br>
> // the next one seems to be ininfluent for my purpose, is it?<br>
> DECLARE_ASN1_SET_OF(myThingB)<br>
><br>
> Then, in the .c file...<br>
><br>
> IMPLEMENT_STACK_OF(myThingA)<br>
> IMPLEMENT_STACK_OF(myThingB)<br>
><br>
> I thought that the basic functions for the stacks to be available (such as sk_myThingA_new, sk_myThingA_push...), yet by compiling a main, for<br>
> the first one that I try to use I get:<br>
><br>
> ?????? undefined reference to `sk_myThingA_value'<br>
><br>
> What am I doing wrong here?<br>
<br>
If you're using OpenSSL 1.1.0 you need to include:<br>
<br>
DEFINE_STACK_OF(FOO)<br>
<br>
in a header file and that should be it. That implements a set of inline<br>
functions that do the right thing.<br>
<br>
For OpenSSL versions before 1.1.0 it's a bit messier. The type specific<br>
STACK_OF functions are actually macros which are generated by the <a href="http://mkstack.pl" rel="noreferrer" target="_blank">mkstack.pl</a><br>
script and appear in the safestack.h header file. If you want to create your<br>
own one way is to extract a type specific section from safestack.h, copy it<br>
to your own header file and do a search/replace for the new type.<br>
<br>
So for example extract the sk_OPENSSL_BLOCK macros and replace OPENSSL_BLOCK<br>
with FOO.<br>
<br>
Steve.<br>
--<br>
Dr Stephen N. Henson. OpenSSL project core developer.<br>
Commercial tech support now available see: <a href="http://www.openssl.org" rel="noreferrer" target="_blank">http://www.openssl.org</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 24 Mar 2017 21:51:07 +0000<br>
From: Lei Kong <<a href="mailto:leikong@msn.com">leikong@msn.com</a>><br>
To: "<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>" <<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>><br>
Subject: [openssl-users] TLSv1_2_method<br>
Message-ID:<br>
<<a href="mailto:BN1PR01MB021823477985DD1AFB7D042A83E0@BN1PR01MB021.prod.exchangelabs.com">BN1PR01MB021823477985DD1AFB7D<wbr>042A83E0@BN1PR01MB021.prod.<wbr>exchangelabs.com</a>><br>
<br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Can processes running with TLSv1_2_method talk to processes running with something older, e.g. TLSv1_1_method? Along the same lines, will new TLS versions be backward compatible with TLSv1_2_method ?<br>
<br>
I would like to make my code proof, is there something like TLS_latest_method()?<br>
<br>
I have a cluster of nodes that talk to each other with TLS, currently the version is hardcoded to TLSv1_2_method. Suppose TLSv1_2 is deprecated by TLS_new one day, I update my service to use TLS_new node by node, during this time, some old nodes are running with TLSv1_2, some new nodes are running with new TLS_new, will the communication between old and new nodes work?<br>
<br>
Thanks.<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20170324/1f4d53f0/attachment-0001.html" rel="noreferrer" target="_blank">http://mta.openssl.org/<wbr>pipermail/openssl-users/<wbr>attachments/20170324/1f4d53f0/<wbr>attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Sat, 25 Mar 2017 03:19:55 -0400<br>
From: Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org">openssl-users@dukhovni.org</a>><br>
To: <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
Subject: Re: [openssl-users] TLSv1_2_method<br>
Message-ID: <<a href="mailto:5D881D46-87A5-4053-B166-F1EE4AA52619@dukhovni.org">5D881D46-87A5-4053-B166-<wbr>F1EE4AA52619@dukhovni.org</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
<br>
> On Mar 24, 2017, at 5:51 PM, Lei Kong <<a href="mailto:leikong@msn.com">leikong@msn.com</a>> wrote:<br>
><br>
> TLS_latest_method<br>
<br>
<a href="https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/<wbr>man1.1.0/ssl/SSL_CTX_new.html</a><br>
<br>
...<br>
<br>
TLS_method(), TLS_server_method(), TLS_client_method()<br>
<br>
These are the general-purpose version-flexible SSL/TLS methods.<br>
The actual protocol version used will be negotiated to the<br>
highest version mutually supported by the client and the server.<br>
The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.<br>
Applications should use these methods, and avoid the version-specific<br>
methods described below.<br>
<br>
With OpenSSL 1.0.2 these are called SSLv23_method(), ...<br>
<br>
<a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/<wbr>man1.0.2/ssl/SSL_CTX_new.html</a><br>
<br>
--<br>
Viktor.<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Sat, 25 Mar 2017 19:35:06 +0530<br>
From: ghanashyam satpathy <<a href="mailto:ghanashyam.satpathy@gmail.com">ghanashyam.satpathy@gmail.com</a><wbr>><br>
To: <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
Subject: [openssl-users] TLS leak for openssl 1.1.0b with libcurl<br>
7.50.3<br>
Message-ID:<br>
<CAKn+8OKWHspSvk=<a href="mailto:sxZfz3PSOZK5qXkWQTy3z%2B3PimCiFrOnXkw@mail.gmail.com">sxZfz3PSOZK5q<wbr>XkWQTy3z+3PimCiFrOnXkw@mail.<wbr>gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
I use libcurl 7.50.3 as statically linked in my application dll , along<br>
with openssl 1.1.0b also statically linked. The dll is dynamically loaded<br>
using LoadLibrary() and unloaded using FreeLibrary() inside application<br>
exe. I observed a TLS index is not getting freed which was allocated inside<br>
openssl. To narrow down the issue I have following exported function, which<br>
I call from my application exe. After FreeLibrary() I see the TLS leak<br>
through APplication verifier.<br>
<br>
extern "C" __declspec(dllexport)<br>
void CurlSetup()<br>
{<br>
<br>
curl_global_init(CURL_GLOBAL_<wbr>DEFAULT);<br>
curl_global_cleanup();<br>
return;<br>
<br>
}<br>
<br>
An early reply in this context is appreciated.<br>
<br>
Thanks<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20170325/12c0ccde/attachment-0001.html" rel="noreferrer" target="_blank">http://mta.openssl.org/<wbr>pipermail/openssl-users/<wbr>attachments/20170325/12c0ccde/<wbr>attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Sat, 25 Mar 2017 14:13:47 +0000<br>
From: "Salz, Rich" <<a href="mailto:rsalz@akamai.com">rsalz@akamai.com</a>><br>
To: "<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>" <<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>><br>
Subject: Re: [openssl-users] TLS leak for openssl 1.1.0b with libcurl<br>
7.50.3<br>
Message-ID:<br>
<<a href="mailto:6d87957f6c654825a6a6c6f0d3d4a20a@usma1ex-dag1mb1.msg.corp.akamai.com">6d87957f6c654825a6a6c6f0d3d4a<wbr>20a@usma1ex-dag1mb1.msg.corp.<wbr>akamai.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Those are curl functions, not openssl<br>
<br>
--<br>
Senior Architect, Akamai Technologies<br>
Member, OpenSSL Dev Team<br>
IM: <a href="mailto:richsalz@jabber.at">richsalz@jabber.at</a> Twitter: RichSalz<br>
<br>
From: ghanashyam satpathy [mailto:<a href="mailto:ghanashyam.satpathy@gmail.com">ghanashyam.satpathy@<wbr>gmail.com</a>]<br>
Sent: Saturday, March 25, 2017 10:05 AM<br>
To: <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
Subject: [openssl-users] TLS leak for openssl 1.1.0b with libcurl 7.50.3<br>
<br>
I use libcurl 7.50.3 as statically linked in my application dll , along<br>
with openssl 1.1.0b also statically linked. The dll is dynamically loaded<br>
using LoadLibrary() and unloaded using FreeLibrary() inside application<br>
exe. I observed a TLS index is not getting freed which was allocated inside<br>
openssl. To narrow down the issue I have following exported function, which<br>
I call from my application exe. After FreeLibrary() I see the TLS leak<br>
through APplication verifier.<br>
<br>
extern "C" __declspec(dllexport)<br>
void CurlSetup()<br>
{<br>
<br>
curl_global_init(CURL_GLOBAL_<wbr>DEFAULT);<br>
curl_global_cleanup();<br>
return;<br>
<br>
}<br>
<br>
An early reply in this context is appreciated.<br>
<br>
Thanks<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20170325/1a5b8980/attachment.html" rel="noreferrer" target="_blank">http://mta.openssl.org/<wbr>pipermail/openssl-users/<wbr>attachments/20170325/1a5b8980/<wbr>attachment.html</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
______________________________<wbr>_________________<br>
openssl-users mailing list<br>
<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of openssl-users Digest, Vol 28, Issue 33<br>
******************************<wbr>***************<br>
</blockquote></div><br></div>