[openssl-dev] [openssl.org #4395] OpenSSL doesn't reject out-of-context empty records
David Benjamin via RT
rt at openssl.org
Mon Mar 7 22:27:24 UTC 2016

ssl3_get_record silently discards empty records without much context, which
means OpenSSL will happily accept, e.g., empty app data records
mid-handshake or empty records of bogus type. They get silently discarded
and never returned to the caller, so this is harmless, just a little odd.

This is what we did to fix it:

Something similar would probably work.

The AppDataBeforeHandshake-Empty and
AppDataAfterChangeCipherSpec-Empty tests in BoringSSL's test suite can be
used to repro this:

Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4395
Please log in as guest with password guest if prompted
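
A simplified model of the check discussed in this report, added here as an illustration; it is not OpenSSL's or BoringSSL's code and not part of the original message. The function name, the verdict enum, the handshake_done flag and the sample record headers are assumptions constructed for the example; the rule against empty handshake, alert and ChangeCipherSpec records is taken from RFC 5246, section 6.2.1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record content types defined in RFC 5246, section 6.2.1. */
enum { CT_CCS = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPDATA = 23 };
typedef enum { REC_OK, REC_DISCARD, REC_REJECT } rec_verdict;

/* Constructed 5-byte record headers: type, version (2 bytes), length (2 bytes). */
static const uint8_t EMPTY_APPDATA[5]   = { 23, 3, 3, 0, 0 };
static const uint8_t EMPTY_BOGUS[5]     = { 99, 3, 3, 0, 0 };
static const uint8_t EMPTY_HANDSHAKE[5] = { 22, 3, 3, 0, 0 };
static const uint8_t FULL_APPDATA[5]    = { 23, 3, 3, 0, 16 };

/* Hypothetical helper. strict == 0 models the reported behaviour: a
 * zero-length record is dropped before its type or the connection state
 * is examined. strict == 1 validates type and context first, so an empty
 * record is judged like a non-empty one of the same type. */
rec_verdict check_record(const uint8_t hdr[5], int handshake_done, int strict)
{
    uint8_t type = hdr[0];
    size_t len = ((size_t)hdr[3] << 8) | hdr[4];

    if (!strict && len == 0)
        return REC_DISCARD;            /* silently skipped, caller never sees it */
    if (type < CT_CCS || type > CT_APPDATA)
        return REC_REJECT;             /* bogus content type, empty or not */
    if (type == CT_APPDATA && !handshake_done)
        return REC_REJECT;             /* application data mid-handshake */
    if (len == 0 && type != CT_APPDATA)
        return REC_REJECT;             /* RFC 5246 forbids these empty fragments */
    return REC_OK;                     /* includes empty app data after the handshake */
}

int main(void)
{
    printf("empty app data mid-handshake: lenient=%d strict=%d\n",
           check_record(EMPTY_APPDATA, 0, 0), check_record(EMPTY_APPDATA, 0, 1));
    printf("empty bogus type:             lenient=%d strict=%d\n",
           check_record(EMPTY_BOGUS, 1, 0), check_record(EMPTY_BOGUS, 1, 1));
    printf("empty handshake record:       lenient=%d strict=%d\n",
           check_record(EMPTY_HANDSHAKE, 0, 0), check_record(EMPTY_HANDSHAKE, 0, 1));
    printf("non-empty app data, done:     lenient=%d strict=%d\n",
           check_record(FULL_APPDATA, 1, 0), check_record(FULL_APPDATA, 1, 1));
    return 0;
}
```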