[openssl-dev] [openssl.org #4395] OpenSSL doesn't reject out-of-context empty records

David Benjamin via RT rt at openssl.org
Mon Mar 7 22:27:24 UTC 2016

ssl3_get_record silently discards empty records without much context, which
means OpenSSL will happily accept, e.g., empty app data records
mid-handshake or empty records of bogus type. They get silently discarded
and never returned to the caller, so this is harmless, just a little odd.

This is what we did to fix it:
Something similar would probably work.

The AppDataBeforeHandshake-Empty and
AppDataAfterChangeCipherSpec-Empty tests in BoringSSL's test suite can be
used to repro this:


Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4395
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list