[openssl-users] [openssl-dev] OpenSSL version 1.0.2n published
openssl-users at dukhovni.org
Thu Dec 7 18:40:44 UTC 2017
> On Dec 7, 2017, at 8:55 AM, OpenSSL <openssl at openssl.org> wrote:
> OpenSSL - The Open Source toolkit for SSL/TLS
> The OpenSSL project team is pleased to announce the release of
> version 1.0.2n of our open source toolkit for SSL/TLS. For details
> of changes and known issues see the release notes at:
It is perhaps useful to expand on one sentence in the CHANGE log:
Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
*) Read/write after SSL object in error state
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
mechanism. The intent was that if a fatal error occurred during a handshake
then OpenSSL would move into the error state and would immediately fail if
you attempted to continue the handshake. This works as designed for the
explicit handshake functions (SSL_do_handshake(), SSL_accept() and
SSL_connect()), however due to a bug it does not work correctly if
SSL_read() or SSL_write() is called directly. ...
What "directly" means at the end of the quoted text is "directly, without
first performing an explicit handshake". In that case the handshake is
an implicit side-effect of the first read or write call, and it was in
that case that the "error state" mechanism did not behave as intended.
More information about the openssl-users