author | Tomas Mraz <tmraz@fedoraproject.org> | 2020-03-25 14:18:13 +0100
---|---|---
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-03-25 14:18:13 +0100
commit | 0cd2ee64bffcdece599c3e4b5fac3830a55dc0fa |
tree | 262cb031648e153a4f6bbca029d90ccfce91fcfe |
parent | 30d190caf311d534867df97e26b552e628cb7d85 |
Document the revert of the proper reporting of an unexpected EOF
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11400)
Mode | File | Lines
---|---|---
-rw-r--r-- | CHANGES | 7
-rw-r--r-- | NEWS | 4
-rw-r--r-- | doc/man3/SSL_get_error.pod | 12

3 files changed, 22 insertions, 1 deletions
@@ -9,6 +9,13 @@ Changes between 1.1.1e and 1.1.1f [xx XXX xxxx] + *) Revert the change of EOF detection while reading in libssl to avoid + regressions in applications depending on the current way of reporting + the EOF. As the existing method is not fully accurate the change to + reporting the EOF via SSL_ERROR_SSL is kept on the current development + branch and will be present in the 3.0 release. + [Tomas Mraz] + *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1 when primes for RSA keys are computed. Since we previously always generated primes == 2 (mod 3) for RSA keys, @@ -7,12 +7,14 @@ Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development] - o + o Revert the unexpected EOF reporting via SSL_ERROR_SSL Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] o Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) + o Properly detect unexpected EOF while reading in libssl and report + it via SSL_ERROR_SSL Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod index 97320a6c15..6ef6f7d4c5 100644 --- a/doc/man3/SSL_get_error.pod +++ b/doc/man3/SSL_get_error.pod @@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called. =back +=head1 BUGS + +The B<SSL_ERROR_SYSCALL> with B<errno> value of 0 indicates unexpected EOF from +the peer. This will be properly reported as B<SSL_ERROR_SSL> with reason +code B<SSL_R_UNEXPECTED_EOF_WHILE_READING> in the OpenSSL 3.0 release because +it is truly a TLS protocol error to terminate the connection without +a SSL_shutdown(). + +The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications +which choose to ignore this protocol error depend on the existing way of +reporting the error. + =head1 SEE ALSO L<ssl(7)> |
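Review bot: the new CHANGES entry for 1.1.1f says the EOF-detection change is reverted but never states what behaviour applications get back, so a changelog reader cannot tell how an unexpected EOF is reported in 1.1.1f. Suggest adding one sentence taken from the pod hunk, e.g. "An unexpected EOF is again reported as SSL_ERROR_SYSCALL with errno set to 0", and naming the 1.1.1e change being reverted (it is described in the NEWS hunk as "Properly detect unexpected EOF while reading in libssl and report it via SSL_ERROR_SSL") so the two entries can be matched up.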
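Review bot: the second part of the NEWS hunk inserts a new "Properly detect unexpected EOF ..." bullet into the already-released 1.1.1e section (dated 17 Mar 2020). Editing a released section after the fact is unusual; if the intent is to record what 1.1.1e actually shipped so that the 1.1.1f revert makes sense, say so in the 1.1.1f bullet instead or as well, e.g. "Revert the unexpected EOF reporting via SSL_ERROR_SSL introduced in 1.1.1e". While this file is being touched, the context line "x64_64 Montgomery squaring procedure" looks like a typo for "x86_64".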
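Review bot: two points on the new BUGS section in doc/man3/SSL_get_error.pod. First, it tells the reader that SSL_ERROR_SYSCALL with errno 0 means an unexpected EOF, but it does not say what an application that does not want to ignore the protocol error should do; since the whole reason for the revert is that some applications ignore it, add a sentence such as "Applications that wish to treat a truncated connection as an error must check for errno being 0 when SSL_ERROR_SYSCALL is returned", and cross-reference the SSL_ERROR_SYSCALL description earlier in this page. Second, the section should mention that 1.1.1e briefly reported this case as SSL_ERROR_SSL and that 1.1.1f reverts it (both facts are in the NEWS hunk), otherwise code tested only against 1.1.1e will rely on a return value that no other 1.1.1 release produces. Minor: "a SSL_shutdown()" should read "an SSL_shutdown()".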