diff options
author | Kurt Roeckx <kurt@roeckx.be> | 2018-05-15 19:01:41 +0200 |
---|---|---|
committer | Kurt Roeckx <kurt@roeckx.be> | 2018-05-22 22:45:28 +0200 |
commit | 693cf80c6ff54ae276a44d305d4ad07168ec6895 (patch) | |
tree | bed0784d42fe6d1544cbe3c1ebf1abe56eb65cf1 /CHANGES | |
parent | 1aac20f5095fca8691ef4495c3e7438c935a33dc (diff) |
Enable SSL_MODE_AUTO_RETRY by default
Because TLS 1.3 sends more non-application data records some clients run
into problems because they don't expect SSL_read() to return and set
SSL_ERROR_WANT_READ after processing it.
This can cause problems for clients that use blocking I/O and use
select() to see if data is available. It can be cleared using
SSL_CTX_clear_mode().
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #6260
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -9,6 +9,17 @@ Changes between 1.1.0h and 1.1.1 [xx XXX xxxx] + *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking + I/O in combination with something like select() or poll() will hang. This + can be turned off again using SSL_CTX_clear_mode(). + Many applications do not properly handle non-application data records, and + TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works + around the problems in those applications, but can also break some. + It's recommended to read the manpages about SSL_read(), SSL_write(), + SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and + SSL_CTX_set_read_ahead() again. + [Kurt Roeckx] + *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. [Richard Levitte] |