PolarSSL: version 1.3.8 now required #1401

Closed
MarcelRaad opened this Issue Apr 10, 2017 · 5 comments

@MarcelRaad
Member
MarcelRaad commented Apr 10, 2017 edited

I did this

Tried to build curl with PolarSSL on Ubuntu 14.04 Trusty Tahr. It compiled, but linking failed because of an undefined reference to ssl_session_init which was introduced in 9f498de and is only available in PolarSSL versions 1.3.8 and 1.3.9. Ubuntu Trusty comes with PolarSSL 1.3.4.

I expected the following

Either the minimum version documented in INTERNALS.md bumped to 1.3.8 and the minimum POLARSSL_VERSION_NUMBER in polarssl.c bumped to 0x01030800 or a successful build.

curl/libcurl version

git master f9d1e9a

operating system

Ubuntu Trusty

@bagder bagder added the SSL/TLS label Apr 10, 2017
Owner
bagder commented Apr 10, 2017 edited

I'm inclined to say that we simply raise the bar to 1.3.8 unless someone steps forward and does the work to make sure older versions get supported again.

Reading up on recent security details, it seems PolarSSL users shouldn't use anything other than 1.3.19 anyway...

Owner
bagder commented Apr 10, 2017

I believe commit 04b4ee5 (June 2016) is what broke support for older versions, and that change doesn't look like a quick and easy fix to get working for older PolarSSL versions. The fact that it took 10 months for someone to report it could also work as a sign...

Owner
jay commented Apr 11, 2017

We could fix it I think. That call in the final two versions of PolarSSL is just this

void ssl_session_init( ssl_session *session )
{
    memset( session, 0, sizeof(ssl_session) );
}

Regarding security for PolarSSL in Trusty I assume it gets security fixes for their LTS?

Member

> We could fix it I think. That call in the final two versions of PolarSSL is just this

Right, as there won't be new versions of PolarSSL, we don't need to consider future changes to ssl_session_init. If @bagder agrees and nobody's faster than me, I'll change that to just use the memset.

Owner
bagder commented Apr 11, 2017

I'm totally fine with that!

@MarcelRaad MarcelRaad added a commit to MarcelRaad/curl that referenced this issue Apr 11, 2017
@MarcelRaad MarcelRaad polarssl: unbreak build with versions < 1.3.8
ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.

Suggested-by: Jay Satiro
Fixes curl#1401
475487b
@MarcelRaad MarcelRaad added a commit that closed this issue Apr 11, 2017
@MarcelRaad MarcelRaad polarssl: unbreak build with versions < 1.3.8
ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.

Suggested-by: Jay Satiro
Fixes #1401
580da62