Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PolarSSL: version 1.3.8 now required #1401

Closed
MarcelRaad opened this issue Apr 10, 2017 · 5 comments
Closed

PolarSSL: version 1.3.8 now required #1401

MarcelRaad opened this issue Apr 10, 2017 · 5 comments
Labels

Comments

@MarcelRaad
Copy link
Member

MarcelRaad commented Apr 10, 2017

I did this

Tried to build curl with PolarSSL on Ubuntu 14.04 Trusty Tahr. It compiled, but linking failed because of an undefined reference to ssl_session_init which was introduced in 9f498de and is only available in PolarSSL versions 1.3.8 and 1.3.9. Ubuntu Trusty comes with PolarSSL 1.3.4.

I expected the following

Either the minimum version documented in INTERNALS.md bumped to 1.3.8 and the minimum POLARSSL_VERSION_NUMBER in polarssl.c bumped to 0x01030800 or a successful build.

curl/libcurl version

git master f9d1e9a

operating system

Ubuntu Trusty

@bagder bagder added the TLS label Apr 10, 2017
@bagder
Copy link
Member

bagder commented Apr 10, 2017

I'm inclined to say that we simply raise the bar to 1.3.8 unless someone steps forward and does the work to make sure older versions get supported again.

Reading up on recent security details, it seems PolarSSL users shouldn't use anything other than 1.3.19 anyway...

@bagder
Copy link
Member

bagder commented Apr 10, 2017

I believe commit 04b4ee5 (June 2016) is what broke support for older versions, and that change doesn't look like a quick and easy fix to get working for older PolarSSL versions. The fact that it took 10 months for someone to report it could also work as a sign...

@jay
Copy link
Member

jay commented Apr 11, 2017

We could fix it I think. That call in the final two versions of PolarSSL is just this

void ssl_session_init( ssl_session *session )
{
    memset( session, 0, sizeof(ssl_session) );
}

Regarding security for PolarSSL in Trusty I assume it gets security fixes for their LTS?

@MarcelRaad
Copy link
Member Author

We could fix it I think. That call in the final two versions of PolarSSL is just this

Right, as there won't be new versions of PolarSSL, we don't need to consider future changes to ssl_session_init. If @bagder agrees and nobody's faster than me, I'll change that to just use the memset.

@bagder
Copy link
Member

bagder commented Apr 11, 2017

I'm totally fine with that!

MarcelRaad added a commit to MarcelRaad/curl that referenced this issue Apr 11, 2017
ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.

Suggested-by: Jay Satiro
Fixes curl#1401
@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Development

No branches or pull requests

3 participants