
Commit

Document the revert of the proper reporting of an unexpected EOF
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #11400)
t8m committed Mar 25, 2020
1 parent 30d190c commit 0cd2ee6
Showing 3 changed files with 22 additions and 1 deletion.
7 changes: 7 additions & 0 deletions CHANGES
Expand Up @@ -9,6 +9,13 @@

Changes between 1.1.1e and 1.1.1f [xx XXX xxxx]

*) Revert the change of EOF detection while reading in libssl to avoid
regressions in applications depending on the current way of reporting
the EOF. As the existing method is not fully accurate the change to
reporting the EOF via SSL_ERROR_SSL is kept on the current development
branch and will be present in the 3.0 release.
[Tomas Mraz]

*) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
when primes for RSA keys are computed.
Since we previously always generated primes == 2 (mod 3) for RSA keys,
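Review bot: the new CHANGES entry says the EOF change is reverted but never states what callers of SSL_get_error() will see again, so a reader of CHANGES alone cannot tell whether their existing error handling still applies. Suggest adding one sentence after "reporting the EOF", for example "The unexpected EOF is again reported as SSL_ERROR_SYSCALL with errno 0; see the BUGS section of SSL_get_error(3)", which is exactly what the doc/man3/SSL_get_error.pod change in this same commit documents.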
4 changes: 3 additions & 1 deletion NEWS
Expand Up @@ -7,12 +7,14 @@

Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development]

o
o Revert the unexpected EOF reporting via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

o Fixed an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli (CVE-2019-1551)
o Properly detect unexpected EOF while reading in libssl and report
it via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]

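Review bot: the empty "o" bullet left at the top of the 1.1.1f section is a blank list item and will render as such if the release goes out with it; either fill it in or drop it before tagging. Also, the NEWS line only says the SSL_ERROR_SSL reporting is reverted; mirroring the 1.1.1e entry just below it ("report it via SSL_ERROR_SSL") with the pre-1.1.1e behaviour, e.g. "Revert the unexpected EOF reporting via SSL_ERROR_SSL (reported as SSL_ERROR_SYSCALL again)", would let someone scanning NEWS see the full round trip without opening CHANGES.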
12 changes: 12 additions & 0 deletions doc/man3/SSL_get_error.pod
Expand Up @@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called.

=back

=head1 BUGS

The B<SSL_ERROR_SYSCALL> with B<errno> value of 0 indicates unexpected EOF from
the peer. This will be properly reported as B<SSL_ERROR_SSL> with reason
code B<SSL_R_UNEXPECTED_EOF_WHILE_READING> in the OpenSSL 3.0 release because
it is truly a TLS protocol error to terminate the connection without
a SSL_shutdown().

The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
which choose to ignore this protocol error depend on the existing way of
reporting the error.

=head1 SEE ALSO

L<ssl(7)>
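Review bot: in the new BUGS section, "a SSL_shutdown()" should read "an SSL_shutdown()", consistent with the surrounding page's treatment of the function name. More substantively, the section tells readers that SSL_ERROR_SYSCALL with errno 0 means an unexpected EOF but not what they should do with that information; since errno 0 is the only way to tell a truncated connection apart from a genuine system call failure, a sentence advising applications that do not want to silently accept truncation to check errno immediately after the failing call and treat the 0 case as a protocol error (the same classification 3.0 will apply via SSL_R_UNEXPECTED_EOF_WHILE_READING) would make the documented workaround actionable rather than merely descriptive.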

0 comments on commit 0cd2ee6
