Compatibility with OpenSSL 3.2 #105
Comments
I tried to find the commit that introduced the issue with git bisect, and it seems to be openssl/openssl@4030869

Not sure why this commit introduced the bug, but I could fix my issue by returning in `if r <= 0 then`:

```pony
match @SSL_get_error(_ssl, r)
| 1 | 5 => _state = SSLError
| 2 =>
  // SSL buffer has more data but it is not yet decoded (or something)
  _read_buf.truncate(offset)
  return None
| 6 =>
  // SSL_ERROR_ZERO_RETURN, peer has closed connection, no more data to read
  return None
end
```

Maybe other errors should also be handled in some way?
Thanks @sacovo. I'll take a look in the next couple days and get some CI setup with the OpenSSL 3.2 environment I set up yesterday. I'll get it failing and then I'll take the excellent work you've done and get a fix out. Thanks for all the triaging. You've been awesome.
It is checked in ssl_connection.pony though in

in addition to setting the state, should also do

Can you try:

```pony
match @SSL_get_error(_ssl, r)
| 1 | 5 | 6 =>
  _state = SSLError
  return None
| 2 =>
  // SSL buffer has more data but it is not yet decoded (or something)
  _read_buf.truncate(offset)
  return None
end
```
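The read handling agreed on above, written out as an added C example (not the net_ssl project's code): each `r <= 0` result is classified with the same SSL_get_error codes the thread uses (1, 2, 5, 6), and every such outcome returns, so the read check can never spin or recurse on a closed connection. The `mock_ssl` stand-in for `SSL_read`/`SSL_get_error` is constructed here so the example runs without OpenSSL.

```c
#include <stddef.h>

/* Values returned by OpenSSL's SSL_get_error(); defined locally so this
 * builds without OpenSSL headers. They match <openssl/ssl.h>. */
enum { SSL_ERR_NONE = 0, SSL_ERR_SSL = 1, SSL_ERR_WANT_READ = 2,
       SSL_ERR_SYSCALL = 5, SSL_ERR_ZERO_RETURN = 6 };

/* What the caller should do after one read, mirroring the Pony match arms. */
typedef enum { RX_DATA, RX_WAIT, RX_CLOSED, RX_ERROR } rx_state;

/* Constructed mock of SSL_read()/SSL_get_error(): a scripted list of
 * (bytes, err) results handed back in order; past the end of the script
 * the peer has closed (0 bytes, SSL_ERROR_ZERO_RETURN). */
typedef struct { int bytes; int err; } mock_step;
typedef struct { const mock_step *steps; size_t n, pos; } mock_ssl;

static int mock_read(mock_ssl *s, int *err) {
    if (s->pos >= s->n) { *err = SSL_ERR_ZERO_RETURN; return 0; }
    *err = s->steps[s->pos].err;
    return s->steps[s->pos++].bytes;
}

/* Classify a single read result the way the suggested fix does:
 * 1, 5 and 6 end the read (error or clean close); 2 keeps the bytes
 * already buffered and waits for the socket to become readable again. */
rx_state classify(int r, int err) {
    if (r > 0) return RX_DATA;
    switch (err) {
    case SSL_ERR_WANT_READ:   return RX_WAIT;
    case SSL_ERR_ZERO_RETURN: return RX_CLOSED;
    default:                  return RX_ERROR; /* SSL_ERROR_SSL, SSL_ERROR_SYSCALL, anything else */
    }
}

/* Drain a connection. The loop continues only while bytes arrive; every
 * r <= 0 outcome returns at once, so the number of reads is bounded by the
 * number of reads that actually produced data, plus one. */
int drain(mock_ssl *s, rx_state *final, int *reads) {
    int total = 0, err;
    *reads = 0;
    for (;;) {
        int r = mock_read(s, &err);
        (*reads)++;
        rx_state c = classify(r, err);
        if (c == RX_DATA) { total += r; continue; }
        *final = c;
        return total;
    }
}
```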
Yes, this works in fixing the issue. I still think there is something wrong with the
@sacovo do you feel up to opening an issue with the OpenSSL folks and I can make that change (which I think is correct regardless) in our Pony code? An interesting note from their manpage:
Yes, implementing that change seems reasonable and I'll open an issue in the openssl repo. The quote from the manpage is interesting. I think it doesn't apply to the situation here, since there really is no more data to process and nothing should be in the buffer.
I'm wondering if they introduced a bug where it thinks there is data. Something along the lines of an "off by one" or equivalent when they switched how they are determining it in the commit you referenced.
Note to future humans. Given this regression requires
Prior to this commit, we were only testing against a single SSL library on Linux plus also a version on Windows. We have seen that with http related code, we can encounter errors on different SSL versions. See ponylang/net_ssl#105. To adjust to this, with this test, we are adding testing against all our main supported SSL versions on Linux. This does not change our MacOS (not currently done) or our Windows testing matrix for ponylang/http.
This switches us to testing against OpenSSL 3.2.0 from OpenSSL 3.1.3. 3.1.3 seems to work fine for us, but we've identified a bug with OpenSSL 3.2.0. See ponylang/net_ssl#105 for more information on the bug.
I have a working regression test in ponylang/http that catches this problem. https://github.com/ponylang/http/actions/runs/7521779093/job/20473011093?pr=105
Fix is verified in CI. https://github.com/ponylang/http/actions/runs/7521816087/job/20473093908?pr=105 I'm going to finish up #107 then merge it and do a release then update the HTTP PR to use the new net_ssl and do an HTTP release. Thank you so much for your assistance with this issue @sacovo. I did the final few feet to get releases out and regression testing in place, but none of this would have happened without you. That was some awesome debugging. You rock.
Retrieving a website over ssl leads to an infinite loop when using openssl 3.2.0; when compiled with `--debug` a segfault occurs. This is the code:

The content is retrieved and displayed, but the program doesn't exit.

Compiling with `--debug` leads to a segfault with the following call stack:

So there seems to be an endless recursion when checking if there are more bytes to read from ssl.

Downgrading to 3.1.4 fixes this issue.