Page MenuHomeFreeBSD
Differential D28932

Fix apache24 to work with KTLS-enabled OpenSSL.
ClosedPublic
Actions

Authored by jhb on Feb 26 2021, 12:20 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Apr 21, 8:15 PM
Unknown Object (File)
Thu, Apr 18, 3:56 PM
Unknown Object (File)
Tue, Apr 16, 12:53 PM
Unknown Object (File)
Sat, Apr 13, 6:21 AM
Unknown Object (File)
Sat, Apr 13, 1:00 AM
Unknown Object (File)
Wed, Apr 10, 11:43 PM
Unknown Object (File)
Wed, Apr 10, 11:43 PM
Unknown Object (File)
Wed, Apr 10, 11:42 PM
View All 59 Files
Subscribers
bjk
mat

Details

Reviewers
bjk
Commits
rP568258: MFH: r568256
rP568256: fix OpenSSL KTLS causes regression: SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT
Summary

Apache uses custom BIO classes to manage socket I/O on connections
using SSL via OpenSSL. These custom BIO classes contain a ctrl
method which should return 0 for unknown requests. However, the
custom BIO classes in Apache were returning non-zero values for
unknown requests. This resulted in OpenSSL believing that BIOs
were using KTLS when they were not.

Note that Apache will not take advantage of KTLS currently since
it does not use OpenSSL's built-in BIO classes for sockets.

Test Plan
  • tried to use apache24 on recent head with openssl s_client as the client. Previously this always failed during TLS negotiation even with KTLS disabled in the kernel. With the patch, simple requests now appear to work for me, but this needs more testing by folks who reported the initial breakage.

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Feb 26 2021, 12:20 AM
Herald added a subscriber: mat. · View Herald TranscriptFeb 26 2021, 12:20 AM
jhb requested review of this revision.Feb 26 2021, 12:20 AM
Harbormaster completed remote builds in B37392: Diff 84723.Feb 26 2021, 12:20 AM
jhb added a comment.Feb 26 2021, 7:20 PM

I've had one user confirm this fixes apache24 for them in a real-world use case.

bjk accepted this revision.Feb 26 2021, 7:30 PM

The patch to ssl_engine_io.c is correct from an openssl perspective.
I'm not a ports committer, so technically I shouldn't approve the (trivial) Makefile update.

This revision is now accepted and ready to land.Feb 26 2021, 7:30 PM
Closed by commit rP568256: fix OpenSSL KTLS causes regression: SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT (authored by joneum). · Explain WhyMar 13 2021, 4:12 PM
This revision was automatically updated to reflect the committed changes.
joneum added a commit: rP568256: fix OpenSSL KTLS causes regression: SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT.
joneum added a commit: rP568258: MFH: r568256.Mar 13 2021, 4:15 PM

Revision Contents
Changeset List

PathSize
head/
www/
apache24/
2 lines
files/
38 lines

Diff 85693

View Options

head/www/apache24/Makefile

Loading...
View Options

head/www/apache24/files/patch-modules_ssl_ssl__engine__io.c

Loading...