[racket-dev] possible bug in openssl/mzssl

From: Matthew Flatt (mflatt at cs.utah.edu)
Date: Thu Mar 1 13:05:03 EST 2012

At Thu, 1 Mar 2012 09:31:40 +0400, Sergey Pinaev wrote:
> On Wed, 29 Feb 2012 09:20:54 -0700
> Matthew Flatt <mflatt at cs.utah.edu> wrote:
> > Neil and Timur: Thanks for detailed information about the problem.
> > 
> > So far, I haven't managed to replicate the problem on my machine. Do
> > you have any hints on how to configure Apache to trigger the problem
> > or a server that I might try?
> you must access document in location, where SSLVerifyClient required:
>   <Location /dir/>
>     SSLRequireSSL
>     SSLVerifyClient require
>     SSLVerifyDepth 10
>   </Location>
> and do "GET /dir/some.file HTTP/1.0" to cause apache do connection
> re-negotiation.

Ah, now I get it. If the server requires a certificate for all
connections, then there's no problem. It's only when certificate
verification is triggered after some communication that the
problem happens.

I've pushed a repair. The problem was that the `pump-output' call was
too early; it needs to happen after SSL_read(), in case the SSL_read()
triggers new output for the socket level.

I also added support for renegotiation to the library, which makes it
easier to write tests for problems exposed by renegotiation.


Posted on the dev mailing list.