From owner-freebsd-bugs@FreeBSD.ORG Fri Jul 11 01:25:38 2014 Return-Path: Delivered-To: freebsd-bugs@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1C61CDEA for ; Fri, 11 Jul 2014 01:25:38 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DD8D42C42 for ; Fri, 11 Jul 2014 01:25:37 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s6B1PbAm089354 for ; Fri, 11 Jul 2014 01:25:37 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 191799] New: [patch] openssl - fix regression from CVE-2014-0224 - "ccs received early" Date: Fri, 11 Jul 2014 01:25:37 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 8.4-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: andrew.daugherity@gmail.com X-Bugzilla-Status: Needs Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2014 01:25:38 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191799 Bug ID: 191799 Summary: [patch] openssl - fix regression from CVE-2014-0224 - "ccs received early" Product: Base System Version: 8.4-RELEASE Hardware: Any OS: Any Status: Needs Triage Severity: Affects Many People Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: andrew.daugherity@gmail.com Created attachment 144567 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144567&action=edit patch to fix "ccs received early" error I've recently been having issues with net/relayd randomly (e.g. once every 10 minutes or so) flagging backend HTTPS servers as down for one check, then back up the next. Running it in debug+extra verbose mode showed a libssl error: SSL library error: 10.95.8.221: cannot connect: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early hce_notify_done: 10.95.8.221 (ssl connect failed) host 10.95.8.221, check http code use ssl (94ms), state up -> down, availability 95.65% The only relevant results I found searching for this error was the changelog for Ubuntu's openssl package, where apparently the patch for CVE-2014-0224 introduced this error for people running pg_dump (postgres) with ssl enabled. The issue was fixed upstream in openssl's git (post-1.0.1h), and Debian & Ubuntu cherry-picked this commit. After manually applying the same one-line patch to my tree and rebuilding world, relayd is back to 100% uptime. I've attached the diff (against ^/releng/8.4); 9/10/HEAD are also affected and the patch should apply with only changing line numbers. I suppose the security/openssl port should also be fixed. External links: OpenSSL bug: https://rt.openssl.org/Ticket/Display.html?id=3400&user=guest&pass=guest OpenSSL git commit: https://git.openssl.org/gitweb/?p=openssl.git;a=history;f=ssl/s3_clnt.c;hb=3b77f01702cbbb75c77 Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1332643 -- You are receiving this mail because: You are the assignee for the bug.