Artifact [639511f397]

Artifact 639511f397f343ef62f1e6ef897748f31bb73d48a854f515b3a960fd27801d38:

Ticket change [639511f397] - New ticket [88c0c8496999c48f|88c0c84969] "EOF handling potentially broken with OpenSSL 1.1.1e or newer" by gustafn3 on 2023-10-22 11:55:59.
D 2023-10-22T11:55:59.456
J foundin tcltls-1.7.22
J icomment The\sEOF\shandling\shas\schanged\sin\sOpenSSL\s1.1.1e,\swhere\sit\schanged\sfrom\sSSL_ERROR_SYSCALL\swith\serrno\s0\sto\sSSL_ERROR_SSL\swith\sreason\scode\sSSL_R_UNEXPECTED_EOF_WHILE_READING\s[1].\sThis\schange\sin\sOpenSSL\srequires\salso\sadjustments\sin\sapplications\susing\sOpenSSL\s(see,\se.g.,\s[2]),\sincluding\stcltls.\r\n\r\nWe\snoticed\sthe\sproblem\swhen\supgrading\sa\smachine\sfrom\sCentOS\s7\sto\sRocky\r\nLinux\s9,\swhere\safter\sthe\supgrade\sa\sscript\slike\sthe\sfollowing\sstopped\r\nworking:\r\n\r\n````\r\n$\s/usr/local/ns/bin/tclsh8.6\r\n%\spackage\srequire\stls\s\s\s\s\s\s\s\s\s\s\s\s\s\s\s\s\s\r\n%\sset\sf\s[tls::socket\slocalhost\s8443]\r\n%\sputs\s$f\s"GET\s/\sHTTP/1.0\\n"\r\n%\sflush\s$f\r\n%\sset\scontent\s[read\s$f]\r\n%\sclose\s$f\r\n````\r\n\r\nThe\sproblem\smanifests\sitself\sin\sthe\s"read"\soperation,\swhere\sfirst,\sit\r\ntransfers\sthe\sfull\scontent,\sand\sthen\sit\sreports\s"software\scaused\r\nconnection\sabort".\sSee\sbelow\sthe\soutput\sfrom\sthe\sdebug\smacros\sof\r\ntcltls.\r\n\r\n````\r\n./tlsIO.c:385:TlsInputProc():BIO_read(4096)\r\n...\r\n./tlsIO.c:422:TlsInputProc():BIO_read\s->\s465\r\n./tlsIO.c:425:TlsInputProc():BIO_read\sreturned\serr\s0\r\n...\r\n./tlsIO.c:422:TlsInputProc():BIO_read\s->\s207\r\n./tlsIO.c:425:TlsInputProc():BIO_read\sreturned\serr\s0\r\n...\r\n./tlsBIO.c:262:BioCtrl():Got\sBIO_CTRL_EOF\r\n./tlsBIO.c:127:BioWrite():[chan=0x1438a7990]\sBioWrite(24)\s->\s24\s[tclEof=1;\stclErrno=0]\r\n./tlsBIO.c:148:BioWrite():Successfully\swrote\ssome\sdata\r\n...\r\n./tls.c:180:InfoCallback():Called\r\n./tlsIO.c:422:TlsInputProc():BIO_read\s->\s0\r\n./tlsIO.c:425:TlsInputProc():BIO_read\sreturned\serr\s1\r\n./tlsIO.c:460:TlsInputProc():SSL\snegotiation\serror,\sindicating\sthat\sthe\sconnection\shas\sbeen\saborted\r\n./tls.c:367:Tls_Error():Called\r\n./tlsIO.c:502:TlsInputProc():Input(4096)\s->\s-1\s[53]\r\n./tlsIO.c:719:TlsWatchProc():TlsWatchProc(0x0)\r\n./tlsIO.c:728:TlsWatchProc():statePtr->flags=0\r\n./tlsIO.c:992:Tls_GetParent():Requested\sto\sget\sparent\sof\schannel\s0x1438a0790\r\n./tlsIO.c:754:TlsWatchProc():Registering\sour\sinterest\sin\sthe\slower\schannel\s(chan=0x1438a7990)\r\nerror\sreading\s"sock144076990":\ssoftware\scaused\sconnection\sabort\r\n````\r\n\r\nThe\sproblem\sexists\snot\sonly\son\sLinux,\sbut\sas\swell\son\smacOS\s(13.6).\r\nBelow\sis\sa\spatch\sthat\sfixes\sthe\sproblem\swithout\sgoing\sinto\sthe\s(version\r\ndependent)\serror\scode\s/\serror\sreason\shandling\sof\sOpenSSL,\ssince\sthis\sapproach\smakes\sthe\sissue\smore\stransparent.\sThis\spatch\sbelow\swas\stested\swith\sTcl\s8.6.13,\stcltls-1.7.22\sand\sOpenSSL\s3.1.3\s(19\sSep\s2023).\r\n\r\n````\r\n$\sdiff\s-wu\stlsIO.c-orig\stlsIO.c\r\n---\stlsIO.c-orig\t2020-10-12\s22:39:22\r\n+++\stlsIO.c\t2023-10-22\s12:33:11\r\n@@\s-420,6\s+420,18\s@@\r\n\s\tERR_clear_error();\r\n\s\tbytesRead\s=\sBIO_read(statePtr->bio,\sbuf,\sbufSize);\r\n\s\tdprintf("BIO_read\s->\s%d",\sbytesRead);\r\n+\r\n+\tif\s(bytesRead\s==\s0\s&&\sTcl_Eof(statePtr->self))\s{\r\n+\s\s\s\s\s\s\s\s\s\s\s\s/*\s\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\s*\sWe\sknow\sthrough\sBIO_CTRL_EOF\sthat\swe\sare\salready\sat\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\s*\sEOF\s(determined\sduring\sBIO_read()).\sThere\sis\sno\sneed\sto\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\s*\stry\sto\shandle\sthis\ssituation\svia\serror\sand\sreason\scodes\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\s*\sfrom\sOpenSSL.\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\s*/\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\sdprintf("tried\sto\sread\swhile\schannel\sis\salready\sat\sEOF");\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\s*errorCodePtr\s=\s0;\r\n+\s\s\s\s\s\s\s\s\s\s\s\s\sreturn(bytesRead);\r\n````\r\n\r\n\r\n[1]\shttps://mta.openssl.org/pipermail/openssl-project/2020-May/001975.html\s\s\s\r\n[2]\shttps://groups.google.com/g/mailing.openssl.users/c/9C2rT9WVqW8/m/1F-8JWnzAQAJ
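Review bot: the new `if (bytesRead == 0 && Tcl_Eof(statePtr->self))` branch reports a clean EOF for every transport-level EOF, so a peer that sent a TLS close_notify and a connection that was simply cut off look the same to the caller, which is the case OpenSSL 1.1.1e and newer flag as SSL_R_UNEXPECTED_EOF_WHILE_READING. For a read-until-EOF caller such as the HTTP/1.0 script in this ticket, a truncated response would then pass as a complete one. Consider returning 0 with `*errorCodePtr = 0` only when SSL_get_shutdown() reports SSL_RECEIVED_SHUTDOWN, or making the lenient behaviour an explicit option, and keep the existing error path otherwise. Separately, the hunk as posted stops at `return(bytesRead);` without the closing brace of the `if` block and carries fewer lines than the `+420,18` header announces, and the added lines mix tab and space indentation, so the patch should be reposted complete before it is applied.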
J login gustafn3
J mimetype text/x-markdown
J private_contact ef1993a98c1daa778fe0b246a7af12b3076f2240
J severity Critical
J status Open
J title EOF\shandling\spotentially\sbroken\swith\sOpenSSL\s1.1.1e\sor\snewer
J type Code\sDefect
K 88c0c8496999c48f513eb4f97aaa0ac9829b35d3
U gustafn3
Z 8f75bdc26b60609ad29afe22a5ff7745