[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: FW: is the ssl3_send_alert() function public ( part of the API )? (ITS#1954)

Submitting the request is a good idea.

But I doubt the api change, if any, would be made before a new release 
of OpenSSL.  In the mean time, is it a good idea to continue using that 
private function?  The results are indeterminant and this *is* the 
security layer.

I think the mixture of users using, different versions of OpenLDAP, 
OpenSSL, and OSes may be lead eventually to a possible security issue.


Howard Chu wrote:
> The API is deficient. I will submit the request to their tracker.
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support 
> -----Original Message-----
> From: Lutz Jaenicke [mailto:Lutz.Jaenicke@aet.TU-Cottbus.DE]
> Sent: Tuesday, July 16, 2002 10:51 AM
> To: Howard Chu
> Subject: Re: is the ssl3_send_alert() function public ( part of the API
> )?
> On Tue, Jul 16, 2002 at 10:35:38AM -0700, Howard Chu wrote:
>>Since alerts are defined by the SSLv3 spec this seems to be a glaring
>>omission from the exported API. In particular, there is no way for the
>>verify callback to send a warning to the other side without this function,
>>and simply making the callback return "not OK" results in a fatal
>>condition, instead of a warning.
> Hmm. Interesting suggestion. Some of the alerts must always be fatal
> according to the spec, but not all of them. I don't think that the
> application should ever send an alert itself (I think that it would mess
> up the complete control structure with respect to non-blocking etc.)
> It might however be possible to introduce some variable/flag that
> one can set inside the callback function. Currently only SUCCESS/FAIL
> can be signalled via the return value of the callback(). Of course,
> an addition like this one should be compatible with respect to the
> current API...
> Hmm. Maybe you should send a corresponding request to rt@openssl.org
> such that the idea is recorded in the request tracker.
> Best regards,
> 	Lutz