Re: FW: is the ssl3_send_alert() function public ( part of the API )? (ITS#1954)
Submitting the request is a good idea.
But I doubt the api change, if any, would be made before a new release
of OpenSSL. In the mean time, is it a good idea to continue using that
private function? The results are indeterminate and this *is* the
security layer.
I think the mixture of users using different versions of OpenLDAP,
OpenSSL, and OSes may eventually lead to a possible security issue.
--Kervin
Howard Chu wrote:
> The API is deficient. I will submit the request to their tracker.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> -----Original Message-----
> From: Lutz Jaenicke [mailto:Lutz.Jaenicke@aet.TU-Cottbus.DE]
> Sent: Tuesday, July 16, 2002 10:51 AM
> To: Howard Chu
> Subject: Re: is the ssl3_send_alert() function public ( part of the API )?
>
>
> On Tue, Jul 16, 2002 at 10:35:38AM -0700, Howard Chu wrote:
>
>>Since alerts are defined by the SSLv3 spec this seems to be a glaring
>>omission from the exported API. In particular, there is no way for the
>>verify callback to send a warning to the other side without this function,
>>and simply making the callback return "not OK" results in a fatal
>>condition, instead of a warning.
>
>
> Hmm. Interesting suggestion. Some of the alerts must always be fatal
> according to the spec, but not all of them. I don't think that the
> application should ever send an alert itself (I think that it would mess
> up the complete control structure with respect to non-blocking etc.)
> It might however be possible to introduce some variable/flag that
> one can set inside the callback function. Currently only SUCCESS/FAIL
> can be signalled via the return value of the callback(). Of course,
> an addition like this one should be compatible with respect to the
> current API...
>
> Hmm. Maybe you should send a corresponding request to rt@openssl.org
> such that the idea is recorded in the request tracker.
>
> Best regards,
> Lutz
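The distinction Lutz draws above (some SSLv3 alerts must always be fatal, others may be sent as warnings) is what any "send a warning from the verify callback" mechanism would have to enforce. The following is an added example, not code from OpenSSL, OpenLDAP or anyone in this thread: it encodes and decodes plaintext SSLv3 alert records and checks a proposed alert against what section 5.4.2 of the SSLv3 specification permits. The record layout and the alert list come from that spec; the function names (alert_check, alert_encode, alert_decode) and their return codes are this example's own assumptions. It deliberately does not touch an SSL object or write to a socket, which is Lutz's point: a record emitted behind OpenSSL's back would desynchronize its record layer, so this models the check a library-side hook would perform, not a way for an application to send alerts itself.

```c
/* Added example, not code from OpenSSL or this thread: encode, decode and
 * spec-check SSLv3 alert records.  Record layout and the alert list follow
 * the SSLv3 specification, section 5.4.2; function names and return codes
 * are this example's own conventions. */
#include <stdint.h>
#include <stdio.h>

#define SSL3_RT_ALERT   21   /* record-layer content type for an alert */
#define SSL3_AL_WARNING  1
#define SSL3_AL_FATAL    2

/* Alert descriptions defined by SSLv3; "always fatal" ones may never be
 * sent at warning level, the certificate-related ones may. */
enum {
    AD_CLOSE_NOTIFY            = 0,
    AD_UNEXPECTED_MESSAGE      = 10,  /* always fatal */
    AD_BAD_RECORD_MAC          = 20,  /* always fatal */
    AD_DECOMPRESSION_FAILURE   = 30,  /* always fatal */
    AD_HANDSHAKE_FAILURE       = 40,  /* always fatal */
    AD_NO_CERTIFICATE          = 41,
    AD_BAD_CERTIFICATE         = 42,
    AD_UNSUPPORTED_CERTIFICATE = 43,
    AD_CERTIFICATE_REVOKED     = 44,
    AD_CERTIFICATE_EXPIRED     = 45,
    AD_CERTIFICATE_UNKNOWN     = 46,
    AD_ILLEGAL_PARAMETER       = 47   /* always fatal */
};

struct ssl3_alert {
    uint8_t level;        /* SSL3_AL_WARNING or SSL3_AL_FATAL */
    uint8_t description;  /* one of the AD_* values */
};

/* 1 if the SSLv3 spec defines this description, else 0. */
int alert_known(uint8_t d)
{
    return d == AD_CLOSE_NOTIFY || d == AD_UNEXPECTED_MESSAGE
        || d == AD_BAD_RECORD_MAC || d == AD_DECOMPRESSION_FAILURE
        || d == AD_HANDSHAKE_FAILURE
        || (d >= AD_NO_CERTIFICATE && d <= AD_ILLEGAL_PARAMETER);
}

/* 1 if the SSLv3 spec requires this description to be sent as fatal. */
int alert_must_be_fatal(uint8_t d)
{
    return d == AD_UNEXPECTED_MESSAGE || d == AD_BAD_RECORD_MAC
        || d == AD_DECOMPRESSION_FAILURE || d == AD_HANDSHAKE_FAILURE
        || d == AD_ILLEGAL_PARAMETER;
}

/* Check an alert against the spec before sending it: 0 if acceptable, -1 for
 * an unknown level, -2 for an unknown description, -3 for a warning-level
 * alert whose description must be fatal. */
int alert_check(struct ssl3_alert a)
{
    if (a.level != SSL3_AL_WARNING && a.level != SSL3_AL_FATAL)
        return -1;
    if (!alert_known(a.description))
        return -2;
    if (a.level == SSL3_AL_WARNING && alert_must_be_fatal(a.description))
        return -3;
    return 0;
}

/* Encode an alert as one plaintext SSLv3 record into out[7].  Returns the
 * number of bytes written, or -1 if alert_check() rejects the alert. */
int alert_encode(struct ssl3_alert a, uint8_t out[7])
{
    if (alert_check(a) != 0)
        return -1;
    out[0] = SSL3_RT_ALERT;
    out[1] = 3; out[2] = 0;   /* protocol version 3.0 */
    out[3] = 0; out[4] = 2;   /* big-endian body length: always 2 for alerts */
    out[5] = a.level; out[6] = a.description;
    return 7;
}

/* Decode one plaintext record into *out: 0 on success, -1 if the buffer is
 * too short, -2 if it is not an alert record, -3 if the length is not 2. */
int alert_decode(const uint8_t *buf, size_t len, struct ssl3_alert *out)
{
    if (len < 7)
        return -1;
    if (buf[0] != SSL3_RT_ALERT)
        return -2;
    if (buf[3] != 0 || buf[4] != 2)
        return -3;
    out->level = buf[5];
    out->description = buf[6];
    return 0;
}

int main(void)
{
    /* Constructed samples: the fatal alert a peer sees when the verify
     * callback returns "not OK", and the warning the thread wants to send. */
    struct ssl3_alert fatal = { SSL3_AL_FATAL, AD_BAD_CERTIFICATE };
    struct ssl3_alert warn  = { SSL3_AL_WARNING, AD_CERTIFICATE_EXPIRED };
    struct ssl3_alert bad   = { SSL3_AL_WARNING, AD_HANDSHAKE_FAILURE };
    struct ssl3_alert back;
    uint8_t rec[7];

    if (alert_encode(fatal, rec) == 7 && alert_decode(rec, 7, &back) == 0)
        printf("fatal alert round-trips: level=%u description=%u\n",
               back.level, back.description);
    printf("warning certificate_expired: check=%d\n", alert_check(warn));
    printf("warning handshake_failure: check=%d (always fatal)\n", alert_check(bad));
    return 0;
}
```

Note that the check is about the SSLv3 wire format only: it says nothing about which alert OpenSSL itself chooses when a verify callback returns 0, and it would not help with the non-blocking state-machine problem Lutz raises, since that depends on where in the handshake the library is when the callback runs.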