[Bug 191799] New: [patch] openssl - fix regression from CVE-2014-0224 - "ccs received early"

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Jul 11 01:25:38 UTC 2014


            Bug ID: 191799
           Summary: [patch] openssl - fix regression from CVE-2014-0224 -
                    "ccs received early"
           Product: Base System
           Version: 8.4-RELEASE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: andrew.daugherity at gmail.com

Created attachment 144567
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144567&action=edit
patch to fix "ccs received early" error

I've recently been having issues with net/relayd randomly (e.g. once every 10
minutes or so) flagging backend HTTPS servers as down for one check, then back
up the next.

Running it in debug+extra verbose mode showed a libssl error:
SSL library error: cannot connect: error:14094085:SSL
routines:SSL3_READ_BYTES:ccs received early
hce_notify_done: (ssl connect failed)
host, check http code use ssl (94ms), state up -> down,
availability 95.65%

The only relevant result I found when searching for this error was the changelog
for Ubuntu's openssl package, where apparently the patch for CVE-2014-0224
introduced this error for people running pg_dump (postgres) with ssl enabled.
The issue was fixed upstream in openssl's git (post-1.0.1h), and Debian &
Ubuntu cherry-picked this commit.  After manually applying the same one-line
patch to my tree and rebuilding world, relayd is back to 100% uptime.

I've attached the diff (against ^/releng/8.4); 9/10/HEAD are also affected and
the patch should apply with only changing line numbers.  I suppose the
security/openssl port should also be fixed.

External links:
OpenSSL bug:
OpenSSL git commit:
Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1332643
