[Bug 191799] New: [patch] openssl - fix regression from CVE-2014-0224 - "ccs received early"
bugzilla-noreply at freebsd.org
Fri Jul 11 01:25:38 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191799
Bug ID: 191799
Summary: [patch] openssl - fix regression from CVE-2014-0224 -
"ccs received early"
Product: Base System
Version: 8.4-RELEASE
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: andrew.daugherity at gmail.com
Created attachment 144567
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144567&action=edit
patch to fix "ccs received early" error
I've recently been having issues with net/relayd randomly (e.g. once every 10
minutes or so) flagging backend HTTPS servers as down for one check, then back
up the next.
Running it in debug+extra verbose mode showed a libssl error:

    SSL library error: 10.95.8.221: cannot connect: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early
    hce_notify_done: 10.95.8.221 (ssl connect failed)
    host 10.95.8.221, check http code use ssl (94ms), state up -> down, availability 95.65%

The only relevant result I found searching for this error was the changelog
for Ubuntu's openssl package, where apparently the patch for CVE-2014-0224
introduced this error for people running pg_dump (postgres) with ssl enabled.
The issue was fixed upstream in openssl's git (post-1.0.1h), and Debian &
Ubuntu cherry-picked this commit. After manually applying the same one-line
patch to my tree and rebuilding world, relayd is back to 100% uptime.
I've attached the diff (against ^/releng/8.4); 9/10/HEAD are also affected and
the patch should apply with only changing line numbers. I suppose the
security/openssl port should also be fixed.
External links:
OpenSSL bug:
https://rt.openssl.org/Ticket/Display.html?id=3400&user=guest&pass=guest
OpenSSL git commit:
https://git.openssl.org/gitweb/?p=openssl.git;a=history;f=ssl/s3_clnt.c;hb=3b77f01702cbbb75c77
Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1332643
--
You are receiving this mail because:
You are the assignee for the bug.
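
For triaging relayd debug output like the excerpt in the report, this added example (not part of the original report, relayd or OpenSSL) decodes the packed error code that pre-3.0 OpenSSL prints and counts, per host, the "ccs received early" connect errors and the up -> down transitions that follow them. The function names and the 192.0.2.10 lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Pre-3.0 OpenSSL packs an error code as lib (8 bits) | func (12) | reason (12).
ERR_LIB_SSL = 20                # 0x14
SSL_R_CCS_RECEIVED_EARLY = 133  # 0x085

ERR_RE = re.compile(
    r"SSL library error: (?P<host>\S+?): cannot connect: error:(?P<code>[0-9A-Fa-f]{8}):")
DOWN_RE = re.compile(r"host (?P<host>[^\s,]+), .*state up -> down")

def unpack_err(code_hex):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(lines):
    """Per host: 'ccs received early' connect errors, and how many
    up -> down transitions directly followed such an error."""
    stats = defaultdict(lambda: {"ccs_early": 0, "flaps": 0})
    pending = set()  # hosts whose most recent SSL error was 'ccs received early'
    for line in lines:
        m = ERR_RE.search(line)
        if m:
            lib, _func, reason = unpack_err(m.group("code"))
            host = m.group("host")
            if lib == ERR_LIB_SSL and reason == SSL_R_CCS_RECEIVED_EARLY:
                stats[host]["ccs_early"] += 1
                pending.add(host)
            else:
                pending.discard(host)  # a different TLS failure, not this regression
            continue
        m = DOWN_RE.search(line)
        if m and m.group("host") in pending:
            stats[m.group("host")]["flaps"] += 1
            pending.discard(m.group("host"))
    return dict(stats)

# First three lines: the report's excerpt, unwrapped. Last two: constructed.
SAMPLE = [
    "SSL library error: 10.95.8.221: cannot connect: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early",
    "hce_notify_done: 10.95.8.221 (ssl connect failed)",
    "host 10.95.8.221, check http code use ssl (94ms), state up -> down, availability 95.65%",
    "SSL library error: 192.0.2.10: cannot connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "host 192.0.2.10, check http code use ssl (12ms), state up -> down, availability 90.00%",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts that appear in the result went down because of this specific handshake error rather than a certificate or network failure, which separates the regression from genuine backend outages.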