https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191799
Bug ID: 191799
Summary: [patch] openssl - fix regression from CVE-2014-0224 - "ccs received early"
Product: Base System
Version: 8.4-RELEASE
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: freebsd-bugs@FreeBSD.org
Reporter: andrew.daugherity@gmail.com
Created attachment 144567
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144567&action=edit
patch to fix "ccs received early" error
I've recently been having issues with net/relayd randomly (e.g. once every 10
minutes or so) flagging backend HTTPS servers as down for one check, then back
up the next.
Running it in debug+extra verbose mode showed a libssl error:
SSL library error: 10.95.8.221: cannot connect: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early
hce_notify_done: 10.95.8.221 (ssl connect failed)
host 10.95.8.221, check http code use ssl (94ms), state up -> down, availability 95.65%
The only relevant result I found searching for this error was the changelog
for Ubuntu's openssl package, where apparently the patch for CVE-2014-0224
introduced this error for people running pg_dump (postgres) with ssl enabled.
The issue was fixed upstream in openssl's git (post-1.0.1h), and Debian &
Ubuntu cherry-picked this commit. After manually applying the same one-line
patch to my tree and rebuilding world, relayd is back to 100% uptime.
I've attached the diff (against ^/releng/8.4); 9/10/HEAD are also affected and
the patch should apply with only changing line numbers. I suppose the
security/openssl port should also be fixed.
External links:
OpenSSL bug:
https://rt.openssl.org/Ticket/Display.html?id=3400&user=guest&pass=guest
OpenSSL git commit:
https://git.openssl.org/gitweb/?p=openssl.git;a=history;f=ssl/s3_clnt.c;hb=3b77f01702cbbb75c77
Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1332643
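As an added, defender-side example (not part of this bug report, relayd or OpenSSL), the script below scans a relayd debug log for this specific libssl failure by decoding the packed `error:14094085` code into its library/function/reason fields, and tallies the up/down flaps per backend host so the regression can be spotted from monitoring logs before the patch is rolled out. The log excerpt is constructed from the lines quoted above; the numeric constants are OpenSSL's `ERR_LIB_SSL`, `SSL_F_SSL3_READ_BYTES` and `SSL_R_CCS_RECEIVED_EARLY` values.

```python
import re
from collections import Counter, defaultdict

# Constructed relayd debug-log excerpt, modelled on the lines quoted in the bug report.
LOG = """\
SSL library error: 10.95.8.221: cannot connect: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early
hce_notify_done: 10.95.8.221 (ssl connect failed)
host 10.95.8.221, check http code use ssl (94ms), state up -> down, availability 95.65%
host 10.95.8.222, check http code use ssl (12ms), state unknown -> up, availability 100.00%
SSL library error: 10.95.8.221: cannot connect: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early
host 10.95.8.221, check http code use ssl (90ms), state down -> up, availability 95.70%
"""

# OpenSSL packs an error as 0xLLFFFRRR: 8-bit library, 12-bit function, 12-bit reason.
ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY = 20, 148, 133

ERR_RE = re.compile(r"SSL library error: (?P<host>\S+): .*?error:(?P<code>[0-9a-fA-F]{8}):")
FLAP_RE = re.compile(r"host (?P<host>\S+), .*state (?P<old>\w+) -> (?P<new>\w+)")


def decode_err(code):
    """Split a packed OpenSSL error code (hex string) into (library, function, reason)."""
    n = int(code, 16)
    return (n >> 24) & 0xFF, (n >> 12) & 0xFFF, n & 0xFFF


def is_ccs_early(code):
    """True when the code is SSL3_READ_BYTES:ccs received early (the 1.0.1h regression)."""
    return decode_err(code) == (ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY)


def analyse(log):
    """Count 'ccs received early' failures and up<->down flaps per backend host."""
    ccs = Counter()
    flaps = defaultdict(list)
    for line in log.splitlines():
        m = ERR_RE.search(line)
        if m and is_ccs_early(m["code"]):
            ccs[m["host"]] += 1
            continue
        m = FLAP_RE.search(line)
        if m and {m["old"], m["new"]} == {"up", "down"}:
            flaps[m["host"]].append(f"{m['old']}->{m['new']}")
    return ccs, dict(flaps)


if __name__ == "__main__":
    errs, transitions = analyse(LOG)
    for host, n in errs.items():
        print(f"{host}: {n} 'ccs received early' failure(s), flaps: {transitions.get(host, [])}")
```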