> On Dec 7, 2017, at 8:55 AM, OpenSSL <openssl@xxxxxxxxxxx> wrote:
>
> OpenSSL - The Open Source toolkit for SSL/TLS
> https://www.openssl.org/
>
> The OpenSSL project team is pleased to announce the release of
> version 1.0.2n of our open source toolkit for SSL/TLS. For details
> of changes and known issues see the release notes at:
>
> https://www.openssl.org/news/openssl-1.0.2-notes.html

It is perhaps useful to expand on one sentence in the CHANGE log:

  Changes between 1.0.2m and 1.0.2n [7 Dec 2017]

   *) Read/write after SSL object in error state

      OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
      mechanism. The intent was that if a fatal error occurred during a handshake
      then OpenSSL would move into the error state and would immediately fail if
      you attempted to continue the handshake. This works as designed for the
      explicit handshake functions (SSL_do_handshake(), SSL_accept() and
      SSL_connect()), however due to a bug it does not work correctly if
      SSL_read() or SSL_write() is called directly.
      ...

What "directly" means at the end of the quoted text is "directly,
without first performing an explicit handshake". In that case the
handshake is an implicit side-effect of the first read or write
call, and it was in that case that the "error state" mechanism did
not behave as intended.

--
	Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
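An added example, not part of the original message or of OpenSSL: an application-side guard that always drives the handshake explicitly and refuses read/write once it has failed, so no I/O call ever starts a handshake as a side effect. It uses Python's ssl module (a wrapper over OpenSSL) with memory BIOs so it runs offline; `GuardedTLS`, `TLSStateError`, `demo` and the sample peer bytes are constructed for illustration.

```python
import ssl

class TLSStateError(Exception):
    """I/O refused: the handshake is not finished, or it failed fatally earlier."""

class GuardedTLS:
    """Hypothetical wrapper (not an OpenSSL or Python API) around ssl.SSLObject."""
    def __init__(self, ctx, host):
        self.incoming = ssl.MemoryBIO()  # bytes received from the peer
        self.outgoing = ssl.MemoryBIO()  # bytes waiting to be sent to the peer
        self._tls = ctx.wrap_bio(self.incoming, self.outgoing, server_hostname=host)
        self.established = False
        self.failed = False

    def handshake(self):
        """Explicit handshake step: True when done, False when more peer data is needed."""
        if self.failed:
            raise TLSStateError("handshake failed earlier; discard this connection")
        try:
            self._tls.do_handshake()
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            return False          # not an error, the handshake just needs more I/O
        except ssl.SSLError:
            self.failed = True    # fatal: latch the failure at the application level
            raise
        self.established = True
        return True

    def _require_established(self):
        if self.failed or not self.established:
            raise TLSStateError("no completed handshake; read/write refused")

    def read(self, n=4096):
        self._require_established()   # read never starts a handshake implicitly
        return self._tls.read(n)

    def write(self, data):
        self._require_established()   # write never starts a handshake implicitly
        return self._tls.write(data)

def demo():
    """Client handshake against a constructed non-TLS reply; returns observed states."""
    conn = GuardedTLS(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), "example.invalid")
    first = conn.handshake()          # ClientHello queued, waiting for the peer
    conn.incoming.write(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # constructed sample input
    try:
        conn.handshake()
    except ssl.SSLError:
        pass                          # fatal handshake failure, now latched in conn.failed
    return first, conn.failed
```

After the failure is latched, the only valid action is to discard the connection object and start a new one.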