SSL Updates – NET+OS 6.3

Last Updated: 02/16/07         Fix Count: 12

Title
Browser authentication failure

Case: 1224523

Date Fixed: 02/02/07

Description
The browser fails to authenticate with the SSL/web server if SSL_CIPHER_LIST_ALL_DEFAULT is used.

Solution
Declare the array that holds the cipher list as a static array.


Title
SSLConnect() fails to return due to memory leak

Case: 19716

Date Fixed: 12/06/06

Description
There was a memory leak while generating the SSL key material in the SSL handshake. The function that generates the key material is called twice during each session: once while sending the ClientKeyExchange message and again while sending the Finished message. Each call mallocs two cipher data buffers, one for read and one for write, but these buffers are freed only once, at the end of the session.

Solution
The fix calls the OpenSSL function that releases these buffers, if any are allocated, before initializing the TLS handshake protocol control block, because that initialization clears the read and write data buffer pointers and the first pair of buffers could no longer be freed.


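To make the double allocation concrete, here is an added C illustration (not NET+OS or OpenSSL code) of the pattern the note describes: a hypothetical handshake control block hs_pcb holds a read and a write cipher buffer, the key-material routine runs once at ClientKeyExchange and once at Finished, and the session frees the pair only once at its end. A small slot pool stands in for malloc() so the orphaned buffers can be counted; the buffer size, pool size and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: real key-material buffers depend on the cipher suite. */
#define CIPHER_BUF_SIZE 64
#define POOL_SLOTS      8

/* Hypothetical handshake protocol control block, modelled on the note. */
struct hs_pcb {
    unsigned char *read_cipher;
    unsigned char *write_cipher;
};

/* A slot pool stands in for malloc()/free() so outstanding buffers can be
 * counted; a slot whose pointer is overwritten without a free stays in use. */
static unsigned char pool[POOL_SLOTS][CIPHER_BUF_SIZE];
static int pool_in_use[POOL_SLOTS];

static unsigned char *alloc_cipher_buf(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            memset(pool[i], 0, CIPHER_BUF_SIZE);
            return pool[i];
        }
    }
    return NULL;                               /* pool exhausted */
}

/* Releases a buffer if one is held and clears the caller's pointer. */
static void free_cipher_buf(unsigned char **pp)
{
    if (*pp == NULL)
        return;
    pool_in_use[(*pp - pool[0]) / CIPHER_BUF_SIZE] = 0;
    *pp = NULL;
}

int buffers_in_use(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SLOTS; i++)
        n += pool_in_use[i];
    return n;
}

/* Leaky pattern from the note: every call takes two fresh buffers and simply
 * overwrites the pointers, so the pair taken at ClientKeyExchange is orphaned
 * when the routine runs again at Finished. */
static int generate_key_material_leaky(struct hs_pcb *pcb)
{
    pcb->read_cipher  = alloc_cipher_buf();
    pcb->write_cipher = alloc_cipher_buf();
    return (pcb->read_cipher && pcb->write_cipher) ? 0 : -1;
}

/* Fixed pattern: release whatever the control block already holds before
 * the pointers are reinitialised. */
static int generate_key_material_fixed(struct hs_pcb *pcb)
{
    free_cipher_buf(&pcb->read_cipher);
    free_cipher_buf(&pcb->write_cipher);
    pcb->read_cipher  = alloc_cipher_buf();
    pcb->write_cipher = alloc_cipher_buf();
    return (pcb->read_cipher && pcb->write_cipher) ? 0 : -1;
}

/* End of session: the single free the note describes. */
static void session_end(struct hs_pcb *pcb)
{
    free_cipher_buf(&pcb->read_cipher);
    free_cipher_buf(&pcb->write_cipher);
}

/* Runs one simulated session (key material generated twice, freed once) and
 * returns how many buffers are still outstanding afterwards: 0 means no leak. */
int run_session(int (*gen)(struct hs_pcb *))
{
    struct hs_pcb pcb = { NULL, NULL };
    memset(pool_in_use, 0, sizeof pool_in_use);
    gen(&pcb);                                 /* while sending ClientKeyExchange */
    gen(&pcb);                                 /* while sending Finished */
    session_end(&pcb);
    return buffers_in_use();
}

int leaked_buffers_leaky(void) { return run_session(generate_key_material_leaky); }
int leaked_buffers_fixed(void) { return run_session(generate_key_material_fixed); }

int main(void)
{
    printf("leaky: %d buffers orphaned per session\n", leaked_buffers_leaky());
    printf("fixed: %d buffers orphaned per session\n", leaked_buffers_fixed());
    return 0;
}
```

With the leaky routine two of the eight pool slots are still marked in use after every session, which is why a long-running unit eventually runs out of heap and SSLConnect() stops returning; the fixed routine leaves none.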
Title
Unit Freezes

Case: 1216806

Date Fixed: 09/22/06

Description
The unit freezes after some time.

Solution
Corrected a memory leak in certificate handling for SSL.


Title
SSL Proxy socket port number now user selectable

Case: feature request

Date Fixed: 07/07/06

Description
The SSL Proxy socket port number was hard-coded at the default of 443.

Solution
Added a new SSL API that allows changing the SSL Proxy socket port number from the default 443 to a user-specified value.


Title
Remote Connection Info Feature

Case: 16375

Date Fixed: 07/05/06

Description
The remote IP address and port of the HTTPS client were not available across the proxy.

Solution
Added a new function, NASSLGetRemoteConnectionInformation(), that retrieves the remote IP address and port of the HTTPS client from the other side of the proxy. The intent is to use this function in conjunction with RpGetConnectionInformation() when the latter reports a loopback connection.


Title
Connection errors

Case: 18909

Date Fixed: 6/29/06

Description
Problems connecting with some secure servers.

Solution
Modified tls_connection() to check for the connection_end argument. Failure to check for this argument results in an error condition that causes an immediate exit of the function.


Title
SSL Memory Leak

Case: 16392

Date Fixed: 06/22/06

Description
Running the Nessus NewT security scanner causes SSL to hang.

Solution
Corrected memory leaks in the SSL library to prevent an SSL server from hanging.


Title
Data missing from secure web page

Case: 1212465

Date Fixed: 06/13/06

Description
On occasion, the web page display would be incomplete.

Solution
When reading from either the local or the remote side, the while loops around recv() incorrectly assumed that the stream would end with a short packet (fewer than 1024 bytes) and that the following read would handle EOF. If a read ended exactly on a 1024-byte boundary and the next read returned EOF, the bytes in the buffer were lost.


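An added C illustration of the recv() boundary condition (constructed for these notes, not the NET+OS proxy source): fake_recv() replays an in-memory byte stream and returns 0 at EOF like a real socket, relay_buggy() is a reconstruction of the pattern the note describes, and relay_fixed() is the corrected loop. A 1500-byte stream survives either loop; 1024- and 2048-byte streams lose their last full buffer in the buggy one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK      1024      /* the read size named in the note */
#define MAX_STREAM 4096      /* constructed upper bound for the simulated stream */

/* Constructed stand-in for a socket: recv() hands out up to 'want' bytes and
 * returns 0 once the stream is exhausted, exactly like a peer closing. */
struct fake_sock {
    unsigned char data[MAX_STREAM];
    size_t len;
    size_t pos;
};

static int fake_recv(struct fake_sock *s, unsigned char *buf, size_t want)
{
    size_t left = s->len - s->pos;
    size_t n = left < want ? left : want;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (int)n;                             /* 0 == EOF */
}

/* Reconstruction of the pattern the note describes (not the NET+OS source):
 * a short read is treated as the final chunk, and a full buffer is committed
 * only after the next read shows the stream is still open. A stream that ends
 * exactly on a CHUNK boundary therefore loses its last full buffer. */
static size_t relay_buggy(struct fake_sock *s, unsigned char *out)
{
    unsigned char buf[CHUNK];
    size_t total = 0;
    int n = fake_recv(s, buf, CHUNK);
    while (n > 0) {
        if (n < CHUNK) {                       /* "short packet" => last chunk */
            memcpy(out + total, buf, (size_t)n);
            total += (size_t)n;
            break;
        }
        memcpy(out + total, buf, CHUNK);       /* staged, not yet counted */
        n = fake_recv(s, buf, CHUNK);          /* assumes more data follows */
        if (n <= 0)
            break;                             /* EOF here: staged bytes dropped */
        total += CHUNK;
    }
    return total;
}

/* Fixed loop: forward every chunk as soon as it arrives and let only recv()
 * returning 0 (EOF) or a negative error end the loop. The length of a read
 * says nothing about whether the stream is finished. */
static size_t relay_fixed(struct fake_sock *s, unsigned char *out)
{
    unsigned char buf[CHUNK];
    size_t total = 0;
    int n;
    while ((n = fake_recv(s, buf, CHUNK)) > 0) {
        memcpy(out + total, buf, (size_t)n);
        total += (size_t)n;
    }
    return total;
}

/* Builds a stream of 'stream_len' bytes with a known pattern, relays it with
 * the chosen loop and returns the byte count that reached the other side,
 * or (size_t)-1 if any forwarded byte was corrupted. */
size_t relay_demo(size_t stream_len, int use_fixed)
{
    static struct fake_sock s;
    static unsigned char out[MAX_STREAM];
    if (stream_len > MAX_STREAM)
        return (size_t)-1;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < stream_len; i++)
        s.data[i] = (unsigned char)(i & 0xff);
    s.len = stream_len;
    size_t got = use_fixed ? relay_fixed(&s, out) : relay_buggy(&s, out);
    for (size_t i = 0; i < got; i++)
        if (out[i] != (unsigned char)(i & 0xff))
            return (size_t)-1;
    return got;
}

int main(void)
{
    size_t lens[] = { 1500, 1024, 2048 };
    for (size_t i = 0; i < 3; i++)
        printf("%4zu-byte stream: buggy relays %4zu, fixed relays %4zu\n",
               lens[i], relay_demo(lens[i], 0), relay_demo(lens[i], 1));
    return 0;
}
```

The corrected loop is also the simpler one: the only signal that a TCP stream has ended is recv() returning 0, so a relay should never infer EOF from the size of a read.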
Title
Communication error during data transfer with some secure servers

Case: 1209405

Date Fixed: 04/08/05

Description
Some secure servers send multiple messages in each packet rather than one message per packet. This was causing communication errors during data transfer.

Solution
Modified the code to recognize when multiple messages are present in a packet and handle them accordingly.


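An added C illustration (not NET+OS code) of what handling multiple messages per packet involves: tls_scan_packet() walks every TLS record in one received buffer and every handshake message inside a handshake record, using the RFC 2246 framing (5-byte record header, 4-byte handshake header), and refuses to read past the end of a truncated packet. The sample packet, which coalesces ServerHello, Certificate and ServerHelloDone into one record, is constructed; the message bodies are dummy bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS content type and handshake message type (RFC 2246 values). */
#define TLS_CT_HANDSHAKE          22
#define TLS_HS_SERVER_HELLO_DONE  14

struct tls_packet_summary {
    int     records;          /* TLS records found in the packet */
    int     handshake_msgs;   /* handshake messages across all handshake records */
    uint8_t last_hs_type;     /* type of the last handshake message seen */
};

/* Walks every TLS record in one received packet and, inside each handshake
 * record, every handshake message (1-byte type, 3-byte big-endian length).
 * Returns 0 on success, or -1 when a header claims more bytes than are present,
 * so a truncated packet is reported instead of being read past its end.
 * A handshake message split across two records is out of scope here. */
int tls_scan_packet(const uint8_t *pkt, size_t len, struct tls_packet_summary *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 5)
            return -1;                                  /* partial record header */
        uint8_t ctype = pkt[off];
        size_t rlen = ((size_t)pkt[off + 3] << 8) | pkt[off + 4];
        off += 5;
        if (rlen > len - off)
            return -1;                                  /* record body truncated */
        const uint8_t *body = pkt + off;
        out->records++;
        if (ctype == TLS_CT_HANDSHAKE) {
            size_t hoff = 0;
            while (hoff < rlen) {                       /* several messages, one record */
                if (rlen - hoff < 4)
                    return -1;                          /* partial handshake header */
                uint8_t htype = body[hoff];
                size_t hlen = ((size_t)body[hoff + 1] << 16)
                            | ((size_t)body[hoff + 2] << 8)
                            |  (size_t)body[hoff + 3];
                hoff += 4;
                if (hlen > rlen - hoff)
                    return -1;                          /* message truncated */
                out->handshake_msgs++;
                out->last_hs_type = htype;
                hoff += hlen;
            }
        }
        off += rlen;                                    /* on to the next record */
    }
    return 0;
}

/* Constructed packet: one handshake record carrying ServerHello, Certificate
 * and ServerHelloDone back to back, then a ChangeCipherSpec record. Message
 * bodies are dummy bytes; only the framing matters here. */
static const uint8_t sample_packet[] = {
    0x16, 0x03, 0x01, 0x00, 0x13,                       /* handshake record, 19-byte body */
      0x02, 0x00, 0x00, 0x04, 0xaa, 0xbb, 0xcc, 0xdd,   /* ServerHello, 4-byte body       */
      0x0b, 0x00, 0x00, 0x03, 0x01, 0x02, 0x03,         /* Certificate, 3-byte body       */
      0x0e, 0x00, 0x00, 0x00,                           /* ServerHelloDone, empty body    */
    0x14, 0x03, 0x01, 0x00, 0x01, 0x01                  /* ChangeCipherSpec record        */
};

/* Scans the sample packet and returns the summary field asked for
 * (0 = records, 1 = handshake messages, 2 = last handshake type), or -1. */
int demo_scan(int field)
{
    struct tls_packet_summary s;
    if (tls_scan_packet(sample_packet, sizeof sample_packet, &s) != 0)
        return -1;
    return field == 0 ? s.records : field == 1 ? s.handshake_msgs : s.last_hs_type;
}

/* Dropping the final byte leaves the last record header claiming one body byte
 * that is not there; the scanner must reject it rather than over-read. */
int demo_truncated(void)
{
    struct tls_packet_summary s;
    return tls_scan_packet(sample_packet, sizeof sample_packet - 1, &s);
}

int main(void)
{
    printf("records=%d handshake_msgs=%d last_hs_type=%d (ServerHelloDone=%d)\n",
           demo_scan(0), demo_scan(1), demo_scan(2), TLS_HS_SERVER_HELLO_DONE);
    printf("truncated packet -> %d\n", demo_truncated());
    return 0;
}
```

A parser that consumed only the first message of each record would stop after ServerHello and wait for a Certificate that has already arrived, which is the kind of stall the note reports; the two bounds checks are what keep the coalesced case from turning into an over-read on malformed input.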
Title
Certificate verification added

Case: feature request

Date Fixed: 01/31/06

Description
The current implementation did not support certificate verification.

Solution
Added support for certificate verification.


Title
Secure Web Server page upload hangs

Case: 17778

Date Fixed: 01/26/06

Description
Using the secure web server, web pages may not display completely. In addition, this may be associated with the web server appearing hung (being unavailable). The symptom is a web page that pulls data from the NET+OS secure web server and displays all of the page's data, but IE's progress bar moves to the maximum (rightmost) position and does not return to its home (leftmost) position to show that the transfer is complete. After this event, the secure web server would not accept additional connections from other instances of any web browser; the web server would appear hung.

Solution
A programming error caused lower levels of the SSL proxy to miss a close signal from the web server. The associated links would not close down and a FIN would not be sent to the web browser. This was noticed most frequently on Japanese Windows 2000 systems running Japanese Internet Explorer V6 SP1.


Title
Session Resume feature added

Case: 16313

Date Fixed: 06/09/05

Description
Our SSL module implementation did not support the session resume feature. In the ServerHello message, the session ID was always set to 0. Therefore, every new connection went through the full negotiation process, which slowed down performance.

Solution
Added a session cache feature.


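An added C sketch (constructed for these notes, not the NET+OS session cache) of the server-side state a session resume feature needs: session_cache_store() records the negotiated secret and cipher suite under the session ID the server issued in ServerHello, and session_cache_lookup() checks the ID a returning client offers in ClientHello, returning the entry only while it is within its lifetime so the server can echo that ID and skip the full negotiation. The slot count, lifetime, struct fields, cipher suite value and demo scenarios are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_LEN     32    /* TLS session IDs are at most 32 bytes */
#define MASTER_SECRET_LEN  48
#define CACHE_SLOTS         4    /* constructed: an embedded-sized cache */
#define SESSION_LIFETIME  300    /* seconds; constructed value */

struct tls_session {
    int      in_use;
    uint32_t created;                        /* seconds on a monotonic clock */
    uint8_t  id[SESSION_ID_LEN];
    uint16_t cipher_suite;
    uint8_t  master_secret[MASTER_SECRET_LEN];
};

static struct tls_session cache[CACHE_SLOTS];

void session_cache_clear(void) { memset(cache, 0, sizeof cache); }

/* Stores the session state a full handshake just negotiated. When every slot
 * is taken the oldest entry is evicted, so the cache footprint stays bounded. */
void session_cache_store(const uint8_t id[SESSION_ID_LEN], uint16_t suite,
                         const uint8_t secret[MASTER_SECRET_LEN], uint32_t now)
{
    int victim = 0;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].in_use) { victim = i; break; }        /* free slot wins */
        if (cache[i].created < cache[victim].created)
            victim = i;                                      /* otherwise the oldest */
    }
    struct tls_session *s = &cache[victim];
    s->in_use = 1;
    s->created = now;
    s->cipher_suite = suite;
    memcpy(s->id, id, SESSION_ID_LEN);
    memcpy(s->master_secret, secret, MASTER_SECRET_LEN);
}

/* Looks up the session ID a client offered in its ClientHello. Returns the
 * cached session when it exists and is within its lifetime, so the server can
 * echo that ID in ServerHello and skip the full negotiation; otherwise NULL,
 * and the server issues a fresh ID and negotiates from scratch. An empty ID
 * (id_len == 0) simply means the client is not asking to resume. */
const struct tls_session *session_cache_lookup(const uint8_t *id, size_t id_len, uint32_t now)
{
    if (id_len != SESSION_ID_LEN)
        return NULL;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].in_use || memcmp(cache[i].id, id, SESSION_ID_LEN) != 0)
            continue;
        if (now - cache[i].created > SESSION_LIFETIME) {
            memset(&cache[i], 0, sizeof cache[i]);          /* expired: wipe secret too */
            return NULL;
        }
        return &cache[i];
    }
    return NULL;
}

/* Demo only: a constructed session ID made from one repeated tag byte. */
static void make_id(uint8_t id[SESSION_ID_LEN], uint8_t tag) { memset(id, tag, SESSION_ID_LEN); }

/* One client negotiates at t=0, reconnects at t=60 and again at t=400. Returns
 * how many of the three ClientHellos could resume: only the t=60 one, since
 * nothing is cached at t=0 and the entry has expired by t=400. */
int demo_resume_count(void)
{
    uint8_t id[SESSION_ID_LEN], secret[MASTER_SECRET_LEN];
    int resumed = 0;
    make_id(id, 0x11);
    memset(secret, 0x5a, sizeof secret);                    /* placeholder secret */
    session_cache_clear();
    if (session_cache_lookup(id, sizeof id, 0))   resumed++;
    session_cache_store(id, 0x002f, secret, 0);             /* example suite; t=0 */
    if (session_cache_lookup(id, sizeof id, 60))  resumed++;
    if (session_cache_lookup(id, sizeof id, 400)) resumed++;
    return resumed;
}

/* Five distinct sessions stored into four slots at t=1..5: the oldest is
 * evicted, so four of the five can still resume at t=10. */
int demo_eviction_survivors(void)
{
    uint8_t id[SESSION_ID_LEN], secret[MASTER_SECRET_LEN];
    int survivors = 0;
    memset(secret, 0x5a, sizeof secret);
    session_cache_clear();
    for (uint8_t tag = 1; tag <= 5; tag++) {
        make_id(id, tag);
        session_cache_store(id, 0x002f, secret, tag);
    }
    for (uint8_t tag = 1; tag <= 5; tag++) {
        make_id(id, tag);
        if (session_cache_lookup(id, sizeof id, 10))
            survivors++;
    }
    return survivors;
}

int main(void)
{
    printf("resumed connections: %d of 3\n", demo_resume_count());
    printf("sessions surviving eviction: %d of 5\n", demo_eviction_survivors());
    return 0;
}
```

Expired and evicted entries are overwritten or zeroed rather than merely flagged so the master secret does not linger in memory; the session IDs themselves must come from a cryptographically strong random source, which this sketch leaves to the caller.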
Files:   netos\h\ssl.h

            netos\lib\arm7\32b\ghs\libssl.a
            netos\lib\arm9\32b\gnu\libssl.a
            netos\lib\arm7\32b\ghs\libcrypto.a
            netos\lib\arm9\32b\gnu\libcrypto.a

Special Instructions

  • Unzip the patch(es) to the root of your NET+OS installation, for example C:\netos63_gnu\.
  • Be sure to install any patches listed under Dependencies below.
  • Rebuild your application.

Patch Link:  SSLUpdates_63

Dependencies

This patch also requires the installation of the following patch(es):

TCPIPUpdates_63
ACEUpdates_63
WebServerUpdates_63
ApiReference_63