Use existing session context if new is actually NULL #2946
Merged: torben-hansen merged 1 commit into aws:main, Jan 20, 2026
Conversation
Codecov Report: All modified and coverable lines are covered by tests.

Coverage Diff (main vs. #2946):
             main     #2946    +/-
Coverage    78.11%   78.10%   -0.01%
Files          679      679
Lines       117949   117949
Branches     16599    16598      -1
Hits         92130    92122      -8
Misses       24930    24939      +9
Partials       889      888      -1
skmcgrail approved these changes, Jan 20, 2026
geedo0 approved these changes, Jan 20, 2026
geedo0 (Contributor) left a comment:
Confirmed that this is OpenSSL behavior.
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/ssl_lib.c#L4111
haproxy-mirror pushed a commit to haproxy/haproxy that referenced this pull request, Jan 21, 2026:
It was reported by Przemyslaw Bromber that using the "generate-certificates" option combined with AWS-LC would crash HAProxy when a request is done with a SNI longer than 64 bytes. The problem is that the certificate is generated with a CN greater than 64 bytes, which results in ssl_sock_do_create_cert() returning NULL. This NULL value is then passed to SSL_set_SSL_CTX. With OpenSSL, passing a NULL SSL_CTX does not seem to be an issue, as it would just ignore it. With AWS-LC, passing a NULL seems to crash the function. This was reported to upstream AWS-LC and fixed in patch 7487ad1dcd8 aws/aws-lc#2946. This must be backported to every branch.
justsmth added a commit that referenced this pull request, Jan 22, 2026:
Description of changes: Prepare AWS-LC v1.67.0
What's Changed
* Migrate Wycheproof test vectors for ECDSA, RSA PKCS#1, and some more by @sgmenda in #2887
* increase timeout for SDE tests by @sgmenda in #2936
* Rename volatile state/memory to unique state/memory by @torben-hansen in #2935
* Fix failing Windows Docker image build by @nhatnghiho in #2931
* Service Indicator: Add error call trampoline to avoid delocator issue by @jakemas in #2920
* Add support for Big Endian in ACVP tool by @samuel40791765 in #2938
* AES-GCM: Add function pointer trampolines to avoid delocator issue by @jakemas in #2919
* Use already defined macro for no inline by @torben-hansen in #2942
* Remove Kyber completely by @torben-hansen in #2941
* Windows 7 support by @justsmth in #2940
* Import mldsa-native by @jakemas in #2902
* Use existing session context if new is actually NULL by @torben-hansen in #2946
* Integrate Wycheproof ML-KEM test vectors by @sgmenda in #2891
* Avoid cross-compilation build failure by @justsmth in #2944
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Issues:
P369474299
Description of changes:
SSL_set_SSL_CTX() doesn't currently tolerate the ctx argument being NULL (it would just crash in some cases). I was pondering handling this by just explicitly erroring out if it was NULL. But I realised upstream OpenSSL has a different behaviour: it falls back to the existing session context from ssl. This is unnecessary complexity, but in the name of interoperability I did that instead of flipping to an error state.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
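As an added illustration (not code from AWS-LC, OpenSSL or HAProxy), the C model below shows the contract this PR adopts and the HAProxy failure path that exposed it: a NULL ctx handed to the SSL_set_SSL_CTX() equivalent falls back to the connection's existing session context instead of being dereferenced, and a server doing on-the-fly certificate generation guards the NULL it gets back when the requested CN exceeds the X.509 ub-common-name limit of 64 characters. All struct and function names are hypothetical stand-ins, and the crash-free fallback is the behaviour the PR describes, not the real library internals.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the library objects, not the real structs. */
typedef struct { const char *name; } SSL_CTX_MODEL;
typedef struct {
    SSL_CTX_MODEL *ctx;          /* context currently in use for this connection */
    SSL_CTX_MODEL *session_ctx;  /* context the connection was created with */
} SSL_MODEL;

/* X.509 ub-common-name (RFC 5280 Appendix A): a CN longer than 64
 * characters cannot be encoded, so generation fails and yields NULL. */
#define UB_COMMON_NAME 64

/* Stand-in for HAProxy's ssl_sock_do_create_cert(): NULL when the SNI
 * would not fit in the CN. 'out' is caller-provided scratch storage. */
static SSL_CTX_MODEL *create_cert_ctx(const char *sni, SSL_CTX_MODEL *out)
{
    if (sni == NULL || strlen(sni) > UB_COMMON_NAME)
        return NULL;
    out->name = sni;
    return out;
}

/* Post-fix semantics (this PR, matching OpenSSL): NULL means "keep the
 * context the connection started with" rather than dereferencing NULL. */
static SSL_CTX_MODEL *set_ssl_ctx(SSL_MODEL *ssl, SSL_CTX_MODEL *ctx)
{
    if (ctx == NULL)
        ctx = ssl->session_ctx;      /* the fallback this PR introduces */
    if (ssl->ctx == ctx)
        return ssl->ctx;             /* already in use, nothing to switch */
    ssl->ctx = ctx;
    return ssl->ctx;
}

/* Caller-side guard that does not rely on the library tolerating NULL:
 * a failed generation serves the default context and reports it, so the
 * long-SNI case is logged instead of silently passing NULL downstream.
 * Returns 1 if a generated context was installed, 0 if the default stayed. */
static int select_cert_for_sni(SSL_MODEL *ssl, const char *sni, SSL_CTX_MODEL *scratch)
{
    SSL_CTX_MODEL *generated = create_cert_ctx(sni, scratch);
    if (generated == NULL) {
        set_ssl_ctx(ssl, ssl->session_ctx);   /* explicit, library-independent */
        return 0;
    }
    set_ssl_ctx(ssl, generated);
    return 1;
}
```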