Thomas Munro <thomas.munro@gmail.com> writes:
> On Wed, May 7, 2025 at 1:18 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Anyone know anything about where to submit LibreSSL bugs?
> I think it's done with sendbug on an OpenBSD box, or perhaps you can
> just write a normal email to the bugs@openbsd.org or
> libressl@openbsd.org list, based on:
> https://www.openbsd.org/mail.html
Thanks, I'll look into reporting it tomorrow. In the meantime,
I couldn't help noticing that the backtraces went through
lib/libssl/tls13_legacy.c, which doesn't give a warm feeling
about how supported they think our usage is (and perhaps also
explains why they didn't detect this bug themselves). This is
evidently because we set up the SSL context with SSLv23_method(),
per this comment in be_tls_init():
* We use SSLv23_method() because it can negotiate use of the highest
* mutually supported protocol version, while alternatives like
* TLSv1_2_method() permit only one specific version. Note that we don't
* actually allow SSL v2 or v3, only TLS protocols (see below).
This choice seems to be more than 20 years old, though the above
comment defending it dates only to 2014. I wonder if it's time to
revisit that idea.
regards, tom lane
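The trade-off Tom describes above (a method that negotiates the highest mutually supported version versus one pinned to a single version) can be made concrete with an added example that is not PostgreSQL's code. Python's ssl module wraps the same OpenSSL API, so PROTOCOL_TLS_SERVER stands in for SSLv23_method()/TLS_method() and PROTOCOL_TLSv1_2 for TLSv1_2_method(); the function names and the TLS 1.2 floor are choices made for this illustration, and the ceiling is derived from ssl.HAS_TLSv1_3 rather than assumed.

```python
"""Negotiating TLS method with an explicit version floor vs. a single-version
method. Illustrative code, not PostgreSQL's be_tls_init(); Python's ssl module
is used as a stand-in for the OpenSSL C API discussed in the thread."""
import ssl
import warnings


def negotiating_context(floor=ssl.TLSVersion.TLSv1_2):
    # Counterpart of SSLv23_method()/TLS_method(): the peers negotiate the
    # highest version both support, and we pin an explicit floor so that
    # SSL 2/3 and old TLS versions are ruled out regardless of library defaults.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def single_version_context():
    # Counterpart of TLSv1_2_method(): exactly one protocol version, so a
    # TLS 1.3-capable peer is still held at TLS 1.2. Deprecated in recent
    # Python releases, hence the warning filter.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)


def allowed_versions(ctx):
    """Protocol versions a negotiating context may agree on, from its
    configured floor and ceiling. The ceiling MAXIMUM_SUPPORTED is resolved
    with ssl.HAS_TLSv1_3 rather than hard-coded."""
    ordered = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
               ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return [v for v in ordered if lo <= v <= hi]


def floor_excludes_ssl(ctx):
    """The check a reviewer wants: no SSL 2/3 reachable through this context."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    ctx = negotiating_context()
    print("negotiating context may use:", [v.name for v in allowed_versions(ctx)])
    print("SSL 2/3 excluded:", floor_excludes_ssl(ctx))
    single = single_version_context()
    print("single-version context protocol:", single.protocol.name)
```

Pinning the floor on a negotiating context keeps the "highest mutually supported version" property the PostgreSQL comment wants while making the exclusion of SSL 2/3 a configured fact rather than something inherited from the library's defaults.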