Hi,

there is a bug in 0.9.9 (openssl-SNAP-20080815) which leads to a crash due to a
NULL pointer. I can reproduce it when I use Firefox 3 and an SSL server based on
the snapshot version. From what I can see, it happens when FF3 makes the
second connection. The most noticeable difference is that in the first handshake
FF3 sends an empty SessionTicket TLS extension, whereas the second one contains a
160 byte session ticket. The server application crashed while working on the
client_hello message in s3_enc.c line 578

if (s->s3->handshake_dgst[i] != NULL)

because s->s3->handshake_dgst is NULL.

The call stack is:
SSL_accept
ssl23_accept
ssl23_get_client_hello
SSL_accept
ssl3_accept
ssl3_send_server_hello
ssl3_do_write
ssl3_finish_mac (s3_enc.c, line 578)

Bye
Jan
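The shape of the reported crash, as an added example that is not code from the post or from OpenSSL: a constructed model of the s->s3->handshake_dgst array (struct names, sizes and the init function are assumptions) with the unchecked loop beside a hardened version that returns an error instead of dereferencing a NULL array.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the state involved (not OpenSSL's real structs):
 * s->s3->handshake_dgst is an array of digest contexts that stays NULL
 * until the handshake digests have been set up. */
#define SSL_MAX_DIGEST 6

typedef struct { unsigned char buf[256]; size_t len; } dgst_ctx;
typedef struct { dgst_ctx **handshake_dgst; } ssl3_state;
typedef struct { ssl3_state *s3; } ssl_model;

/* Allocate the digest array with the first slot in use, as a normal
 * handshake would in this model. Returns 1 on success, 0 on failure. */
static int init_handshake_dgst(ssl_model *s) {
    s->s3->handshake_dgst = calloc(SSL_MAX_DIGEST, sizeof(dgst_ctx *));
    if (s->s3->handshake_dgst == NULL) return 0;
    s->s3->handshake_dgst[0] = calloc(1, sizeof(dgst_ctx));
    return s->s3->handshake_dgst[0] != NULL;
}

/* Shape of the reported crash: each slot is checked for NULL, but the
 * array itself is indexed unconditionally, so a NULL handshake_dgst is
 * dereferenced. Returns the number of digest slots updated. */
static int finish_mac_unchecked(ssl_model *s, const unsigned char *p, size_t n) {
    int i, updated = 0;
    for (i = 0; i < SSL_MAX_DIGEST; i++) {
        if (s->s3->handshake_dgst[i] != NULL) {   /* crashes when array is NULL */
            dgst_ctx *c = s->s3->handshake_dgst[i];
            size_t room = sizeof(c->buf) - c->len;
            size_t take = n < room ? n : room;
            memcpy(c->buf + c->len, p, take);
            c->len += take;
            updated++;
        }
    }
    return updated;
}

/* Hardened form: refuse to run without a digest array instead of
 * crashing. Returns -1 when the array is missing, else slots updated. */
static int finish_mac_checked(ssl_model *s, const unsigned char *p, size_t n) {
    if (s == NULL || s->s3 == NULL || s->s3->handshake_dgst == NULL)
        return -1;
    return finish_mac_unchecked(s, p, n);
}
```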
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org