A flaw was found in the way OpenSSL verified certificates via the X509_verify_cert() function. The X509_verify_cert() function may return a negative return value to indicate an internal error (for example, out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this, the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be unexpected, and applications may not behave correctly as a result. The exact behavior will depend on the application, but it could result in crashes, infinite loops, or other similar incorrect responses.
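The following sketch is an added example, not code from OpenSSL or from this advisory: a handshake driver that retries only on the codes it expects, treats SSL_ERROR_WANT_RETRY_VERIFY as fatal unless the application installed a verify callback, and bounds its retries so an unexpected code cannot cause an infinite loop. The names `drive_handshake`, `hs_policy` and the stub functions are hypothetical, and the error constants are redefined with the values from OpenSSL 3.0's `<openssl/ssl.h>` so the block builds without the library.

```c
#include <stdio.h>

/* Values mirror OpenSSL 3.0's <openssl/ssl.h>; redefined here (assumption) to build without OpenSSL. */
enum { ERR_NONE = 0, ERR_SSL = 1, ERR_WANT_READ = 2, ERR_WANT_WRITE = 3, ERR_WANT_RETRY_VERIFY = 12 };

enum hs_result { HS_OK, HS_FAILED, HS_UNEXPECTED, HS_RETRY_LIMIT };
struct hs_policy { int uses_verify_callback; int max_retries; };
/* Hypothetical stand-in: one handshake call followed by SSL_get_error(). */
typedef int (*handshake_step_fn)(void *conn);

enum hs_result drive_handshake(handshake_step_fn step, void *conn,
                               const struct hs_policy *p)
{
    for (int attempt = 0; attempt <= p->max_retries; attempt++) {
        switch (step(conn)) {
        case ERR_NONE:
            return HS_OK;
        case ERR_WANT_READ:
        case ERR_WANT_WRITE:
            continue;               /* real code waits for socket readiness */
        case ERR_WANT_RETRY_VERIFY:
            if (p->uses_verify_callback)
                continue;           /* legitimate only if the app set a callback */
            return HS_UNEXPECTED;   /* the case this advisory describes */
        case ERR_SSL:
            return HS_FAILED;
        default:
            return HS_UNEXPECTED;   /* never retry on a code we do not recognise */
        }
    }
    return HS_RETRY_LIMIT;          /* bounded: cannot spin forever */
}

/* Constructed stubs: the first models the flaw, the second a normal handshake. */
static int stub_always_retry_verify(void *conn) { (void)conn; return ERR_WANT_RETRY_VERIFY; }
static int stub_two_reads_then_ok(void *conn)
{
    int *calls = conn;
    return (*calls)++ < 2 ? ERR_WANT_READ : ERR_NONE;
}

int main(void)
{
    struct hs_policy no_cb = { 0, 100 };
    int calls = 0;
    printf("flawed: %d, normal: %d\n", drive_handshake(stub_always_retry_verify, NULL, &no_cb),
           drive_handshake(stub_two_reads_then_ok, &calls, &no_cb));
    return 0;
}
```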
**Products Confirmed Not Affected**
No other Brocade Fibre Channel products are affected.
**Revision History**