Ok - thanks. I'll try and take a look tomorrow.

Matt

On 29/08/16 17:37, Julien Vermillard wrote:
> I patched s_server to send a fake OCSP content (4 bytes).
> I suppose the server will just push that to the client and the client
> should fail complaining it's not a correct OCSP response.
> But the server crashes with:
> ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:
> s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
>
> Command line used:
>
> ./openssl s_server -dtls1_2 -port 5684 -cipher
> ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
> -CAfile ca.pem -cert server.pem -key server.key -chainCAfile bundle.pem
> -status -status_verbose -mtu 1200
>
> and
> ./openssl s_client -dtls1_2 -port 5684 -psk 73656372657450534b -host
> localhost -cipher
> ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
> -CAfile ca.pem -verify_hostname "IMEI:1234567890" -cert client.pem -key
> client.key -chainCAfile bundle-client.pem -status
>
> I attached also the test certificate and keys.
>
> --
> Julien Vermillard
>
> On Mon, Aug 29, 2016 at 6:17 PM, Julien Vermillard
> <jvermillard at gmail.com> wrote:
>
> > It's a mix of C and Go, so it's really not minimal, but I'll try to
> > modify s_server to see if I can reproduce it.
> >
> > --
> > Julien Vermillard
> >
> > On Mon, Aug 29, 2016 at 6:13 PM, Matt Caswell <matt at openssl.org>
> > wrote:
> >
> > > On 29/08/16 17:08, Julien Vermillard wrote:
> > > > I have a DTLS 1.2 server based on last master (commit
> > > > d196305aa0de1fc38837c27cb1ea6e60af9dd98d)
> > > > I try to add OCSP stapling support (based on code in s_server.c).
> > > >
> > > > Basically in my callback I set the OCSP response by:
> > > >
> > > >     if (SSL_set_tlsext_status_ocsp_resp(s,dataPtr,respLen) == 0) {
> > > >         return SSL_TLSEXT_ERR_NOACK;
> > > >     } else {
> > > >         return SSL_TLSEXT_ERR_OK;
> > > >     }
> > > >
> > > > but if my server manages to get an OCSP response it crashes with
> > > > this message:
> > > >
> > > > ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:
> > > > s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
> > > >
> > > > Any clue?
> > >
> > > Do you have some minimal reproducer?
> > >
> > > Matt
> > >
> > > --
> > > openssl-users mailing list
> > > To unsubscribe:
> > > https://mta.openssl.org/mailman/listinfo/openssl-users
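
An added example, not code from this thread or from OpenSSL: a structural pre-check that a status callback could run on the buffer before passing it to SSL_set_tlsext_status_ocsp_resp, so that a blob like the 4-byte fake content is never stapled. The function names and sample bytes are constructed for illustration; the check covers only the outer DER layout from RFC 6960, not the signature, and it does not address the assertion failure reported above.

```c
#include <stddef.h>
#include <stdio.h>

/* Read one DER tag+length header at buf[*pos]; on success move *pos to the
 * content. Rejects indefinite, non-minimal and out-of-bounds lengths. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char *tag, size_t *clen)
{
    size_t p = *pos, n;
    if (p > len || len - p < 2) return 0;
    *tag = buf[p++];
    n = buf[p++];
    if (n >= 0x80) {                 /* long form: low 7 bits = byte count */
        size_t nbytes = n & 0x7f;
        if (nbytes == 0 || nbytes > 4 || len - p < nbytes || buf[p] == 0) return 0;
        for (n = 0; nbytes > 0; nbytes--) n = (n << 8) | buf[p++];
        if (n < 0x80) return 0;      /* short form was required */
    }
    if (n > len - p) return 0;       /* content must fit in the buffer */
    *pos = p; *clen = n;
    return 1;
}

/* Returns 1 if buf has the outer layout of a successful OCSPResponse (RFC 6960):
 * SEQUENCE { ENUMERATED 0, [0] EXPLICIT SEQUENCE {...} }. No signature check. */
int ocsp_resp_well_formed(const unsigned char *buf, size_t len)
{
    size_t pos = 0, clen;
    unsigned char tag;
    if (!buf || !der_header(buf, len, &pos, &tag, &clen)) return 0;
    if (tag != 0x30 || pos + clen != len) return 0;          /* outer SEQUENCE, no trailing bytes */
    if (!der_header(buf, len, &pos, &tag, &clen)) return 0;
    if (tag != 0x0a || clen != 1 || buf[pos] != 0) return 0; /* responseStatus successful(0) */
    pos += clen;
    if (!der_header(buf, len, &pos, &tag, &clen)) return 0;
    if (tag != 0xa0 || pos + clen != len) return 0;          /* responseBytes [0] EXPLICIT */
    if (!der_header(buf, len, &pos, &tag, &clen)) return 0;
    return tag == 0x30 && pos + clen == len;                 /* ResponseBytes SEQUENCE */
}

/* Constructed samples: a 4-byte fake blob and a minimal DER skeleton. */
static const unsigned char FAKE[] = {0xde, 0xad, 0xbe, 0xef};
static const unsigned char SKEL[] = {0x30, 0x0a, 0x0a, 0x01, 0x00, 0xa0, 0x05,
                                     0x30, 0x03, 0x06, 0x01, 0x2a};
int main(void)
{
    printf("fake=%d skeleton=%d\n", ocsp_resp_well_formed(FAKE, sizeof FAKE),
           ocsp_resp_well_formed(SKEL, sizeof SKEL));
    return 0;
}
```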