Awesome thanks :) I'll try it. Yes I have the feeling I'm the first user of stapling with DTLS

--
Julien Vermillard

On Tue, Aug 30, 2016 at 4:26 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 29/08/16 17:37, Julien Vermillard wrote:
> > I patched s_server to send a fake OCSP content (4 bytes).
> > I suppose the server will just push that to the client and the client
> > should fail complaining it's not a correct OCSP response.
> > But the server crashes with:
> > ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:
> > s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
> >
> > Command line used:
> >
> > ./openssl s_server -dtls1_2 -port 5684 -cipher
> > ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
> > -CAfile ca.pem -cert server.pem -key server.key -chainCAfile bundle.pem
> > -status -status_verbose -mtu 1200
> >
> > and
> > ./openssl s_client -dtls1_2 -port 5684 -psk 73656372657450534b -host
> > localhost -cipher
> > ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
> > -CAfile ca.pem -verify_hostname "IMEI:1234567890" -cert client.pem -key
> > client.key -chainCAfile bundle-client.pem -status
> >
> >
> > I attached also the test certificate and keys.
>
> Actually, even the unpatched s_server has this problem. AFAICT this has
> never worked for DTLS. I'm quite surprised no one has noticed before!
> Even 1.0.2 has this problem (although the symptoms are different)...and
> probably 1.0.1 although I haven't checked.
>
> I have a fix here:
>
> https://github.com/openssl/openssl/pull/1516
>
> Only the first commit with the changes to ssl/statem/statem_srvr.c is
> the fix itself. Everything else in the second commit is about adding a
> test for this.
>
> Matt
>
> >
> > --
> > Julien Vermillard
> >
> > On Mon, Aug 29, 2016 at 6:17 PM, Julien Vermillard
> > <jvermillard at gmail.com> wrote:
> >
> > > It's a mix of C and Go, so it's really not minimal, but I'll try to
> > > modify s_server to see if I can reproduce it.
> > >
> > > --
> > > Julien Vermillard
> > >
> > > On Mon, Aug 29, 2016 at 6:13 PM, Matt Caswell <matt at openssl.org> wrote:
> > >
> > >
> > >
> > > > On 29/08/16 17:08, Julien Vermillard wrote:
> > > > > I have a DTLS 1.2 server based on last master (commit
> > > > > d196305aa0de1fc38837c27cb1ea6e60af9dd98d)
> > > > > I try to add ocsp stapling support (based on code in s_server.c).
> > > > >
> > > > > Basically in my callback I set the OCSP response by:
> > > > >
> > > > >     if (SSL_set_tlsext_status_ocsp_resp(s, dataPtr, respLen) == 0) {
> > > > >         return SSL_TLSEXT_ERR_NOACK;
> > > > >     } else {
> > > > >         return SSL_TLSEXT_ERR_OK;
> > > > >     }
> > > > >
> > > > > but if my server manages to get an OCSP response it crashes with this message:
> > > > >
> > > > > ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:
> > > > > s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
> > > > >
> > > > > Any clue?
> > > >
> > > > Do you have some minimal reproducer?
> > > >
> > > > Matt
> > > >
> > > > --
> > > > openssl-users mailing list
> > > > To unsubscribe:
> > > > https://mta.openssl.org/mailman/listinfo/openssl-users
> > >
> > >
> >
> >
>