On 30/08/16 15:26, Matt Caswell wrote:
>
> On 29/08/16 17:37, Julien Vermillard wrote:
>> I patched s_server to send fake OCSP content (4 bytes).
>> I suppose the server will just push that to the client and the client
>> should fail, complaining it's not a correct OCSP response.
>> But the server crashes with:
>> ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:
>> s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
>>
>> Command line used:
>>
>> ./openssl s_server -dtls1_2 -port 5684 -cipher
>> ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
>> -CAfile ca.pem -cert server.pem -key server.key -chainCAfile bundle.pem
>> -status -status_verbose -mtu 1200
>>
>> and
>>
>> ./openssl s_client -dtls1_2 -port 5684 -psk 73656372657450534b -host
>> localhost -cipher
>> ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8
>> -CAfile ca.pem -verify_hostname "IMEI:1234567890" -cert client.pem -key
>> client.key -chainCAfile bundle-client.pem -status
>>
>> I also attached the test certificate and keys.
>
> Actually, even the unpatched s_server has this problem. AFAICT this has
> never worked for DTLS. I'm quite surprised no one has noticed before!
> Even 1.0.2 has this problem (although the symptoms are different)...and
> probably 1.0.1 although I haven't checked.
>
> I have a fix here:
>
> https://github.com/openssl/openssl/pull/1516
>
> Only the first commit with the changes to ssl/statem/statem_srvr.c is
> the fix itself. Everything else in the second commit is about adding a
> test for this.

This fix has now been merged in commit 06314c029.

Matt

>
> Matt
>
>> --
>> Julien Vermillard
>>
>> On Mon, Aug 29, 2016 at 6:17 PM, Julien Vermillard
>> <jvermillard at gmail.com> wrote:
>>
>>     It's a mix of C and Go, so it's really not minimal, but I'll try to
>>     modify s_server to see if I can reproduce it.
>>
>>     --
>>     Julien Vermillard
>>
>>     On Mon, Aug 29, 2016 at 6:13 PM, Matt Caswell <matt at openssl.org> wrote:
>>
>>         On 29/08/16 17:08, Julien Vermillard wrote:
>>         > I have a DTLS 1.2 server based on last master (commit
>>         > d196305aa0de1fc38837c27cb1ea6e60af9dd98d)
>>         > I try to add OCSP stapling support (based on code in s_server.c).
>>         >
>>         > Basically in my callback I set the OCSP response by:
>>         >
>>         >     if (SSL_set_tlsext_status_ocsp_resp(s, dataPtr, respLen) == 0) {
>>         >         return SSL_TLSEXT_ERR_NOACK;
>>         >     } else {
>>         >         return SSL_TLSEXT_ERR_OK;
>>         >     }
>>         >
>>         > but if my server manages to get an OCSP response it crashes with this message:
>>         >
>>         > ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:
>>         > s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
>>         >
>>         > Any clue?
>>
>>         Do you have some minimal reproducer?
>>
>>         Matt
>>
>>         --
>>         openssl-users mailing list
>>         To unsubscribe:
>>         https://mta.openssl.org/mailman/listinfo/openssl-users
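The assertion quoted in the thread compares the number of bytes queued for the outgoing handshake message (s->init_num) against the length recorded in the DTLS handshake header plus the 12-byte header itself (DTLS1_HM_HEADER_LENGTH). As an added illustration, not code from the thread or from OpenSSL, the following builds an unfragmented DTLS CertificateStatus message around a constructed 4-byte OCSP body (the case Julien tested) and applies the same consistency check; the function names and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DTLS handshake header: type(1) msg_len(3) msg_seq(2) frag_off(3) frag_len(3). */
#define DTLS1_HM_HEADER_LENGTH 12
#define SSL3_MT_CERTIFICATE_STATUS 22   /* HandshakeType certificate_status */
#define TLSEXT_STATUSTYPE_ocsp 1

static void put24(uint8_t *p, size_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}
static size_t get24(const uint8_t *p) {
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}

/* Build header + CertificateStatus body {status_type, 24-bit len, ocsp bytes}.
 * Returns the total length (what init_num should hold), or 0 on error. */
size_t build_dtls_cert_status(uint8_t *out, size_t cap, uint16_t seq,
                              const uint8_t *ocsp, size_t ocsp_len) {
    size_t body_len = 1 + 3 + ocsp_len;
    size_t total = DTLS1_HM_HEADER_LENGTH + body_len;
    if (cap < total || ocsp_len > 0xFFFFFF - 4) return 0;
    out[0] = SSL3_MT_CERTIFICATE_STATUS;
    put24(out + 1, body_len);                          /* msg_len */
    out[4] = (uint8_t)(seq >> 8); out[5] = (uint8_t)seq;
    put24(out + 6, 0);                                 /* fragment_offset */
    put24(out + 9, body_len);                          /* fragment_length */
    out[12] = TLSEXT_STATUSTYPE_ocsp;
    put24(out + 13, ocsp_len);
    memcpy(out + 16, ocsp, ocsp_len);
    return total;
}

/* The invariant behind the failing assertion: queued bytes must equal
 * msg_len + header. Returns 1 if consistent, 0 if the assertion would fire. */
int dtls_msg_consistent(const uint8_t *buf, size_t init_num) {
    if (init_num < DTLS1_HM_HEADER_LENGTH) return 0;
    size_t msg_len = get24(buf + 1);
    if (get24(buf + 6) != 0 || get24(buf + 9) != msg_len) return 0; /* whole msg only */
    return init_num == msg_len + DTLS1_HM_HEADER_LENGTH;
}

/* Worked case: a constructed 4-byte fake OCSP response (not a real one).
 * 'shortfall' simulates init_num lagging behind the header's length. */
int check_fake_ocsp_case(size_t shortfall) {
    uint8_t buf[64];
    const uint8_t fake[4] = {0xde, 0xad, 0xbe, 0xef};   /* constructed sample */
    size_t n = build_dtls_cert_status(buf, sizeof buf, 5, fake, sizeof fake);
    if (n == 0 || shortfall > n) return 0;
    return dtls_msg_consistent(buf, n - shortfall);
}
```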