Re: API SSL_Connect fails and always returns SSL_ERROR_WANT_READ causes infinite loop in application

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Matt,

I have raised bug.

https://github.com/openssl/openssl/issues/4763

Thanks,
Mahesh G S

On Tue, Nov 21, 2017 at 3:26 PM, Matt Caswell <matt@xxxxxxxxxxx> wrote:
Sounds like a bug. Can you raise this as an issue on github?

https://github.com/openssl/openssl/issues

Thanks

Matt


On 21/11/17 08:53, mahesh gs wrote:
> Hi,
>
> We were able to further localize this problem and found the problem is
> with the function "BIO_dgram_sctp_wait_for_dry". In this function after
> enabling the "sctp_sender_dry_event" we are trying to do MSG_PEEK to
> peek to the message at SCTP layer, in this case the size of the message
> waiting in the lower layer is 15 which size is exactly the size of
> "Handshake Alert" that is received from the server and waiting to be
> read. Dry event is never read from the lower layer that causes the
> SUB_STATE_ERROR and intern causes the SSL_Connect to loop in application.
>
> Current version of openssl we are using is 01.01.00g.
>
> We have tested and able to reproduce this issue with the OPENSSL
> 01.00.02k version that is packaged with RHEL 7.4 as well.
>
>
> Thanks,
> Mahesh G S
>
> On Mon, Nov 20, 2017 at 4:42 PM, mahesh gs <mahesh116@xxxxxxxxx
> <mailto:mahesh116@xxxxxxxxx>> wrote:
>
>     Hi Matt,
>
>     Thanks for the response.
>
>     We debugged through openssl code to get to know the reason why
>     client is not reading "SSL Alert".
>
>     Once the "ClientKeyExchange" is sent openssl trying to send out the
>     "ChangeCipherSpec"  message which is creating the problem. 
>
>     The pre-work function for "ChangeCipherSpec" enables SCTP dry event
>     and wait for dry event notification.
>
>     Inline image 1
>
>
>     In this scenario, dry notification is never sent from SCTP.
>     "dtls_wait_for_dry" always returns "WORK_MORE_A". Hereafter flow
>     never enters "read_state_machine" where alert is to be red.This
>     causes SSL_Connect to be in infinite loop.
>
>
>     Thanks,
>     Mahesh G S
>
>     On Fri, Nov 17, 2017 at 3:36 PM, Matt Caswell <matt@xxxxxxxxxxx
>     <mailto:matt@xxxxxxxxxxx>> wrote:
>
>
>
>         On 17/11/17 06:42, mahesh gs wrote:
>         >  Why
>         > does client respond with "Client key exchange" even if the the handshake
>         > failure alert is sent from server?
>
>         The client will send its entire flight of messages before it
>         attempts to
>         read anything from the server. So, in this case, the
>         ClientKeyExchange
>         message is still sent because the client hasn't read the alert yet.
>
>         Matt
>
>         --
>         openssl-users mailing list
>         To unsubscribe:
>         https://mta.openssl.org/mailman/listinfo/openssl-users
>         <https://mta.openssl.org/mailman/listinfo/openssl-users>
>
>
>
>
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux