package main
import (
"log"
"net"
"net/http"
"fmt"
"os"
"bufio"
"io"
"strconv"
)
// init_fips switches the linked OpenSSL library into FIPS mode and aborts
// the process (via panic) if that is refused. It is called once from main
// before any TLS context is created, so every later connection is subject
// to the FIPS-approved algorithm set.
//
// NOTE(review): `openssl` is not in this file's import block; the listing
// only builds once the binding that provides FIPSModeSet is imported.
func init_fips() {
	if err := openssl.FIPSModeSet(true); err != nil {
		// Fail hard: running with FIPS silently disabled is worse than not running.
		panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set fips mode.", err))
	}
	log.Print("OpenSSL FIPS mode is set to: True\n")
}
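// main brings up a TLS echo server on 0.0.0.0:443 through the openssl
// binding: it forces FIPS mode, loads the server certificate and key from
// /etc/certs, disables SSLv2/SSLv3, and hands each accepted connection to
// handleClient in its own goroutine. It only returns when Accept fails.
//
// NOTE(review): the `openssl` identifier is not in this file's import
// block, so the listing does not build as posted without importing the
// binding that provides it.
func main() {
	init_fips()
	laddr := "0.0.0.0:443"

	// One SSL context shared by every connection; the certificate and key
	// are read once here rather than per connection. Whether concurrent use
	// of the context from many goroutines is safe depends on the binding's
	// OpenSSL locking setup, which this listing does not show.
	ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt", "/etc/certs/sslcert.key")
	if err != nil {
		log.Fatalf("Failed to read ssl certificate. Error: %v", err)
	}

	// Refuse SSLv2/SSLv3 and let the server choose the cipher order. These
	// options alone still allow TLS 1.0 and 1.1 to be negotiated; if the
	// binding exposes the matching NoTLSv1* options, add them here.
	// SetOptions' result is discarded, as in the original listing.
	_ = ctx.SetOptions(openssl.CipherServerPreference |
		openssl.NoSSLv2 | openssl.NoSSLv3)

	ln, err := openssl.Listen("tcp", laddr, ctx)
	if err != nil {
		// Same effect as log.Fatalf (print, then exit 1); the original
		// followed Fatalf with an unreachable os.Exit and a second,
		// redundant err check.
		log.Printf("Failed to start server. Error: %v", err)
		os.Exit(1)
	}
	log.Println("Started secure server")
	log.Print("server: listening")

	for {
		accepted, err := ln.Accept()
		if err != nil {
			// Printf so the %v verb is expanded; the original used Println,
			// which printed the verb literally. Any accept failure, transient
			// or not, stops the server here.
			log.Printf("Got errored while accepting connection. %v", err)
			return
		}
		// One goroutine per connection; nothing bounds concurrency here.
		go handleClient(accepted)
	}
}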
func handleClient(conn net.Conn) {
defer conn.Close()
reader := bufio.NewReader(conn)
for {
//log.Print("server: conn: waiting")
var err error
httpreq, err := http.ReadRequest(reader)
if err != nil {
log.Print("Errored while reading request. Error: %v", err)
break
}
buf := make([]byte, httpreq.ContentLength)
toread := int(httpreq.ContentLength)
rbytes := 0
n := 0
for toread > 0 {
n, err = httpreq.Body.Read(buf[rbytes:])
if err != nil && err != io.EOF {
log.Print("Errored while reading request body. Error: %v", err)
break
}
rbytes += n
toread = toread - n
}
resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+
strconv.Itoa(len(buf))+"\r\n\r\n"), buf...)
_, err = conn.Write(resp)
if err != nil {
log.Print("Errored while writing response. Error: %v", err)
break
}
log.Printf("server: conn: wrote %d bytes", n)
}
log.Println("server: conn: closed")
}
On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <ajay.nalawade@xxxxxxxxx> wrote:
I am able to reproduce this issue with the attached Go-based server. Am I doing anything wrong here? Is there any known issue, or any workaround available for this issue?

Thanks,
Ajay

On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <ajay.nalawade@xxxxxxxxx> wrote:

Hello,

I have a Go-based OpenSSL server with FIPS mode set. I am using an OpenSSL library built with the FIPS module 2.0. With OpenSSL 1.0.1u, everything was running fine. Recently I upgraded to version 1.0.2o. With this version, under high traffic (more than 4k requests per minute), reading the request fails with the following error:

"SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"

If I disable FIPS mode, everything runs fine. Is there any known issue with version 1.0.2o with FIPS mode set?

Thanks a lot in advance,
Ajay