Here are some more observations.
1. It did not take much load to cause this error (creating even 2 connections in parallel gives this issue).
2. While a client is sending data, another client connecting does not error. The error seems to occur only when two clients try to handshake together. If we serialise the ssl wrap, even thousands of clients do not give this issue.
3. There comes a time (after 40 iterations in the case of 3 parallel handshaking clients) after which the server kind of gives up and keeps on giving the same error no matter how much we slow down the clients (I stopped my client script for 5 minutes before trying again).
On Thu, Jul 5, 2018 at 6:29 PM Ajay Nalawade <ajay.nalawade@xxxxxxxxx> wrote:
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"strconv"

	// Assumed import path: the mail omitted it, but the API used below
	// (FIPSModeSet, NewCtxFromFiles, Listen) matches this binding.
	"github.com/spacemonkeygo/openssl"
)

// init_fips switches the OpenSSL FIPS module on before any context is created.
func init_fips() {
	err := openssl.FIPSModeSet(true)
	if err != nil {
		panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set fips mode.", err))
	}
	log.Print("OpenSSL FIPS mode is set to: True\n")
}

func main() {
	init_fips()
	laddr := "" // empty address: all interfaces, port chosen by the OS
	var ln net.Listener
	var err error
	// Init SSL shared context used across connections
	ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt", "/etc/certs/sslcert.key")
	if err != nil {
		log.Fatalf("Failed to read ssl certificate. Error: %v", err)
	}
	// Set options and do not allow SSLv2 and SSLv3 communication
	_ = ctx.SetOptions(openssl.CipherServerPreference | openssl.NoSSLv2 | openssl.NoSSLv3)
	// Listen on bind address
	ln, err = openssl.Listen("tcp", laddr, ctx)
	if err != nil {
		log.Fatalf("Failed to start server. Error: %v", err)
	}
	log.Println("Started secure server")
	log.Print("server: listening")
	for {
		accepted, err := ln.Accept()
		if err != nil {
			log.Printf("Got errored while accepting connection. %v", err)
			return
		}
		// One goroutine per connection; the TLS handshake happens lazily on first read
		go handleClient(accepted)
	}
}

// handleClient reads HTTP requests off one connection and echoes each body back.
func handleClient(conn net.Conn) {
	defer conn.Close()
	reader := bufio.NewReader(conn)
	for {
		//log.Print("server: conn: waiting")
		httpreq, err := http.ReadRequest(reader)
		if err != nil {
			log.Printf("Errored while reading request. Error: %v", err)
			break
		}
		if httpreq.ContentLength < 0 {
			// No Content-Length: nothing to echo (make() would panic on -1)
			httpreq.ContentLength = 0
		}
		buf := make([]byte, httpreq.ContentLength)
		toread := int(httpreq.ContentLength)
		rbytes := 0
		n := 0
		for toread > 0 {
			n, err = httpreq.Body.Read(buf[rbytes:])
			if err != nil && err != io.EOF {
				log.Printf("Errored while reading request body. Error: %v", err)
				break
			}
			rbytes += n
			toread = toread - n
			if err == io.EOF {
				break // body ended early; do not spin on a short read
			}
		}
		resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+strconv.Itoa(len(buf))+"\r\n\r\n"), buf...)
		wrote, err := conn.Write(resp)
		if err != nil {
			log.Printf("Errored while writing response. Error: %v", err)
			break
		}
		log.Printf("server: conn: wrote %d bytes", wrote)
	}
	log.Println("server: conn: closed")
}

On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <ajay.nalawade@xxxxxxxxx> wrote:

I am able to reproduce this issue with the attached Go-based server. Am I doing anything wrong here? Is there any known issue, or any workaround available for this issue?

Thanks,
Ajay

On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <ajay.nalawade@xxxxxxxxx> wrote:

Hello,

I have a Go-based OpenSSL server with FIPS mode set. I am using the OpenSSL library built with FIPS module 2.0. With OpenSSL version 1.0.1u, everything was running fine. Recently I upgraded to version 1.0.2o. With this version, under high traffic conditions (more than 4k requests per minute), reading the request fails with the following error:

"SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"

If I disable FIPS mode, everything runs fine. Is there any known issue with version 1.0.2o with FIPS mode set?

Thanks a lot in advance,
Ajay
-- openssl-users mailing list To unsubscribe:
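The serialisation workaround from observation 2 (one TLS handshake at a time while clients still connect in parallel), written here as an added example against Go's standard crypto/tls rather than the OpenSSL binding used in the thread; it is not code from the thread. SerialHandshakeListener and DevConfig are names chosen for this example, and the throwaway self-signed certificate stands in for the /etc/certs files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"sync"
	"time"
)

// SerialHandshakeListener finishes each TLS handshake under a mutex before handing
// the connection out: clients still connect in parallel, but no two handshakes
// ever run at the same time (the "serialise ssl wrap" workaround from the thread).
type SerialHandshakeListener struct{ net.Listener; mu sync.Mutex }

func (l *SerialHandshakeListener) Accept() (net.Conn, error) {
	for {
		c, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		l.mu.Lock()
		c.SetDeadline(time.Now().Add(5 * time.Second)) // bound how long one client may hold the lock
		err = c.(*tls.Conn).Handshake()
		c.SetDeadline(time.Time{})
		l.mu.Unlock()
		if err == nil {
			return c, nil
		}
		c.Close() // drop the failed client instead of ending the accept loop
	}
}

// DevConfig builds a throwaway self-signed certificate for local testing only, a
// constructed stand-in for the thread's /etc/certs/sslcert.crt and sslcert.key.
func DevConfig() (*tls.Config, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}, nil
}
```

Wrap the listener returned by tls.Listen and hand it to http.Serve or a plain accept loop; every connection Accept returns has already completed its handshake. With the OpenSSL binding the type assertion would target that binding's connection type rather than *tls.Conn.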