SSL-Connection


 



Hello,

I am encountering a problem in ending an SSL connection properly, and I wonder if there is a problem with my application or a problem with OpenSSL.

My setup is:

Host Computer: ovs-dpdk (virtual switch)
vm1 : openssl
vm2 : dpdk-application (role of a virtual switch that connect vm1 and vm3)
vm3 : apache2 server

Role of each component:

vm1 : Just trying to connect to the apache2 server through openssl
vm2 : DPDK application that is a learning switch. Its purpose is to block the traffic if openssl (or some client) is trying to connect to a forbidden server.
vm3 : Just the server

So what I am actually doing is blocking the connection by responding with a TLS alert (fatal, unrecognized name). When I do that, it takes some time for OpenSSL to end the connection. But after 2 or 3 seconds I see that OpenSSL in VM1 has read my response, even on the actual desktop. I see that it has read 7 bytes and the correct SSL alert message that I send. (I check these on Wireshark as well.)

But that's a problem because it takes a lot of time. So the other thing I tried was to also send a TCP packet with the RST flag set in order to end the TCP session as well. That solved the problem from the perspective of speed, because it now closes the connection really fast, but the problem is that now OpenSSL doesn't read my alert packet and the reason I closed the connection. I want to mention also that when I receive the Client Hello I respond immediately with 2 packets. One is the TLS alert and the other one is the TCP RST packet.

So my questions are these:
1) Is TCP reset the correct way to end the TLS session (handshake) after a TLS alert message? If yes, shall I send these 2 packets together as I do now? (Forgive me for my lack of knowledge on TCP.)
2) Is there another way to end the connection except TCP reset?
3) Is there a possibility that OpenSSL reads only the TCP reset and not my alert packet, so that for that reason I only see "connection closed" but not the actual reason?
4) Is there a better way to do this?

My end goal is to end the connection properly and have OpenSSL read my SSL alert message, so I will get in VM1 (with openssl) "connection closed" with "unrecognized name" as the actual reason.

Thanks for your time,

Konstantinos Schoinas
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



