RE: KTLS with openssl 3.0 fail with error ENOTCONN(Transport endpoint is not connected)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Boris/John

 

I am from NXP and currently working on enabling KTLS on NXP platforms via openssl.

I see that you enabled KTLS support in openssl 3.0(https://www.openssl.org/news/changelog.html#openssl-30).

 

when I configure openssl 3.0 or 3.1.0 with enable-ktls and and try to run the s_server, s_client application.

I observe that connection is successfully established - but it didn't use KTLS.

 

Then I added additional log in kernel(file net/tls/tls_main.c) and see that kernel is returning error -ENOTCONN

when (sk->sk_state != TCP_ESTABLISHED) in function static int tls_init(struct sock *sk)

 

please help to see the problem.

 

Openssl repo: https://github.com/openssl/openssl , branch: master or openssl-3.0

logs:

$ ./ Configure enable-ktls linux-aarch64

$ openssl version
OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )

$ openssl s_server -ktls -key rsa.key -cert server.pem -accept 443
sk->sk_state != TCP_ESTABLISHED   (log added in kernel net/tls/tls_main.c)

ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDADNEkWucVTZpiKPtRz48bGM1wHHnOUlta9WcSH9Q3y
4jdP8DgTAZAkrkD9SbCbs6uhBgIEYdQH96IEAgIcIKQGBAQBAAAArQMCAQGzAwIB
HQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1
Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

$ openssl s_client -quiet -connect 192.168.0.139:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -tls1_2 -ktls
[1119274.610941] sk->sk_state != TCP_ESTABLISHED
Connecting to 192.168.0.139
Can't use SSL_get_servername
depth=0 C=IN, ST=NOIDA, L=NOIDA, O=NXP, OU=EP, CN=Gaurav, emailAddress=gaura.jain@xxxxxxx
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=IN, ST=NOIDA, L=NOIDA, O=NXP, OU=EP, CN=Gaurav, emailAddress=gaura.jain@xxxxxxx
verify return:1

 

 

Regards

Gaurav Jain

From: Gaurav Jain
Sent: Wednesday, December 22, 2021 3:54 PM
To: openssl-users@xxxxxxxxxxx
Cc: Varun Sethi <V.Sethi@xxxxxxx>; Pankaj Gupta <pankaj.gupta@xxxxxxx>
Subject: KTLS with openssl 3.0 fail with error ENOTCONN(Transport endpoint is not connected)

 

Hi

Kernel Support for KTLS:
kernel version is 5.15
CONFIG_TLS=y
CONFIG_TLS_DEVICE=y
CONFIG_CRYPTO_TLS=y

Openssl:
$ ./
Configure enable-ktls linux-aarch64
$ make

Server
$ ./openssl version
OpenSSL 3.0.2-dev 14 Dec 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
$ ./openssl s_server -key rsa.key -cert server.pem -accept 443

error
file: crypto/bio/bio_sock2.c
function: BIO_socket()
ktls_enable(sock); failed with ENOTCONN error
setsockopt failed, 107, Transport endpoint is not connected

server logs( added some debug logs)

root@imx8mmevk:~# ./openssl s_server -key rsa.key -cert server.pem -accept 443
sk->sk_state != TCP_ESTABLISHED (log added in kernel net/tls/tls_main.c)
sk->sk_state != TCP_ESTABLISHED

BIO_socket sock_family = 10, sock_type = 1, sock_protocol = 6, return = 3
setsockopt failed, 107, Transport endpoint is not connected
BIO_socket, ktls_enable(asock) = 0
ACCEPT
setsockopt failed, 17, File exists
BIO_new_socket, ktls_enable(s) = 0
-----BEGIN SSL SESSION PARAMETERS-----
MF8CAQECAgMDBALAMAQABDAC9MHCSSlLXrS0D8tq2hCZtW0vmB1EC6HQerBThuev
PdX7VOUnD1a2bybdw1LfEiqhBgIEYcLciaIEAgIcIKQGBAQBAAAArQMCAQGzAwIB
HQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1
Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
Using Kernel TLS for sending fail
Using Kernel TLS for receiving fail


Regards

Gaurav Jain

 


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux