Hi,

We are in the process of porting our software to aarch64 (Raspberry Pi). One problem we have is with openssl: it appears that our build of it always fails in SSL_connect(). I have debugged it a bit and it seems the problem appears in the function ossl_statem_client13_read_transition(), where after receiving SSL3_MT_SERVER_HELLO and SSL3_MT_ENCRYPTED_EXTENSIONS it receives SSL3_MT_NEWSESSION_TICKET, but there is no handling of SSL3_MT_NEWSESSION_TICKET in 'case TLS_ST_CR_ENCRYPTED_EXTENSIONS' in statem_clnt.c around line 121.

I am no expert in SSL, so not sure where the problem might be; most probably we build openssl somehow in the wrong way. We also have a corporate firewall protected by ZScaler, but other tools like wget work fine with external URLs, so it ought to be possible to get it working.

We build openssl like this:

    # EGD needed for libIce
    ./config -d no-shared enable-egd --prefix=$INSTALL_ROOT/$PROJECT
    # Hide the symbols to avoid that undesired .so-s will find them (there is a zoo of binary incompatible openssl versions out there).
    make CFLAGS="-g -O0 -fvisibility=hidden" CXXFLAGS="-g -O0 -fvisibility=hidden"
    make install

    bin> ./openssl version
    OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )

The error (unexpected message) is visible also with the openssl command line. In our code SSL_connect() fails.

    bin> ./openssl s_client www.google.com:443
    Connecting to 172.217.169.36
    CONNECTED(00000003)
    4080C5B57F000000:error:0A0000F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:399:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4296 bytes and written 333 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

Any advice appreciated.

TIA
Paavo