RE: [External] Re: SSL_connect() failing on SSL3_MT_NEWSESSION_TICKET on Raspberry Pi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> It would be interesting to see what output you get from s_client when you use the "-trace" argument.
> Also, is this TLSv1.3 specific? If you add the argument "-no_tls1_3" to s_client does it start working?

Thanks for looking into this! I paste the outputs here. With -no_tls1_3 it goes further, but there is another error in the end.

The system-wide installed openssl (1.1.1k) seems to work fine, the problem is with my own compilation of openssl 3.1.0-dev.

bin> ./openssl s_client -trace www.google.com:443
Connecting to 142.250.200.4
CONNECTED(00000003)
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
  Length = 321
    ClientHello, Length=317
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0x4A87443A
        random_bytes (len=28): 029DE5C77134ACF4FE97FD1954D3D353D1802B3B5AFE3098AB53B22C
      session_id (len=32): C8641A261655A635E8578F4BB0F1125FC592A68D3CF7919881BB27DA4B40407B
      cipher_suites (len=62)
        {0x13, 0x02} TLS_AES_256_GCM_SHA384
        {0x13, 0x03} TLS_CHACHA20_POLY1305_SHA256
        {0x13, 0x01} TLS_AES_128_GCM_SHA256
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0xCC, 0xA9} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xA8} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xAA} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      compression_methods (len=1)
        No Compression (0x00)
      extensions, length = 182
        extension_type=server_name(0), length=19
          0000 - 00 11 00 00 0e 77 77 77-2e 67 6f 6f 67 6c 65   .....www.google
          000f - 2e 63 6f 6d                                    .com
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=supported_groups(10), length=22
          ecdh_x25519 (29)
          secp256r1 (P-256) (23)
          ecdh_x448 (30)
          secp521r1 (P-521) (25)
          secp384r1 (P-384) (24)
          ffdhe2048 (256)
          ffdhe3072 (257)
          ffdhe4096 (258)
          ffdhe6144 (259)
          ffdhe8192 (260)
        extension_type=session_ticket(35), length=0
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
        extension_type=signature_algorithms(13), length=48
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
          ed25519 (0x0807)
          ed448 (0x0808)
          ecdsa_brainpoolP256r1_sha256 (0x081a)
          ecdsa_brainpoolP384r1_sha384 (0x081b)
          ecdsa_brainpoolP512r1_sha512 (0x081c)
          rsa_pss_pss_sha256 (0x0809)
          rsa_pss_pss_sha384 (0x080a)
          rsa_pss_pss_sha512 (0x080b)
          rsa_pss_rsae_sha256 (0x0804)
          rsa_pss_rsae_sha384 (0x0805)
          rsa_pss_rsae_sha512 (0x0806)
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
          ecdsa_sha224 (0x0303)
          rsa_pkcs1_sha224 (0x0301)
          dsa_sha224 (0x0302)
          dsa_sha256 (0x0402)
          dsa_sha384 (0x0502)
          dsa_sha512 (0x0602)
        extension_type=supported_versions(43), length=9
          TLS 1.3 (772)
          TLS 1.2 (771)
          TLS 1.1 (770)
          TLS 1.0 (769)
        extension_type=psk_key_exchange_modes(45), length=2
          psk_dhe_ke (1)
        extension_type=key_share(51), length=38
            NamedGroup: ecdh_x25519 (29)
            key_exchange:  (len=32): 9C6DCAE979C6FCD147C1A7B71A75F825B8209561C02A83E0DF6DCE14FDEE2305

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Handshake (22)
  Length = 122
    ServerHello, Length=118
      server_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0xB3F52DD8
        random_bytes (len=28): B1BC92425FD4D68273D46E80DF99142FF5A477E8FE9CF90A9BEA1B64
      session_id (len=32): C8641A261655A635E8578F4BB0F1125FC592A68D3CF7919881BB27DA4B40407B
      cipher_suite {0x13, 0x02} TLS_AES_256_GCM_SHA384
      compression_method: No Compression (0x00)
      extensions, length = 46
        extension_type=key_share(51), length=36
            NamedGroup: ecdh_x25519 (29)
            key_exchange:  (len=32): 6AA26AC34AFDCE41CE986D1FDC3EB8B49D661F5E0CA3E091CAE0850342B5494A
        extension_type=supported_versions(43), length=2
            TLS 1.3 (772)

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ChangeCipherSpec (20)
  Length = 1
Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 4156
  Inner Content Type = Handshake (22)
Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Alert (21)
  Length = 2
    Level=fatal(2), description=unexpected_message(10)

40A0B3AD7F000000:error:0A0000F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:399:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4294 bytes and written 333 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

bin> ./openssl s_client -no_tls1_3 www.google.com:443
Connecting to 142.250.187.228
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 28 03:35:56 2022 GMT; NotAfter: May 23 03:35:55 2022 GMT
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEiTCCA3GgAwIBAgIRAMBJlF+DTAD7EgAAAAAET78wDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
TEMxEzARBgNVBAMTCkdUUyBDQSAxQzMwHhcNMjIwMjI4MDMzNTU2WhcNMjIwNTIz
MDMzNTU1WjAZMRcwFQYDVQQDEw53d3cuZ29vZ2xlLmNvbTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABNU9/YwChmDmgsclBBLVZqQ9YTWNuddykMKmlqaZchBQo4Vt
Y0LXBnItLtEQheMO8Tco4972gO4wtaVz03p3sC2jggJoMIICZDAOBgNVHQ8BAf8E
BAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUxLBa1gCt8iLW8sb+JwzPMehIZX4wHwYDVR0jBBgwFoAUinR/r4XN7pXNPZzQ
4kYU83E1HScwagYIKwYBBQUHAQEEXjBcMCcGCCsGAQUFBzABhhtodHRwOi8vb2Nz
cC5wa2kuZ29vZy9ndHMxYzMwMQYIKwYBBQUHMAKGJWh0dHA6Ly9wa2kuZ29vZy9y
ZXBvL2NlcnRzL2d0czFjMy5kZXIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20w
IQYDVR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAHWeQIFAzA8BgNVHR8ENTAzMDGg
L6AthitodHRwOi8vY3Jscy5wa2kuZ29vZy9ndHMxYzMvUU92SjBOMXNUMkEuY3Js
MIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAKXm+8J45OSHwVnOfY6V35b5XfZxg
Cvj5TV0mXCVdx4QAAAF/Pp0ZIQAABAMASDBGAiEApB0Z6LsZnLuEHPnqGiKwMJxa
MDpe7RmT0+nLZQfAn08CIQCwWrJ8vLTFHcpk5JKcTIA8lU/0xF5OogQ7wxg5qUqE
IAB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXlAAABfz6dGTkAAAQD
AEcwRQIgAmoUG6wePjmKyTv8Eo1SOYOJEZP3zNEpx4mF7F6Y5CICIQCDVw2/D6XB
/q5aaT1Y5Lz3QZh8rBiJQjoCrQhWNXu8SjANBgkqhkiG9w0BAQsFAAOCAQEAt0Sy
T/7JsaAG/bH6KtglzO7fzvh4UHkhbrxu5Nr/HPlmerPBk+ubJb66f2wlVeWG21+2
g/Edav4YBkcwegrqY94zXXAA/HI4eh8DljFPu8TWys0eQfJ0/D5JaYMzrcd1I+Jf
xReM00EcakZZC9aVD16FKSBT6UW65svJNlRhdbvJ9ndSz8kMhripwkpbZPrdk7f1
N70/NfmGZVuNmgsvL8L22zLubKrLVuHpVr5505yhEV1NHEziGoO7YYWCdrx2lPW0
gOLIVtevx7XKKHXhj6AR83tgdviyNMBX23JSaN5Y2KMUXFtw7X6lAgrs8HLFbn6v
WTbHJCQj70zkAokp8g==
-----END CERTIFICATE-----
subject=CN=www.google.com
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4482 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: E352271D58FE8A55E15D2203A2961B488E83D3A9B1B2A2D04CCC59ADF1154D1F
    Session-ID-ctx:
    Master-Key: 86BA2A3C64BA60572597C57E7ABBECB96158B54E4B2BC7D507C5DE1803A88080147B77B584AA0393C80F12BDA4E561C2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 01 22 f3 90 27 e0 7b 22-14 13 b4 43 ad 16 02 55   ."..'.{"...C...U
    0010 - 2d f5 b2 94 ba 77 21 2e-a8 e0 79 91 89 64 41 f1   -....w!...y..dA.
    0020 - 14 5f aa 3d 1c 4f c7 1f-a7 93 71 6c e1 15 68 10   ._.=.O....ql..h.
    0030 - 8d 9d 53 6f 71 42 24 85-1d c3 42 44 3f 68 4d fd   ..SoqB$...BD?hM.
    0040 - 9e d1 57 c5 5a 8b 9c 54-46 05 36 be 98 4c 09 cd   ..W.Z..TF.6..L..
    0050 - 9d 12 c3 9f f6 81 1e 64-e7 0e 7d 6c 16 6b 8e 70   .......d..}l.k.p
    0060 - 7f 06 e3 c0 1f 0a 96 81-06 e9 40 19 70 1d 56 ed   ..........@.p.V.
    0070 - 5d f3 e9 94 62 ae bd 8b-0a c1 a9 a5 f1 35 b2 3f   ]...b........5.?
    0080 - 95 43 45 59 6e 52 f9 09-5b 67 bb 76 b4 17 ab b7   .CEYnR..[g.v....
    0090 - 13 77 bc 25 ec 22 6d 04-cc 96 2e eb 23 3c c4 60   .w.%."m.....#<.`
    00a0 - 28 f5 75 5d 79 85 74 f0-c3 9c a1 51 ce f1 4d b3   (.u]y.t....Q..M.
    00b0 - b2 c8 9d 7a 09 61 3e 62-c8 d4 e2 d1 b0 8e 78 54   ...z.a>b......xT
    00c0 - 90 4d 0b c1 08 a3 fe b1-92 51 71 71 d4 55 6d d4   .M.......Qqq.Um.
    00d0 - 9c 1a cc aa 38 70 f9 24-2b b7 42 57 59 ee 71 b6   ....8p.$+.BWY.q.
    00e0 - 79 0e                                             y.

    Start Time: 1648038678
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
40E0A6A87F000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:308:



-----Original Message-----
From: Matt Caswell <matt@xxxxxxxxxxx> 
Sent: kolmapäev, 23. märts 2022 13:55
To: Helde, Paavo <Paavo.Helde@xxxxxxxxxxxxxxx>; openssl-users@xxxxxxxxxxx
Subject: [External] Re: SSL_connect() failing on SSL3_MT_NEWSESSION_TICKET on Raspberry Pi


Use caution when opening links or attachments.



On 23/03/2022 07:39, Helde, Paavo via openssl-users wrote:
> Hi,
> 
> We are in a process of porting our software to aarch64 (Raspberry Pi). 
> One problem what we have is with openssl, it appears that our build of 
> it always fails in SSL_connect(). I have debugged it a bit and it 
> seems the problem appears in the function 
> ossl_statem_client13_read_transition(), where after receiving 
> SSL3_MT_SERVER_HELLO and SSL3_MT_ENCRYPTED_EXTENSIONS it receives 
> SSL3_MT_NEWSESSION_TICKET, but there is no handling of
>   SSL3_MT_NEWSESSION_TICKET in ’case TLS_ST_CR_ENCRYPTED_EXTENSIONS’ 
> in statem_clnt.c around line 121.

That is quite odd. It appears you are in a TLSv1.3 handshake and have received a NewSessionTicket message. But NewSessionTicket messages should only be sent post handshake in TLSv1.3. So, if that's really what has been received, then that is a protocol violation.

It would be interesting to see what output you get from s_client when you use the "-trace" argument.

Also, is this TLSv1.3 specific? If you add the argument "-no_tls1_3" to s_client does it start working?

Matt

> 
> I am no expert in SSL, so not sure where the problem might be, most 
> probably we build the openssl somehow in the wrong way. We also have 
> corporate firewall protected by ZScaler, but other tools like wget 
> work fine with external URL-s, so it ought to be possible to get it working.
> 
> We build openssl like that:
> 
>      # EGD needed for libIce
> 
>      ./config -d no-shared enable-egd --prefix=$INSTALL_ROOT/$PROJECT
> 
>      # Hide the symbols to avoid that undesired .so-s will find them 
> (there is a zoo of binary incompatible openssl versions out there).
> 
>      make CFLAGS="-g -O0 -fvisibility=hidden" CXXFLAGS="-g -O0 
> -fvisibility=hidden"
> 
>      make install
> 
> bin> ./openssl version
> 
> OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )
> 
> The error (unexpected message) is visible also with the openssl 
> command line. In our code SSL_connect() fails.
> 
> bin> ./openssl s_client 
> bin> https://urldefense.com/v3/__http://www.google.com__;!!GdTGuAHWOn0
> bin> L!fHTPt_L3vv-TUqwVGqbCIQlS64qPNKWVU7nd4Z-9cBpGSGuZxRdLn_z-PnFYN5M
> bin> 6Juthxg$ :443 
> bin> <https://urldefense.com/v3/__http://www.google.com:443__;!!GdTGuA
> bin> HWOn0L!fHTPt_L3vv-TUqwVGqbCIQlS64qPNKWVU7nd4Z-9cBpGSGuZxRdLn_z-Pn
> bin> FYN5Pdf0LOhw$ >
> 
> Connecting to 172.217.169.36
> 
> CONNECTED(00000003)
> 
> 4080C5B57F000000:error:0A0000F4:SSL
> routines:ossl_statem_client_read_transition:unexpected
> message:ssl/statem/statem_clnt.c:399:
> 
> ---
> 
> no peer certificate available
> 
> ---
> 
> No client certificate CA names sent
> 
> Server Temp Key: X25519, 253 bits
> 
> ---
> 
> SSL handshake has read 4296 bytes and written 333 bytes
> 
> Verification: OK
> 
> ---
> 
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> 
> This TLS version forbids renegotiation.
> 
> Compression: NONE
> 
> Expansion: NONE
> 
> No ALPN negotiated
> 
> Early data was not sent
> 
> Verify return code: 0 (ok)
> 
> ---
> 
> Any advice appreciated
> 
> TIA
> 
> Paavo
> 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux