> It would be interesting to see what output you get from s_client when
> you use the "-trace" argument.
> Also, is this TLSv1.3 specific? If you add the argument "-no_tls1_3" to
> s_client does it start working?

Thanks for looking into this! I paste the outputs here. With -no_tls1_3 it goes further, but there is another error in the end. The system-wide installed openssl (1.1.1k) seems to work fine, the problem is with my own compilation of openssl 3.1.0-dev.

bin> ./openssl s_client -trace www.google.com:443
Connecting to 142.250.200.4
CONNECTED(00000003)
Sent Record
Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
  Length = 321
    ClientHello, Length=317
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0x4A87443A
        random_bytes (len=28): 029DE5C77134ACF4FE97FD1954D3D353D1802B3B5AFE3098AB53B22C
      session_id (len=32): C8641A261655A635E8578F4BB0F1125FC592A68D3CF7919881BB27DA4B40407B
      cipher_suites (len=62)
        {0x13, 0x02} TLS_AES_256_GCM_SHA384
        {0x13, 0x03} TLS_CHACHA20_POLY1305_SHA256
        {0x13, 0x01} TLS_AES_128_GCM_SHA256
        {0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        {0xCC, 0xA9} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xA8} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xCC, 0xAA} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        {0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        {0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        {0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        {0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        {0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        {0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        {0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        {0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
        {0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
        {0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
        {0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
        {0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
        {0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
        {0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
      compression_methods (len=1)
        No Compression (0x00)
      extensions, length = 182
        extension_type=server_name(0), length=19
          0000 - 00 11 00 00 0e 77 77 77-2e 67 6f 6f 67 6c 65   .....www.google
          000f - 2e 63 6f 6d                                    .com
        extension_type=ec_point_formats(11), length=4
          uncompressed (0)
          ansiX962_compressed_prime (1)
          ansiX962_compressed_char2 (2)
        extension_type=supported_groups(10), length=22
          ecdh_x25519 (29)
          secp256r1 (P-256) (23)
          ecdh_x448 (30)
          secp521r1 (P-521) (25)
          secp384r1 (P-384) (24)
          ffdhe2048 (256)
          ffdhe3072 (257)
          ffdhe4096 (258)
          ffdhe6144 (259)
          ffdhe8192 (260)
        extension_type=session_ticket(35), length=0
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
        extension_type=signature_algorithms(13), length=48
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
          ed25519 (0x0807)
          ed448 (0x0808)
          ecdsa_brainpoolP256r1_sha256 (0x081a)
          ecdsa_brainpoolP384r1_sha384 (0x081b)
          ecdsa_brainpoolP512r1_sha512 (0x081c)
          rsa_pss_pss_sha256 (0x0809)
          rsa_pss_pss_sha384 (0x080a)
          rsa_pss_pss_sha512 (0x080b)
          rsa_pss_rsae_sha256 (0x0804)
          rsa_pss_rsae_sha384 (0x0805)
          rsa_pss_rsae_sha512 (0x0806)
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
          ecdsa_sha224 (0x0303)
          rsa_pkcs1_sha224 (0x0301)
          dsa_sha224 (0x0302)
          dsa_sha256 (0x0402)
          dsa_sha384 (0x0502)
          dsa_sha512 (0x0602)
        extension_type=supported_versions(43), length=9
          TLS 1.3 (772)
          TLS 1.2 (771)
          TLS 1.1 (770)
          TLS 1.0 (769)
        extension_type=psk_key_exchange_modes(45), length=2
          psk_dhe_ke (1)
        extension_type=key_share(51), length=38
          NamedGroup: ecdh_x25519 (29)
          key_exchange: (len=32): 9C6DCAE979C6FCD147C1A7B71A75F825B8209561C02A83E0DF6DCE14FDEE2305

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Handshake (22)
  Length = 122
    ServerHello, Length=118
      server_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0xB3F52DD8
        random_bytes (len=28): B1BC92425FD4D68273D46E80DF99142FF5A477E8FE9CF90A9BEA1B64
      session_id (len=32): C8641A261655A635E8578F4BB0F1125FC592A68D3CF7919881BB27DA4B40407B
      cipher_suite {0x13, 0x02} TLS_AES_256_GCM_SHA384
      compression_method: No Compression (0x00)
      extensions, length = 46
        extension_type=key_share(51), length=36
          NamedGroup: ecdh_x25519 (29)
          key_exchange: (len=32): 6AA26AC34AFDCE41CE986D1FDC3EB8B49D661F5E0CA3E091CAE0850342B5494A
        extension_type=supported_versions(43), length=2
          TLS 1.3 (772)

Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ChangeCipherSpec (20)
  Length = 1
Received Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = ApplicationData (23)
  Length = 4156
  Inner Content Type = Handshake (22)
Sent Record
Header:
  Version = TLS 1.2 (0x303)
  Content Type = Alert (21)
  Length = 2
    Level=fatal(2), description=unexpected_message(10)

40A0B3AD7F000000:error:0A0000F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:399:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4294 bytes and written 333 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

bin> ./openssl s_client -no_tls1_3 www.google.com:443
Connecting to 142.250.187.228
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 28 03:35:56 2022 GMT; NotAfter: May 23 03:35:55 2022 GMT
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN=www.google.com
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4482 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: E352271D58FE8A55E15D2203A2961B488E83D3A9B1B2A2D04CCC59ADF1154D1F
    Session-ID-ctx:
    Master-Key: 86BA2A3C64BA60572597C57E7ABBECB96158B54E4B2BC7D507C5DE1803A88080147B77B584AA0393C80F12BDA4E561C2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    Start Time: 1648038678
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
40E0A6A87F000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:308:

-----Original Message-----
From: Matt Caswell <matt@xxxxxxxxxxx>
Sent: Wednesday, 23 March 2022 13:55
To: Helde, Paavo <Paavo.Helde@xxxxxxxxxxxxxxx>; openssl-users@xxxxxxxxxxx
Subject: [External] Re: SSL_connect() failing on SSL3_MT_NEWSESSION_TICKET on Raspberry Pi

On 23/03/2022 07:39, Helde, Paavo via openssl-users wrote:
> Hi,
>
> We are in a process of porting our software to aarch64 (Raspberry Pi).
> One problem that we have is with openssl, it appears that our build of
> it always fails in SSL_connect(). I have debugged it a bit and it
> seems the problem appears in the function
> ossl_statem_client13_read_transition(), where after receiving
> SSL3_MT_SERVER_HELLO and SSL3_MT_ENCRYPTED_EXTENSIONS it receives
> SSL3_MT_NEWSESSION_TICKET, but there is no handling of
> SSL3_MT_NEWSESSION_TICKET in ’case TLS_ST_CR_ENCRYPTED_EXTENSIONS’
> in statem_clnt.c around line 121.

That is quite odd. It appears you are in a TLSv1.3 handshake and have received a NewSessionTicket message. But NewSessionTicket messages should only be sent post handshake in TLSv1.3. So, if that's really what has been received, then that is a protocol violation.

It would be interesting to see what output you get from s_client when you use the "-trace" argument.

Also, is this TLSv1.3 specific? If you add the argument "-no_tls1_3" to s_client does it start working?

Matt

>
> I am no expert in SSL, so not sure where the problem might be, most
> probably we build the openssl somehow in the wrong way. We also have
> corporate firewall protected by ZScaler, but other tools like wget
> work fine with external URL-s, so it ought to be possible to get it working.
>
> We build openssl like that:
>
> # EGD needed for libIce
> ./config -d no-shared enable-egd --prefix=$INSTALL_ROOT/$PROJECT
>
> # Hide the symbols to avoid that undesired .so-s will find them (there is a zoo of binary incompatible openssl versions out there).
> make CFLAGS="-g -O0 -fvisibility=hidden" CXXFLAGS="-g -O0 -fvisibility=hidden"
>
> make install
>
> bin> ./openssl version
> OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )
>
> The error (unexpected message) is visible also with the openssl
> command line. In our code SSL_connect() fails.
>
> bin> ./openssl s_client www.google.com:443
> Connecting to 172.217.169.36
> CONNECTED(00000003)
> 4080C5B57F000000:error:0A0000F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:399:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 4296 bytes and written 333 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> This TLS version forbids renegotiation.
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
>
> Any advice appreciated
>
> TIA
>
> Paavo
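
The ordering rule discussed in the thread (in TLSv1.3 a NewSessionTicket is only legal after the handshake has completed), as an added example that is not part of the original messages and is not OpenSSL's code. It models the RFC 8446 server-to-client message order for a certificate-authenticated full handshake only; the state names and `first_violation()` are hypothetical, and PSK resumption and post-handshake client authentication are left out.

```c
#include <stdio.h>

/* Handshake message type codes from RFC 8446, section 4. */
enum { MT_SERVER_HELLO = 2, MT_NEW_SESSION_TICKET = 4, MT_ENCRYPTED_EXTENSIONS = 8,
       MT_CERTIFICATE = 11, MT_CERTIFICATE_REQUEST = 13,
       MT_CERTIFICATE_VERIFY = 15, MT_FINISHED = 20, MT_KEY_UPDATE = 24 };

/* Hypothetical client read states, named after the last message accepted. */
enum state { ST_START, ST_SH, ST_EE, ST_CR, ST_CERT, ST_CV, ST_DONE, ST_ERR };

/* Read transitions for a certificate-authenticated handshake (no PSK). */
static enum state next_state(enum state st, int mt)
{
    switch (st) {
    case ST_START: return mt == MT_SERVER_HELLO ? ST_SH : ST_ERR;
    case ST_SH:    return mt == MT_ENCRYPTED_EXTENSIONS ? ST_EE : ST_ERR;
    case ST_EE:    /* a NewSessionTicket here has no legal transition */
        if (mt == MT_CERTIFICATE_REQUEST) return ST_CR;
        return mt == MT_CERTIFICATE ? ST_CERT : ST_ERR;
    case ST_CR:    return mt == MT_CERTIFICATE ? ST_CERT : ST_ERR;
    case ST_CERT:  return mt == MT_CERTIFICATE_VERIFY ? ST_CV : ST_ERR;
    case ST_CV:    return mt == MT_FINISHED ? ST_DONE : ST_ERR;
    case ST_DONE:  /* post-handshake messages only */
        return (mt == MT_NEW_SESSION_TICKET || mt == MT_KEY_UPDATE) ? ST_DONE : ST_ERR;
    default:       return ST_ERR;
    }
}

/* Index of the first out-of-order message, or -1 if the order is legal. */
int first_violation(const int *msgs, size_t n)
{
    enum state st = ST_START;
    for (size_t i = 0; i < n; i++) {
        st = next_state(st, msgs[i]);
        if (st == ST_ERR) return (int)i;
    }
    return -1;
}

/* Constructed inputs: the order reported in the thread, and a legal one. */
const int REPORTED[] = { MT_SERVER_HELLO, MT_ENCRYPTED_EXTENSIONS, MT_NEW_SESSION_TICKET };
const int LEGAL[] = { MT_SERVER_HELLO, MT_ENCRYPTED_EXTENSIONS, MT_CERTIFICATE,
                      MT_CERTIFICATE_VERIFY, MT_FINISHED, MT_NEW_SESSION_TICKET };

int main(void)
{
    printf("reported=%d legal=%d\n", first_violation(REPORTED, 3), first_violation(LEGAL, 6));
    return 0;
}
```

A client that rejects the message at the reported position answers with a fatal `unexpected_message` alert, which is what the `-trace` output in the thread shows being sent.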