Re: [External] Re: SSL_connect() failing on SSL3_MT_NEWSESSION_TICKET on Raspberry Pi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 23/03/2022 12:39, Helde, Paavo via openssl-users wrote:
It would be interesting to see what output you get from s_client when you use the "-trace" argument.
Also, is this TLSv1.3 specific? If you add the argument "-no_tls1_3" to s_client does it start working?

Thanks for looking into this! I paste the outputs here. With -no_tls1_3 it goes further, but there is another error in the end.

The error you see with "-no_tls1_3" is:

40E0A6A87F000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:308:

This is actually normally behaviour with the google server. What is happening is that you are succesfully creating a connection and the google server is waiting for you to send it an HTTP request. After a short while, having not received one, the server is aborting the connection abruptly, i.e. it's doing a non-clean shutdown without sending a close_notify alert. This results in the "unexpected eof" message. So TLSv1.2 appears to be working correctly.


Received Record
Header:
   Version = TLS 1.2 (0x303)
   Content Type = ApplicationData (23)
   Length = 4156
   Inner Content Type = Handshake (22)

This is actually interesting. If I do the same thing from my machine what I see at this point in the communication is this:

Received Record

Header:

  Version = TLS 1.2 (0x303)

  Content Type = ApplicationData (23)

  Length = 4156

  Inner Content Type = Handshake (22)

    EncryptedExtensions, Length=2

      No extensions



    Certificate, Length=3998

      context (len=0):

      certificate_list, length=3994

        ASN.1Cert, length=1163

------details-----

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            8d:0d:f9:1d:bc:de:87:69:12:00:00:00:00:05:a8:0f

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

        Validity

            Not Before: Mar 17 11:49:13 2022 GMT

            Not After : Jun  9 11:49:12 2022 GMT

        Subject: CN = www.google.com

        ...snip...

So we both receive a TLSv1.3 record of length 4156. For me this contains the EncryptedExtensions, Certificate, CertificateVerify and Finished messages. Given that the length is identical for you this suggests to me that this is also what you are intended to receive. Something somewhere has corrupted the contents.

Possible causes that spring to mind:
- OpenSSL bug
- Compiler bug

Some things you could try:
- Do you have an alternative compiler you could use? If its a compiler bug then swapping to a different compiler might resolve it - I notice that you are using the latest master version 3.1.0-dev. The master branch is where all dev work goes on and consequently may be unstable. You might be better off using the latest 3.0 stable version, i.e. 3.0.2

Matt



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux