[openssl-users] Rehandshake problem

Ignacio Casal ignacio.casal at nice-software.com
Fri Nov 13 10:18:48 UTC 2015


Hey,

This is on Fedora 23, though I built OpenSSL 1.0.1k (since it is the
version supported on RHEL 6).
These are the specific test cases that are failing with OpenSSL for us:
https://git.gnome.org/browse/glib-networking/tree/tls/tests/connection.c?h=wip/openssl#n1948
https://git.gnome.org/browse/glib-networking/tree/tls/tests/connection.c?h=wip/openssl#n1950

And here is where the second handshake happens:
https://git.gnome.org/browse/glib-networking/tree/tls/tests/connection.c?h=wip/openssl#n389

FWIW, we are using our own BIO:
https://git.gnome.org/browse/glib-networking/tree/tls/openssl/gtlsbio.c?h=wip/openssl

I can try to get you the pcap packet trace.

About "You would normally expect to get an SSL_ERROR_WANT_READ on the
client side when the server sends the HelloRequest."

Yes, this is what I would have expected as well.

Cheers.


On Fri, Nov 13, 2015 at 11:08 AM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 13/11/15 08:37, Ignacio Casal wrote:
> > Hey guys,
> >
> > I am having a specific problem that I do not seem to find a solution for.
> >
> > - I have a server and a client that handshake properly
> > - the server will read from the client and the client from the server a
> > few bytes
> > - the client will try to read again
> > - the server will try to handshake again by calling SSL_renegotiate and
> > SSL_do_handshake. I get no errors in these calls.
> > - then I would expect the client to exit from the read call with an
> > error saying that it needs to handshake again; instead it stays blocked on
> > the read until the server sends some data. But then I get an error
> > server side that there was no proper handshaking.
> >
> > Do you know how to get a notification client side that the client needs
> > to handshake again when blocked on a read or write?
>
> Which OpenSSL version/platform are you using? Can you get a pcap packet
> trace and post the specific errors that you are receiving?
>
> You would normally expect to get an SSL_ERROR_WANT_READ on the client
> side when the server sends the HelloRequest.
>
> Matt
>



-- 
Ignacio Casal Quinteiro