[openssl-users] API SSL_Connect fails and always returns SSL_ERROR_WANT_READ causes infinite loop in application

mahesh gs mahesh116 at gmail.com
Tue Nov 21 10:42:34 UTC 2017


Hi Matt,

I have raised bug.

https://github.com/openssl/openssl/issues/4763

Thanks,
Mahesh G S

On Tue, Nov 21, 2017 at 3:26 PM, Matt Caswell <matt at openssl.org> wrote:

> Sounds like a bug. Can you raise this as an issue on github?
>
> https://github.com/openssl/openssl/issues
>
> Thanks
>
> Matt
>
>
> On 21/11/17 08:53, mahesh gs wrote:
> > Hi,
> >
> > We were able to further localize this problem and found the problem is
> > with the function "BIO_dgram_sctp_wait_for_dry". In this function after
> > enabling the "sctp_sender_dry_event" we are trying to do MSG_PEEK to
> > peek to the message at SCTP layer, in this case the size of the message
> > waiting in the lower layer is 15 which size is exactly the size of
> > "Handshake Alert" that is received from the server and waiting to be
> > read. Dry event is never read from the lower layer that causes the
> > SUB_STATE_ERROR and intern causes the SSL_Connect to loop in application.
> >
> > Current version of openssl we are using is 01.01.00g.
> >
> > We have tested and able to reproduce this issue with the OPENSSL
> > 01.00.02k version that is packaged with RHEL 7.4 as well.
> >
> >
> > Thanks,
> > Mahesh G S
> >
> > On Mon, Nov 20, 2017 at 4:42 PM, mahesh gs <mahesh116 at gmail.com
> > <mailto:mahesh116 at gmail.com>> wrote:
> >
> >     Hi Matt,
> >
> >     Thanks for the response.
> >
> >     We debugged through openssl code to get to know the reason why
> >     client is not reading "SSL Alert".
> >
> >     Once the "ClientKeyExchange" is sent openssl trying to send out the
> >     "ChangeCipherSpec"  message which is creating the problem.
> >
> >     The pre-work function for "ChangeCipherSpec" enables SCTP dry event
> >     and wait for dry event notification.
> >
> >     Inline image 1
> >
> >
> >     In this scenario, dry notification is never sent from SCTP.
> >     "dtls_wait_for_dry" always returns "WORK_MORE_A". Hereafter flow
> >     never enters "read_state_machine" where alert is to be red.This
> >     causes SSL_Connect to be in infinite loop.
> >
> >
> >     Thanks,
> >     Mahesh G S
> >
> >     On Fri, Nov 17, 2017 at 3:36 PM, Matt Caswell <matt at openssl.org
> >     <mailto:matt at openssl.org>> wrote:
> >
> >
> >
> >         On 17/11/17 06:42, mahesh gs wrote:
> >         >  Why
> >         > does client respond with "Client key exchange" even if the the
> handshake
> >         > failure alert is sent from server?
> >
> >         The client will send its entire flight of messages before it
> >         attempts to
> >         read anything from the server. So, in this case, the
> >         ClientKeyExchange
> >         message is still sent because the client hasn't read the alert
> yet.
> >
> >         Matt
> >
> >         --
> >         openssl-users mailing list
> >         To unsubscribe:
> >         https://mta.openssl.org/mailman/listinfo/openssl-users
> >         <https://mta.openssl.org/mailman/listinfo/openssl-users>
> >
> >
> >
> >
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171121/c11e35f0/attachment.html>


More information about the openssl-users mailing list