[openssl-users] Multiple reconnection in OpenSSL 1.1.0
Huy Cong Vu
huy-cong.vu at wandercraft.eu
Tue Jan 16 10:31:09 UTC 2018
Hi everyone,
Recently I have problem when trying to update my OpenSSL library from 1.0.1f to 1.1.0g.
I have a server that runs 24/24 and receive connections from only 1 source, and 1 connection at a time, nothing really fancy, but it worked very well in OpenSSL 1.0.1f version. In 1.1.0g, the connection is establish and runs perfectly the 1st time. And the 2nd time the client try to connect, after the SSL connection is establish, SSL_read cannot return -1, and have no errors (checked with SSL_get_errors...)
My server runs on Linux 14.04, while my client runs on Windows 7, both with OpenSSL 1.1.0.
If anyone have an idea what happened, I would be glad to know, please tell me if you need any details.
Here the principal code snipset (I don't have the certificate verification code snip here, but it was there, and it always works so I guess there no point repost it now):
+ Some initial configurations:
SSL_CTX* ctx_in;
const SSL_METHOD *method;
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
method = TLS_server_method();
ctx_in = SSL_CTX_new(method);
//Setup trusted certs & list of clients CA
SSL_CTX_set_verify(ctx_in, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth(ctx_in, 1); //our certificate chain contain only 1 more root CA
//Load issuer certificate from memory
X509_STORE* store = SSL_CTX_get_cert_store(ctx_in);
X509_STORE_add_cert(store, certinMem(caVerifClientReal);
SSL_CTX_set_client_CA_list(ctx_in, NULL);
SSL_CTX_add_client_CA(ctx_in, certinMem(pubClientReal));
//Setup curves parameters
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh (ctx_in, ecdh);
EC_KEY_free(ecdh);
//Set options
SSL_CTX_set_options(ctx_in, SSL_OP_SINGLE_ECDH_USE && SSL_MODE_AUTO_RETRY);
...
+ Main loop:
char buf[1024];
struct sockaddr_in addr; //client
socklen_t len = sizeof(addr);
while (1)
{
//initialize buffer
buf[0] = '\0';
int client = accept(server, reinterpret_cast<struct sockaddr*>(&addr), &len);
if (-1 != client)
{
//set SSL security
const char* const PREFERRED_CIPHERS = "ECDHE-RSA-AES256-SHA"; //define cipher suite used for SSL connection
SSL_set_cipher_list(ssl, PREFERRED_CIPHERS);
//set SSL socket
SSL_set_fd(ssl, client); /* set connection socket to SSL state */
if (SSL_accept(ssl) == FAIL) //waits for a client to initiate the handshake
{/* do SSL-protocol accept */
ERR_print_errors_fp(stderr);
}
else
{
verifCerts(ssl);
int ret = -1;
ret = SSL_do_handshake(ssl); //check connection
if (ret <= 0)
{
ERR_print_errors_fp(stderr);
}
else
{
//wait on buffer
int bytes = SSL_read(ssl, buf, sizeof(buf));
//here bytes return -1, and there is no error with SSL_get_errors
}
}
sd = SSL_get_fd(ssl); /* get socket connection */
close(sd); /* close connection */
}
Huy-Cong VU
Platform hardware member
Network administrator
Wandercraft
09 72 58 77 03
More information about the openssl-users
mailing list