[openssl-users] Openssl 1.0.2o issue with FIPS mode set.
Ajay Nalawade
ajay.nalawade at gmail.com
Thu Jul 5 12:59:01 UTC 2018
package main
import (
"log"
"net"
"net/http"
"fmt"
"os"
"bufio"
"io"
"strconv"
"github.com/spacemonkeygo/openssl"
)
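// init_fips switches the linked OpenSSL library into FIPS mode. It must run
// before any TLS context is created so every later handshake uses the FIPS
// cipher set. Failure is fatal (panic): a server that silently continued in
// non-FIPS mode would defeat the point of calling this at all.
func init_fips() {
	if err := openssl.FIPSModeSet(true); err != nil {
		// The original message literal was broken across two source lines
		// (mail wrapping) and did not compile; this is the same message as
		// one string.
		panic(fmt.Errorf("openssl failed to set fips mode: %v", err))
	}
	log.Print("OpenSSL FIPS mode is set to: True\n")
}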
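// main enables FIPS mode, builds one shared TLS context from the on-disk
// certificate and key, listens for TLS connections and hands each accepted
// connection to handleClient on its own goroutine. Setup failures exit the
// process through log.Fatalf; an Accept error ends the serve loop.
func main() {
	init_fips()

	// The bind address can be overridden through LISTEN_ADDR (useful for
	// non-root test runs); the default preserves the original behaviour of
	// listening on every interface, port 443.
	laddr := os.Getenv("LISTEN_ADDR")
	if laddr == "" {
		laddr = "0.0.0.0:443"
	}

	// One shared context: the certificate and key are parsed once and
	// reused by every connection accepted below.
	ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt", "/etc/certs/sslcert.key")
	if err != nil {
		log.Fatalf("Failed to read ssl certificate. Error: %v", err)
	}

	// Prefer the server's cipher order and refuse SSLv2/SSLv3. Note that
	// this option set still permits TLS 1.0 and 1.1; tightening that is a
	// deployment decision and is deliberately left as in the original.
	_ = ctx.SetOptions(openssl.CipherServerPreference | openssl.NoSSLv2 | openssl.NoSSLv3)

	ln, err := openssl.Listen("tcp", laddr, ctx)
	if err != nil {
		// log.Fatalf exits; the os.Exit(1) and the second err check that
		// followed in the original were unreachable.
		log.Fatalf("Failed to start server. Error: %v", err)
	}
	log.Println("Started secure server")
	log.Print("server: listening")

	for {
		accepted, err := ln.Accept()
		if err != nil {
			// Printf, not Println: the original passed a %v directive to
			// Println and logged the literal text "%v" instead of the error.
			log.Printf("Got errored while accepting connection. %v", err)
			return
		}
		go handleClient(accepted)
	}
}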
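// maxBodyBytes bounds how much of a client-declared Content-Length the echo
// server is willing to allocate per request. Without a bound a remote peer
// can make the server allocate arbitrary memory by sending a large header.
const maxBodyBytes = 1 << 20

// readBody reads the body declared by the request's Content-Length into
// memory and closes req.Body. On failure it returns the HTTP status the
// caller should send: 411 when no length was declared (ContentLength == -1,
// e.g. chunked encoding — the original make() would have panicked on the
// negative size), 413 when the declared length exceeds limit, and 400 when
// the client sent fewer bytes than it declared.
func readBody(req *http.Request, limit int64) ([]byte, int, error) {
	defer req.Body.Close()
	switch {
	case req.ContentLength < 0:
		return nil, http.StatusLengthRequired, fmt.Errorf("request body length not declared")
	case req.ContentLength > limit:
		return nil, http.StatusRequestEntityTooLarge,
			fmt.Errorf("content length %d exceeds limit %d", req.ContentLength, limit)
	}
	buf := make([]byte, req.ContentLength)
	// io.ReadFull turns a short body into io.ErrUnexpectedEOF. The original
	// hand-written loop treated (0, io.EOF) as success and kept spinning
	// until the declared count was reached, so a client that sent fewer
	// bytes than its Content-Length pinned a goroutine at 100% CPU.
	if _, err := io.ReadFull(req.Body, buf); err != nil {
		return nil, http.StatusBadRequest, err
	}
	return buf, http.StatusOK, nil
}

// handleClient serves one TLS connection: it parses HTTP/1.1 requests off
// the connection in a loop and echoes each request body back as a 200
// response with a matching Content-Length. The connection is closed when a
// request cannot be parsed, when its body cannot be read, or when a write
// fails. There is no read deadline on the connection, so an idle client
// holds its goroutine open indefinitely (unchanged from the original).
func handleClient(conn net.Conn) {
	defer conn.Close()
	reader := bufio.NewReader(conn)
	for {
		req, err := http.ReadRequest(reader)
		if err != nil {
			log.Printf("Errored while reading request. Error: %v", err)
			break
		}

		body, status, err := readBody(req, maxBodyBytes)
		if err != nil {
			log.Printf("Errored while reading request body. Error: %v", err)
			// Best effort: tell the client why, then drop the connection —
			// after a short or undeclared body the stream is no longer at
			// a request boundary, so it cannot be reused.
			_, _ = conn.Write([]byte("HTTP/1.1 " + strconv.Itoa(status) + " " + http.StatusText(status) +
				"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"))
			break
		}

		// Echo exactly the bytes that were read; the original advertised
		// len(buf) even when fewer bytes had arrived, padding with zeros.
		resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+
			strconv.Itoa(len(body))+"\r\n\r\n"), body...)
		written, err := conn.Write(resp)
		if err != nil {
			log.Printf("Errored while writing response. Error: %v", err)
			break
		}
		// Log the response size actually written; the original logged the
		// count from the last Body.Read call instead.
		log.Printf("server: conn: wrote %d bytes", written)
	}
	log.Println("server: conn: closed")
}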
On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <ajay.nalawade at gmail.com>
wrote:
> I am able to reproduce this issue with the attached Go-based server (listing above). Am I
> doing anything wrong here?
> Is there any known issue, or any workaround available for this issue?
>
> Thanks,
> Ajay
>
> On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <ajay.nalawade at gmail.com>
> wrote:
>
>> Hello,
>>
>> I have a Go-based OpenSSL server with FIPS mode set. I am using an OpenSSL
>> library built with the FIPS module 2.0.
>> With Openssl 1.0.1u version, everything was running fine.
>> Recently I upgraded to version 1.0.2o. With this version, under high
>> traffic condition (more than 4k requests per minute), read request fails
>> with following error.
>> "SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad record
>> mac"
>>
>> If I disable FIPS mode, everything runs fine. Is there any known issue
>> with version 1.0.2o with FIPS mode set?
>>
>> Thanks a lot in advance,
>> Ajay
>>
>