[openssl-users] Openssl 1.0.2o issue with FIPS mode set.

Ajay Nalawade ajay.nalawade at gmail.com
Fri Jul 6 12:25:02 UTC 2018


The issue is not seen with OpenSSL version 1.0.2g. The issue is present in all
versions after 1.0.2g.

Thanks,
Ajay

On Fri, Jul 6, 2018 at 11:33 AM Ajay Nalawade <ajay.nalawade at gmail.com>
wrote:

> Here are some more observations.
> 1. It did not take much load to cause this error (creating even 2
> connections in parallel gives this issue).
> 2. While a client is sending data, another client connecting does not
> error. The error seems to occur only when two clients try to handshake
> together. If we serialise SSL wrap, even thousands of clients do not give
> this issue.
> 3. There comes a time (after 40 iterations in case of 3 parallel
> handshaking clients) after which the server kind of gives up and keeps on
> giving the same error no matter how much we slow down the clients (I stopped
> my client script for 5 minutes before trying again).
>
> On Thu, Jul 5, 2018 at 6:29 PM Ajay Nalawade <ajay.nalawade at gmail.com>
> wrote:
>
>> package main
>>
>> import (
>>     "log"
>>     "net"
>>     "net/http"
>>     "fmt"
>>     "os"
>>     "bufio"
>>     "io"
>>     "strconv"
>>     "github.com/spacemonkeygo/openssl"
>> )
>>
>> // init_fips switches the OpenSSL library into FIPS mode before any TLS use.
>> func init_fips() {
>>         err := openssl.FIPSModeSet(true)
>>         if err != nil {
>>                 panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set fips mode.", err))
>>         }
>>         log.Print("OpenSSL FIPS mode is set to: True\n")
>> }
>>
>> func main() {
>>     init_fips()
>>
>>     laddr := "0.0.0.0:443"
>>     var ln net.Listener
>>     var err error
>>
>>     // Init SSL shared context used across connections
>>     ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt",
>> "/etc/certs/sslcert.key")
>>     if err != nil {
>>         log.Fatalf("Failed to read ssl certificate. Error: %v", err)
>>     }
>>
>>     // Set options and do not allow SSLv2 and SSLv3 communication
>>     _ = ctx.SetOptions(openssl.CipherServerPreference |
>>         openssl.NoSSLv2 | openssl.NoSSLv3)
>>
>>     // Listen on bind address; the TLS context is shared by all connections
>>     ln, err = openssl.Listen("tcp", laddr, ctx)
>>     if err != nil {
>>         log.Printf("Failed to start server. Error: %v", err)
>>         os.Exit(1)
>>     }
>>     log.Println("Started secure server")
>>     log.Print("server: listening")
>>     for {
>>         accepted, err := ln.Accept()
>>
>>         if err != nil {
>>             log.Printf("Got errored while accepting connection. %v", err)
>>             return
>>         }
>>
>>         go handleClient(accepted)
>>     }
>> }
>>
>> func handleClient(conn net.Conn) {
>>     defer conn.Close()
>>     reader := bufio.NewReader(conn)
>>     for {
>>         //log.Print("server: conn: waiting")
>>         var err error
>>         httpreq, err := http.ReadRequest(reader)
>>         if err != nil {
>>                 log.Printf("Errored while reading request. Error: %v", err)
>>                 break
>>         }
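>>         // Echo server: read exactly ContentLength bytes of the request body
>>         if httpreq.ContentLength < 0 {
>>                 log.Print("Request has no Content-Length; closing connection")
>>                 break
>>         }
>>         buf := make([]byte, httpreq.ContentLength)
>>         toread := int(httpreq.ContentLength)
>>         rbytes := 0
>>         n := 0
>>         for toread > 0 {
>>                 n, err = httpreq.Body.Read(buf[rbytes:])
>>                 if err != nil && err != io.EOF {
>>                         log.Printf("Errored while reading request body. Error: %v", err)
>>                         break
>>                 }
>>                 rbytes += n
>>                 toread = toread - n
>>         }
>>         if toread > 0 {
>>                 break // body read failed; drop the connection
>>         }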
>>
>>         resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+
>>                 strconv.Itoa(len(buf))+"\r\n\r\n"), buf...)
>>         written, err := conn.Write(resp)
>>         if err != nil {
>>                 log.Printf("Errored while writing response. Error: %v", err)
>>                 break
>>         }
>>
>>         log.Printf("server: conn: wrote %d bytes", written)
>>
>>     }
>>     log.Println("server: conn: closed")
>> }
>>
>> On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <ajay.nalawade at gmail.com>
>> wrote:
>>
>>> I am able to reproduce this issue with the attached Go-based server. Am
>>> I doing anything wrong here?
>>> Is there any known issue, or any workaround available for this issue?
>>>
>>> Thanks,
>>> Ajay
>>>
>>> On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <ajay.nalawade at gmail.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I have a Go-based OpenSSL server with FIPS mode set. I am using an
>>>> OpenSSL library built with FIPS module 2.0.
>>>> With OpenSSL version 1.0.1u, everything was running fine.
>>>> Recently I upgraded to version 1.0.2o. With this version, under high
>>>> traffic conditions (more than 4k requests per minute), the read request fails
>>>> with the following error.
>>>> "SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad
>>>> record mac"
>>>>
>>>> If I disable FIPS mode, everything runs fine. Is there any known issue
>>>> with version 1.0.2o with FIPS mode set?
>>>>
>>>> Thanks a lot in advance,
>>>> Ajay
>>>>
>>>