ssl client write / server accept seems broken

Embedded Devel lists at optimcloud.com
Tue Mar 23 15:02:55 UTC 2021


On 3/23/21 9:31 PM, Matt Caswell wrote:
>
>
> On 23/03/2021 02:37, Embedded Devel wrote:
>> I have an application previously written for us 10+ years ago that no 
>> longer seems to be happy
>
> Has something happened that might have caused this? Did you upgrade 
> OpenSSL, or do some other kind of update to your code?
>
> Which version of OpenSSL are you using?

surely an openssl upgrade, this code is maybe 7-8 years old

OpenSSL 1.1.1g FIPS  21 Apr 2020 Centos 7


>
>
>>
>> and the original dev is no  longer available, so who can i pay to 
>> bang this out and make it happy, or who can guide me through getting 
>> it functional... basic info below.
>>
>> I have a client process which is supposed to speak to a server via 
>> ssl, and then send data
>>
>> Ive created a "CA" and generated the CSR / and certs for both the 
>> client and the server.
>
> What kind of certs did you generate? How big are the keys? Are you 
> able to share the certs (not the keys)?

original expired certs

-rw-r--r-- 1 root root 1424 Mar 22 16:59 ac_ca_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_ca_key.pem
-rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_client_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_client_key.pem
-rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_server_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_server_key.pem
-rw------- 1 root root 1204 Mar 22 18:24 ca.crt
-rw------- 1 root root 1766 Mar 22 18:23 ca.key

new certs

-rw-r--r-- 1 root root 1529 Mar 22 17:45 myCA.pem
-rw-r--r-- 1 root root 1566 Mar 22 18:04 portaladmin.domain.com.crt
-rw-r--r-- 1 root root 1115 Mar 22 18:04 portaladmin.domain.com.csr
-rw-r--r-- 1 root root  216 Mar 22 18:04 portaladmin.domain.com.ext
-rw------- 1 root root 1675 Mar 22 18:04 portaladmin.domain.com.key

i can share the certs

-----BEGIN CERTIFICATE-----
MIIEVjCCAz6gAwIBAgIUUfHyC4C5rTOHqYIC2WAmV7t06jowDQYJKoZIhvcNAQEL
BQAwga0xCzAJBgNVBAYTAk5MMRUwEwYDVQQIDAxTJ0dyYXZlbmhhZ2UxFDASBgNV
BAcMC1NHcmF2ZW5oYWdlMR0wGwYDVQQKDBRPcHRpbSBFbnRlcnByaXNlcyBCVjER
MA8GA1UECwwIV2lyZWxlc3MxGjAYBgNVBAMMEWNhLm9wdGltY2xvdWQuY29tMSMw
IQYJKoZIhvcNAQkBFhRhZG1pbkBvcHRpbWNsb3VkLmNvbTAeFw0yMTAzMjIxNzA0
MDlaFw0yMzA2MjUxNzA0MDlaMIG3MQswCQYDVQQGEwJOTDEVMBMGA1UECAwMUydH
cmF2ZW5oYWdlMRUwEwYDVQQHDAxTJ0dyYXZlbmhhZ2UxHTAbBgNVBAoMFE9wdGlt
IEVudGVycHJpc2VzIEJWMREwDwYDVQQLDAhXaXJlbGVzczEjMCEGA1UEAwwacG9y
dGFsYWRtaW4ub3B0aW1jbG91ZC5jb20xIzAhBgkqhkiG9w0BCQEWFGFkbWluQG9w
dGltY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuUqI
0sHGKXuSMuEVOvJzPDmMX8HLhIA1qXlBbanEMfdMMTwXelZrQYMYj0D9eiuXfWLE
ddawppFbhFgLpVBG4sG0G9Asm92Knk/9XCONqblvTSIWL1b24LiGQ45At/IeQE7j
UVXoCsivZds2rUQFIWa6ctXZBBCDxBp/RmHZYvaNKuP21mapRh7//eWmzrA5kSgG
4YhGUys38bqsuTJu7I5lDxT1FcJKpYlQn6EZyGPlplYI6JindGUNZVbvHKQlaQ/a
Mom+nJDcbl01G4+AukKcu+AXBCFAA0FDax64bu3EX5phmSSPZymX+RcmJUEU/kxb
/sRUcCwHxtgLXOGwrQIDAQABo2IwYDAfBgNVHSMEGDAWgBSyC0km1cK4ENeQhkI5
VN/hEFcBVDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAlBgNVHREEHjAcghpwb3J0
YWxhZG1pbi5vcHRpbWNsb3VkLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAEto6D/Gt
rTR6Qf3cCrwosI9PpnIRD+Sp3QceMTevuajdCKGU58dTG0MNvqAmr/CmJ4ih9UBi
IBAyR+QxT47PC8bZFSJMI6a3FesTEpAkQnmwkEr3dZ1zns0+651HwsUMuOkAKnYr
4JId48f8NAuSnDKUZeUytAr7lJ+DN32Qa8HQXb78bXuElMjYzUwapMNwJ9NrQjIQ
bUbvByGHFq67maP+/UuxnIJB7vIs9W1Krxx9ewXdKdDpHCyWynnxnWvefVx6aBFR
eIOySv/Wf2rjFvRRS/kdYKXbzj5eUzdRVrka21AfpBqB/ZHFCHCy47PyUYurln30
hd/EInnSdA1pmg==
-----END CERTIFICATE-----


IM inclined top think the code for the certs is ok, but  can really say, 
and im not an openssl programmer by any means... just need someone to 
put eyes on the code and fix it really.


>>
>> when i run the client - i get an error on the client side
>>
>> Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error 
>> SSL_ERROR_SSL - return code: -1.
>> Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error
>
>
> It would be useful to see any errors on the OpenSSL error stack which 
> might provide more details about specifically what has failed. For 
> example you can call the `ERR_print_errors_fp` function to dump the 
> error stack to a `FILE *`. Or alternatively use the `ERR_*` functions 
> to examine the stack and print it to your log:

Yupp above my head.... :(

and lastly if it helps

❯ openssl s_client -connect 46.23.86.244:3490
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim 
Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
admin at optimcloud.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim 
Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
admin at optimcloud.com
verify return:1
depth=0 C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim 
Enterprises BV, OU = Wireless, CN = portaladmin.optimcloud.com, 
emailAddress = admin at optimcloud.com
verify return:1
---
Certificate chain
  0 s:C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim Enterprises 
BV, OU = Wireless, CN = portaladmin.optimcloud.com, emailAddress = 
admin at optimcloud.com
    i:C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises 
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
admin at optimcloud.com
  1 s:C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises 
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
admin at optimcloud.com
    i:C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises 
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
admin at optimcloud.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEVjCCAz6gAwIBAgIUUfHyC4C5rTOHqYIC2WAmV7t06jowDQYJKoZIhvcNAQEL
BQAwga0xCzAJBgNVBAYTAk5MMRUwEwYDVQQIDAxTJ0dyYXZlbmhhZ2UxFDASBgNV
BAcMC1NHcmF2ZW5oYWdlMR0wGwYDVQQKDBRPcHRpbSBFbnRlcnByaXNlcyBCVjER
MA8GA1UECwwIV2lyZWxlc3MxGjAYBgNVBAMMEWNhLm9wdGltY2xvdWQuY29tMSMw
IQYJKoZIhvcNAQkBFhRhZG1pbkBvcHRpbWNsb3VkLmNvbTAeFw0yMTAzMjIxNzA0
MDlaFw0yMzA2MjUxNzA0MDlaMIG3MQswCQYDVQQGEwJOTDEVMBMGA1UECAwMUydH
cmF2ZW5oYWdlMRUwEwYDVQQHDAxTJ0dyYXZlbmhhZ2UxHTAbBgNVBAoMFE9wdGlt
IEVudGVycHJpc2VzIEJWMREwDwYDVQQLDAhXaXJlbGVzczEjMCEGA1UEAwwacG9y
dGFsYWRtaW4ub3B0aW1jbG91ZC5jb20xIzAhBgkqhkiG9w0BCQEWFGFkbWluQG9w
dGltY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuUqI
0sHGKXuSMuEVOvJzPDmMX8HLhIA1qXlBbanEMfdMMTwXelZrQYMYj0D9eiuXfWLE
ddawppFbhFgLpVBG4sG0G9Asm92Knk/9XCONqblvTSIWL1b24LiGQ45At/IeQE7j
UVXoCsivZds2rUQFIWa6ctXZBBCDxBp/RmHZYvaNKuP21mapRh7//eWmzrA5kSgG
4YhGUys38bqsuTJu7I5lDxT1FcJKpYlQn6EZyGPlplYI6JindGUNZVbvHKQlaQ/a
Mom+nJDcbl01G4+AukKcu+AXBCFAA0FDax64bu3EX5phmSSPZymX+RcmJUEU/kxb
/sRUcCwHxtgLXOGwrQIDAQABo2IwYDAfBgNVHSMEGDAWgBSyC0km1cK4ENeQhkI5
VN/hEFcBVDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAlBgNVHREEHjAcghpwb3J0
YWxhZG1pbi5vcHRpbWNsb3VkLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAEto6D/Gt
rTR6Qf3cCrwosI9PpnIRD+Sp3QceMTevuajdCKGU58dTG0MNvqAmr/CmJ4ih9UBi
IBAyR+QxT47PC8bZFSJMI6a3FesTEpAkQnmwkEr3dZ1zns0+651HwsUMuOkAKnYr
4JId48f8NAuSnDKUZeUytAr7lJ+DN32Qa8HQXb78bXuElMjYzUwapMNwJ9NrQjIQ
bUbvByGHFq67maP+/UuxnIJB7vIs9W1Krxx9ewXdKdDpHCyWynnxnWvefVx6aBFR
eIOySv/Wf2rjFvRRS/kdYKXbzj5eUzdRVrka21AfpBqB/ZHFCHCy47PyUYurln30
hd/EInnSdA1pmg==
-----END CERTIFICATE-----
subject=C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim 
Enterprises BV, OU = Wireless, CN = portaladmin.optimcloud.com, 
emailAddress = admin at optimcloud.com

issuer=C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises 
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
admin at optimcloud.com

---
No client certificate CA names sent
Requested Signature Algorithms: 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2835 bytes and written 395 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID: 
DD66A51F2DFECA0871494BC94CA8208FE65C188491878CA035FE88D8961F18F6
     Session-ID-ctx:
     Resumption PSK: 
87400DD8AA4AB035B526CA3C938E76E3E38694A2B3D710FB13215EF20B993F01787C96480C433DB24C435CB4EB4D902B
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:
     0000 - 6b be a1 84 a0 c7 b0 04-6c ef 5b a6 ec a3 63 08 k.......l.[...c.
     0010 - da e0 d4 6d 0a 5e 55 6e-c7 aa 97 87 60 57 58 18 ...m.^Un....`WX.
     0020 - 57 5b 35 1a 7f 85 93 e6-c7 85 ac d7 1c ca ba 7b W[5............{
     0030 - 9d 91 ca b8 e6 af 46 86-04 c2 ef 47 f1 03 46 30 ......F....G..F0
     0040 - be b1 6f b2 43 59 51 07-cb ca da 41 99 85 38 a0 ..o.CYQ....A..8.
     0050 - 16 e2 ed ed 5e ad 03 2f-60 2e 34 df d3 7b c0 09 ....^../`.4..{..
     0060 - cb f6 ef ec 82 82 da 3d-b5 ed d4 7d 7a a1 16 e6 .......=...}z...
     0070 - d9 71 03 74 72 bb a2 2a-29 fd e8 23 10 f8 32 fa .q.tr..*)..#..2.
     0080 - 9d e9 d8 01 c4 0b d7 12-43 7d 2a 8b 7e fa b6 51 ........C}*.~..Q
     0090 - f4 35 64 42 41 08 39 ef-3e a0 1e 48 db 92 11 c7 .5dBA.9.>..H....
     00a0 - 0d 99 d9 0c 66 fa dd ba-ec f3 b2 d3 de 77 cf 9e ....f........w..
     00b0 - 44 77 14 be 76 9a 9b cb-23 20 1d a4 d7 f9 92 ee Dw..v...# ......

     Start Time: 1616511716
     Timeout   : 7200 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID: 
1330829E9B218CE0A1DA23896CBE83F117A9A79DFECE0D1F0D37B4DD7010DE9A
     Session-ID-ctx:
     Resumption PSK: 
DDE3C443AE436A6AD1C3DE7D9F18D4D28BAF0920E199CCF3B44715897E7A1FA375C087FF2BF23F7C85750297F513234A
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:
     0000 - 6b be a1 84 a0 c7 b0 04-6c ef 5b a6 ec a3 63 08 k.......l.[...c.
     0010 - 97 08 a5 e3 40 05 dc 94-21 61 3a 8c cb 55 81 62 .... at ...!a:..U.b
     0020 - 0d 3a 3f 95 4a 23 8e ee-6a f2 a4 b1 61 27 d8 2a .:?.J#..j...a'.*
     0030 - 64 19 16 b6 ae 61 9c 92-0b c3 f0 0a d2 31 8d bb d....a.......1..
     0040 - 2a c6 8c 8b fc a2 ff ab-f4 85 9f 22 ac b6 9b 89 *.........."....
     0050 - b9 76 e5 c5 b1 3c 76 3e-8e 36 c7 22 f9 91 a6 fa .v...<v>.6."....
     0060 - ea 47 38 62 87 cd ff 92-db c4 77 97 10 03 63 7f .G8b......w...c.
     0070 - e1 f3 e3 c0 99 4d fe 0b-0c 1c 74 3f 84 ce 77 b8 .....M....t?..w.
     0080 - 73 04 ae 84 a0 88 6a f1-27 2f 08 e3 2c 32 fb 12 s.....j.'/..,2..
     0090 - 33 c0 4d 54 e1 d1 ee 6e-23 a6 56 79 60 3b 71 6a 3.MT...n#.Vy`;qj
     00a0 - 49 b4 d1 7d 99 6b 77 1f-96 30 20 26 e4 ba f1 5f I..}.kw..0 &..._
     00b0 - 2c 20 00 15 5a 9e 61 d1-5e f9 14 75 69 7d e2 b1   , 
..Z.a.^..ui}..

     Start Time: 1616511717
     Timeout   : 7200 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
ACP/1.0

Method: IGNORE

closed




> https://www.openssl.org/docs/man1.1.1/man3/
>
> Matt


More information about the openssl-users mailing list