Openssl seems to inspects application data?

Tomas Mraz tomas at openssl.org
Wed Mar 27 08:25:44 UTC 2024


It is mentioned here:
https://www.openssl.org/docs/manmaster/man3/SSL_get_error.html

In addition to ssl and ret, SSL_get_error() inspects the current
thread's OpenSSL error queue. Thus, SSL_get_error() must be used in the
same thread that performed the TLS/SSL I/O operation, and no other
OpenSSL function calls should appear in between. The current thread's
error queue must be empty before the TLS/SSL I/O operation is
attempted, or SSL_get_error() will not work reliably.

Yeah, it should probably also be mentioned on the SSL_read() and
SSL_write() manpages.

Tomas Mraz, OpenSSL


On Wed, 2024-03-27 at 07:28 +0000, Kreissl, Jochen wrote:
> 
> Okay, I added an err_clear_all before calling ssl_read and now it
> seems to work.
> I am quite baffled.
> Is there anywhere in the docs I can read up on this (when to reset
> the err queue)?
> From: Kreissl, Jochen <Jochen.Kreissl at vector.com>
> Sent: Wednesday, March 27, 2024 7:41:44 AM
> To: Neil Horman <nhorman at openssl.org>
> Cc: openssl-users at openssl.org <openssl-users at openssl.org>
> Subject: Re: Openssl seems to inspects application data?
> 
> I am getting it on ssl_read.
> 
> Still debugging. Right now, it seems that our custom BIO is called
> three times.
> 
> - First ssl reads 5 bytes (header).
> - Second: we fetch some 1600-ish bytes. Still not enough for the
> entire record (the chain is roughly 7 kb long)
> - Last: our BIO is running out of data (network packages not
> available yet) and returns a 0 and sets the BIO flag to retry_send.
> We have this retry_send behavior in other places too and it works
> (e.g. during handshake with the certificate message).
> 
> But in this instance, somewhere in the internals of ssl_read, an error
> occurs following the return code 0.
> 
> We get a -1 from ssl_read and then call SSL_get_error – which gives us
> a fatal SSL_ERROR_SSL.
> 
> We then call ERR_get_error and get the aforementioned, weird error
> code.
> I’m still trying to find the exact spot where the internals of
> ssl_read fail.
> 
> From: Neil Horman <nhorman at openssl.org>
> Sent: Tuesday, March 26, 2024 6:55:25 PM
> To: Kreissl, Jochen <Jochen.Kreissl at vector.com>
> Cc: openssl-users at openssl.org <openssl-users at openssl.org>
> Subject: Re: Openssl seems to inspects application data?
> 
> What library call are you getting that error in response to?  If you
> believe that this is coming from some attempt to interpret
> application data (which you are correct, it shouldn't be, unless the
> application auth protocol is somehow getting aliased as a tls control
> message of some sort), then I would, after the handshake, clear the
> error stack, and check it after a call from SSL_read returns.
>  
> On Tue, Mar 26, 2024 at 1:38 PM Kreissl, Jochen
> <Jochen.Kreissl at vector.com> wrote:
> > 
> > Hi,
> >  
> > I am using openssl (3.2) in an application.
> > Handshake works just fine but I get a very weird behavior when I
> > receive a big certificate chain inside application data (TLS 1.3
> > but NOT using Post-Handshake Auth, this is some level-7 auth
> > protocol on top of tls).
> > The openssl error I get is error:0308010C:digital envelope
> > routines::unsupported
> > Which … seems to indicate that openssl is trying (and failing) to
> > interpret the certificate chain…?
> >  
> > I really don’t understand what is going on.
> > I thought openssl would treat any application data sent
> > using SSL_write following a completed handshake as opaque for
> > openssl – because why would it look inside and try to parse
> > something?
> >  
> > Does anyone have an explanation or have encountered something
> > similar?
> >  
> > Regards
> > 
> > Jochen

-- 
Tomáš Mráz, OpenSSL


