<div dir="ltr"><div><div>I patched s_server to send a fake OCSP content (4 bytes).<br>I suppose the server will just push that to the client and the client should fail complaining it's not a correct OCSP response.<br>But the server crash with:<br>ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed: s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH<br><br></div><div>Command line used:<br></div><div><br>./openssl s_server -dtls1_2 -port 5684 -cipher ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8 -CAfile ca.pem -cert server.pem -key server.key -chainCAfile bundle.pem -status -status_verbose -mtu 1200<br><br></div>and<br>./openssl s_client -dtls1_2 -port 5684 -psk 73656372657450534b -host localhost -cipher ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:PSK-AES256-CCM8:PSK-AES128-CCM8 -CAfile ca.pem -verify_hostname "IMEI:1234567890" -cert client.pem -key client.key -chainCAfile bundle-client.pem -status<br><br><br></div><div>I attached also the test certificate and keys.<br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>--<br>Julien Vermillard</div></div></div></div>
<br><div class="gmail_quote">On Mon, Aug 29, 2016 at 6:17 PM, Julien Vermillard <span dir="ltr"><<a href="mailto:jvermillard@gmail.com" target="_blank">jvermillard@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It's a mix of C and Go, so it's really not minimal, but I'll try to modify s_server to see if I can reproduce it.<br></div><div class="gmail_extra"><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div>--<br>Julien Vermillard</div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Mon, Aug 29, 2016 at 6:13 PM, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><br>
<br>
On 29/08/16 17:08, Julien Vermillard wrote:<br>
> I have a DTLS 1.2 server based on last master (commit<br>
> d196305aa0de1fc38837c27cb1ea6e<wbr>60af9dd98d)<br>
> I try to add ocsp stapling support (based on code in s_server.c).<br>
><br>
> Basicaly in my callback I set the OCSP response by:<br>
><br>
><br>
> if (SSL_set_tlsext_status_ocsp_re<wbr>sp(s,dataPtr,respLen) == 0) {<br>
> return SSL_TLSEXT_ERR_NOACK;<br>
> } else {<br>
> return SSL_TLSEXT_ERR_OK;<br>
> }<br>
><br>
> but if my server manage to get an OCSP response it crash with this message:<br>
><br>
> ssl/statem/statem_dtls.c:127: OpenSSL internal error: assertion failed:<br>
> s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH<br>
><br>
> Any clue?<br>
<br>
</span>Do you have some minimal reproducer?<br>
<span><font color="#888888"><br>
Matt<br>
<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailma<wbr>n/listinfo/openssl-users</a><br>
</font></span></blockquote></div><br></div></div></div>
</blockquote></div><br></div>