<div dir="ltr">Hi,<div><br></div><div>We are using RHEL 7.0</div><div><br></div><div>Linux insvm02 3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux<br></div><div><br></div><div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><div style="font-size:12.8px">We built openssl code by enabling debug options and found that in TLS_ST_SR_CERT_VRFY state openssl checks for the following conditions</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">1) If the datagram type is SCTP : : In this case it is DTLS and set to 1.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">2) Value of s->renegotiate : : in this case the value was set to 2. I guess this is set in post processing function of client hello.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">3) If any sctp message is waiting to be received : : In this case this was true (1). When we debug inside the BIO_dgram_sctp_msg_waiting. We observed that the recvmsg system call returning the size (n = 14 bytes) that is exactly size of the next package (Auth Change Cipher Spec) as shown in the below screenshot. </div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">So this function return "WORK_MORE_A" to the caller "read_state_machine" which intern returns SUB_STATE_ERROR. And this flow keeps repeating.</div><div style="font-size:12.8px">And also we observed that this issue is something to do with the timing of the messages received at SCTP layer. If the post processing message function executed before the next message arrives at SCTP layer, then the SSL negotiation is successful else SSL negotiation hangs at TLS_ST_SR_CERT_VEFY state.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Can someone who is familiar with the openssl code give us some insights about what is the logic behind the if check in TLS_ST_SR_CERT_VRFY state in post processing function ?</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><img src="cid:ii_15b80ab71343a4fe" alt="Inline image 1" width="562" height="468" class="gmail-CToWUd gmail-a6T" tabindex="0"><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><img src="cid:ii_15b80b1742b706bb" alt="Inline image 2" width="562" height="315" class="gmail-CToWUd gmail-a6T" tabindex="0"><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><img src="cid:ii_15b80b4bc10c3a72" alt="Inline image 3" width="562" height="334" class="gmail-CToWUd gmail-a6T" tabindex="0"></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Thanks,</div><div style="font-size:12.8px">Mahesh G S</div></div><div style="font-size:12.8px"><br></div></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 19, 2017 at 1:47 AM, Michael Tuexen <span dir="ltr"><<a href="mailto:Michael.Tuexen@lurchi.franken.de" target="_blank">Michael.Tuexen@lurchi.franken.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">> On 13. Apr 2017, at 11:11, mahesh gs <<a href="mailto:mahesh116@gmail.com">mahesh116@gmail.com</a>> wrote:<br>
><br>
</span><span class="gmail-">> Hi,<br>
><br>
> We are running SCTP connections with DTLS enabled in our application. We have adapted openssl version (openssl-1.1.0e) to achieve the same.<br>
><br>
> We have generated the self signed root and node certificates for testing. We have a strange problem with the incomplete DTLS handshake if we run the DTLS client and DTLS server is different systems.If we run the DTLS client and server in same system handshake is successful, handshake is not successful if run client and server in different VM's.<br>
><br>
> This strange problem happens only for SCTP/DTLS connection. With the same set of certificates TCP/TLS connection is successful and we are able to exchange the application data.<br>
><br>
> I am attaching the code bits for SSL_accept and SSL_connect and also the wireshark trace of unsuccessful handshake. Please assist me to debug this problem.<br>
><br>
> SSL_accept returns SSL_ERROR_WANT_READ(2) infinite times but SSL_connect is called 4 or 5 times and select system call timeout.<br>
</span>Which OS are you using? With a test program I could reproduce SSL_accept() returning SSL_ERROR_WANT_READ under FreeBSD,<br>
but not under Linux. Haven't figured out what the problem is. So if you are using FreeBSD we might experience the same problem...<br>
<span class="gmail-"><br>
Best regards<br>
Michael<br>
><br>
> Thanks,<br>
> Mahesh G S<br>
><br>
><br>
</span>> <testcode.txt><proxy.cap>--<br>
<div class="gmail-HOEnZb"><div class="gmail-h5">> openssl-users mailing list<br>
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div></div>