<div dir="auto">Matt,<div dir="auto">If you have any way to enable some kind of logging it will be useful to find what is the issue.</div><div dir="auto">Why do we get error 2 for ssl_accept. We have seen this for connect but not sure why we get it for accept.</div><div dir="auto"><br></div><div dir="auto">Thanks,</div><div dir="auto">Grace</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 31-Oct-2017 6:56 PM, "Grace Priscilla Jero" <<a href="mailto:grace.priscilla@gmail.com">grace.priscilla@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Matt,<div>Here is more info on the process backtrace where it is stuck.</div><div><br></div><div><div>cat /proc/15602/stack</div><div>[<ffffffff812ab64d>] inet_csk_accept+0xc1/0x1f0</div><div>[<ffffffff812cc3b5>] inet_accept+0x28/0xf5</div><div>[<ffffffff81267362>] sys_accept4+0x11b/0x1b8</div><div>[<ffffffff8126740a>] sys_accept+0xb/0xd</div><div>[<ffffffff81312152>] system_call_fastpath+0x16/0x1b</div><div>[<ffffffffffffffff>] 0xffffffffffffffff</div></div><div><br></div><div>Thanks,</div><div>Grace</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 31, 2017 at 4:22 PM, Grace Priscilla Jero <span dir="ltr"><<a href="mailto:grace.priscilla@gmail.com" target="_blank">grace.priscilla@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Please find attached the pcap. It only has Client Hello.<div>While debugging SSL_accept, I see it stuck in s->method->ssl_read_bytes</div><div><br></div><div>Thanks,</div><div>Grace<div><div class="m_-3077854818570081502h5"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 31, 2017 at 4:16 PM, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="m_-3077854818570081502m_-752940523419733577gmail-"><br>
<br>
On 31/10/17 10:40, Grace Priscilla Jero wrote:<br>
> Hi Matt,<br>
> yes, we have found that later and have add the call backs. But we never<br>
> get the Client Hello with cookie. The Hello verify request is sent from<br>
> the server.<br>
><br>
> Thanks for pointing out that listen was for cookies. Now without that<br>
> providing the SSL_accept, it hangs. We are unable to figure out why it<br>
> hangs. Only client hello is sent. Is there any way to spot what is going<br>
> wrong.<br>
<br>
</span>I suggest you use Wireshark to take a look what is happening on the wire.<br>
<br>
Matt<br>
<br>
<br>
><br>
> Thanks,<br>
> Grace<br>
><br>
<span class="m_-3077854818570081502m_-752940523419733577gmail-">> On Tue, Oct 31, 2017 at 3:50 PM, Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
</span><span class="m_-3077854818570081502m_-752940523419733577gmail-">> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>> wrote:<br>
><br>
><br>
><br>
> On 31/10/17 06:06, Grace Priscilla Jero wrote:<br>
> > Thankyou for the suggestions. After correcting few options the<br>
> > "ClientHello" goes successfully but we have failure in "DTLSv1_listen".<br>
> > There are'nt any cookies in the Client Hello request.<br>
> > But DTLSv1_listen return error and the failure in see is in<br>
> > "SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAIL<wbr>URE);"<br>
><br>
> This is most likely because you haven't called<br>
> SSL_CTX_set_cookie_generate_c<wbr>b() first.<br>
><br>
> > We are using 1.1.0f version. Is there a way we can disable cookies?<br>
><br>
> Well the whole *point* of calling DTLSv1_listen() is to generate those<br>
> cookies. If you don't want cookies, don't call it.<br>
><br>
> Matt<br>
><br>
> ><br>
> > Thanks,<br>
> > Grace<br>
> ><br>
> > On Fri, Oct 27, 2017 at 12:39 PM, Grace Priscilla Jero<br>
> > <<a href="mailto:grace.priscilla@gmail.com" target="_blank">grace.priscilla@gmail.com</a> <mailto:<a href="mailto:grace.priscilla@gmail.com" target="_blank">grace.priscilla@gmail.<wbr>com</a>><br>
</span>> <mailto:<a href="mailto:grace.priscilla@gmail.com" target="_blank">grace.priscilla@gmail<wbr>.com</a><br>
<span class="m_-3077854818570081502m_-752940523419733577gmail-im m_-3077854818570081502m_-752940523419733577gmail-HOEnZb">> <mailto:<a href="mailto:grace.priscilla@gmail.com" target="_blank">grace.priscilla@gmail<wbr>.com</a>>>> wrote:<br>
> ><br>
> > Hi Matt,<br>
> ><br>
> > SSL_get_error() returns 5. <br>
> > It is the same socket using which the UDP connection is established.<br>
> > Could you suggest some logging that can be done for OPENSSL.<br>
> ><br>
> > Thanks,<br>
> > Grace<br>
> ><br>
> ><br>
> > On Thu, Oct 26, 2017 at 9:23 PM, Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
</span><div class="m_-3077854818570081502m_-752940523419733577gmail-HOEnZb"><div class="m_-3077854818570081502m_-752940523419733577gmail-h5">> > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>> wrote:<br>
> ><br>
> ><br>
> ><br>
> > On 26/10/17 16:43, Grace Priscilla Jero wrote:<br>
> > > Thankyou for the responses.<br>
> > > We figured the issue. But now we are getting error -5<br>
> from "SSL_connect"<br>
> > > and the errno is set to 22 which means invalid argument.<br>
> > > Is there a easy way to debug or get logs for SSL_connect.<br>
> > ><br>
> > > Below is the sequence for the dtls udp connect that we<br>
> are trying.<br>
> > > ssl = SSL_new(ctx)<br>
> > > bio = BIO_new_dgram(sock_id,BIO_NOCL<wbr>OSE)<br>
> > > SSL_set_bio(ssl, bio, bio);<br>
> > > VI_res = SSL_connect(ssl)<br>
> ><br>
> > Do you really mean SSL_connect() returns -5? Or do you<br>
> mean that<br>
> > after a<br>
> > negative return value from SSL_connect() you call<br>
> > SSL_get_error() and<br>
> > that return 5 (SSL_ERROR_SYSCALL)?<br>
> ><br>
> > If you really mean SSL_connect() returns -5 then you need<br>
> to call<br>
> > SSL_get_error() as a next step.<br>
> ><br>
> > If you are getting SSL_ERROR_SYSCALL then my guess is that<br>
> there<br>
> > is a<br>
> > problem with sock_id. How do create it?<br>
> ><br>
> > Matt<br>
> ><br>
> ><br>
> > ><br>
> > ><br>
> > ><br>
> > > Thanks,<br>
> > > Grace<br>
> > ><br>
> > > On Tue, Oct 24, 2017 at 4:07 PM, Matt Caswell<br>
> <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>><br>
> > > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>>> wrote:<br>
> > ><br>
> > ><br>
> > ><br>
> > > On 24/10/17 11:25, Grace Priscilla Jero wrote:<br>
> > > > We are using SSL_accept to accept the connection<br>
> for which we see the<br>
> > > > failure. Please let know if you have any thoughts.<br>
> > ><br>
> > > Have you set the wbio correctly? Does SSL_get_wbio()<br>
> return your wbio<br>
> > > object if you call it immediately before<br>
> SSL_do_handshake()?<br>
> > ><br>
> > > Matt<br>
> > ><br>
> > > --<br>
> > > openssl-users mailing list<br>
> > > To unsubscribe:<br>
> > > <br>
> <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a><br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a>><br>
> > <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a><br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a>>><br>
> > > <br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mai<wbr>lman/listinfo/openssl-users</a><br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a>><br>
> > <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a><br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a>>>><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > --<br>
> > openssl-users mailing list<br>
> > To unsubscribe:<br>
> > <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailm<wbr>an/listinfo/openssl-users</a><br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a>><br>
> > <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a><br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a>>><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> --<br>
> openssl-users mailing list<br>
> To unsubscribe:<br>
> <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailm<wbr>an/listinfo/openssl-users</a><br>
> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mail<wbr>man/listinfo/openssl-users</a>><br>
><br>
><br>
><br>
><br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailma<wbr>n/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div></div></div></div></div>
</blockquote></div><br></div>
</blockquote></div></div>