<div dir="ltr">Hi Matt,<div><br></div><div>I have raised bug.</div><div><br></div><div><a href="https://github.com/openssl/openssl/issues/4763">https://github.com/openssl/openssl/issues/4763</a><br></div><div><br></div><div>Thanks,</div><div>Mahesh G S</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 21, 2017 at 3:26 PM, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sounds like a bug. Can you raise this as an issue on github?<br>
<br>
<a href="https://github.com/openssl/openssl/issues" rel="noreferrer" target="_blank">https://github.com/openssl/<wbr>openssl/issues</a><br>
<br>
Thanks<br>
<br>
Matt<br>
<span class=""><br>
<br>
On 21/11/17 08:53, mahesh gs wrote:<br>
> Hi,<br>
><br>
> We were able to further localize this problem and found the problem is<br>
> with the function "BIO_dgram_sctp_wait_for_dry". In this function after<br>
> enabling the "sctp_sender_dry_event" we are trying to do MSG_PEEK to<br>
> peek to the message at SCTP layer, in this case the size of the message<br>
> waiting in the lower layer is 15 which size is exactly the size of<br>
> "Handshake Alert" that is received from the server and waiting to be<br>
> read. Dry event is never read from the lower layer that causes the<br>
> SUB_STATE_ERROR and intern causes the SSL_Connect to loop in application.<br>
><br>
> Current version of openssl we are using is 01.01.00g.<br>
><br>
> We have tested and able to reproduce this issue with the OPENSSL<br>
> 01.00.02k version that is packaged with RHEL 7.4 as well.<br>
><br>
><br>
> Thanks,<br>
> Mahesh G S<br>
><br>
> On Mon, Nov 20, 2017 at 4:42 PM, mahesh gs <<a href="mailto:mahesh116@gmail.com">mahesh116@gmail.com</a><br>
</span><span class="">> <mailto:<a href="mailto:mahesh116@gmail.com">mahesh116@gmail.com</a>>> wrote:<br>
><br>
> Hi Matt,<br>
><br>
> Thanks for the response.<br>
><br>
> We debugged through openssl code to get to know the reason why<br>
> client is not reading "SSL Alert".<br>
><br>
> Once the "ClientKeyExchange" is sent openssl trying to send out the<br>
> "ChangeCipherSpec" message which is creating the problem. <br>
><br>
> The pre-work function for "ChangeCipherSpec" enables SCTP dry event<br>
> and wait for dry event notification.<br>
><br>
</span><span class="">> Inline image 1<br>
><br>
><br>
> In this scenario, dry notification is never sent from SCTP.<br>
> "dtls_wait_for_dry" always returns "WORK_MORE_A". Hereafter flow<br>
> never enters "read_state_machine" where alert is to be red.This<br>
> causes SSL_Connect to be in infinite loop.<br>
><br>
><br>
> Thanks,<br>
> Mahesh G S<br>
><br>
> On Fri, Nov 17, 2017 at 3:36 PM, Matt Caswell <<a href="mailto:matt@openssl.org">matt@openssl.org</a><br>
</span><span class="">> <mailto:<a href="mailto:matt@openssl.org">matt@openssl.org</a>>> wrote:<br>
><br>
><br>
><br>
> On 17/11/17 06:42, mahesh gs wrote:<br>
> > Why<br>
> > does client respond with "Client key exchange" even if the the handshake<br>
> > failure alert is sent from server?<br>
><br>
> The client will send its entire flight of messages before it<br>
> attempts to<br>
> read anything from the server. So, in this case, the<br>
> ClientKeyExchange<br>
> message is still sent because the client hasn't read the alert yet.<br>
><br>
> Matt<br>
><br>
> --<br>
> openssl-users mailing list<br>
> To unsubscribe:<br>
> <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</span>> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><wbr>><br>
<div class="HOEnZb"><div class="h5">><br>
><br>
><br>
><br>
><br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div>