<div dir="ltr"><div>package main</div><div><br></div><div>import (</div><div> "log"</div><div> "net"</div><div> "net/http"</div><div> "fmt"</div><div> "os"</div><div> "bufio"</div><div> "io"</div><div> "strconv"</div><div> "<a href="http://github.com/spacemonkeygo/openssl">github.com/spacemonkeygo/openssl</a>"</div><div>)</div><div><br></div><div>func init_fips() {</div><div> err := openssl.FIPSModeSet(true)</div><div> if err != nil {</div><div> panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set fips mode.", err))</div><div> }</div><div> log.Print("OpenSSL FIPS mode is set to: True\n")</div><div>}</div><div><br></div><div>func main() {</div><div> init_fips()</div><div> </div><div> laddr := "<a href="http://0.0.0.0:443">0.0.0.0:443</a>"</div><div> var ln net.Listener</div><div> var err error</div><div><br></div><div> // Init SSL shared context used across connections</div><div> ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt", "/etc/certs/sslcert.key")</div><div> if err != nil {</div><div> log.Fatalf("Failed to read ssl certificate. Error: %v", err)</div><div> }</div><div><br></div><div> // Set options and do not allow SSLv2 and SSLv3 communication</div><div> _ = ctx.SetOptions(openssl.CipherServerPreference |</div><div> openssl.NoSSLv2 | openssl.NoSSLv3)</div><div><br></div><div> // Read certificate</div><div> // Listen on bind address</div><div> ln, err = openssl.Listen("tcp", laddr, ctx)</div><div><br></div><div> if err != nil {</div><div> log.Fatalf("Failed to start server. Error: %v",</div><div> err)</div><div> os.Exit(1)</div><div> } else {</div><div> log.Println("Started secure server")</div><div> }</div><div> if err != nil {</div><div> log.Fatalf("server: listen: %s", err)</div><div> }</div><div> log.Print("server: listening")</div><div> for {</div><div> accepted, err := ln.Accept()</div><div><br></div><div> if err != nil {</div><div> log.Println("Got errored while accepting connection. %v", err)</div><div> return</div><div> }</div><div><br></div><div> go handleClient(accepted)</div><div> }</div><div>}</div><div><br></div><div>func handleClient(conn net.Conn) {</div><div> defer conn.Close()</div><div> reader := bufio.NewReader(conn)</div><div> for {</div><div> //log.Print("server: conn: waiting")</div><div> var err error</div><div> httpreq, err := http.ReadRequest(reader)</div><div> if err != nil {</div><div> log.Print("Errored while reading request. Error: %v", err)</div><div> break</div><div> }</div><div> buf := make([]byte, httpreq.ContentLength)</div><div> toread := int(httpreq.ContentLength)</div><div> rbytes := 0</div><div> n := 0</div><div> for toread > 0 {</div><div> n, err = httpreq.Body.Read(buf[rbytes:])</div><div> if err != nil && err != io.EOF {</div><div> log.Print("Errored while reading request body. Error: %v", err)</div><div> break</div><div> }</div><div> rbytes += n</div><div> toread = toread - n</div><div> }</div><div><br></div><div> resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+</div><div> strconv.Itoa(len(buf))+"\r\n\r\n"), buf...)</div><div> _, err = conn.Write(resp)</div><div> if err != nil {</div><div> log.Print("Errored while writing response. Error: %v", err)</div><div> break</div><div> }</div><div><br></div><div> log.Printf("server: conn: wrote %d bytes", n)</div><div><br></div><div> }</div><div> log.Println("server: conn: closed")</div><div>}<span class="sew4jzin0g3e3hy"></span><span class="sewhvqz38jfa6bp"></span></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <<a href="mailto:ajay.nalawade@gmail.com">ajay.nalawade@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am able to reproduce this issue with attached go lang based server. Am I doing anything wrong here.<div>Is there any known issue, or any workaround available for this issue.</div><div><br></div><div>Thanks,</div><div>Ajay</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <<a href="mailto:ajay.nalawade@gmail.com" target="_blank">ajay.nalawade@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I have golang based openssl server with FIPS mode set. I am using Openssl library build with fips module 2.0.<div>With Openssl 1.0.1u version, everything was running fine.</div><div>Recently I upgraded to version 1.0.2o. With this version, under high traffic condition (more than 4k requests per minute), read request fails with following error.</div><div>"SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"</div><div><br></div><div>If I disable FIPS mode, every thing runs fine. Is there any known issue with version 1.0.2o with FIPS mode set.</div><div><br></div><div><div>Thanks a lot in advance,</div></div></div><div>Ajay</div></div>
</blockquote></div>
</blockquote></div>