<div dir="ltr">Issue is not seen for Openssl version 1.0.2g. Issue is present for all versions post 1.0.2g.<div><br></div><div>Thanks,</div><div>Ajay</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jul 6, 2018 at 11:33 AM Ajay Nalawade <<a href="mailto:ajay.nalawade@gmail.com">ajay.nalawade@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here are some more observations.<div><span>1. It did not take much load to cause this error(Creating even 2 connections in parallel gives this issue). </span><br></div><div><div style="font-variant-ligatures:normal">2. While a client is sending data, another client connecting does not error. The error seems to be only when two clients try to handshake together. If we serialise ssl wrap even thousands of clients do not give this issue.</div><div style="font-variant-ligatures:normal">3. There comes a time(after 40 iterations in case of 3 parallel handshaking clients) after which the server kind of gives up and keeps on giving the same error no matter how much we slow down the clients(I stopped my client script for 5 minutes before trying again).<span class="m_4283781151816195581sewksy0l7gtboay"></span><span class="m_4283781151816195581sewv1elyxgh2kq1"></span></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 5, 2018 at 6:29 PM Ajay Nalawade <<a href="mailto:ajay.nalawade@gmail.com" target="_blank">ajay.nalawade@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>package main</div><div><br></div><div>import (</div><div> "log"</div><div> "net"</div><div> "net/http"</div><div> "fmt"</div><div> "os"</div><div> "bufio"</div><div> "io"</div><div> "strconv"</div><div> "<a href="http://github.com/spacemonkeygo/openssl" target="_blank">github.com/spacemonkeygo/openssl</a>"</div><div>)</div><div><br></div><div>func init_fips() {</div><div> err := openssl.FIPSModeSet(true)</div><div> if err != nil {</div><div> panic(fmt.Errorf("%v Error:%v\n", "openssl failed to set fips mode.", err))</div><div> }</div><div> log.Print("OpenSSL FIPS mode is set to: True\n")</div><div>}</div><div><br></div><div>func main() {</div><div> init_fips()</div><div> </div><div> laddr := "<a href="http://0.0.0.0:443" target="_blank">0.0.0.0:443</a>"</div><div> var ln net.Listener</div><div> var err error</div><div><br></div><div> // Init SSL shared context used across connections</div><div> ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt", "/etc/certs/sslcert.key")</div><div> if err != nil {</div><div> log.Fatalf("Failed to read ssl certificate. Error: %v", err)</div><div> }</div><div><br></div><div> // Set options and do not allow SSLv2 and SSLv3 communication</div><div> _ = ctx.SetOptions(openssl.CipherServerPreference |</div><div> openssl.NoSSLv2 | openssl.NoSSLv3)</div><div><br></div><div> // Read certificate</div><div> // Listen on bind address</div><div> ln, err = openssl.Listen("tcp", laddr, ctx)</div><div><br></div><div> if err != nil {</div><div> log.Fatalf("Failed to start server. Error: %v",</div><div> err)</div><div> os.Exit(1)</div><div> } else {</div><div> log.Println("Started secure server")</div><div> }</div><div> if err != nil {</div><div> log.Fatalf("server: listen: %s", err)</div><div> }</div><div> log.Print("server: listening")</div><div> for {</div><div> accepted, err := ln.Accept()</div><div><br></div><div> if err != nil {</div><div> log.Println("Got errored while accepting connection. %v", err)</div><div> return</div><div> }</div><div><br></div><div> go handleClient(accepted)</div><div> }</div><div>}</div><div><br></div><div>func handleClient(conn net.Conn) {</div><div> defer conn.Close()</div><div> reader := bufio.NewReader(conn)</div><div> for {</div><div> //log.Print("server: conn: waiting")</div><div> var err error</div><div> httpreq, err := http.ReadRequest(reader)</div><div> if err != nil {</div><div> log.Print("Errored while reading request. Error: %v", err)</div><div> break</div><div> }</div><div> buf := make([]byte, httpreq.ContentLength)</div><div> toread := int(httpreq.ContentLength)</div><div> rbytes := 0</div><div> n := 0</div><div> for toread > 0 {</div><div> n, err = httpreq.Body.Read(buf[rbytes:])</div><div> if err != nil && err != io.EOF {</div><div> log.Print("Errored while reading request body. Error: %v", err)</div><div> break</div><div> }</div><div> rbytes += n</div><div> toread = toread - n</div><div> }</div><div><br></div><div> resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+</div><div> strconv.Itoa(len(buf))+"\r\n\r\n"), buf...)</div><div> _, err = conn.Write(resp)</div><div> if err != nil {</div><div> log.Print("Errored while writing response. Error: %v", err)</div><div> break</div><div> }</div><div><br></div><div> log.Printf("server: conn: wrote %d bytes", n)</div><div><br></div><div> }</div><div> log.Println("server: conn: closed")</div><div>}<span class="m_4283781151816195581m_-7949456846156831088sew4jzin0g3e3hy"></span><span class="m_4283781151816195581m_-7949456846156831088sewhvqz38jfa6bp"></span></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <<a href="mailto:ajay.nalawade@gmail.com" target="_blank">ajay.nalawade@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am able to reproduce this issue with attached go lang based server. Am I doing anything wrong here.<div>Is there any known issue, or any workaround available for this issue.</div><div><br></div><div>Thanks,</div><div>Ajay</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <<a href="mailto:ajay.nalawade@gmail.com" target="_blank">ajay.nalawade@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I have golang based openssl server with FIPS mode set. I am using Openssl library build with fips module 2.0.<div>With Openssl 1.0.1u version, everything was running fine.</div><div>Recently I upgraded to version 1.0.2o. With this version, under high traffic condition (more than 4k requests per minute), read request fails with following error.</div><div>"SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"</div><div><br></div><div>If I disable FIPS mode, every thing runs fine. Is there any known issue with version 1.0.2o with FIPS mode set.</div><div><br></div><div><div>Thanks a lot in advance,</div></div></div><div>Ajay</div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>