[openssl-dev] [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect function
Tiantian Liu via RT
rt at openssl.org
Mon Sep 28 15:31:40 UTC 2015
Hi,
I updated the ticket [openssl.org #4060] with some code and log file.
I have to tell you, the previous SSLv23_method, I commented it out this time, worked fine with me and SSL server. I just changed that line to TLSv1_2_method. Now my application always crash when I call SSL_connect().
At first, I created the SSL context by the function below (the function looked returned successfully, because it returned the SSL_CTX boject):
SSL_CTX *initialize_ctx_ex(char *keyfile, char *password, char *ca_list,
char *random, char *error, char *diag, char isDiag) {
SSL_METHOD *meth;
SSL_CTX *ctx;
/* Create our context*/
//meth = SSLv3_method(); /*I previously applied the SSLv23 method, and it worked fine for me.*/
meth = TLSv1_2_method(); /*Now I switch to TLSv1.2, I just changed this one line in my code*/
if (isDiag && meth) {
SerialWriteTestLine_Time("initialize_ctx_ex Call TLSv1_2_method(meth) done.", diag);
}
ctx = SSL_CTX_new(meth);
/* Load the CAs we trust*/
if(!(SSL_CTX_load_verify_locations(ctx, ca_list, 0))) {
sprintf(error, "Couldn't read CA list: %s", ca_list);
if (isDiag) {
SerialWriteTestLine_Time(error, diag);
}
return NULL;
}
SSL_CTX_set_verify_depth(ctx, 1);
/* Load randomness */
if (random && *random)
{
if(!(RAND_load_file(random, 1024*1024))) {
strcpy(error, "Couldn't load randomness");
if (isDiag) {
SerialWriteTestLine_Time(error, diag);
}
return NULL;
}
}
if (isDiag) {
SerialWriteTestLine_Time("Exit initialize_ctx_ex", diag);
}
return ctx;
}
/*The above initialize_ctx_ex () is invoked inside the following function SSL_connect_tr_ex ()*/
int SSL_connect_tr_ex(pTSSL_connect sslc, char *msg, pTSSL_params pssl,
char *diag, char isDiag) {
BIO *sbio;
int res;
/* Build our SSL context*/
memset(sslc, 0, sizeof(TSSL_connect));
if (isDiag) {
SerialWriteTestLine_Time("initialize_ctx", diag);
SerialWriteTestLine_string_Time("initialize_ctx ipADdress ", pssl->ipaddress, diag);
SerialWriteTestLine_int_Time("initialize_ctx ipADdress ", pssl->ipport, diag);
}
/* the function initialize_ctx_ex () looked returned successfully, because it returned the SSL_CTX boject */
sslc->ctx = initialize_ctx_ex(pssl->keyfile, pssl->password, pssl->ca_list,
pssl->random, msg, diag, isDiag);
if (!sslc->ctx) {
if (isDiag) {
SerialWriteTestLine_Time("tcp_connect !ssl->ctx", diag);
}
return 0;
}
/*Then I continue to setup TCP socket to server*/
/* Connect the TCP socket*/
if (isDiag) {
SerialWriteTestLine_Time("tcp_connect", diag);
}
sslc->sock = tcp_connect_timeout_ex(pssl->ipaddress, pssl->ipport, pssl->timeout,
msg, diag, isDiag);
if (sslc->sock == -1) return 0;
/* Connect the SSL socket */
if (isDiag) {
SerialWriteTestLine_Time("Connect the SSL socket [SSL_new(ctx)]", diag);
}
sslc->ssl = SSL_new(sslc->ctx);
if (isDiag) {
SerialWriteTestLine_Time("Connect the SSL socket [BIO_new_socket(sock, BIO_NOCLOSE)]", diag);
}
sbio = BIO_new_socket(sslc->sock, BIO_NOCLOSE);
if (isDiag) {
SerialWriteTestLine_Time("Connect the SSL socket [SSL_set_bio(ssl, sbio, sbio)]", diag);
}
SSL_set_bio(sslc->ssl, sbio, sbio);
if (isDiag) {
SerialWriteTestLine_Time("Connect the SSL socket [ConnectSSL(ssl, sock, msg)]", diag);
}
/*Now I am going to connect, and I got crash in the following function*/
res = ConnectSSL_ex(sslc->ssl, sslc->sock, msg, diag, isDiag, pssl->timeout);
if (!res) {
return 0;
}
return 1;
}
/*My ConnectSSL_ex () is defined*/
int ConnectSSL_ex(SSL *ssl, int sock, char *error, char *diag, char isDiag, int timeout) {
int flag;
int res;
int sslerror;
time_t exptime;
int isexp;
if (isDiag) {
SerialWriteTestLine_Time("ConnectSSL [ioctlsocket(socket, FIONBIO, &flags)]", diag);
}
if (timeout > 15) {
timeout -= 5;
}
exptime = set_expire_time(timeout);
while (TRUE) {
/*!!!!!! I crashed HERE!!!!, the SSL_connect is standard SSL library function!*/
res = SSL_connect(ssl);
/*My application terminated at the SSL_connect() due to crash, because if it returned there should be log message as below*/
if (isDiag) {
SerialWriteTestLine_int_Time("SSL_connect returned and return value is ", res, diag);
}
if (res <= 0) {
sslerror = SSL_get_error(ssl, res);
if (sslerror == SSL_ERROR_WANT_READ) {
isexp = is_expired(exptime);
if (isexp == 1) {
strcpy(error, "SSL connect error");
return 0;
}
continue;
}
strcpy(error, "SSL connect error");
return 0;
}
break;
}
strcpy(error, "SSL connect OK");
return 1;
}
It's there any setup about BIO, or SSL context, should be changed? Or any special compiler flag should be used when I compile my application if I want to use TLSv1.2?
I am suspecting some setup of my OpenSSL library is wrong (wrong configuration when I compiled and installed the openssl-1.0.1p?). Because my application crashed when I
If my code doesn't help you, could you please give some instructions/technical doc to tell me how to use TLSv1.2 for SSL communication. If you can offer me some simple code to setup SSL communication channel with TLSv1.2, that's helpful! Thanks!
Tyler
-----Original Message-----
From: The default queue via RT [mailto:rt at openssl.org]
Sent: September-24-15 12:08 PM
To: Tiantian Liu
Subject: [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect function
Greetings,
This message has been automatically generated in response to the creation of a trouble ticket regarding:
"a crash happened inside SSL_Connect function", a summary of which appears below.
There is no need to reply to this message right now. Your ticket has been assigned an ID of [openssl.org #4060].
Please include the string:
[openssl.org #4060]
in the subject line of all future correspondence about this issue. To do so, you may reply to this message.
Thank you,
rt at openssl.org
-------------------------------------------------------------------------
Hi,
I am a software developer who is struggling on an application development based on OpenSSL 1.0.1 (released on 2012-03-14) under Linux (32-bit Redhat).
I used to use the SSL functions from OpenSSL 0.9.8, and my application worked fine. I applied the SSLv23_method() to setup the SSL context and communicate with customer's server over various SSL/TLS protocols.
While, recently my customer required me to upgrade my OpenSSL library, because their server only support TLS1.2. So I downloaded OpenSSL 1.0.1 source package, then complied and installed successfully.
I configured the OpenSSL as:
#./config -prefix=/usr shared //I have to generate the shared library like libssl.so, libcrypto.so
Then I found my SSL context, setup by SSLv23_method(), stopped working, I can't reach their server anymore. It looked like they didn't understand my handshake message when I called SSL_Connect().
So I switched to the TLSv1_2_method() to build SSL context. However, my program crashed every time when I called SSL_Connect(), I mean crash happened inside the SSL_Connect(), and it didn't return at all.
Now I have tried 2 methods:
1. SSLv23_method() to build SSL context
SSL_METHOD *meth;
SSL_CTX *ctx;
......
meth = SSLv23_method();
ctx = SSL_CTX_new(meth);
//Only allow TLSv1_1 or higher
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
......
The SSL_Connect() resulted in:
ConnectSSL [SSL_connect(ssl)] failed: 5
SSL_ERROR_SYSCALL: 5
2. TLSv1_2_method() to build SSL context
SSL_METHOD *meth;
SSL_CTX *ctx;
......
meth = TLSv1_2_method();
ctx = SSL_CTX_new(meth);
then, the SSL_connect() crashed when I invoked it.
Currently, I don't know how to attack this issue, all the code worked fine before. I just changed the SSLv23_method to TLSv1_2_method. Is there any difference between that 2 functions? What I should do if I want to use the TLSv1_2_method?
I am very pleased if anyone of you have any idea to help me.
Thanks,
Tyler
More information about the openssl-dev
mailing list