[openssl-dev] [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect function

Viktor Dukhovni openssl-users at dukhovni.org
Mon Sep 28 16:02:18 UTC 2015


On Mon, Sep 28, 2015 at 03:31:40PM +0000, Tiantian Liu via RT wrote:

> I updated the ticket [openssl.org #4060] with some code and log file.
> I have to tell you, the previous SSLv23_method, I commented it out this
> time, worked fine with me and the SSL server. I just changed that line to
> TLSv1_2_method. Now my application always crashes when I call SSL_connect().

You SHOULD NOT switch to TLSv1_2_method().  Keep using SSLv23_method().  Just
disable SSLv2 and SSLv3 via something like:

    SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);

> SSL_CTX *initialize_ctx_ex(char *keyfile, char *password, char *ca_list,
>                            char *random, char *error, char *diag, char isDiag) {
>     SSL_METHOD *meth;
>     SSL_CTX *ctx;
>
>     /* Create our context */
>     //meth = SSLv3_method();     /* I previously applied the SSLv23 method, and it worked fine for me. */
>     meth = TLSv1_2_method();     /* Now I switch to TLSv1.2, I just changed this one line in my code */

Is the library initialization code elsewhere?

> 	SSL_CTX_set_verify_depth(ctx, 1);

That's much too restrictive; is the peer's certificate always signed
directly by a trusted root?

> 	if (random && *random)
> 	{
> 		if(!(RAND_load_file(random, 1024*1024))) {
> 			strcpy(error, "Couldn't load randomness");
> 			if (isDiag) {
> 				SerialWriteTestLine_Time(error, diag);
> 			}
> 			return NULL;
> 		}
> 	}

This looks bogus.


> If my code doesn't help you, could you please give some
> instructions/technical doc to tell me how to use TLSv1.2 for SSL
> communication. If you can offer me some simple code to set up an SSL
> communication channel with TLSv1.2, that's helpful! Thanks!

You don't need to make any changes to your code to use TLS 1.2,
just recompile the same code with OpenSSL 1.0.1 or later.  To
disable SSLv2 and SSLv3, see above.

You have still provided no information as to what you mean by "crash".

-- 
	Viktor.