[openssl-dev] [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect function

Tiantian Liu via RT rt at openssl.org
Tue Sep 29 13:56:06 UTC 2015


Hi Matt & Vi

I tried SSLv23_method() and precluded/excluded all of SSLv2, SSLv3 and TLSv1. I only enabled TLSv1.2 via SSL_CTX_set_options().
You can see my previous code:  

/*setup up by SSLv23_method*/
meth = SSLv23_method();
ctx = SSL_CTX_new(meth);
............
............
/*Only allow TLSv1.2 protocol*/
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);


However, the above code didn't work. I couldn't reach the server. Although SSL_connect() didn't crash, it returned:

17:49:12.939 [5499]- SSL_connect res : -1

17:49:12.939 [5499]- Going to call SSL_connect(): 15

17:49:12.939 [5499]- SSL_connect res : -1

17:49:12.939 [5499]- Going to call SSL_connect(): 15

17:49:12.939 [5499]- SSL_connect res : -1

17:49:12.939 [5499]- Going to call SSL_connect(): 15

17:49:12.940 [5499]- SSL_connect res : -1

17:49:12.940 [5499]- Going to call SSL_connect(): 15

17:49:12.940 [5499]- SSL_connect res : -1

17:49:12.940 [5499]- Going to call SSL_connect(): 15

17:49:12.940 [5499]- SSL_connect res : -1

17:49:12.940 [5499]- Going to call SSL_connect(): 15

17:49:12.940 [5499]- SSL_connect res : -1

17:49:12.940 [5499]- Going to call SSL_connect(): 15

17:49:12.940 [5499]- SSL_connect res : -1

17:49:12.941 [5499]- Going to call SSL_connect(): 15

17:49:12.941 [5499]- SSL_connect res : -1

17:49:12.941 [5499]- Going to call SSL_connect(): 15

17:49:12.941 [5499]- SSL_connect res : -1

17:49:12.941 [5499]- Going to call SSL_connect(): 15

I will continue to investigate, and keep updating the ticket. I will adopt your idea to see if I can obtain more information during the crash.
Thanks,
Tyler 

-----Original Message-----
From: Matt Caswell via RT [mailto:rt at openssl.org] 
Sent: September-29-15 4:25 AM
To: Tiantian Liu
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect function

I agree with everything Viktor said. In particular that you should continue to use SSLv23_method. Some additional comments below:

On 28/09/15 16:31, Tiantian Liu via RT wrote:

> 			sslerror = SSL_get_error(ssl, res);
> 			if (sslerror == SSL_ERROR_WANT_READ) {
> 				isexp = is_expired(exptime);
> 				if (isexp == 1) {
> 					strcpy(error, "SSL connect error");
> 					return 0;
> 				}
> 				continue;
> 			}
> 			strcpy(error, "SSL connect error");
> 			return 0;

You need to handle more than just SSL_ERROR_WANT_READ here. You should also handle SSL_ERROR_WANT_WRITE. You could get either returned from a call to SSL_connect.

Please can you supply a backtrace from your crash? Also a packet capture between your application and the server would be useful.

Matt
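
An added example, not code from this thread or from the OpenSSL project: one way to act on the advice above on a non-blocking socket, treating SSL_ERROR_WANT_WRITE like SSL_ERROR_WANT_READ and sleeping in poll() until the socket is ready in the requested direction before SSL_connect() is called again. handshake_wait() and now_ms() are hypothetical names, and the deadline handling is an assumption standing in for the quoted is_expired() check.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

/* Same values as in <openssl/ssl.h>; skipped when that header is included first. */
#ifndef SSL_ERROR_WANT_READ
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#endif

/* Hypothetical helper: milliseconds on the monotonic clock. */
long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Hypothetical helper: call after SSL_connect() returns <= 0 on a non-blocking
 * socket, passing the SSL_get_error() code. Sleeps in poll() until fd is ready
 * in the direction OpenSSL asked for, or deadline_ms (a now_ms() value) passes.
 * Returns 1 = call SSL_connect() again, 0 = timed out, -1 = fatal. */
int handshake_wait(int fd, int sslerror, long long deadline_ms)
{
    struct pollfd pfd = { .fd = fd, .events = 0, .revents = 0 };
    if (sslerror == SSL_ERROR_WANT_READ)
        pfd.events = POLLIN;            /* handshake needs data from the peer */
    else if (sslerror == SSL_ERROR_WANT_WRITE)
        pfd.events = POLLOUT;           /* handshake needs room to send */
    else
        return -1;                      /* not a retryable condition */
    for (;;) {
        long long left = deadline_ms - now_ms();
        if (left <= 0)
            return 0;
        int n = poll(&pfd, 1, left > 1000 ? 1000 : (int)left);
        if (n > 0)
            return (pfd.revents & POLLNVAL) ? -1 : 1;
        if (n < 0 && errno != EINTR)
            return -1;
    }
}

/* In place of the quoted loop (ssl, fd and deadline set up by the caller):
 *   while ((res = SSL_connect(ssl)) <= 0)
 *       if (handshake_wait(fd, SSL_get_error(ssl, res), deadline) <= 0)
 *           return 0;                  (timed out or fatal error)          */
```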




