[openssl-dev] [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect function

Tiantian Liu via RT rt at openssl.org
Tue Sep 29 14:45:46 UTC 2015


Hi Matt,
Thanks for the prompt response!
I can confirm that my application crashed INSIDE the SSL_connect() function.
So SSL_connect() has no chance to return the 'res' value to me for analysis.
I know this because I inserted a debug message before and after SSL_connect(). You can see it in the following code.

    /*
     * My debug statement wrote the " Going to call SSL_connect() 15" into my trace file
     * And this message string is THE LAST message in my trace file.
     */
    if (isDiag) {
        SerialWriteTestLine_int_Time("Going to call SSL_connect()", timeout, diag);
    }
    res = SSL_connect(ssl);
    /*
     * Oooop!!! The following statement was not executed! No debug message in my trace file anymore.
     */
    if (isDiag) {
        SerialWriteTestLine_int_Time("SSL_connect res ", res, diag);
    }
    if (res <= 0) {
        sslerror = SSL_get_error(ssl, res);
        if (sslerror == SSL_ERROR_WANT_READ) {
            isexp = is_expired(exptime);
            if (isexp == 1) {
                if (isDiag) {
                    SerialWriteTestLine_int_Time("ConnectSSL [SSL_connect(ssl)] failed Timeout", timeout, diag);
                }
                strcpy(error, "SSL connect error");
                return 0;
            }
            continue;
        }

So, do you have any idea how to get more information from inside SSL_connect()? Should I re-compile and re-install the OpenSSL lib?
I tried to configure OpenSSL with option '-d' to enable the debug feature, but I got a compilation error.

Is there any incorrect setup in the BIO, SSL context and socket? I am using all the setup from the previous SSLv23_method().
P.S.: I can reach the server with the OpenSSL command:

#openssl s_client -connect  <server URL>:PORT -tls1_2

The openssl command returned the following information, which looks like I can talk to the SSL server over TLS1.2:
depth=1 C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = "Trustwave Organization Validation SHA256 CA, Level 1", emailAddress = ca at trustwave.com
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=dev-dataconnect.givex.com/O=Givex Canada Corp/L=Toronto/ST=Ontario/C=CA
   i:/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation SHA256 CA, Level 1/emailAddress=ca at trustwave.com
 1 s:/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation SHA256 CA, Level 1/emailAddress=ca at trustwave.com
   i:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
---
Server certificate
subject=/CN=dev-dataconnect.givex.com/O=Givex Canada Corp/L=Toronto/ST=Ontario/C=CA
issuer=/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation SHA256 CA, Level 1/emailAddress=ca at trustwave.com
---
No client certificate CA names sent
---
SSL handshake has read 2946 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: A6FF6BD6DA9406A8C6148FDDA74E5603FAF8272A5ECFDF1679BA1939F8FC3B25
    Session-ID-ctx:
    Master-Key: 822DCFBFB88F2B4B2BBB9093CE490F8868A0B24BCDAAD0BEB3C717C2EA54DECA4196817E1C5D4C16457B4054C24132C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1443544275
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed



Thanks,
Tyler 


-----Original Message-----
From: Matt Caswell via RT [mailto:rt at openssl.org] 
Sent: September-29-15 10:05 AM
To: Tiantian Liu
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect function



On 29/09/15 14:56, Tiantian Liu via RT wrote:
> Hi Matt & Vi
> 
> I tried SSLv23_method(), and precluded/excluded all of SSLv2, SSLv3 and TLSv1. I only enabled TLSv1.2 via SSL_CTX_set_options().
> You can see my previous code:  
> 
> /*setup up by SSLv23_method*/
> meth = SSLv23_method();
> ctx = SSL_CTX_new(meth);
> ............
> ............
> /*Only allow TLSv1.2 protocol*/
> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | 
> SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
> 
> 
> However, the above code didn't work; I couldn't reach the server. Though SSL_connect() didn't crash, it returned:
> 
> 17:49:12.939 [5499]- SSL_connect res : -1

What is the result of SSL_get_error()? Also check the OpenSSL error queue (see ERR_print_errors or ERR_print_errors_fp).

Matt




