[openssl-users] OpenSSL Dragino Yun Issues

Nikola Milev nikola.n.milev at gmail.com
Fri Sep 2 15:50:54 UTC 2016


Matt,

The suggested workaround seems to be working. I say "seems to be" because I
have only tested it a little. It was tested using openssl s_client. Also, I
suppose this doesn't present a security breach?

Of course, if anyone manages to locate the origin of the issue, I would
like to hear from them.

Resent the mail so that everyone else can see it.

Best regards,

Nikola Milev

On Sep 2, 2016 11:31 AM, "Matt Caswell" <matt at openssl.org> wrote:

>
>
> On 02/09/16 10:16, Nikola Milev wrote:
> > Matt,
> >
> > I am not sure I understand.
> >
> > acc = BIO_new_accept(PORT);
> >
> >
> > BIO_set_bind_mode(acc, BIO_BIND_REUSEADDR_IF_UNUSED);
> > if(!acc)
> > {
> >     server_error_("Error creating server socket");
> > }
> > if (BIO_do_accept(acc) <= 0)
> > {
> >    server_error_("Error binding server socket");
> > }
> >
> > Looking at this chunk of code, I am a bit confused. Is not the socket
> > created with BIO in BIO_new_accept() call?
> >
> > Am I supposed to create acc BIO using the socket(), then
> > BIO_new_socket(), then BIO_set_port() and, afterwards, omit the first
> > BIO_do_accept() call?
>
> I'm suggesting you don't use BIO for that piece of your code. Just do
> regular "socket", "bind", "listen" and "accept" calls like you had in
> your simple server code. In that code you had a variable "connfd" which
> represented the incoming connection file descriptor. You can then wrap
> that "connfd" in a BIO:
>
>     bio = BIO_new(BIO_s_socket());
>
>     if (bio == NULL) {
>         goto err;
>     }
>     BIO_set_fd(bio, connfd, BIO_NOCLOSE);
>
> Now you can just set that BIO on the SSL object:
>
>     SSL_set_bio(ssl, bio, bio);
>
>
> Matt
>
>
> >
> >
> > On Sep 2, 2016 10:32 AM, "Matt Caswell" <matt at openssl.org> wrote:
> >
> >
> >
> >     On 02/09/16 09:15, Nikola Milev wrote:
> >     > Matt,
> >     >
> >     > I have not compiled it myself. Compiling simpler applications for my
> >     > Dragino Yun shield is complicated enough.
> >     >
> >     > One thing that did come to mind was: could the cross compilation for
> >     > Dragino be messing with the program in any way? Also quite new in
> >     > all of it.
> >
> >
> >     Possibly, but I'm not familiar with Dragino so I can't really comment.
> >
> >     >
> >     > Back to OpenSSL, are there any additional settings that could have
> >     > caused the error?
> >
> >     None that spring to mind.
> >
> >     >
> >     > Also, I have a question about this issue on Stack Overflow. If we
> >     > resolve the issue, I think it would be good to post it there as an
> >     > answer, if you agree.
> >
> >     Sure.
> >
> >     If you are unable to compile OpenSSL and it doesn't have debugging
> >     symbols then it's going to be difficult to take the diagnosis of this
> >     problem much further.
> >
> >     An alternative solution for you might be a "workaround". Rather than
> >     calling BIO_do_accept(), you could create the socket yourself directly
> >     (i.e. not using the BIO calls). Once you have the socket file
> >     descriptor you can create a BIO from it using BIO_new_socket().
> >
> >     Matt
> >
> >
> >     > Best regards,
> >     > Nikola
> >     >
> >     >
> >     > On Sep 2, 2016 9:51 AM, "Matt Caswell" <matt at openssl.org> wrote:
> >     >
> >     >
> >     >
> >     >     On 01/09/16 12:36, Nikola Milev wrote:
> >     >     >     listenfd = socket (AF_INET, SOCK_STREAM, PROTOCOL);
> >     >     >     if(listenfd < 0)
> >     >     >     {
> >     >     >         exit_msg("socket() error");
> >     >     >     }
> >     >
> >     >     The fact that this worked suggests that maybe we aren't sending what we
> >     >     think we are sending as the parameters to the equivalent socket call in
> >     >     OpenSSL. Either that or something really weird is happening that causes
> >     >     it to fail when called from OpenSSL, but not from a standalone program!!
> >     >
> >     >     Did you compile OpenSSL yourself, or are you using pre-built binaries?
> >     >     If you compiled it yourself then I could provide you with a small patch
> >     >     to instrument the code to figure out what parameters are being sent to
> >     >     "socket"...either that or you could take a look at it in a debugger if
> >     >     it has been compiled with debugging symbols.
> >     >
> >     >     Matt
> >     >
> >
>