[openssl-users] API SSL_Connect fails and always returns SSL_ERROR_WANT_READ causes infinite loop in application

mahesh gs mahesh116 at gmail.com
Mon Nov 20 11:12:05 UTC 2017


Hi Matt,

Thanks for the response.

We debugged through the openssl code to get to know the reason why the client
is not reading the "SSL Alert".

Once the "ClientKeyExchange" is sent, openssl tries to send out the
"ChangeCipherSpec" message, which is creating the problem.

The pre-work function for "ChangeCipherSpec" enables the SCTP dry event and
waits for the dry event notification.

[image: Inline image 1]


In this scenario, the dry notification is never sent from SCTP.
"dtls_wait_for_dry" always returns "WORK_MORE_A". Hereafter the flow never
enters "read_state_machine", where the alert is to be read. This causes
SSL_Connect to be in an infinite loop.


Thanks,
Mahesh G S

On Fri, Nov 17, 2017 at 3:36 PM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 17/11/17 06:42, mahesh gs wrote:
> > Why does the client respond with "Client key exchange" even if the
> > handshake failure alert is sent from the server?
>
> The client will send its entire flight of messages before it attempts to
> read anything from the server. So, in this case, the ClientKeyExchange
> message is still sent because the client hasn't read the alert yet.
>
> Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 52144 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171120/22ab5007/attachment-0001.png>
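
An application-side guard for the loop described in this message, as an added example that is not code from the original post or from OpenSSL: a handshake driver that stops after a wall-clock budget or a step cap instead of retrying on SSL_ERROR_WANT_READ forever. All names are hypothetical; the step callback stands in for a wrapper around SSL_connect() and SSL_get_error(), and the pipe with one unread byte is a constructed stand-in for a socket that stays readable, on the assumption that the unread alert remains queued.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical names. A real step() would call SSL_connect() and map
 * SSL_get_error() onto hs_status; the stubs below are constructed. */
enum hs_status { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_FATAL };
enum hs_result { HS_OK, HS_FAILED, HS_GAVE_UP };
typedef enum hs_status (*hs_step_fn)(void *ctx);

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
/* Retry step() until it finishes, fails, or the budget or step cap runs out. */
enum hs_result drive_handshake(hs_step_fn step, void *ctx, int fd,
                               long budget_ms, int max_steps) {
    long deadline = now_ms() + budget_ms;
    for (int i = 0; i < max_steps; i++) {
        enum hs_status st = step(ctx);
        if (st == HS_DONE)  return HS_OK;
        if (st == HS_FATAL) return HS_FAILED;
        long left = deadline - now_ms();
        if (left <= 0) return HS_GAVE_UP;
        struct pollfd p = { .fd = fd,
                            .events = st == HS_WANT_READ ? POLLIN : POLLOUT };
        /* poll() returns at once while unread data is queued, so only the
         * deadline and the step cap bound this loop. */
        if (poll(&p, 1, (int)left) < 0 && errno != EINTR) return HS_FAILED;
    }
    return HS_GAVE_UP;
}

enum hs_status always_want_read(void *c) { ++*(int *)c; return HS_WANT_READ; }
enum hs_status done_on_third(void *c) { return ++*(int *)c >= 3 ? HS_DONE : HS_WANT_READ; }
/* Run step against a pipe holding one unread byte, so fd stays readable. */
enum hs_result run_demo(hs_step_fn step, int *calls) {
    int fds[2];
    enum hs_result r = HS_FAILED;
    *calls = 0;
    if (pipe(fds) != 0) return r;
    if (write(fds[1], "x", 1) == 1)
        r = drive_handshake(step, calls, fds[0], 200, 1000);
    close(fds[0]); close(fds[1]);
    return r;
}

int main(void) { int n; return run_demo(always_want_read, &n) != HS_GAVE_UP; }
```

On HS_GAVE_UP the caller would tear the connection down and log the stalled handshake rather than retry.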