[openssl-users] Issue with DTLS for UDP
Matt Caswell
matt at openssl.org
Tue Oct 31 15:19:08 UTC 2017
I did not get the pcap file? Perhaps it got blocked due to message size.
Try sending it direct to me.
Matt
On 31/10/17 13:26, Grace Priscilla Jero wrote:
> Matt,
> Here is more info on the process backtrace where it is stuck.
>
> cat /proc/15602/stack
> [<ffffffff812ab64d>] inet_csk_accept+0xc1/0x1f0
> [<ffffffff812cc3b5>] inet_accept+0x28/0xf5
> [<ffffffff81267362>] sys_accept4+0x11b/0x1b8
> [<ffffffff8126740a>] sys_accept+0xb/0xd
> [<ffffffff81312152>] system_call_fastpath+0x16/0x1b
> [<ffffffffffffffff>] 0xffffffffffffffff
>
> Thanks,
> Grace
>
> On Tue, Oct 31, 2017 at 4:22 PM, Grace Priscilla Jero
> <grace.priscilla at gmail.com <mailto:grace.priscilla at gmail.com>> wrote:
>
> Please find attached the pcap. It only has Client Hello.
> While debugging SSL_accept, I see it stuck in s->method->ssl_read_bytes
>
> Thanks,
> Grace
>
>
> On Tue, Oct 31, 2017 at 4:16 PM, Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
>
>
>
> On 31/10/17 10:40, Grace Priscilla Jero wrote:
> > Hi Matt,
> > yes, we have found that later and have add the call backs. But we never
> > get the Client Hello with cookie. The Hello verify request is sent from
> > the server.
> >
> > Thanks for pointing out that listen was for cookies. Now without that
> > providing the SSL_accept, it hangs. We are unable to figure out why it
> > hangs. Only client hello is sent. Is there any way to spot what is going
> > wrong.
>
> I suggest you use Wireshark to take a look what is happening on
> the wire.
>
> Matt
>
>
> >
> > Thanks,
> > Grace
> >
> > On Tue, Oct 31, 2017 at 3:50 PM, Matt Caswell <matt at openssl.org <mailto:matt at openssl.org>
> > <mailto:matt at openssl.org <mailto:matt at openssl.org>>> wrote:
> >
> >
> >
> > On 31/10/17 06:06, Grace Priscilla Jero wrote:
> > > Thankyou for the suggestions. After correcting few options the
> > > "ClientHello" goes successfully but we have failure in "DTLSv1_listen".
> > > There are'nt any cookies in the Client Hello request.
> > > But DTLSv1_listen return error and the failure in see is in
> > > "SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);"
> >
> > This is most likely because you haven't called
> > SSL_CTX_set_cookie_generate_cb() first.
> >
> > > We are using 1.1.0f version. Is there a way we can disable cookies?
> >
> > Well the whole *point* of calling DTLSv1_listen() is to generate those
> > cookies. If you don't want cookies, don't call it.
> >
> > Matt
> >
> > >
> > > Thanks,
> > > Grace
> > >
> > > On Fri, Oct 27, 2017 at 12:39 PM, Grace Priscilla Jero
> > > <grace.priscilla at gmail.com <mailto:grace.priscilla at gmail.com>
> <mailto:grace.priscilla at gmail.com
> <mailto:grace.priscilla at gmail.com>>
> > <mailto:grace.priscilla at gmail.com
> <mailto:grace.priscilla at gmail.com>
> > <mailto:grace.priscilla at gmail.com <mailto:grace.priscilla at gmail.com>>>>
> wrote:
> > >
> > > Hi Matt,
> > >
> > > SSL_get_error() returns 5.
> > > It is the same socket using which the UDP connection is established.
> > > Could you suggest some logging that can be done for OPENSSL.
> > >
> > > Thanks,
> > > Grace
> > >
> > >
> > > On Thu, Oct 26, 2017 at 9:23 PM, Matt Caswell <matt at openssl.org <mailto:matt at openssl.org>
> <mailto:matt at openssl.org <mailto:matt at openssl.org>>
> > > <mailto:matt at openssl.org <mailto:matt at openssl.org>
> <mailto:matt at openssl.org <mailto:matt at openssl.org>>>> wrote:
> > >
> > >
> > >
> > > On 26/10/17 16:43, Grace Priscilla Jero wrote:
> > > > Thankyou for the responses.
> > > > We figured the issue. But now we are getting
> error -5
> > from "SSL_connect"
> > > > and the errno is set to 22 which means invalid
> argument.
> > > > Is there a easy way to debug or get logs for
> SSL_connect.
> > > >
> > > > Below is the sequence for the dtls udp connect
> that we
> > are trying.
> > > > ssl = SSL_new(ctx)
> > > > bio = BIO_new_dgram(sock_id,BIO_NOCLOSE)
> > > > SSL_set_bio(ssl, bio, bio);
> > > > VI_res = SSL_connect(ssl)
> > >
> > > Do you really mean SSL_connect() returns -5? Or
> do you
> > mean that
> > > after a
> > > negative return value from SSL_connect() you call
> > > SSL_get_error() and
> > > that return 5 (SSL_ERROR_SYSCALL)?
> > >
> > > If you really mean SSL_connect() returns -5 then
> you need
> > to call
> > > SSL_get_error() as a next step.
> > >
> > > If you are getting SSL_ERROR_SYSCALL then my
> guess is that
> > there
> > > is a
> > > problem with sock_id. How do create it?
> > >
> > > Matt
> > >
> > >
> > > >
> > > >
> > > >
> > > > Thanks,
> > > > Grace
> > > >
> > > > On Tue, Oct 24, 2017 at 4:07 PM, Matt Caswell
> > <matt at openssl.org <mailto:matt at openssl.org>
> <mailto:matt at openssl.org <mailto:matt at openssl.org>>
> <mailto:matt at openssl.org <mailto:matt at openssl.org>
> > <mailto:matt at openssl.org <mailto:matt at openssl.org>>>
> > > > <mailto:matt at openssl.org
> <mailto:matt at openssl.org> <mailto:matt at openssl.org
> <mailto:matt at openssl.org>>
> > <mailto:matt at openssl.org <mailto:matt at openssl.org>
> <mailto:matt at openssl.org <mailto:matt at openssl.org>>>>> wrote:
> > > >
> > > >
> > > >
> > > > On 24/10/17 11:25, Grace Priscilla Jero wrote:
> > > > > We are using SSL_accept to accept the
> connection
> > for which we see the
> > > > > failure. Please let know if you have any
> thoughts.
> > > >
> > > > Have you set the wbio correctly? Does
> SSL_get_wbio()
> > return your wbio
> > > > object if you call it immediately before
> > SSL_do_handshake()?
> > > >
> > > > Matt
> > > >
> > > > --
> > > > openssl-users mailing list
> > > > To unsubscribe:
> > > >
> > https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>>
> > >
> <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>>>
> > > >
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>>
> > >
> <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>>>>
> > > >
> > > >
> > > >
> > > >
> > > --
> > > openssl-users mailing list
> > > To unsubscribe:
> > >
> https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>>
> > >
> <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>>>
> > >
> > >
> > >
> > >
> > >
> > --
> > openssl-users mailing list
> > To unsubscribe:
> > https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
> > <https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>>
> >
> >
> >
> >
> --
> openssl-users mailing list
> To unsubscribe:
> https://mta.openssl.org/mailman/listinfo/openssl-users
> <https://mta.openssl.org/mailman/listinfo/openssl-users>
>
>
>
>
>
More information about the openssl-users
mailing list