[openssl-users] Authentication over ECDHE

Matt Caswell matt at openssl.org
Fri Dec 28 17:17:39 UTC 2018



On 28/12/2018 10:22, Christian wrote:
> Thank you for the suggestions thus far. I've been working on a simple SSL
> client/server system in the last couple days. Unfortunately the SSL
> documentation is a right mess, so I don't know what is allowed and what is not,
> which leads to some problems that I don't know exactly how to tackle on.
> 
> First of all, I opted for the cipher "ECDHE-PSK-AES128-CBC-SHA256". As Matt
> suggested, using PSKs does reduce a lot of complexity in this scenario - if I've
> been understanding him correctly, this cipher should give us forward secrecy
> while still relying on a pre-shared key, which also authenticates both sides to
> each other.

Yes, this is correct.

> When I run my server, and then run my client, it receives the data
> the server sends without any problems.
> 
> However, things start to get messy once the keys mismatch, as would in any
> attacker scenario. The client initiates the handshake, but on the server side
> SSL_accept() returns -1, the client receives no data (as should). Then I start
> the client *again*. On the server side SSL_accept() returns -1 again, but this
> time the client blocks in SSL_read() (I haven't implemented timeout handling
> yet, as this still all runs on my testing environments). It's almost as if
> SSL_shutdown on the server side does not notify the client that the connection
> is to be closed.

Which version of OpenSSL is this? (I don't remember if you said this already).

Note that SSL_shutdown is intended for orderly shutdown of a successful, active
SSL/TLS connection. It is not supposed to be called if the connection has failed
for some reason. If the server decides to abort the connection it should have
already sent a fatal alert.

>> LABEL_NEXT_CLIENT:
>>         fprintf(stderr,"SSL_shutdown\n");
>>         SSL_shutdown(ssl);
>>         fprintf(stderr,"SSL_clear\n");
>>         SSL_clear(ssl);

Please check the return code of this SSL_clear function. It can fail, and if it
does it means the SSL object has not been cleared properly, and that will cause
all sorts of weird, difficult to debug failures later on.

Matt
