[openssl-users] Multiple reconnection in OpenSSL 1.1.0

Huy Cong Vu huy-cong.vu at wandercraft.eu
Tue Jan 16 15:15:14 UTC 2018


----- Original message -----
> From: "Matt Caswell" <matt at openssl.org>
> To: "openssl-users" <openssl-users at openssl.org>
> Sent: Tuesday 16 January 2018 14:57:28
> Subject: Re: [openssl-users] Multiple reconnection in OpenSSL 1.1.0

> On 16/01/18 13:35, Huy Cong Vu wrote:
>> Thanks for the advice, I got these as error:
>> 1408F10B:SSL routines:ssl3_get_record:wrong version
>> number:ssl/record/ssl3_record.c:210
>> 1408F119:SSL routines:ssl3_get_record:decryption failed or bad record
>> mac:ssl/record/ssl3_record.c:375
>> 
>> Does it mean my configuration is not correct, or not synchronized between
>> client and server?
> 
> It means the data OpenSSL is trying to read looks incorrectly formatted.
> This should never normally happen with two correctly working endpoints.
> The first error will normally immediately result in an alert being sent
> and the function call failing - meaning that you'd never get to hit the
> second error. I can't see a way of getting both those errors in a single
> function call - which might suggest some earlier function call has
> failed and the error message is still on the error queue when you call
> SSL_read().

They are not generated in a single function call. Sorry, I wasn't clear.
Like I said, I have a main server loop that receives requests (one at a time) from the same client. The 1st connection is correct, as always, and all the later connections give one of these 2 errors.

> 
> A couple of things to try:
> 
> - Try calling ERR_print_errors_fp() *before* the call to SSL_read() as
> well, to verify there are no errors already in the queue
> - A wireshark trace of the communication between the two endpoints might
> be helpful to figure out what is going wrong

ERR_print_errors_fp() before the call to SSL_read returns nothing, which should be good news...
Browsing in Wireshark, I came across a suspect packet from the client that contains an RST flag after the 1st connection:
797	61.057009	192.168.1.4	192.168.1.121	TCP	54	63862 → 8042 [RST, ACK] Seq=3969 Ack=4619 Win=0 Len=0

Does this help?

> 
> Matt
> 

Huy-Cong VU
Platform hardware member
Network administrator
Wandercraft
09 72 58 77 03
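
An added example, not part of the original message or of OpenSSL's own code: a small C parser for the error lines quoted in this thread, which unpacks the leading hex code using the OpenSSL 1.1.0 layout (8-bit library, 12-bit function, 12-bit reason). The names `err_line` and `parse_err_line` are hypothetical, and the input is assumed to be in the trimmed form pasted above, with the mail line-wrap undone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One line of error-queue output, in the trimmed form quoted in the thread. */
struct err_line {
    unsigned lib, func, reason;  /* unpacked from the 32-bit hex code */
    char reason_text[64], file[64];
    int line;
};

/* Parse "CODE:lib name:func name:reason text:file:line"; 0 on success, -1 on bad shape. */
int parse_err_line(const char *s, struct err_line *out)
{
    char buf[256], *f[6], *p, *end;
    unsigned long code;
    int n = 0;
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    for (p = buf; n < 6; n++) {          /* split on ':' into 6 fields */
        f[n] = p;
        if ((p = strchr(p, ':')) == NULL) { n++; break; }
        *p++ = '\0';
    }
    if (n != 6) return -1;
    code = strtoul(f[0], &end, 16);
    if (end == f[0] || *end != '\0' || code > 0xFFFFFFFFUL) return -1;
    /* OpenSSL 1.1.0 packing: 8-bit library, 12-bit function, 12-bit reason */
    out->lib = (code >> 24) & 0xFF;
    out->func = (code >> 12) & 0xFFF;
    out->reason = code & 0xFFF;
    snprintf(out->reason_text, sizeof out->reason_text, "%s", f[3]);
    snprintf(out->file, sizeof out->file, "%s", f[4]);
    out->line = atoi(f[5]);
    return 0;
}

int main(void)
{
    /* The two errors from the thread, with the mail line-wrap undone. */
    const char *seen[] = {
        "1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:210",
        "1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:ssl/record/ssl3_record.c:375",
    };
    struct err_line e;
    for (int i = 0; i < 2; i++)
        if (parse_err_line(seen[i], &e) == 0)
            printf("lib=%u func=%u reason=%u (%s) at %s:%d\n", e.lib, e.func, e.reason, e.reason_text, e.file, e.line);
    return 0;
}
```

Both lines decode to library 0x14 (20, the SSL library) and function 0x08F, and differ only in the reason field (0x10B versus 0x119).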

