[openssl-users] SSL-Connection

Konstantinos Schoinas ece8537 at upnet.gr
Fri Sep 21 15:55:48 UTC 2018 

Hello,

I αμ encountering a problem in ending a SSL-Connection properly, and i 
wonder if there is a problem of my application or a problem of openSSL.

My setup is:

Host Computer: ovs-dpdk (virtual switch)
vm1 : openssl
vm2 : dpdk-application (role of a virtual switch that connect vm1 and 
vm3)
vm3 : apache2 server

Role of each component:

vm1 : Just trying to connect to apache2 server through openssl
vm2 : Dpdk-applcation that is a learning switch.Its purpose is to block 
the traffic if openssl (or some client) is trying to connect to a 
forbidden Server)
vm3 : Just the Server

So what I am actually doing is blocking the connection by responding 
with a TLS-alert (fatal , unrecognized name)
When I do that it take some time for open ssl to end the connection .But 
after 2 or 3 seconds I see that open ssl in VM1 has read my response 
even in the actual Desktop.I see that it has read 7 bytes and the 
correct ssl-alert message that I send.(I check these on Wireshark as 
well).

But that's a problem cause it take a lots of time.So the other thing I 
tried was to also send a TCP PACKET with a RST value in order to end the 
TCP session as well.That solved the problem from the perspective of 
speed because It now close the connection really fast but the problem is 
that now openssl don’t read my alert packet and the reason I closed the 
connection.I wanna mention also that when I receive the Client-Hello I 
response immediately with 2 packets .The one is the TLS-alert and the 
other one is TCP-RST packet.

So my questions are these:
1)Is TCP reset the correct way to end the TLS-session(Handshake) after 
TLS alert message?If yes shall I send these 2 packets together as I do 
now?(forgive me, for my lack of knowledge on TCP)
2)Is there another way to end the connection except TCP(Reset)?
3)Is there a possibility that openssl read only TCP reset and not my 
alert packet, so for that reason the I only see connection closed but 
not the actual reason?
4)Is there a better way to do this?

My end goal is to end the connection properly and openssl reads my 
SSl-alert message, so I will get in Vm1( with openssl) connection closed 
with unrecognized name as the actual reason.

Thanks for your time,

Konstantinos Schoinas

More information about the openssl-users mailing list