Question about SSL_key_update

Andreas Müller a.mueller at in-chemnitz.de
Thu Jul 9 18:07:41 UTC 2020 

Hi,

I "inherited" our project to support/use TLSv1.3 from a late  
colleague. We have a server written in C++ (Windows, Linux)
and clients (Windows, Linux, also written in C++ and also a Java  
client). With Java, we use the native SSLSocket implementation, in  
Windows we use Schannel and in Linux we use OpenSSL 1.1.1g. It seems  
to work and even interoperability
did not show issues on some initial testing.

I was curious about SSL_key_update. I read that other implementations  
use it automatically, but with OpenSSL I have to
do it manually. So I added a

         int rc = SSL_key_update(ssl, SSL_KEY_UPDATE_REQUESTED);

after 1000 I/O operations and looked what happened.

I started with the Java client and it gets wrong application data in  
such a situation.

I tested with our Windows implementation (I know it may have  
interoperability issues) and here I can see the
data I get from the server side and it is the same that I see on  
server side in the callback, but the Windows
DecryptMessage function fails with SEC_E_INVALID_TOKEN. (I had  
expected something like SEC_I_RENEGOTIATE to
get the information to put this record into InitializeSecurityContext.)

The Linux client also aborts the connection, but here I have not yet  
more details, but either the decryption fails
or the decrypted application data is wrong. Hopefully I can dig in  
there next week.

Here is what happens on server side:

1. I call SSL_key_update (see above)
2. I call SSL_write with application data
3. The write callback is invoked with this data:
    DATA: 17 03 03 00 16 b6 02 b1 06 87 f2 30 0d 77 35 31 7a 5b 6d 3c  
c2 aa 11 2c 32 95 a9
4. The write callback is invoked again with application data provided  
to SSL_write:
    DATA: 17 03 03 00 45 12 24 e5 66 36 2f 28 ea 62 2e 17 4c 62 f0 38  
07 7f 72 70 87 25 ba 45 ff cf f7 9f 0d 7d 48 ...

I see these data arrive at the client side (Windows):
    DATA: 17 03 03 00 16 b6 02 b1 06 87 f2 30 0d 77 35 31 7a 5b 6d 3c  
c2 aa 11 2c 32 95 a9
but get the error described above. In Java I get wrong application  
data, so it seems to decrypt this as application
data?!

I saw an additional call to SSL_do_handshake in the apps/s_server.c  
and tried this, but it did not change anything.

Is there anything else (except calling SSL_key_update) I have to take care of?

Did anyone use this successfully with a Java SSLSocket? (We currently  
use Azul 8 which has a backport of TLSv1.3, and Azul 11).

Has anyone experience with Windows Schannel against OpenSSL?

I still believe that I do something wrong, because the Linux client  
also fails.

Any hints are appreciated.


Regards,
Andreas

More information about the openssl-users mailing list