SSL_connect() failing on SSL3_MT_NEWSESSION_TICKET on Raspberry Pi

Helde, Paavo Paavo.Helde at PERKINELMER.COM
Wed Mar 23 07:39:25 UTC 2022 

Hi,

We are in a process of porting our software to aarch64 (Raspberry Pi). One problem what we have is with openssl, it appears that our build of it always fails in SSL_connect(). I have debugged it a bit and it seems the problem appears in the function ossl_statem_client13_read_transition(), where after receiving SSL3_MT_SERVER_HELLO and SSL3_MT_ENCRYPTED_EXTENSIONS it receives SSL3_MT_NEWSESSION_TICKET, but there is no handling of  SSL3_MT_NEWSESSION_TICKET in ' case TLS_ST_CR_ENCRYPTED_EXTENSIONS' in statem_clnt.c around line 121.

I am no expert in SSL, so not sure where the problem might be, most probably we build the openssl somehow in the wrong way. We also have corporate firewall protected by ZScaler, but other tools like wget work fine with external URL-s, so it ought to be possible to get it working.

We build openssl like that:
    # EGD needed for libIce
    ./config -d no-shared enable-egd --prefix=$INSTALL_ROOT/$PROJECT
    # Hide the symbols to avoid that undesired .so-s will find them (there is a zoo of binary incompatible openssl versions out there).
    make CFLAGS="-g -O0 -fvisibility=hidden" CXXFLAGS="-g -O0 -fvisibility=hidden"
    make install

bin> ./openssl version
OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )

The error (unexpected message) is visible also with the openssl command line. In our code SSL_connect() fails.
bin> ./openssl s_client www.google.com:443<http://www.google.com:443>
Connecting to 172.217.169.36
CONNECTED(00000003)
4080C5B57F000000:error:0A0000F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:399:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4296 bytes and written 333 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Any advice appreciated
TIA
Paavo

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220323/3f6ad2f8/attachment.htm>

More information about the openssl-users mailing list