<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="ET">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ET">We are in a process of porting our software to aarch64 (Raspberry Pi). One problem what we have is with openssl, it appears that our build of it always fails in SSL_connect(). I have debugged it a bit and it seems the problem
appears in the function ossl_statem_client13_read_transition(), where after receiving SSL3_MT_SERVER_HELLO and SSL3_MT_ENCRYPTED_EXTENSIONS it receives SSL3_MT_NEWSESSION_TICKET, but there is no handling of SSL3_MT_NEWSESSION_TICKET in ’</span><span lang="ET">
</span><span lang="ET">case TLS_ST_CR_ENCRYPTED_EXTENSIONS’ in statem_clnt.c around line 121.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ET">I am no expert in SSL, so not sure where the problem might be, most probably we build the openssl somehow in the wrong way. We also have corporate firewall protected by ZScaler, but other tools like wget work fine with external
URL-s, so it ought to be possible to get it working.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ET">We build openssl like that:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"> # EGD needed for libIce<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"> ./config -d no-shared enable-egd --prefix=$INSTALL_ROOT/$PROJECT<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"> # Hide the symbols to avoid that undesired .so-s will find them (there is a zoo of binary incompatible openssl versions out there).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"> make CFLAGS="-g -O0 -fvisibility=hidden" CXXFLAGS="-g -O0 -fvisibility=hidden"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"> make install<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ET">bin> ./openssl version<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ET">The error (unexpected message) is visible also with the openssl command line. In our code SSL_connect() fails.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">bin> ./openssl s_client <a href="http://www.google.com:443">
www.google.com:443</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Connecting to 172.217.169.36<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">CONNECTED(00000003)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">4080C5B57F000000:error:0A0000F4:SSL routines:ossl_statem_client_read_transition:unexpected message:ssl/statem/statem_clnt.c:399:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">---<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">no peer certificate available<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">---<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">No client certificate CA names sent<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Server Temp Key: X25519, 253 bits<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">---<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">SSL handshake has read 4296 bytes and written 333 bytes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Verification: OK<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">---<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">This TLS version forbids renegotiation.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Compression: NONE<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Expansion: NONE<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">No ALPN negotiated<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Early data was not sent<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Verify return code: 0 (ok)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">---<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="ET">Any advice appreciated<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">TIA<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET">Paavo<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="ET"><o:p> </o:p></span></p>
</div>
</body>
</html>