Issue with TLS1.3 and s_time

Issue with TLS1.3 and s_time

Raj Jain

I’m having an issue with s_time and s_server using the latest OpenSSL (1.1.1-dev) and tls1_3. 

 

When I use tls1_2, connections are established and data is transferred. However, when I use tls1_3, data is not transferred (connections are established).

 

Below are the commands I use for s_time and s_server. I provided the output when I used -tls1_2 vs. -tls1_3 on the server. Notice “bytes read 0” for TLS 1.3. (I tried this on the loopback as well as on 2 separate boxes.)

 

Is this a known issue with s_time?

 

 

 

This is the client:

s_time -new -connect localhost:44330 -www /1M.txt -cipher ECDHE-RSA-AES256-GCM-SHA384:TLS13-AES-256-GCM-SHA384

 

This is the server:

openssl s_server -key key.pem -cert cert.pem -accept 44330 -WWW -tls1_3

 

This is what I see with tls1_2:

1086 connections in 0.46s; 2360.87 connections/user sec, bytes read 51042

1086 connections in 2 real seconds, 47 bytes read per connection

 

This is what I see with tls1_3:

17663 connections in 7.67s; 2302.87 connections/user sec, bytes read 0

17663 connections in 31 real seconds, 0 bytes read per connection


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Issue with TLS1.3 and s_time

OpenSSL - User mailing list

In TLS 1.3 the “time” field went away.



Re: Issue with TLS1.3 and s_time

Roelof Du Toit
In reply to this post by Raj Jain

This seems to be a bug in how s_time handles the TLS 1.3 post-handshake NewSessionTicket message; more specifically: not handling the retry when SSL_read() returns -1.

 

The following diff (in tls1.3-draft-19 branch) appears to resolve the issue:

 

$ git diff

diff --git a/apps/s_time.c b/apps/s_time.c

index 998ef72..caa1b22 100644

--- a/apps/s_time.c

+++ b/apps/s_time.c

@@ -234,8 +234,8 @@ int s_time_main(int argc, char **argv)

                                    fmt_http_get_cmd, www_path);

             if (SSL_write(scon, buf, buf_len) <= 0)

                 goto end;

-            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)

-                bytes_read += i;

+            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 || BIO_should_retry(SSL_get_rbio(scon)))

+                if (i > 0) bytes_read += i;

         }
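
Review bot: the new while condition takes its retry decision from BIO_should_retry(SSL_get_rbio(scon)) alone, without looking at why SSL_read() returned i <= 0, so the loop keeps going for as long as the read BIO's retry flag stays set. Calling SSL_get_error(scon, i) on the non-positive return and continuing only for SSL_ERROR_WANT_READ would let a clean shutdown or a fatal error end the loop, and would also cover conditions the BIO flag does not report.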

 

 

--Roelof



Re: Issue with TLS1.3 and s_time

Matt Caswell-2


On 12/07/17 19:43, Roelof Du Toit wrote:
> This seems to be a bug in how s_time handles the TLS 1.3 post-handshake
> NewSessionTicket message; more specifically: not handling the retry when
> SSL_read() returns -1.
>
>  
>
> The following diff (in tls1.3-draft-19 branch) appears to resolve the issue:


Probably you should use SSL_get_error() rather than BIO_should_retry().
The former is a little more complete (checks some conditions that
BIO_should_retry() does not). Could you submit this as a github PR?

Matt


>
>  
>
> $ git diff
>
> diff --git a/apps/s_time.c b/apps/s_time.c
>
> index 998ef72..caa1b22 100644
>
> --- a/apps/s_time.c
>
> +++ b/apps/s_time.c
>
> @@ -234,8 +234,8 @@ int s_time_main(int argc, char **argv)
>
>                                     fmt_http_get_cmd, www_path);
>
>              if (SSL_write(scon, buf, buf_len) <= 0)
>
>                  goto end;
>
> -            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
>
> -                bytes_read += i;
>
> +            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
> BIO_should_retry(SSL_get_rbio(scon)))
>
> +                if (i > 0) bytes_read += i;
>
>          }
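
Review bot: the rewritten while condition has no comment saying why a non-positive SSL_read() is retried; a one-line comment naming the TLS 1.3 post-handshake NewSessionTicket would stop a later cleanup from simplifying it back to the old form. On style, the condition is far too long for one line and should be broken, and `bytes_read += i;` belongs on its own line under the `if`.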
>
>  
>
>  
>
> --Roelof
>
>
>
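
The failure mode diagnosed in this thread, modelled as an added example (not code from the thread or from OpenSSL): `mock_read()` and the `ERR_*`/`REC_*` names are hypothetical stand-ins for `SSL_read()` and `SSL_get_error()`, and the record stream is constructed. It assumes, as the thread describes, that the read which consumes the post-handshake NewSessionTicket returns -1 with a retryable error.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for SSL_get_error() outcomes (not OpenSSL's values). */
enum { ERR_NONE, ERR_WANT_READ, ERR_ZERO_RETURN, ERR_FATAL };
typedef enum { REC_HANDSHAKE, REC_APPDATA, REC_BAD } rec_type;
typedef struct { rec_type type; const char *payload; } record;
typedef struct { const record *recs; size_t n, pos; int last_err; } mock_conn;

/* Blocking SSL_read() model: a post-handshake record is consumed, returns -1. */
static int mock_read(mock_conn *c, char *buf, size_t len)
{
    if (c->pos >= c->n) { c->last_err = ERR_ZERO_RETURN; return 0; }
    const record *r = &c->recs[c->pos++];
    if (r->type == REC_HANDSHAKE) { c->last_err = ERR_WANT_READ; return -1; }
    if (r->type == REC_BAD) { c->last_err = ERR_FATAL; return -1; }
    size_t k = strlen(r->payload) < len ? strlen(r->payload) : len;
    memcpy(buf, r->payload, k);
    c->last_err = ERR_NONE;
    return (int)k;
}

/* retry == 0: original loop shape, stop at the first non-positive return.
 * retry == 1: continue only on WANT_READ; -1 is returned on a fatal error. */
static long read_all(mock_conn *c, int retry)
{
    char buf[64];
    long total = 0;
    for (;;) {
        int i = mock_read(c, buf, sizeof(buf));
        if (i > 0) { total += i; continue; }
        if (!retry) return total;
        if (c->last_err == ERR_WANT_READ) continue;
        return c->last_err == ERR_ZERO_RETURN ? total : -1;
    }
}

/* Constructed stream: `first` (REC_HANDSHAKE or REC_BAD), then 22 data bytes. */
static long demo(int retry, rec_type first)
{
    record recs[] = { { first, NULL },
        { REC_APPDATA, "HTTP/1.0 200 ok\r\n" }, { REC_APPDATA, "body\n" } };
    mock_conn c = { recs, 3, 0, ERR_NONE };
    return read_all(&c, retry);
}

int main(void)
{
    printf("naive=%ld retry=%ld\n", demo(0, REC_HANDSHAKE), demo(1, REC_HANDSHAKE));
}
```

The naive loop reproduces the "bytes read 0" symptom, while the retrying loop reads all 22 bytes and still stops on a fatal error instead of looping.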