OpenSSL sending close_notify right after responding to a heartbeat request


R Kaja Mohideen
Hi,

We have a TLS Server (Written in C) and Client (Written in Java using
Netty + OpenSSL).

I see that when Server sends a TLS extension Heartbeat request to
client - OpenSSL responds to it and sends a close_notify alert right
after it - causing the server to close the session with client.

I don't have any callback registered in client (HB request recipient
side - Java/Netty doesn't really have that support) and so I'm sure
that it is OpenSSL by itself that is responding to that heartbeat request.
But, who or what is making OpenSSL send an alert & close the
session upon responding to heartbeat remains a mystery.

Any help / suggestions to investigate this issue is highly appreciated.

Thanks & regards,
R Kaja Mohideen
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: OpenSSL sending close_notify right after responding to a heartbeat request

R Kaja Mohideen
I have used the backtrace function (execinfo.h) as documented here
(http://www.gnu.org/software/libc/manual/html_node/Backtraces.html) in
a couple of OpenSSL source files - ssl_lib.c (ssl_shutdown) and s3_pkt.c
(ssl3_send_alert). I have actually used the exact same example from
that page for getting the stack trace printed from those two
functions.

When I reproduce the issue, the following is the stack trace I got:

Obtained 3 stack frames.
/OpenSSL/libssl.so.1.0.0(printStackTrace+0x2d) [0x7f13927f482d]
/OpenSSL/libssl.so.1.0.0(SSL_shutdown+0x9) [0x7f13927f74a9]
[0x7f14a901f9e4]
Obtained 4 stack frames.
/OpenSSL/libssl.so.1.0.0(printStackTrace1+0x2d) [0x7f13927da4dd]
/OpenSSL/libssl.so.1.0.0(ssl3_send_alert+0x11) [0x7f13927dbe11]
/OpenSSL/libssl.so.1.0.0(ssl3_shutdown+0xa2) [0x7f13927d8662]
[0x7f14a901f9e4]

I'm surprised to see that I'm not able to get the caller details using
backtrace. Is it due to the architecture of OpenSSL or something which
makes OpenSSL use a new thread for invoking ssl_shutdown?

Any OpenSSL developers?

// Kaja

Re: OpenSSL sending close_notify right after responding to a heartbeat request

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of R Kaja Mohideen
> Sent: Monday, March 27, 2017 13:55
>
> I'm surprised to see that I'm not able to get the caller details using
> backtrace. Is it due to the architecture of OpenSSL or something which
> makes OpenSSL use a new thread for invoking ssl_shutdown?

I suspect it's due to compiler optimization, a lack of symbols in the caller, or some other generic obstacle to backtracing, and not anything OpenSSL is doing.

Michael Wojcik
Distinguished Engineer, Micro Focus
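
The bare `[0x7f14a901f9e4]` frame in the traces above is what glibc's backtrace_symbols() prints when it cannot attribute a return address to any loaded shared object, and it is the point where the caller information is lost. As an added example (not code from the thread or from OpenSSL), the C parser below splits such lines into module, symbol, offset and address and reports the first frame that has no module; the struct and function names are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of glibc backtrace_symbols() output, split into its fields. */
struct frame {
    char module[128];          /* "" when no shared object was identified */
    char symbol[128];          /* "" when no symbol name was resolved */
    unsigned long long offset; /* offset inside the symbol (or the module) */
    unsigned long long addr;   /* return address from the [0x...] field */
};

/* Accepts "module(symbol+0xoff) [0xaddr]", "module(+0xoff) [0xaddr]",
 * "module() [0xaddr]" and the bare "[0xaddr]" form. Returns 0 on success. */
int parse_frame(const char *line, struct frame *f)
{
    char *end;
    const char *lb = strrchr(line, '[');
    memset(f, 0, sizeof *f);
    if (lb == NULL) return -1;
    f->addr = strtoull(lb + 1, &end, 16);
    if (end == lb + 1 || *end != ']') return -1;
    size_t len = (size_t)(lb - line);          /* text before the address */
    while (len > 0 && line[len - 1] == ' ') len--;
    const char *lp = memchr(line, '(', len);
    size_t mlen = lp ? (size_t)(lp - line) : len;
    if (mlen >= sizeof f->module) return -1;
    memcpy(f->module, line, mlen);
    if (lp && lp[1] == '+')                    /* module-relative offset only */
        sscanf(lp, "(+%llx", &f->offset);
    else if (lp)                               /* symbol+offset, or "()" */
        sscanf(lp, "(%127[^+)]+%llx", f->symbol, &f->offset);
    return 0;
}

/* Index of the first frame with no module, or -1 if all frames name one. */
int first_unattributed(const char *const *lines, int n)
{
    struct frame f;
    for (int i = 0; i < n; i++)
        if (parse_frame(lines[i], &f) == 0 && f.module[0] == '\0') return i;
    return -1;
}

/* First trace from the post, as printed there. */
static const char *const TRACE[] = {
    "/OpenSSL/libssl.so.1.0.0(printStackTrace+0x2d) [0x7f13927f482d]",
    "/OpenSSL/libssl.so.1.0.0(SSL_shutdown+0x9) [0x7f13927f74a9]",
    "[0x7f14a901f9e4]",
};

int main(void)
{
    printf("first unattributed frame: %d\n", first_unattributed(TRACE, 3));
    return 0;
}
```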



Re: OpenSSL sending close_notify right after responding to a heartbeat request

R Kaja Mohideen
Thanks for the response, Michael Wojcik. Any idea what is making OpenSSL close the session after responding to Heartbeat request?


Re: OpenSSL sending close_notify right after responding to a heartbeat request

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Kaja Mohideen
> Sent: Tuesday, March 28, 2017 10:30

> Any idea what is making OpenSSL close the session after responding to Heartbeat request?

I'm afraid not. I haven't seen that problem myself, and I've not looked at heartbeat processing in the OpenSSL source code (aside from the quick glance I, like many people, took when Heartbleed was disclosed).

Michael Wojcik
Distinguished Engineer, Micro Focus




Re: OpenSSL sending close_notify right after responding to a heartbeat request

Jakob Bohm-7
Just to clarify: Does it respond to the heartbeat before closing
the session, or does it just close the session when you try to
trigger the heartbeat/bleed code?

On 28/03/2017 16:29, Kaja Mohideen wrote:

> Thanks for the response, Michael Wojcik. Any idea what is making
> OpenSSL close the session after responding to Heartbeat request?
> ------------------------------------------------------------------------
> From: Michael Wojcik <mailto:[hidden email]>
> Sent: 28-03-2017 07:46 PM
> To: [hidden email] <mailto:[hidden email]>
> Subject: Re: [openssl-users] OpenSSL sending close_notify right
> after responding to a heartbeat request
>
> > From: openssl-users [mailto:[hidden email]] On Behalf
> > Of R Kaja Mohideen
> > Sent: Monday, March 27, 2017 13:55
> >
> > I'm surprised to see that I'm not able to get the caller details using
> > backtrace. Is it due to the architecture of OpenSSL or something which
> > makes OpenSSL use a new thread for invoking ssl_shutdown?
>
> I suspect it's due to compiler optimization, a lack of symbols in the
> caller, or some other generic obstacle to backtracing, and not
> anything OpenSSL is doing.
>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: OpenSSL sending close_notify right after responding to a heartbeat request

R Kaja Mohideen
It responds and then closes.


Re: OpenSSL sending close_notify right after responding to a heartbeat request

R Kaja Mohideen
Still - I couldn't find the root-cause why OpenSSL is closing after
responding. Any pointers about which area of codebase is causing this
will be very helpful. Is there any commercial support available for
OpenSSL?
