Openssl 1.0.2o issue with FIPS mode set.

5 messages
Openssl 1.0.2o issue with FIPS mode set.

Ajay Nalawade
Hello,

I have a golang-based openssl server with FIPS mode set. I am using the OpenSSL library built with FIPS module 2.0.
With OpenSSL version 1.0.1u, everything was running fine.
Recently I upgraded to version 1.0.2o. With this version, under high-traffic conditions (more than 4k requests per minute), read requests fail with the following error:
"SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"

If I disable FIPS mode, everything runs fine. Is there any known issue with version 1.0.2o with FIPS mode set?

Thanks a lot in advance,
Ajay

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Openssl 1.0.2o issue with FIPS mode set.

Ajay Nalawade
I am able to reproduce this issue with the attached golang-based server. Am I doing anything wrong here?
Is there any known issue, or any workaround available for this issue?

Thanks,
Ajay

On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <[hidden email]> wrote:
[quoted text hidden]

Attachment: test_server.go (3K)

Re: Openssl 1.0.2o issue with FIPS mode set.

Ajay Nalawade
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"strconv"

	// The Go binding assumed here is github.com/spacemonkeygo/openssl, which
	// provides FIPSModeSet, NewCtxFromFiles and Listen as used below; the
	// posted file did not show its import of the openssl package.
	"github.com/spacemonkeygo/openssl"
)

// init_fips puts the linked OpenSSL/FIPS module into FIPS mode before any
// context is created; the process aborts if the module refuses.
func init_fips() {
	if err := openssl.FIPSModeSet(true); err != nil {
		panic(fmt.Errorf("openssl failed to set fips mode. Error: %v", err))
	}
	log.Print("OpenSSL FIPS mode is set to: True")
}

func main() {
	init_fips()

	laddr := "0.0.0.0:443"

	// Init SSL shared context used across connections
	ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt", "/etc/certs/sslcert.key")
	if err != nil {
		log.Fatalf("Failed to read ssl certificate. Error: %v", err)
	}

	// Set options and do not allow SSLv2 and SSLv3 communication
	_ = ctx.SetOptions(openssl.CipherServerPreference |
		openssl.NoSSLv2 | openssl.NoSSLv3)

	// Listen on bind address; every accepted connection shares ctx and does
	// its handshake lazily on the first read inside handleClient.
	ln, err := openssl.Listen("tcp", laddr, ctx)
	if err != nil {
		log.Fatalf("Failed to start server. Error: %v", err)
	}
	log.Println("Started secure server")
	log.Print("server: listening")
	for {
		accepted, err := ln.Accept()
		if err != nil {
			log.Printf("Got errored while accepting connection. %v", err)
			return
		}
		go handleClient(accepted)
	}
}

// handleClient reads HTTP requests off one TLS connection and echoes each
// body back in a 200 response until the connection fails or closes.
func handleClient(conn net.Conn) {
	defer conn.Close()
	reader := bufio.NewReader(conn)
	for {
		httpreq, err := http.ReadRequest(reader)
		if err != nil {
			log.Printf("Errored while reading request. Error: %v", err)
			break
		}
		if httpreq.ContentLength < 0 {
			// Unknown length (e.g. chunked): the echo below needs a fixed size.
			log.Print("Request without Content-Length; closing connection")
			break
		}
		// Read exactly ContentLength bytes; ReadFull reports ErrUnexpectedEOF
		// on a short body instead of spinning as a manual loop would on EOF.
		buf := make([]byte, httpreq.ContentLength)
		if _, err = io.ReadFull(httpreq.Body, buf); err != nil {
			log.Printf("Errored while reading request body. Error: %v", err)
			break
		}
		httpreq.Body.Close()

		resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+
			strconv.Itoa(len(buf))+"\r\n\r\n"), buf...)
		if _, err = conn.Write(resp); err != nil {
			log.Printf("Errored while writing response. Error: %v", err)
			break
		}

		log.Printf("server: conn: wrote %d bytes", len(resp))
	}
	log.Println("server: conn: closed")
}

On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <[hidden email]> wrote:
[quoted text hidden]

Re: Openssl 1.0.2o issue with FIPS mode set.

Ajay Nalawade
Here are some more observations.
1. It does not take much load to cause this error (creating even 2 connections in parallel gives this issue).
2. While a client is sending data, another client connecting does not error. The error seems to occur only when two clients try to handshake together. If we serialise the SSL wrap, even thousands of clients do not give this issue.
3. There comes a time (after 40 iterations in the case of 3 parallel handshaking clients) after which the server kind of gives up and keeps on giving the same error no matter how much we slow down the clients (I stopped my client script for 5 minutes before trying again).

On Thu, Jul 5, 2018 at 6:29 PM Ajay Nalawade <[hidden email]> wrote:
[quoted text hidden]
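The two things the observations above describe, concurrent handshakes as the trigger and serialising the handshake as the workaround, as an added example that is not part of the original posts or of the OpenSSL project. It uses Go's crypto/tls as a stand-in for the OpenSSL binding in the posted server, because that binding needs cgo and an OpenSSL/FIPS build and cannot run stand-alone here; the names openssl.Server and Handshake mentioned in the comments are assumed from that binding, not shown on this page. Against crypto/tls the experiment is expected to report zero failed handshakes and a high-water mark of one concurrent handshake; plugging the OpenSSL wrap into Wrap turns it into a reproducer for the poster's setup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"sync"
	"sync/atomic"
	"time"
)

// SerialHandshakeListener runs at most one TLS handshake at a time (the
// workaround the thread reports as effective); established connections still
// read and write in parallel. Wrap turns an accepted TCP connection into a TLS
// connection and finishes its handshake; for the thread's Go binding it would
// wrap openssl.Server(c, ctx) and call Handshake() (that API is assumed here).
type SerialHandshakeListener struct {
	net.Listener
	Wrap    func(net.Conn) (net.Conn, error)
	mu      sync.Mutex
	active  int32 // handshakes in flight
	maxSeen int32 // high-water mark of active; 1 proves handshakes never overlap
}

// Accept returns the next connection whose handshake succeeded; a failed one is
// closed and skipped. The deadline keeps one stalled client from holding the lock.
func (s *SerialHandshakeListener) Accept() (net.Conn, error) {
	for {
		raw, err := s.Listener.Accept()
		if err != nil {
			return nil, err
		}
		s.mu.Lock()
		if cur := atomic.AddInt32(&s.active, 1); cur > atomic.LoadInt32(&s.maxSeen) {
			atomic.StoreInt32(&s.maxSeen, cur)
		}
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		conn, err := s.Wrap(raw)
		atomic.AddInt32(&s.active, -1)
		s.mu.Unlock()
		if err == nil {
			conn.SetDeadline(time.Time{})
			return conn, nil
		}
		raw.Close()
	}
}

// selfSignedConfig builds a throwaway certificate so the example runs offline
// (constructed for this example; not a real server certificate).
func selfSignedConfig() (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}, nil
}

// RunExperiment serves crypto/tls behind the serializing listener, starts n
// clients at once so their handshakes overlap on the server (the thread's
// trigger) and returns (failed handshakes, max handshakes in flight); with
// crypto/tls the expected result is (0, 1). Swapping Wrap for the OpenSSL
// binding turns this into a reproducer for the thread's setup.
func RunExperiment(n int) (int, int, error) {
	cfg, err := selfSignedConfig()
	if err != nil {
		return 0, 0, err
	}
	raw, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, 0, err
	}
	ln := &SerialHandshakeListener{Listener: raw, Wrap: func(c net.Conn) (net.Conn, error) {
		s := tls.Server(c, cfg)
		return s, s.Handshake()
	}}
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Close() // the handshake is all this experiment measures
		}
	}()
	var wg sync.WaitGroup
	var failed int32
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			// InsecureSkipVerify only because the certificate above is self-signed.
			c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true})
			if err != nil { // tls.Dial returns only after the handshake completes
				atomic.AddInt32(&failed, 1)
				return
			}
			c.Close()
		}()
	}
	wg.Wait()
	return int(failed), int(atomic.LoadInt32(&ln.maxSeen)), nil
}
```

Serialising the handshake inside Accept trades the failure for head-of-line blocking: a client that opens a TCP connection and never sends a ClientHello would otherwise hold the lock for everyone, which is why the wrapper puts a deadline on the raw connection before the handshake and clears it afterwards. The mutex is a mitigation, not a fix for whatever goes wrong in the shared context; the high-water-mark counter is there so a deployment can confirm the handshakes really never overlap, since the thread reports the error only when two do.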

Re: Openssl 1.0.2o issue with FIPS mode set.

Ajay Nalawade
The issue is not seen with OpenSSL version 1.0.2g. The issue is present in all versions after 1.0.2g.

Thanks,
Ajay

On Fri, Jul 6, 2018 at 11:33 AM Ajay Nalawade <[hidden email]> wrote:
[quoted text hidden]