

Konstantinos Schoinas

I am encountering a problem in ending an SSL connection properly, and I
wonder if there is a problem with my application or a problem with OpenSSL.

My setup is:

Host Computer: ovs-dpdk (virtual switch)
vm1 : openssl
vm2 : dpdk-application (role of a virtual switch that connect vm1 and
vm3 : apache2 server

Role of each component:

vm1 : Just trying to connect to apache2 server through openssl
vm2 : DPDK application that is a learning switch. Its purpose is to block
the traffic if openssl (or some client) is trying to connect to a
forbidden server.
vm3 : Just the Server

So what I am actually doing is blocking the connection by responding
with a TLS alert (fatal, unrecognized name).
When I do that, it takes some time for openssl to end the connection. But
after 2 or 3 seconds I see that openssl in VM1 has read my response
even in the actual Desktop. I see that it has read 7 bytes and the
correct SSL alert message that I sent. (I check these on Wireshark as

But that's a problem because it takes a lot of time. So the other thing I
tried was to also send a TCP packet with a RST value in order to end the
TCP session as well. That solved the problem from the perspective of
speed, because it now closes the connection really fast, but the problem is
that now openssl doesn't read my alert packet and the reason I closed the
connection. I want to mention also that when I receive the Client-Hello I
respond immediately with 2 packets. One is the TLS alert and the
other one is the TCP RST packet.

So my questions are these:
1) Is a TCP reset the correct way to end the TLS session (handshake) after
the TLS alert message? If yes, shall I send these 2 packets together as I do
now? (Forgive me for my lack of knowledge on TCP.)
2) Is there another way to end the connection except a TCP reset?
3) Is there a possibility that openssl reads only the TCP reset and not my
alert packet, so for that reason I only see connection closed but
not the actual reason?
4) Is there a better way to do this?

My end goal is to end the connection properly and have openssl read my
SSL alert message, so that in VM1 (with openssl) I will get connection closed
with unrecognized name as the actual reason.

Thanks for your time,

Konstantinos Schoinas
openssl-users mailing list
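
The 7 bytes mentioned in the post match the size of a plaintext TLS alert record: a 5-byte record header followed by the 2-byte alert (level, description). The following is an added example, not code from the original post or from OpenSSL, that builds such a record and parses it back, rejecting truncated input; the function names are hypothetical and the record version 0x0303 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the TLS specifications (RFC 5246, RFC 6066). */
#define TLS_CT_ALERT                21   /* record content type: alert */
#define TLS_ALERT_FATAL             2    /* alert level: fatal */
#define TLS_ALERT_UNRECOGNIZED_NAME 112  /* alert description */
#define TLS_ALERT_RECORD_LEN        7    /* 5-byte header + 2-byte alert */

/* Hypothetical helper: write a plaintext alert record; returns bytes written, 0 if cap is too small. */
size_t tls_build_alert(uint8_t *out, size_t cap, uint16_t version,
                       uint8_t level, uint8_t desc)
{
    if (cap < TLS_ALERT_RECORD_LEN)
        return 0;
    out[0] = TLS_CT_ALERT;
    out[1] = (uint8_t)(version >> 8);    /* record version, big-endian */
    out[2] = (uint8_t)(version & 0xff);
    out[3] = 0;                          /* fragment length, big-endian: 2 */
    out[4] = 2;
    out[5] = level;
    out[6] = desc;
    return TLS_ALERT_RECORD_LEN;
}

/* Hypothetical helper: 0 on success, -1 if truncated, -2 if not a plaintext alert record. */
int tls_parse_alert(const uint8_t *buf, size_t len,
                    uint8_t *level, uint8_t *desc)
{
    if (len < TLS_ALERT_RECORD_LEN)
        return -1;
    if (buf[0] != TLS_CT_ALERT || buf[1] != 3 || buf[3] != 0 || buf[4] != 2)
        return -2;
    *level = buf[5];
    *desc = buf[6];
    return 0;
}

int main(void)
{
    uint8_t rec[TLS_ALERT_RECORD_LEN], level, desc;
    size_t n = tls_build_alert(rec, sizeof rec, 0x0303, /* assumed version */
                               TLS_ALERT_FATAL, TLS_ALERT_UNRECOGNIZED_NAME);
    for (size_t i = 0; i < n; i++)
        printf("%02x ", rec[i]);
    if (tls_parse_alert(rec, n, &level, &desc) == 0)
        printf("\nlevel=%u description=%u\n", (unsigned)level, (unsigned)desc);
    return 0;
}
```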