ssl client write / server accept seems broken

ssl client write / server accept seems broken

Embedded Devel
I have an application previously written for us 10+ years ago that no
longer seems to be happy,

and the original dev is no longer available, so who can I pay to bang
this out and make it happy, or who can guide me through getting it
functional... Basic info below.

I have a client process which is supposed to speak to a server via SSL,
and then send data.

I've created a "CA" and generated the CSR and certs for both the client
and the server.

When I run the client, I get an error on the client side:

Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error
SSL_ERROR_SSL - return code: -1.
Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error

Here is the specific snippet of C that's failing:

int ac_ssl_client_write(ac_ssl_conn_t *ssl_con, void *buf, int buf_len)
{
         fd_set write_fds;
         struct timeval tv;
         int rc = -1;

         tv.tv_sec = TIMEOUT_WRITE;
         tv.tv_usec = 0;

         FD_ZERO(&write_fds);
         FD_SET(ssl_con->socket, &write_fds);


         if ((rc = select(ssl_con->socket + 1, NULL, &write_fds, NULL, &tv)) == 1) {
                 if (FD_ISSET(ssl_con->socket, &write_fds)) {
                         rc = SSL_write(ssl_con->ssl, buf, buf_len);

                         if (ac_ssl_handle_err(ssl_con, rc, "ac_ssl_client_write()", "") != 0)
                                 return -1;
                 }
         }

         FD_CLR(ssl_con->socket, &write_fds);

         return rc;
}

And likewise I get this error on the server side:

Mar 23 03:13:58 optim04 ac_server[597280]: ac_ssl_server_accept(): Error
SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
Mar 23 03:13:58 optim04 ac_server[597280]: ac_ssl_server_accept(): Error
code: -3

which I've located in this snippet of code:

/* Accept SSL Connection */
int ac_ssl_server_accept(ac_ssl_conn_t *ssl_con)
{
         int rc = -1;
         /* Load Key and Certificates */
         if ((rc = ac_ssl_server_certs(ssl_con)) != 0) {
                 LOG(LOG_ERR, "ac_ssl_server_certs(): Error code %d\n", rc);
                 return -1;
         }

         if ((ssl_con->ssl = SSL_new(ssl_con->ctx)) == NULL) {
                 LOG(LOG_ERR, "SSL_new(): Error\n");
                 close(ssl_con->socket);
                 if (ssl_con->ctx != NULL)
                         SSL_CTX_free(ssl_con->ctx);
                 return -2;
         }

         SSL_set_fd(ssl_con->ssl, ssl_con->socket);
         SSL_set_accept_state(ssl_con->ssl);

         rc = SSL_accept(ssl_con->ssl);
         if (ac_ssl_handle_err(ssl_con, rc, "ac_ssl_server_accept()", "SSL_accept()") == 1)
                 return -3;


         return 0;
}







Re: ssl client write / server accept seems broken

Matt Caswell-2


On 23/03/2021 02:37, Embedded Devel wrote:
> I have an application previously written for us 10+ years ago that no
> longer seems to be happy

Has something happened that might have caused this? Did you upgrade
OpenSSL, or do some other kind of update to your code?

Which version of OpenSSL are you using?


>
> and the original dev is no  longer available, so who can i pay to bang
> this out and make it happy, or who can guide me through getting it
> functional... basic info below.
>
> I have a client process which is supposed to speak to a server via ssl,
> and then send data
>
> Ive created a "CA" and generated the CSR / and certs for both the client
> and the server.

What kind of certs did you generate? How big are the keys? Are you able
to share the certs (not the keys)?

>
> when i run the client - i get an error on the client side
>
> Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error
> SSL_ERROR_SSL - return code: -1.
> Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error


It would be useful to see any errors on the OpenSSL error stack which
might provide more details about specifically what has failed. For
example you can call the `ERR_print_errors_fp` function to dump the
error stack to a `FILE *`. Or alternatively use the `ERR_*` functions to
examine the stack and print it to your log:

https://www.openssl.org/docs/man1.1.1/man3/

Matt

Re: ssl client write / server accept seems broken

Embedded Devel

On 3/23/21 9:31 PM, Matt Caswell wrote:

>
>
> On 23/03/2021 02:37, Embedded Devel wrote:
>> I have an application previously written for us 10+ years ago that no
>> longer seems to be happy
>
> Has something happened that might have caused this? Did you upgrade
> OpenSSL, or do some other kind of update to your code?
>
> Which version of OpenSSL are you using?

Surely an OpenSSL upgrade; this code is maybe 7-8 years old.

OpenSSL 1.1.1g FIPS  21 Apr 2020 Centos 7


>
>
>>
>> and the original dev is no  longer available, so who can i pay to
>> bang this out and make it happy, or who can guide me through getting
>> it functional... basic info below.
>>
>> I have a client process which is supposed to speak to a server via
>> ssl, and then send data
>>
>> Ive created a "CA" and generated the CSR / and certs for both the
>> client and the server.
>
> What kind of certs did you generate? How big are the keys? Are you
> able to share the certs (not the keys)?

Original expired certs:

-rw-r--r-- 1 root root 1424 Mar 22 16:59 ac_ca_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_ca_key.pem
-rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_client_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_client_key.pem
-rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_server_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_server_key.pem
-rw------- 1 root root 1204 Mar 22 18:24 ca.crt
-rw------- 1 root root 1766 Mar 22 18:23 ca.key

New certs:

-rw-r--r-- 1 root root 1529 Mar 22 17:45 myCA.pem
-rw-r--r-- 1 root root 1566 Mar 22 18:04 portaladmin.domain.com.crt
-rw-r--r-- 1 root root 1115 Mar 22 18:04 portaladmin.domain.com.csr
-rw-r--r-- 1 root root  216 Mar 22 18:04 portaladmin.domain.com.ext
-rw------- 1 root root 1675 Mar 22 18:04 portaladmin.domain.com.key

I can share the certs.



I'm inclined to think the code for the certs is OK, but I can't really say,
and I'm not an OpenSSL programmer by any means... just need someone to
put eyes on the code and fix it really.


>>
>> when i run the client - i get an error on the client side
>>
>> Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error
>> SSL_ERROR_SSL - return code: -1.
>> Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error
>
>
> It would be useful to see any errors on the OpenSSL error stack which
> might provide more details about specifically what has failed. For
> example you can call the `ERR_print_errors_fp` function to dump the
> error stack to a `FILE *`. Or alternatively use the `ERR_*` functions
> to examine the stack and print it to your log:

Yup, above my head... :(

And lastly, if it helps:

❯ openssl s_client -connect 46.23.86.244:3490
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim
Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress =
[hidden email]
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim
Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress =
[hidden email]
verify return:1
depth=0 C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim
Enterprises BV, OU = Wireless, CN = portaladmin.optimcloud.com,
emailAddress = [hidden email]
verify return:1
---
Certificate chain
  0 s:C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim Enterprises
BV, OU = Wireless, CN = portaladmin.optimcloud.com, emailAddress =
[hidden email]
    i:C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress =
[hidden email]
  1 s:C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress =
[hidden email]
    i:C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress =
[hidden email]
---
Server certificate
subject=C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim
Enterprises BV, OU = Wireless, CN = portaladmin.optimcloud.com,
emailAddress = [hidden email]

issuer=C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises
BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress =
[hidden email]

---
No client certificate CA names sent
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2835 bytes and written 395 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID:
DD66A51F2DFECA0871494BC94CA8208FE65C188491878CA035FE88D8961F18F6
     Session-ID-ctx:
     Resumption PSK:
87400DD8AA4AB035B526CA3C938E76E3E38694A2B3D710FB13215EF20B993F01787C96480C433DB24C435CB4EB4D902B
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:

     Start Time: 1616511716
     Timeout   : 7200 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_256_GCM_SHA384
     Session-ID:
1330829E9B218CE0A1DA23896CBE83F117A9A79DFECE0D1F0D37B4DD7010DE9A
     Session-ID-ctx:
     Resumption PSK:
DDE3C443AE436A6AD1C3DE7D9F18D4D28BAF0920E199CCF3B44715897E7A1FA375C087FF2BF23F7C85750297F513234A
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:

     Start Time: 1616511717
     Timeout   : 7200 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK
ACP/1.0

Method: IGNORE

closed




> https://www.openssl.org/docs/man1.1.1/man3/
>
> Matt

Re: ssl client write / server accept seems broken

Matt Caswell-2


On 23/03/2021 15:02, Embedded Devel wrote:

>
>
> I'm inclined to think the code for the certs is OK, but I can't really say,
> and I'm not an OpenSSL programmer by any means... just need someone to
> put eyes on the code and fix it really.

The cert looks ok - at least nothing obviously wrong. 2048 bit RSA key.


>
>
>>>
>>> when i run the client - i get an error on the client side
>>>
>>> Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error
>>> SSL_ERROR_SSL - return code: -1.
>>> Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error
>>
>>
>> It would be useful to see any errors on the OpenSSL error stack which
>> might provide more details about specifically what has failed. For
>> example you can call the `ERR_print_errors_fp` function to dump the
>> error stack to a `FILE *`. Or alternatively use the `ERR_*` functions
>> to examine the stack and print it to your log:
>
> Yupp above my head.... :(

Ah. That's a shame - we could really use understanding the real error
behind this. "SSL_ERROR_SSL" just means "libssl encountered an error".
You have to modify your code to print more detailed error information.

There doesn't look to be anything obviously wrong from the snippets of
code that you have shared. I suspect some kind of config issue - but
without more detailed error information it's difficult to say for sure.

Would you be able to get a packet capture of a failing connection? That
might give us some kind of clue.

Do you know if your application is statically linked or dynamically
linked to OpenSSL?

>
> and lastly if it helps
>

Unfortunately, not really. This appears to show a working TLSv1.3
connection.

Matt


Re: ssl client write / server accept seems broken

Embedded Devel
>> I'm inclined to think the code for the certs is OK, but I can't really say,
>> and I'm not an OpenSSL programmer by any means... just need someone to
>> put eyes on the code and fix it really.
>
> The cert looks ok - at least nothing obviously wrong. 2048 bit RSA key.

yes freshly generated

>> when i run the client - i get an error on the client side Tue Mar 23
>> 02:13:58 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL -
>> return code: -1. Tue Mar 23 02:13:58 2021 user.info : ac_send_init():
>> Error

>> It would be useful to see any errors on the OpenSSL error stack which
>> might provide more details about specifically what has failed. For
>> example you can call the `ERR_print_errors_fp` function to dump the
>> error stack to a `FILE *`. Or alternatively use the `ERR_*` functions
>> to examine the stack and print it to your log:
>>
>> Yupp above my head.... :(
>
> Ah. That's a shame - we could really use understanding the real error
> behind this. "SSL_ERROR_SSL" just means "libssl encountered an error".
> You have to modify your code to print more detailed error information
>
> There doesn't look to be anything obviously wrong from the snippets of
> code that you have shared. I suspect some kind of config issue - but
> without more detailed error information its difficult to say for sure.
>
> Would you be able to get a packet capture of a failing connection?
> That might give us some kind of clue.
>
> Do you know if your application is statically linked or dynamically
> linked to OpenSSL?
I've attached the code in question if it helps.

Just compiled with gcc; I see no -lstatic in the makefile... I've
attached the ssl .c and .h files in question if you want to see them.

As for a packet capture, I can try; they are both remote systems.


>
>>
>> and lastly if it helps
>>
>
> Unfortunately, not really. This appears to show a working TLSv1.3
> connection.
>
> Matt
>

Attachments:
ac_ssl.c (1K)
ac_ssl.h (1K)
ac_ssl_client.c (4K)
ac_ssl_server.c (4K)

Re: ssl client write / server accept seems broken

Matt Caswell-2


On 23/03/2021 15:47, Embedded Devel wrote:
>> Do you know if your application is statically linked or dynamically
>> linked to OpenSSL?
> Ive attached the code in question if it helps
>


Looks like the original developer already tried to print the contents of
the OpenSSL error stack:

        case SSL_ERROR_SSL:
                LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
                break;
        }

        ERR_print_errors_fp(stderr); fflush(stderr);

The errors seem to be going to "stderr" rather than via your "LOG"
function. You don't show what "LOG" does but if it goes somewhere other
than stderr then the errors are going somewhere different to your log
file. Are you able to show us the stderr output from running your
application?


> just compiled with gcc, i see no -lstatic in the makefile ... ive
> attached the ssl .c and .h files in question if you want to see them

What does "ldd" show you for the application binary? i.e.

ldd name-of-your-binary-here


Matt

Re: ssl client write / server accept seems broken

Embedded Devel

On 3/23/21 11:06 PM, Matt Caswell wrote:

>
>
> On 23/03/2021 15:47, Embedded Devel wrote:
>>> Do you know if your application is statically linked or dynamically
>>> linked to OpenSSL?
>> Ive attached the code in question if it helps
>>
>
>
> Looks like the original developer already tried to print the contents
> of the OpenSSL error stack:
>
>         case SSL_ERROR_SSL:
>             LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d.
> %s\n", custom_prefix, ret_val, custom_msg);
>             break;
>     }
>
>     ERR_print_errors_fp(stderr);fflush(stderr);
>
> The errors seem to be going to "stderr" rather than via your "LOG"
> function. You don't show what "LOG" does but if it goes somewhere
> other than stderr then the errors are going somewhere different to
> your log file. Are you able to show us the stderr output from running
> your application?

logread

Tue Mar 23 16:09:43 2021 user.err : ac_ssl_client_write(): Error
SSL_ERROR_SSL - return code: -1.
Tue Mar 23 16:09:44 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:46 2021 user.err : ac_ssl_client_write(): Error
SSL_ERROR_SSL - return code: -1.
Tue Mar 23 16:09:46 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:49 2021 user.err : ac_ssl_client_write(): Error
SSL_ERROR_SSL - return code: -1.
Tue Mar 23 16:09:49 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:54 2021 user.err : ac_ssl_client_write(): Error
SSL_ERROR_SSL - return code: -1.
Tue Mar 23 16:09:54 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:59 2021 user.err : ac_ssl_client_write(): Error
SSL_ERROR_SSL - return code: -1.
Tue Mar 23 16:09:59 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:10:05 2021 user.err : ac_ssl_client_write(): Error
SSL_ERROR_SSL - return code: -1.
Tue Mar 23 16:10:05 2021 user.info : ac_send_init(): Error

Client side console:

2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a
function you should not call:ssl/ssl_lib.c:3690:

Nothing on the console; server side /var/log/messages:


Mar 23 17:09:54 optim04 ac_server[617182]: ac_ssl_server_accept(): Error
SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
Mar 23 17:09:54 optim04 ac_server[617182]: ac_ssl_server_accept(): Error
code: -3
Mar 23 17:09:59 optim04 ac_server[617182]: ac_ssl_server_accept(): Error
SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
Mar 23 17:09:59 optim04 ac_server[617182]: ac_ssl_server_accept(): Error
code: -3

Mar 23 17:10:05 optim04 ac_server[617182]: ac_ssl_server_accept(): Error
SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
Mar 23 17:10:05 optim04 ac_server[617182]: ac_ssl_server_accept(): Error
code: -3
[root@optim04 ~]#

>> just compiled with gcc, i see no -lstatic in the makefile ... ive
>> attached the ssl .c and .h files in question if you want to see them
>
> What does "ldd" show you for the application binary? i.e.
>
> ldd name-of-you-binary-here

client

root@OpenWrt:~# ldd /usr/sbin/ac_client
     /lib/ld-musl-mips-sf.so.1 (0x77e20000)
     libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x77da0000)
     libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x77bc6000)
     libaxl.so.0 => /usr/lib/libaxl.so.0 (0x77b6e000)
     libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77b4a000)
     libc.so => /lib/ld-musl-mips-sf.so.1 (0x77e20000)

server

ldd /usr/bin/ac_server
     linux-vdso.so.1 (0x00007fff2bd99000)
     libmariadb.so.3 => /lib64/libmariadb.so.3 (0x00007f9e81fbb000)
     libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9e81d9b000)
     libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f9e81b07000)
     libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f9e81621000)
     libaxl.so.0 => /lib64/libaxl.so.0 (0x00007f9e813ef000)
     libc.so.6 => /lib64/libc.so.6 (0x00007f9e8102c000)
     libz.so.1 => /lib64/libz.so.1 (0x00007f9e80e15000)
     libdl.so.2 => /lib64/libdl.so.2 (0x00007f9e80c11000)
     libm.so.6 => /lib64/libm.so.6 (0x00007f9e8088f000)
     /lib64/ld-linux-x86-64.so.2 (0x00007f9e82210000)

>
>
> Matt
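
An added example (Python, not the project's code and not from the thread) for triaging the client console output above: it parses ERR_print_errors_fp() lines, unpacks the 32-bit code into OpenSSL's library/function/reason fields, and flags the reason that a later post in the thread traces to a client SSL_CTX built with TLS_server_method(). The numeric constants come from the OpenSSL 1.1.1 headers; the two sample lines are constructed from the console output quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: two of the lines the client printed on its
# console via ERR_print_errors_fp(stderr), copied from the thread.
CLIENT_CONSOLE = """\
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
"""

# OpenSSL 1.1.x packs an error code as
#   lib (8 bits) << 24 | func (12 bits) << 12 | reason (12 bits)
ERR_LIB_SSL = 20                                       # 0x14, printed as "SSL routines"
ERR_R_FATAL = 64                                       # bit set on the non-recoverable ERR_R_* reasons
ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED = 2 | ERR_R_FATAL    # 66 == 0x042, "called a function you should not call"

# Line layout written by ERR_print_errors_fp():
#   <thread id>:error:<8 hex digits>:<lib name>:<func name>:<reason text>:<file>:<line>:
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):?$"
)


@dataclass
class OpenSSLError:
    tid: int
    code: int
    lib: int
    func: int
    reason: int
    fatal: bool
    lib_name: str
    func_name: str
    reason_text: str
    file: str
    line: int


def parse_error_line(text: str) -> Optional[OpenSSLError]:
    """Decode one ERR_print_errors_fp() line; None if the line is not one."""
    m = LINE_RE.match(text.strip())
    if m is None:
        return None
    code = int(m.group("code"), 16)
    reason = code & 0xFFF
    return OpenSSLError(
        tid=int(m.group("tid")),
        code=code,
        lib=(code >> 24) & 0xFF,
        func=(code >> 12) & 0xFFF,
        reason=reason,
        fatal=bool(reason & ERR_R_FATAL),
        lib_name=m.group("lib"),
        func_name=m.group("func"),
        reason_text=m.group("reason"),
        file=m.group("file"),
        line=int(m.group("line")),
    )


def parse_console(text: str) -> List[OpenSSLError]:
    """Keep only the lines that are OpenSSL error-stack entries."""
    parsed = (parse_error_line(line) for line in text.splitlines())
    return [e for e in parsed if e is not None]


def diagnose(errors: List[OpenSSLError]) -> str:
    """Map a decoded error stack to a short triage verdict.

    In 1.1.1, TLS_server_method() fills the connect-side handshake slot with
    ssl_undefined_function(), which raises ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
    as soon as SSL_connect()/SSL_write() run on a client built from it.
    """
    if not errors:
        return "no-openssl-errors: the error stack was not captured (stderr vs LOG?)"
    for e in errors:
        if e.lib == ERR_LIB_SSL and e.reason == ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
            return ("method-mismatch: %s hit %s; consistent with a client SSL_CTX built "
                    "from TLS_server_method(), verify the deployed binary uses "
                    "TLS_client_method()" % (e.lib_name, e.func_name))
    return "other: %s (%s:%d)" % (errors[0].reason_text, errors[0].file, errors[0].line)


if __name__ == "__main__":
    errs = parse_console(CLIENT_CONSOLE)
    e = errs[0]
    print("lib=%d func=%d reason=%d fatal=%s at %s:%d"
          % (e.lib, e.func, e.reason, e.fatal, e.file, e.line))
    print(diagnose(errs))
```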

Re: ssl client write / server accept seems broken

Embedded Devel
In reply to this post by Matt Caswell-2

On 3/23/21 11:06 PM, Matt Caswell wrote:
>
>
> On 23/03/2021 15:47, Embedded Devel wrote:
>>> Do you know if your application is statically linked or dynamically
>>> linked to OpenSSL?
>> Ive attached the code in question if it helps

Original code was deprecated, and changed from

/*      if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) { */
         if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {

which also got added to the client side, yet should have been:

client should be

if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {

not

if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {


>
> Looks like the original developer already tried to print the contents
> of the OpenSSL error stack:
>
>         case SSL_ERROR_SSL:
>             LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d.
> %s\n", custom_prefix, ret_val, custom_msg);
>             break;
>     }
>
>     ERR_print_errors_fp(stderr);fflush(stderr);
>
> The errors seem to be going to "stderr" rather than via your "LOG"
> function. You don't show what "LOG" does but if it goes somewhere
> other than stderr then the errors are going somewhere different to
> your log file. Are you able to show us the stderr output from running
> your application?
>
>
>> just compiled with gcc, i see no -lstatic in the makefile ... ive
>> attached the ssl .c and .h files in question if you want to see them
>
> What does "ldd" show you for the application binary? i.e.
>
> ldd name-of-you-binary-here
>
>
> Matt

Re: ssl client write / server accept seems broken

JONATHAN PELAEZ

On Wed, Mar 24, 2021, 10:54 PM Embedded Devel <[hidden email]> wrote:

On 3/23/21 11:06 PM, Matt Caswell wrote:
>
>
> On 23/03/2021 15:47, Embedded Devel wrote:
>>> Do you know if your application is statically linked or dynamically
>>> linked to OpenSSL?
>> Ive attached the code in question if it helps

Original code was deprecated, and changed from

/*      if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) { */
         if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {

which also got added to the client side yet should have been

client should be

if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {

not

if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {


>
> Looks like the original developer already tried to print the contents
> of the OpenSSL error stack:
>
>         case SSL_ERROR_SSL:
>             LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d.
> %s\n", custom_prefix, ret_val, custom_msg);
>             break;
>     }
>
>     ERR_print_errors_fp(stderr);fflush(stderr);
>
> The errors seem to be going to "stderr" rather than via your "LOG"
> function. You don't show what "LOG" does but if it goes somewhere
> other than stderr then the errors are going somewhere different to
> your log file. Are you able to show us the stderr output from running
> your application?
>
>
>> just compiled with gcc, i see no -lstatic in the makefile ... ive
>> attached the ssl .c and .h files in question if you want to see them
>
> What does "ldd" show you for the application binary? i.e.
>
> ldd name-of-you-binary-here
>
>
> Matt

Re: ssl client write / server accept seems broken

Embedded Devel
In reply to this post by Embedded Devel

On 3/24/21 9:53 PM, Embedded Devel wrote:
>
> On 3/23/21 11:06 PM, Matt Caswell wrote:
>>
>>
>> On 23/03/2021 15:47, Embedded Devel wrote:
>>>> Do you know if your application is statically linked or dynamically
>>>> linked to OpenSSL?
>>> Ive attached the code in question if it helps


And nope, still have the errors.


>
> original code was deprecated, and changed from
>
> /*      if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) ==
> NULL) { */
>         if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
>
> which also got added to the client side yet should have been
>
> client should be
>
> if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
>
> not
>
> if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
>
>
>>
>> Looks like the original developer already tried to print the contents
>> of the OpenSSL error stack:
>>
>>         case SSL_ERROR_SSL:
>>             LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d.
>> %s\n", custom_prefix, ret_val, custom_msg);
>>             break;
>>     }
>>
>>     ERR_print_errors_fp(stderr);fflush(stderr);
>>
>> The errors seem to be going to "stderr" rather than via your "LOG"
>> function. You don't show what "LOG" does but if it goes somewhere
>> other than stderr then the errors are going somewhere different to
>> your log file. Are you able to show us the stderr output from running
>> your application?
>>
>>
>>> just compiled with gcc, i see no -lstatic in the makefile ... ive
>>> attached the ssl .c and .h files in question if you want to see them
>>
>> What does "ldd" show you for the application binary? i.e.
>>
>> ldd name-of-you-binary-here
>>
>>
>> Matt