Bug#701868: openssl communication problems with 1.0.1e with AES-NI
Hello,

On Saturday, 9 March 2013, 15:44:38, Kurt Roeckx wrote:
> They asked if you use any LD_* environment variables.

printenv | grep LD is empty.

> lsof -p $pid of s_client process would also be nice.

See attached file lsof-sclient.txt.

> If you have a custom /etc/ssl/openssl.cnf, it would also be nice if
> you could send that.

I have the default one created by the Debian package.

> /proc/cpuinfo would also be nice to have.

See attached file proc-cpuinfo.txt.

> If you know how to use gdb, they ask to print variables and buffers
> in e_aes_cbc_hmac_sha1.c
>
> If you want to debug it, debugging might not show you source code
> since you might have the source in a different path. The .deb files
> can be generated from the source above using:
>
>     DEB_BUILD_MAINT_OPTIONS=hardening=-all DEB_BUILD_OPTIONS="noopt nostrip" dpkg-buildpackage -B -uc
>
> If you build it yourself, you can also just run the ./openssl.static
> binary instead of installing the .deb package.

With your instructions I was able to build a static version with debug symbols. Now, I get a more helpful backtrace at the point where s_client errors out (see attached file backtrace.txt).

I have set a breakpoint at e_aes_cbc_hmac_sha1.c:450. The function is called multiple times before the error occurs and I do not know for what to look exactly. I have output the parameters of two calls (see attached file gdb-output.txt).

Without knowing for what to look exactly, I think it is very difficult to generate helpful information. Maybe somebody here or on the openssl-dev mailing list [1] suggests what might be helpful.

Thank you for your support!
Kind regards
Benjamin

[1] http://www.mail-archive.com/openssl-dev@openssl.org/msg32168.html
Bug#701868: openssl communication problems with 1.0.1e with AES-NI
On 2013-03-09 15:44, Kurt Roeckx wrote:
> If you know how to use gdb, they ask to print variables and buffers
> in e_aes_cbc_hmac_sha1.c

In all calls? Any specific function or all of them?

Cheers,
Marcus
Bug#701868: openssl communication problems with 1.0.1e with AES-NI
On Sun, Mar 10, 2013 at 09:44:27PM +0100, Marcus Better wrote:
> On 2013-03-09 15:44, Kurt Roeckx wrote:
> > If you know how to use gdb, they ask to print variables and buffers
> > in e_aes_cbc_hmac_sha1.c
>
> In all calls? Any specific function or all of them?

I have no idea, I don't know the code. My guess would be in the aesni_cbc_hmac_sha1_cipher() function. Maybe the call before you get the mac error?

Kurt
Bug#701868: openssl communication problems with 1.0.1e with AES-NI
On Saturday 09 March 2013 14:44:38 Kurt Roeckx wrote:
> So what upstream asks is to try and reproduce it with s_client. At
> least 1 person reported that this fails for him:
>
>     openssl s_client -connect mail.uni-paderborn.de:465
>
> And then send EHLO test

No, that doesn't fail for me. I have been unable to reproduce the problem using either s_client or s_server (or both).

I *can* reproduce the problem if I submit a particular email message to exim4 on my client, which then tries to send it to my postfix smarthost (the error occurs in the postfix server smtpd receiving the message). The content of the email message does not matter (I replaced all the content and headers with the letter x), but the length is critical.

However, I have tried both sending the message using s_client instead of exim4 and receiving it in s_server instead of postfix and the problem does not occur in either case. However, I do notice, from the logs, that these manual tests do not reproduce the same bundling of messages and responses nor, of course, the same timing. And postfix makes heavy use of non-blocking BIO streams which I presume s_client and s_server do not.

> They asked if you use any LD_* environment variables.

No.

Graham
Bug#701868: openssl communication problems with 1.0.1e with AES-NI
Hi,

On request of openssl upstream I've put a version of the package online which is statically linked against the openssl libraries and has debug info. There seem to be various people who run into this problem, but we seem to be unable to reproduce it on any of our systems.

It's available from:
http://people.debian.org/~kroeckx/openssl/static_debug/

You only need the openssl package from there (openssl_1.0.1e-1+test1_amd64.deb), since the shared libraries aren't needed for the test.

So what upstream asks is to try and reproduce it with s_client. At least 1 person reported that this fails for him:

    openssl s_client -connect mail.uni-paderborn.de:465

And then send EHLO test

Others might try to reproduce something similar with their own servers.

They asked if you use any LD_* environment variables.

lsof -p $pid of s_client process would also be nice.

If you have a custom /etc/ssl/openssl.cnf, it would also be nice if you could send that.

/proc/cpuinfo would also be nice to have.

If you know how to use gdb, they ask to print variables and buffers in e_aes_cbc_hmac_sha1.c

If you want to debug it, debugging might not show you source code since you might have the source in a different path. The .deb files can be generated from the source above using:

    DEB_BUILD_MAINT_OPTIONS=hardening=-all DEB_BUILD_OPTIONS="noopt nostrip" dpkg-buildpackage -B -uc

If you build it yourself, you can also just run the ./openssl.static binary instead of installing the .deb package.

Kurt
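
The non-gdb items requested in the message above, gathered by one script. This is an added example, not part of the original mail or of the Debian package; the function names are its own, and it assumes a Debian system with dpkg-query, md5sum and lsof installed.

```shell
#!/bin/sh
# Added example: collects the non-gdb items requested above for a bug report.
# Function names and the report layout are this example's own (hypothetical).

# LD_* variables in the current environment (no output means none are set).
ld_vars() {
    env | grep '^LD_' || true
}

# Succeeds if the cpuinfo file ($1) lists the "aes" CPU flag, i.e. AES-NI.
# The flags line is split into one flag per line so only an exact match counts.
has_aesni() {
    grep -m1 '^flags' "$1" | tr ' \t' '\n\n' | grep -qx 'aes'
}

# Succeeds if conffile $1 of Debian package $2 differs from the packaged
# version, by comparing its MD5 with the checksum dpkg recorded at install.
conffile_changed() {
    want=$(dpkg-query -W -f='${Conffiles}\n' "$2" | awk -v f="$1" '$1 == f {print $2}')
    have=$(md5sum "$1" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" != "$have" ]
}

# Full report for a running s_client process: collect <pid>
collect() {
    echo "== LD_* variables =="; ld_vars
    echo "== AES-NI =="
    if has_aesni /proc/cpuinfo; then echo "aes flag present"; else echo "aes flag absent"; fi
    echo "== /etc/ssl/openssl.cnf =="
    if conffile_changed /etc/ssl/openssl.cnf openssl; then
        echo "modified, attach it to the report"
    else
        echo "unmodified or not tracked by dpkg"
    fi
    echo "== open files of PID $1 =="; lsof -p "$1"
    echo "== /proc/cpuinfo =="; cat /proc/cpuinfo
}

# Run only when invoked with the PID of the s_client process as argument.
if [ -n "${1:-}" ]; then collect "$1"; fi
```

Start s_client in one terminal, find its PID, and run the script with that PID in another while the connection is still open.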