On 02/06/2013 12:30 PM, Brad House wrote:
...<snip>...
> I should also note that currently I am using
> OpenSSL 1.0.1d-fips 5 Feb 2013
> On an Intel(R) Core(TM) i7-3770S CPU @ 3.10GHz running Ubuntu 12.04 64bit
> (so presumably I'm using AES-NI ... noticed changes to that in the
> changelog).
>
> I have not yet tried to compile it in non-FIPS mode to rule
> that out, but I am not running it in an active FIPS mode.  I
> have reproduced this issue on Linux x64 and Windows x86 thus far,
> I haven't tested it on any other system.
...<snip>...

I have reproduced the issue with a stock build as well following
the procedure below.  The stock build does seem to have a couple
of behavioral differences.  First, I can reproduce the issue
now on the server side without specifying the cipher as long as
the client side does specify the cipher suite.  Next, I can only
get the actual error message to be reported when running under
valgrind... however, the corruption is ALWAYS there when not
running under valgrind.

I can see it exhibited by a random character before the word
"DONE" on the server side after my "Hello World" is printed out
that was sent from the client side.  Using older versions did not
exhibit this behavior.

Perhaps the issue is in the ECDHE-RSA-AES256-SHA cipher suite
which is being chosen... when it uses ECDHE-RSA-AES256-GCM-SHA384
when no cipher suite is specified, everything is OK (e.g. no
valgrind errors and no random character).

Here are examples of that random corruption character I see
before the word "DONE":

=====
Secure Renegotiation IS supported
Hello World
JDONE
shutting down SSL
=====
Secure Renegotiation IS supported
Hello World
�DONE
shutting down SSL
=====
Secure Renegotiation IS supported
Hello World
2DONE
shutting down SSL
=====
Secure Renegotiation IS supported
Hello World
PDONE
shutting down SSL
=====

Here's how the binary was built:

cd /tmp && \
wget http://www.openssl.org/source/openssl-1.0.1d.tar.gz && \
tar -zxvpf openssl-1.0.1d.tar.gz && \
cd openssl-1.0.1d && \
./config threads shared --prefix=/usr/local/ssl-1.0.1d && \
make && \
make test && \
sudo make install && \
rm -rf openssl-1.0.1d openssl-1.0.1d.tar.gz


$ ldd /usr/local/ssl-1.0.1d/bin/openssl
        linux-vdso.so.1 =>  (0x00007fffec5ff000)
        libssl.so.1.0.0 => /usr/local/ssl-1.0.1d/lib/libssl.so.1.0.0 (0x00007f79cdf97000)
        libcrypto.so.1.0.0 => /usr/local/ssl-1.0.1d/lib/libcrypto.so.1.0.0 (0x00007f79cdbbc000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f79cd7dd000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f79cd5d9000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f79ce203000)


$ /usr/local/ssl-1.0.1d/bin/openssl version
OpenSSL 1.0.1d 5 Feb 2013

Thanks.
-Brad
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
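
The symptom reported above (stray bytes between the received "Hello World" and the "DONE" line) can be checked mechanically over captured server-side output. The following is an added example, not part of the original message or of OpenSSL; the function names and the sample transcript are assumptions constructed for illustration.

```python
import re

# Constructed transcript modelled on the server-side output quoted in the
# message. The stray bytes (b"J", b"\xf3") are illustrative, not captured data.
SESSIONS = [
    b"Secure Renegotiation IS supported\nHello World\nJDONE\nshutting down SSL\n",
    b"Secure Renegotiation IS supported\nHello World\n\xf3DONE\nshutting down SSL\n",
    b"Secure Renegotiation IS supported\nHello World\nDONE\nshutting down SSL\n",
]
SAMPLE = b"=====\n".join(SESSIONS)


def stray_prefixes(transcript, payload=b"Hello World", marker=b"DONE"):
    """Return, per session, the bytes found between the payload line and the marker.

    Works on raw bytes so that non-UTF-8 garbage is preserved rather than
    replaced during decoding. A clean session yields b"".
    """
    pattern = re.compile(
        re.escape(payload) + rb"\r?\n(.*?)" + re.escape(marker) + rb"\r?$",
        re.DOTALL | re.MULTILINE,
    )
    return [m.group(1) for m in pattern.finditer(transcript)]


def corrupted_sessions(transcript, payload=b"Hello World", marker=b"DONE"):
    """Return the indexes of sessions whose marker line carries unexpected bytes."""
    return [i for i, stray in enumerate(stray_prefixes(transcript, payload, marker))
            if stray]


if __name__ == "__main__":
    for i, stray in enumerate(stray_prefixes(SAMPLE)):
        status = "CORRUPT " + stray.hex() if stray else "clean"
        print(f"session {i}: {status}")
```
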