Hi,
I updated the ticket [openssl.org #4060] with some code and log file.
I have to tell you that the previous SSLv23_method, which I commented out this time,
worked fine with me and the SSL server. I just changed that line to TLSv1_2_method.
Now my application always crashes when I call SSL_connect().
At first, I created the SSL context with the function below (the function looked like it
returned successfully, because it returned the SSL_CTX object):
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <openssl/ssl.h>
#include <openssl/rand.h>
/* SerialWriteTestLine_Time() and the other diag helpers, the TSSL_connect and
   TSSL_params types, tcp_connect_timeout_ex(), set_expire_time() and is_expired()
   are application-specific and are declared in headers that are not shown here. */
SSL_CTX *initialize_ctx_ex(char *keyfile, char *password, char *ca_list,
                           char *random, char *error, char *diag, char isDiag) {
    const SSL_METHOD *meth;  /* the *_method() functions return a const pointer in 1.0.x */
    SSL_CTX *ctx;
    /* Create our context */
    //meth = SSLv3_method(); /* I previously applied the SSLv23 method, and it worked fine for me. */
    meth = TLSv1_2_method(); /* Now I switch to TLSv1.2, I just changed this one line in my code */
    if (isDiag && meth) {
        SerialWriteTestLine_Time("initialize_ctx_ex Call TLSv1_2_method(meth) done.", diag);
    }
    ctx = SSL_CTX_new(meth);
    if (!ctx) {  /* SSL_CTX_new() can fail; passing a NULL ctx on would crash later */
        strcpy(error, "Couldn't create SSL context");
        if (isDiag) {
            SerialWriteTestLine_Time(error, diag);
        }
        return NULL;
    }
    /* Load the CAs we trust */
    if (!(SSL_CTX_load_verify_locations(ctx, ca_list, 0))) {
        sprintf(error, "Couldn't read CA list: %s", ca_list);
        if (isDiag) {
            SerialWriteTestLine_Time(error, diag);
        }
        SSL_CTX_free(ctx);  /* don't leak the context on the error path */
        return NULL;
    }
    SSL_CTX_set_verify_depth(ctx, 1);
    /* Load randomness */
    if (random && *random) {
        if (!(RAND_load_file(random, 1024*1024))) {
            strcpy(error, "Couldn't load randomness");
            if (isDiag) {
                SerialWriteTestLine_Time(error, diag);
            }
            SSL_CTX_free(ctx);
            return NULL;
        }
    }
    if (isDiag) {
        SerialWriteTestLine_Time("Exit initialize_ctx_ex", diag);
    }
    return ctx;
}
/* The above initialize_ctx_ex() is invoked inside the following function
   SSL_connect_tr_ex() */
/* prototype for the handshake helper, which is defined further below */
int ConnectSSL_ex(SSL *ssl, int sock, char *error, char *diag, char isDiag, int timeout);
int SSL_connect_tr_ex(pTSSL_connect sslc, char *msg, pTSSL_params pssl,
                      char *diag, char isDiag) {
    BIO *sbio;
    int res;
    /* Build our SSL context */
    memset(sslc, 0, sizeof(TSSL_connect));
    if (isDiag) {
        SerialWriteTestLine_Time("initialize_ctx", diag);
        SerialWriteTestLine_string_Time("initialize_ctx ipADdress ", pssl->ipaddress, diag);
        SerialWriteTestLine_int_Time("initialize_ctx ipADdress ", pssl->ipport, diag);
    }
    /* the function initialize_ctx_ex() looked like it returned successfully,
       because it returned the SSL_CTX object */
    sslc->ctx = initialize_ctx_ex(pssl->keyfile, pssl->password, pssl->ca_list,
                                  pssl->random, msg, diag, isDiag);
    if (!sslc->ctx) {
        if (isDiag) {
            SerialWriteTestLine_Time("tcp_connect !ssl->ctx", diag);
        }
        return 0;
    }
    /* Then I continue to set up the TCP socket to the server */
    /* Connect the TCP socket */
    if (isDiag) {
        SerialWriteTestLine_Time("tcp_connect", diag);
    }
    sslc->sock = tcp_connect_timeout_ex(pssl->ipaddress, pssl->ipport, pssl->timeout,
                                        msg, diag, isDiag);
    if (sslc->sock == -1) return 0;
    /* Connect the SSL socket */
    if (isDiag) {
        SerialWriteTestLine_Time("Connect the SSL socket [SSL_new(ctx)]", diag);
    }
    sslc->ssl = SSL_new(sslc->ctx);
    if (!sslc->ssl) {  /* SSL_new() can fail; SSL_connect() on a NULL SSL would crash */
        strcpy(msg, "SSL_new failed");
        return 0;
    }
    if (isDiag) {
        SerialWriteTestLine_Time("Connect the SSL socket [BIO_new_socket(sock, BIO_NOCLOSE)]", diag);
    }
    sbio = BIO_new_socket(sslc->sock, BIO_NOCLOSE);
    if (!sbio) {  /* BIO_new_socket() can fail too; SSL_set_bio() would then install a NULL BIO */
        strcpy(msg, "BIO_new_socket failed");
        return 0;
    }
    if (isDiag) {
        SerialWriteTestLine_Time("Connect the SSL socket [SSL_set_bio(ssl, sbio, sbio)]", diag);
    }
    SSL_set_bio(sslc->ssl, sbio, sbio);
    if (isDiag) {
        SerialWriteTestLine_Time("Connect the SSL socket [ConnectSSL(ssl, sock, msg)]", diag);
    }
    /* Now I am going to connect, and I got a crash in the following function */
    res = ConnectSSL_ex(sslc->ssl, sslc->sock, msg, diag, isDiag, pssl->timeout);
    if (!res) {
        return 0;
    }
    return 1;
}
/* My ConnectSSL_ex() is defined as: */
int ConnectSSL_ex(SSL *ssl, int sock, char *error, char *diag, char isDiag, int timeout) {
    int res;
    int sslerror;
    time_t exptime;
    int isexp;
    if (isDiag) {
        SerialWriteTestLine_Time("ConnectSSL [ioctlsocket(socket, FIONBIO, &flags)]", diag);
    }
    if (timeout > 15) {
        timeout -= 5;
    }
    exptime = set_expire_time(timeout);
    for (;;) {
        /* !!!!!! I crashed HERE !!!!, the SSL_connect is a standard SSL library function! */
        res = SSL_connect(ssl);
        /* My application terminated at the SSL_connect() due to the crash,
           because if it returned there should be a log message as below */
        if (isDiag) {
            SerialWriteTestLine_int_Time("SSL_connect returned and return value is ", res, diag);
        }
        if (res <= 0) {
            sslerror = SSL_get_error(ssl, res);
            /* On a non-blocking socket the handshake can also ask for a writable
               socket; treat that like WANT_READ instead of failing. This loop
               busy-waits until the socket is ready or the timeout expires. */
            if (sslerror == SSL_ERROR_WANT_READ || sslerror == SSL_ERROR_WANT_WRITE) {
                isexp = is_expired(exptime);
                if (isexp == 1) {
                    strcpy(error, "SSL connect error");
                    return 0;
                }
                continue;
            }
            strcpy(error, "SSL connect error");
            return 0;
        }
        break;
    }
    strcpy(error, "SSL connect OK");
    return 1;
}
Is there any setup of the BIO or the SSL context that should be changed? Or is there any
special compiler flag that should be used when I compile my application if I want to
use TLSv1.2?
I am suspecting some setup of my OpenSSL library is wrong (wrong configuration
when I compiled and installed openssl-1.0.1p?). Because my application
crashed when I
If my code doesn't help you, could you please give me some instructions/technical
documentation telling me how to use TLSv1.2 for SSL communication? If you can offer me
some simple code to set up an SSL communication channel with TLSv1.2, that would be
helpful! Thanks!
Tyler
-----Original Message-----
From: The default queue via RT [mailto:[email protected]]
Sent: September-24-15 12:08 PM
To: Tiantian Liu
Subject: [openssl.org #4060] AutoReply: a crash happened inside SSL_Connect
function
Greetings,
This message has been automatically generated in response to the creation of a
trouble ticket regarding:
"a crash happened inside SSL_Connect function", a summary of which
appears below.
There is no need to reply to this message right now. Your ticket has been
assigned an ID of [openssl.org #4060].
Please include the string:
[openssl.org #4060]
in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.
Thank you,
[email protected]
-------------------------------------------------------------------------
Hi,
I am a software developer who is struggling with an application development based
on OpenSSL 1.0.1 (released on 2012-03-14) under Linux (32-bit Redhat).
I used to use the SSL functions from OpenSSL 0.9.8, and my application worked
fine. I applied SSLv23_method() to set up the SSL context and communicate
with the customer's server over various SSL/TLS protocols.
However, recently my customer required me to upgrade my OpenSSL library, because
their server only supports TLS 1.2. So I downloaded the OpenSSL 1.0.1 source package,
then compiled and installed it successfully.
I configured the OpenSSL as:
#./config -prefix=/usr shared    //I have to generate the shared libraries like libssl.so, libcrypto.so
Then I found my SSL context, set up by SSLv23_method(), stopped working; I can't
reach their server anymore. It looked like they didn't understand my handshake
message when I called SSL_Connect().
So I switched to TLSv1_2_method() to build the SSL context. However, my
program crashed every time I called SSL_Connect(); I mean the crash happened
inside SSL_Connect(), and it didn't return at all.
Now I have tried 2 methods:
1. SSLv23_method() to build the SSL context
    const SSL_METHOD *meth;  /* the *_method() functions return a const pointer in 1.0.x */
    SSL_CTX *ctx;
    ......
    meth = SSLv23_method();
    ctx = SSL_CTX_new(meth);
    //Only allow TLSv1_1 or higher
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                             SSL_OP_NO_TLSv1);
    ......
The SSL_Connect() resulted in:
ConnectSSL [SSL_connect(ssl)] failed: 5
SSL_ERROR_SYSCALL: 5
2. TLSv1_2_method() to build the SSL context
    const SSL_METHOD *meth;
    SSL_CTX *ctx;
    ......
    meth = TLSv1_2_method();
    ctx = SSL_CTX_new(meth);
then the SSL_connect() crashed when I invoked it.
Currently, I don't know how to attack this issue; all the code worked fine
before. I just changed SSLv23_method to TLSv1_2_method. Is there any
difference between those 2 functions? What should I do if I want to use
TLSv1_2_method?
I would be very pleased if any of you have any idea to help me.
Thanks,
Tyler
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev