Hello,

> I first do SSL_connect. Tshark shows following:
>
> 0.004727 193.53.0.56 -> 130.59.10.95 SSLv2 Client Hello
> 0.007715 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [ACK] Seq=1
> Ack=143 Win=6864 Len=0 TSV=2682067880 TSER=1368743865
> 0.042333 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
> reassembled PDU]
> 0.042432 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
> reassembled PDU]
> 0.042478 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
> Seq=143 Ack=2897 Win=63712 [TCP CHECKSUM INCORRECT] Len=0
> TSV=1368743865 TSER=2682067912
> 0.087649 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
> reassembled PDU]
> 0.088289 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
> reassembled PDU]
> 0.088408 130.59.10.95 -> 193.53.0.56 TLSv1 Server Hello,
> Certificate, Server Key Exchange, Server Hello Done
> 0.089515 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
> Seq=143 Ack=6914 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
> TSV=1368743865 TSER=2682067958
> 0.195570 193.53.0.56 -> 130.59.10.95 TLSv1 Client Key Exchange,
> Change Cipher Spec, Encrypted Handshake Message

Here we have end of client handshake packets:
 - Client Key Exchange
 - Change Cipher Spec (from now, all communication to server
   will be encrypted)
 - Encrypted Handshake Message - probably client Finished packet,
   but this packet is encrypted and we know only that this packet
   belongs to handshake protocol

> 0.225875 130.59.10.95 -> 193.53.0.56 TLSv1 Change Cipher Spec
> 0.246038 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
> Seq=333 Ack=6920 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
> TSV=1368743865 TSER=2682068098
> 0.249246 130.59.10.95 -> 193.53.0.56 TLSv1 Encrypted Handshake
> Message

Here we have end of server handshake packets:
 - Change Cipher Spec (from now, all communication to client
   will be encrypted)
 - Encrypted Handshake Message - probably server Finished packet,
   but this packet is encrypted and we know only that this packet
   belongs to handshake protocol

> 0.446155 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
> Seq=333 Ack=6965 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
> TSV=1368743866 TSER=2682068121
> 0.777072 130.59.10.95 -> 193.53.0.56 TLSv1 Application Data
> 0.846349 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
> Seq=333 Ack=7002 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
> TSV=1368743866 TSER=2682068649
> 0.852923 130.59.10.95 -> 193.53.0.56 TLSv1 Application Data
> 1.046481 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
> Seq=333 Ack=8359 Win=65214 [TCP CHECKSUM INCORRECT] Len=0
> TSV=1368743867 TSER=2682068721

Two encrypted application data packets from server.

> It is, the peer is sending application data after I connect. When I
> try, following happens:
>
> 1.777630 193.53.0.56 -> 130.59.10.95 TLSv1 Client Hello
> 1.781125 130.59.10.95 -> 193.53.0.56 TLSv1 Encrypted Alert
> 1.781129 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [FIN, ACK]
> Seq=8388 Ack=465 Win=9008 Len=0 TSV=2682069653 TSER=1368743868
> 1.781221 193.53.0.56 -> 130.59.10.95 TLSv1 Alert (Level: Fatal,
> Description: Unexpected Message), Alert (Level: Fatal, Description:
> Unexpected Message)

This looks like your client tries to do second handshake,
this is not re-handshake (renegotiation) because when renegotiation
is performed packets are encrypted and we may see only something
like "Encrypted Handshake Message", not "Client Hello".

For me this looks like you are using one context for SSL_connect()
and other for SSL_read(). When SSL_read() is performed on SSL object
created from SSL_CTX which is created with "client" method,
auto-SSL_connect() is performed on unconnected SSL object when
SSL_read()/SSL_write() is called.
Check this.

>
> This happens multiple times. Then
>
> 1.781245 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
> Seq=1144 Ack=8389 Win=65222 [TCP CHECKSUM INCORRECT] Len=0
> TSV=1368743868 TSER=2682069653
> 1.784479 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [RST]
> Seq=8388 Len=0
> 1.784483 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [RST]
> Seq=8389 Len=0

Server reset connection.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]