[openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
On Thu Jan 15 17:21:35 2015, matt wrote:
> In response to your previous documentation question it is (unfortunately)
> undocumented. :-(
>
> The best I can offer you is the source code:
>
> int read_ahead; /* Read as many input bytes as possible
>                  * (for non-blocking reads) */
>
> With regards to your second point, I consider it a bug that this is not the
> default for DTLS. Unfortunately that bug has remained dormant until the fix for
> CVE-2014-0206 exposed it.
>
> I'm keeping this ticket open, until we have a proper fix. For now though the
> workaround is to use the SSL_CTX_set_read_ahead function directly.

A slight correction to the notes above. The reference should be to
CVE-2014-3571 (not CVE-2014-0206 as stated).

I have now committed the fix for this problem. See commit 8dd4ad0ff in master
(for 1.0.1 see 1895583). This fix makes read_ahead the default for DTLS...and
in fact you can't turn it off now for DTLS either (calls to the read_ahead
functions are ignored).

I've also added some documentation for the read_ahead functions in commit
85074745. These are now irrelevant for DTLS (since you can't turn read_ahead
off), but still relevant for TLS.

Closing this ticket.

Matt
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Matt,

Thank you for the support. This was lucrative and good response time!

Best regards,
Andrei
[openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
On Thu Jan 15 17:01:51 2015, shir...@gmail.com wrote:
> Hi all,
>
> Also, just for completeness, I want to point out I'm a fortunate case
> where I can actually touch the code and recompile it to fix the
> issue. I'm sure that other cases are not so fortunate. IMHO, when
> DTLS method is used, that call should be made by default in the
> internals of OpenSSL

In response to your previous documentation question it is (unfortunately)
undocumented. :-(

The best I can offer you is the source code:

int read_ahead; /* Read as many input bytes as possible
                 * (for non-blocking reads) */

With regards to your second point, I consider it a bug that this is not the
default for DTLS. Unfortunately that bug has remained dormant until the fix for
CVE-2014-0206 exposed it.

I'm keeping this ticket open, until we have a proper fix. For now though the
workaround is to use the SSL_CTX_set_read_ahead function directly.

Matt
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Hi all,

Also, just for completeness, I want to point out I'm a fortunate case where I
can actually touch the code and recompile it to fix the issue. I'm sure that
other cases are not so fortunate. IMHO, when DTLS method is used, that call
should be made by default in the internals of OpenSSL

Best regards,
Andrei
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Hi,

Adding "SSL_CTX_set_read_ahead(pSslContext, 1);" fixed both the test app and
the real app I'm working on.

May I ask where I should read more about this function? I'm grateful that it
now works, but it is kind of a tough thing to just swallow this info without
chewing on it a bit :)

Best regards,
Andrei
[openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Please could you try making the following call:

SSL_CTX_set_read_ahead(ctx, 1);

Insert it immediately after these lines in your test code:

pSslContext = SSL_CTX_new(DTLSv1_server_method());
assert(pSslContext != NULL);
assert(SSL_CTX_use_certificate(pSslContext, pX509) == 1);
assert(SSL_CTX_use_PrivateKey(pSslContext, pX509Key) == 1);
assert(SSL_CTX_check_private_key(pSslContext) == 1);

Thanks

Matt
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
The openssl s_server/s_client -dtls1 works

I now suspect a special edge case of dtls1_get_record function. That buffer I'm
feeding into OpenSSL is taken from Chrome WebRTC DTLS handshake, and as we saw,
is perfectly valid in older OpenSSL versions.

Still digging...
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Looks like dtls1_get_record is always returning -1

Still digging...

> On Jan 15, 2015, at 00:01, Eugen-Andrei Gavriloaie wrote:
>
> $ /tmp/dtls_bug
> ret: -1
> sslErrorCode: 2
> Assertion failed: (pSSLBuffer->length != 0), function main, file
> /Users/shiretu/Dropbox/Public/dtls_bug.c, line 114.
> Abort trap: 6
>
> errorCode 2 means SSL_ERROR_WANT_READ, which is consistent with the rejection
> of the input packet.
>
> And the updated source:
> https://dl.dropboxusercontent.com/u/2918563/dtls_bug.c
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
> On Jan 14, 2015, at 23:39, Viktor Dukhovni wrote:
>
> You should also update your code to report error return values from
> SSL_accept() and print the contents of error stack.

$ /tmp/dtls_bug
ret: -1
sslErrorCode: 2
Assertion failed: (pSSLBuffer->length != 0), function main, file
/Users/shiretu/Dropbox/Public/dtls_bug.c, line 114.
Abort trap: 6

errorCode 2 means SSL_ERROR_WANT_READ, which is consistent with the rejection
of the input packet.

And the updated source:
https://dl.dropboxusercontent.com/u/2918563/dtls_bug.c
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
> On Jan 14, 2015, at 23:39, Viktor Dukhovni wrote:
>
> And you have the 1.0.1k include files (/tmp/ssl/include/openssl/*.h)?

$ ls -Al /tmp/ssl/include/
total 0
drwxr-xr-x 77 shiretu wheel 2618 Jan 14 23:27 openssl

> And "/tmp/ssl/bin/openssl version -a" output is what?

$ /tmp/ssl/bin/openssl version
OpenSSL 1.0.1k 8 Jan 2015

> You should also update your code to report error return values from
> SSL_accept() and print the contents of error stack.
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
On Wed, Jan 14, 2015 at 11:31:02PM +0200, Eugen-Andrei Gavriloaie wrote:

> Dynamic:
> $ ls -Al /tmp/ssl/lib/
> total 11336
> drwxr-xr-x 14 shiretu wheel 476 Jan 14 23:27 engines
> -r-xr-xr-x 1 shiretu wheel 1602352 Jan 14 23:27 libcrypto.1.0.0.dylib
> -rw-r--r-- 1 shiretu wheel 3196880 Jan 14 23:27 libcrypto.a
> lrwxr-xr-x 1 shiretu wheel 21 Jan 14 23:27 libcrypto.dylib -> libcrypto.1.0.0.dylib
> -r-xr-xr-x 1 shiretu wheel 382440 Jan 14 23:27 libssl.1.0.0.dylib
> -rw-r--r-- 1 shiretu wheel 605504 Jan 14 23:27 libssl.a
> lrwxr-xr-x 1 shiretu wheel 18 Jan 14 23:27 libssl.dylib -> libssl.1.0.0.dylib
> drwxr-xr-x 5 shiretu wheel 170 Jan 14 23:27 pkgconfig

And you have the 1.0.1k include files (/tmp/ssl/include/openssl/*.h)?
And "/tmp/ssl/bin/openssl version -a" output is what?

> $ gcc ~/Dropbox/Public/dtls_bug.c -I/tmp/ssl/include -L/tmp/ssl/lib -lssl -lcrypto -o /tmp/dtls_bug
>
> $ otool -L /tmp/dtls_bug
> /tmp/dtls_bug:
> 	/tmp/ssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
> 	/tmp/ssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
> 	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
>
> $ /tmp/dtls_bug
> Assertion failed: (pSSLBuffer->length != 0), function main, file
> /Users/shiretu/Dropbox/Public/dtls_bug.c, line 110.
> Abort trap: 6

You should also update your code to report error return values from
SSL_accept() and print the contents of error stack.

--
Viktor.
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Dynamic:
$ ls -Al /tmp/ssl/lib/
total 11336
drwxr-xr-x 14 shiretu wheel 476 Jan 14 23:27 engines
-r-xr-xr-x 1 shiretu wheel 1602352 Jan 14 23:27 libcrypto.1.0.0.dylib
-rw-r--r-- 1 shiretu wheel 3196880 Jan 14 23:27 libcrypto.a
lrwxr-xr-x 1 shiretu wheel 21 Jan 14 23:27 libcrypto.dylib -> libcrypto.1.0.0.dylib
-r-xr-xr-x 1 shiretu wheel 382440 Jan 14 23:27 libssl.1.0.0.dylib
-rw-r--r-- 1 shiretu wheel 605504 Jan 14 23:27 libssl.a
lrwxr-xr-x 1 shiretu wheel 18 Jan 14 23:27 libssl.dylib -> libssl.1.0.0.dylib
drwxr-xr-x 5 shiretu wheel 170 Jan 14 23:27 pkgconfig

$ gcc ~/Dropbox/Public/dtls_bug.c -I/tmp/ssl/include -L/tmp/ssl/lib -lssl -lcrypto -o /tmp/dtls_bug

$ otool -L /tmp/dtls_bug
/tmp/dtls_bug:
	/tmp/ssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/tmp/ssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)

$ /tmp/dtls_bug
Assertion failed: (pSSLBuffer->length != 0), function main, file /Users/shiretu/Dropbox/Public/dtls_bug.c, line 110.
Abort trap: 6

Static:
$ gcc ~/Dropbox/Public/dtls_bug.c -I/tmp/ssl/include /tmp/ssl/lib/libssl.a /tmp/ssl/lib/libcrypto.a -o /tmp/dtls_bug

$ otool -L /tmp/dtls_bug
/tmp/dtls_bug:
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)

$ /tmp/dtls_bug
Assertion failed: (pSSLBuffer->length != 0), function main, file /Users/shiretu/Dropbox/Public/dtls_bug.c, line 110.
Abort trap: 6

$ uname -a
Darwin shiretu.local 14.1.0 Darwin Kernel Version 14.1.0: Sun Dec 28 21:20:58 PST 2014; root:xnu-2782.10.72~3/RELEASE_X86_64 x86_64

> On Jan 14, 2015, at 23:00, Viktor Dukhovni wrote:
>
> This picks up libraries from 1.0.1k and headers from some other
> release. Try with -I/tmp/ssl/include or similar making sure the
> right headers are used. You should not need "-Wno-deprecated-declarations",
> that should only be needed to silence consequences of including
> Apple's headers.
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
On Wed, Jan 14, 2015 at 10:54:57PM +0200, Eugen-Andrei Gavriloaie wrote:

> On my Mac OS X Yosemite, manually compiled OpenSSL 1.0.1k and installed it
> into /tmp/ssl as a static lib (with shared lib behaves the same) Compiling:
>
> $ gcc dtls_bug.c -Wno-deprecated-declarations /tmp/ssl/lib/libssl.a
> /tmp/ssl/lib/libcrypto.a -o /tmp/dtls_bug

This picks up libraries from 1.0.1k and headers from some other
release. Try with -I/tmp/ssl/include or similar making sure the
right headers are used. You should not need "-Wno-deprecated-declarations",
that should only be needed to silence consequences of including
Apple's headers.

--
Viktor.
[openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
On Wed Jan 14 21:55:17 2015, shir...@gmail.com wrote:
> Hi Matt,
>
> Here are more explanations:
>
> On my Mac OS X Yosemite, the OS provided OpenSSL version
> $ openssl version
> OpenSSL 1.0.1j 15 Oct 2014
>
> Compiling the test
> $ gcc ~/Dropbox/Public/dtls_bug.c -Wno-deprecated-declarations -lssl -lcrypto -o /tmp/dtls_bug
>
> Running the test
> $ /tmp/dtls_bug
> $
>
> As we can see, everything looks good, nothing happens, the app exits
> with 0 error code
>
> On my Mac OS X Yosemite, manually compiled OpenSSL 1.0.1k and
> installed it into /tmp/ssl as a static lib (with shared lib behaves
> the same) Compiling:
> $ gcc dtls_bug.c -Wno-deprecated-declarations /tmp/ssl/lib/libssl.a /tmp/ssl/lib/libcrypto.a -o /tmp/dtls_bug
>
> Running:
> $ /tmp/dtls_bug
> Assertion failed: (pSSLBuffer->length != 0), function main, file /Users/shiretu/Dropbox/Public/dtls_bug.c, line 110.
> Abort trap: 6
>
> As we can see, it fails at that line where I expect the output
> buffer to be populated with an answer and is not happening. The
> pSSLBuffer->length != 0 fails
>
> Same behavior can be seen on Ubuntu 14.10 64 bit

Does it work in s_client/s_server? i.e.

Start an s_server (you'll need an appropriate cert/key):
openssl s_server -dtls1

Start an s_client:
openssl s_client -dtls1

They should complete a handshake successfully.

Matt
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
And from an Ubuntu box (apparently, it runs 1.0.1f)

shiretu@ubuntu:/tmp$ gcc -std=c99 dtls_bug.c -lssl -lcrypto -o dtls_bug
shiretu@ubuntu:/tmp$ ./dtls_bug
dtls_bug: dtls_bug.c:110: main: Assertion `pSSLBuffer->length != 0' failed.
Aborted (core dumped)
shiretu@ubuntu:/tmp$ uname -a
Linux ubuntu 3.16.0-23-generic #31-Ubuntu SMP Tue Oct 21 17:56:17 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
shiretu@ubuntu:/tmp$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
shiretu@ubuntu:/tmp$ ldd dtls_bug
	linux-vdso.so.1 => (0x7fff0fbe7000)
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x7fec11f22000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x7fec11b3f000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fec11779000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fec11575000)
	/lib64/ld-linux-x86-64.so.2 (0x7fec12189000)
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Forgot to add the 1.0.1k version info:

$ /tmp/ssl/bin/openssl version
OpenSSL 1.0.1k 8 Jan 2015

> On Jan 14, 2015, at 22:54, Eugen-Andrei Gavriloaie wrote:
>
> Hi Matt,
>
> Here are more explanations:
>
> On my Mac OS X Yosemite, the OS provided OpenSSL version
> $ openssl version
> OpenSSL 1.0.1j 15 Oct 2014
>
> Compiling the test
> $ gcc ~/Dropbox/Public/dtls_bug.c -Wno-deprecated-declarations -lssl -lcrypto -o /tmp/dtls_bug
>
> Running the test
> $ /tmp/dtls_bug
> $
>
> As we can see, everything looks good, nothing happens, the app exits with 0
> error code
>
> On my Mac OS X Yosemite, manually compiled OpenSSL 1.0.1k and installed it
> into /tmp/ssl as a static lib (with shared lib behaves the same) Compiling:
> $ gcc dtls_bug.c -Wno-deprecated-declarations /tmp/ssl/lib/libssl.a /tmp/ssl/lib/libcrypto.a -o /tmp/dtls_bug
>
> Running:
> $ /tmp/dtls_bug
> Assertion failed: (pSSLBuffer->length != 0), function main, file /Users/shiretu/Dropbox/Public/dtls_bug.c, line 110.
> Abort trap: 6
>
> As we can see, it fails at that line where I expect the output buffer to be
> populated with an answer and is not happening. The pSSLBuffer->length != 0
> fails
>
> Same behavior can be seen on Ubuntu 14.10 64 bit
>
> Best regards,
> Andrei
>
>> On Jan 14, 2015, at 22:21, Eugen-Andrei Gavriloaie via RT wrote:
>>
>> Hi all,
>>
>> I believe I have found a bug which is only present in the latest versions
>> (1.0.1k)
>>
>> I have created a simple C test which does the following things in this order:
>>
>> 1. initialize the SSL library
>> 2. creates an X509 key and cert
>> 3. creates a DTLS server SSL context
>> 4. Setup 2 memory BIO instances on the SSL context
>> 5. Feed the input BIO with a hardcoded "Client Hello" packet
>> 6. Call SSL_accept
>>
>> Wanted:
>> The output BIO should contain a packet ("Server Hello") to be sent over the
>> wire
>>
>> Observed:
>> The output BIO is empty, the handshake never succeeds
>>
>> Same file test app linked with OpenSSL 1.0.1j works as expected, the output
>> is generated.
>>
>> I have attached the C file.
>>
>> Best regards,
>> Andrei
Re: [openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Hi Matt,

Here are more explanations:

On my Mac OS X Yosemite, the OS-provided OpenSSL version:
$ openssl version
OpenSSL 1.0.1j 15 Oct 2014

Compiling the test:
$ gcc ~/Dropbox/Public/dtls_bug.c -Wno-deprecated-declarations -lssl -lcrypto -o /tmp/dtls_bug

Running the test:
$ /tmp/dtls_bug
$

As we can see, everything looks good, nothing happens, the app exits with 0 error code.

On my Mac OS X Yosemite, manually compiled OpenSSL 1.0.1k and installed it into /tmp/ssl as a static lib (with shared lib it behaves the same).

Compiling:
$ gcc dtls_bug.c -Wno-deprecated-declarations /tmp/ssl/lib/libssl.a /tmp/ssl/lib/libcrypto.a -o /tmp/dtls_bug

Running:
$ /tmp/dtls_bug
Assertion failed: (pSSLBuffer->length != 0), function main, file /Users/shiretu/Dropbox/Public/dtls_bug.c, line 110.
Abort trap: 6

As we can see, it fails at that line where I expect the output buffer to be populated with an answer, and it is not happening. The pSSLBuffer->length != 0 check fails.

Same behavior can be seen on Ubuntu 14.10 64 bit.

Best regards,
Andrei

> On Jan 14, 2015, at 22:21, Eugen-Andrei Gavriloaie via RT wrote:
>
> Hi all,
>
> I believe I have found a bug which is only present in the latest versions (1.0.1k).
>
> I have created a simple C test which does the following things in this order:
>
> 1. initialize the SSL library
> 2. creates an X509 key and cert
> 3. creates a DTLS server SSL context
> 4. Set up 2 memory BIO instances on the SSL context
> 5. Feed the input BIO with a hardcoded "Client Hello" packet
> 6. Call SSL_accept
>
> Wanted:
> The output BIO should contain a packet ("Server Hello") to be sent over the wire
>
> Observed:
> The output BIO is empty, the handshake never succeeds
>
> The same test app linked with OpenSSL 1.0.1j works as expected, the output is generated.
>
> I have attached the C file.
>
> Best regards,
> Andrei
[openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
On Wed Jan 14 21:21:46 2015, shir...@gmail.com wrote:
> Hi all,
>
> I believe I have found a bug which is only present in the latest versions (1.0.1k).
>
> I have created a simple C test which does the following things in this order:
>
> 1. initialize the SSL library
> 2. creates an X509 key and cert
> 3. creates a DTLS server SSL context
> 4. Set up 2 memory BIO instances on the SSL context
> 5. Feed the input BIO with a hardcoded "Client Hello" packet
> 6. Call SSL_accept
>
> Wanted:
> The output BIO should contain a packet ("Server Hello") to be sent over the wire
>
> Observed:
> The output BIO is empty, the handshake never succeeds
>
> The same test app linked with OpenSSL 1.0.1j works as expected, the output is generated.
>

Not sure what I'm supposed to be seeing here? I get the same result with both 1.0.1j and 1.0.1k...no errors reported.

What platform are you on?

Matt
[openssl-dev] [openssl.org #3657] OpenSSL 1.0.1k DTLS handshake no longer works
Hi all,

I believe I have found a bug which is only present in the latest versions (1.0.1k).

I have created a simple C test which does the following things in this order:

1. initialize the SSL library
2. creates an X509 key and cert
3. creates a DTLS server SSL context
4. Set up 2 memory BIO instances on the SSL context
5. Feed the input BIO with a hardcoded "Client Hello" packet
6. Call SSL_accept

Wanted:
The output BIO should contain a packet ("Server Hello") to be sent over the wire

Observed:
The output BIO is empty, the handshake never succeeds

The same test app linked with OpenSSL 1.0.1j works as expected, the output is generated.

I have attached the C file.

Best regards,
Andrei

Attachment: dtls_bug.c (binary data)
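The report above feeds a hardcoded ClientHello datagram into a memory BIO and then checks whether SSL_accept produced anything. Whenever such a reproducer fails silently, the first thing worth ruling out is the input itself: a DTLS server will not answer a datagram whose record header promises more bytes than the BIO holds. The following is an added example, not the reporter's dtls_bug.c and not OpenSSL code; it does not call the OpenSSL API at all. It parses the DTLS record header (13 bytes) and the DTLS handshake header (12 bytes) of a datagram and reports whether the buffer holds exactly one complete, unfragmented handshake record. The sample ClientHello bytes are constructed here (minimal body, constant placeholder random, one cipher suite, no cookie) and are not a capture.

```c
/* Added example (not from the thread or from OpenSSL): check that a buffer
 * holds one complete, unfragmented DTLS handshake record before handing it
 * to a DTLS implementation. Pure C99, no OpenSSL dependency. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTLS_RECORD_HDR_LEN 13 /* type(1) version(2) epoch(2) seq(6) length(2) */
#define DTLS_HS_HDR_LEN     12 /* msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3) */
#define CT_HANDSHAKE        22
#define HS_CLIENT_HELLO     1

typedef struct {
    uint8_t  content_type;
    uint16_t version;   /* 0xFEFF = DTLS 1.0, 0xFEFD = DTLS 1.2 */
    uint16_t epoch;
    uint64_t seq;       /* 48-bit record sequence number */
    uint16_t length;    /* record payload length */
    uint8_t  msg_type;  /* handshake message type */
    uint32_t msg_len;   /* total handshake message length */
    uint16_t msg_seq;
    uint32_t frag_off;
    uint32_t frag_len;
} dtls_hs_record;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* Returns 1 if buf[0..len) is one complete, unfragmented DTLS handshake
 * record (headers parsed into *out), 0 if truncated or malformed. */
int dtls_parse_handshake_record(const uint8_t *buf, size_t len, dtls_hs_record *out)
{
    if (len < DTLS_RECORD_HDR_LEN + DTLS_HS_HDR_LEN) return 0;
    out->content_type = buf[0];
    out->version = be16(buf + 1);
    out->epoch = be16(buf + 3);
    out->seq = 0;
    for (int i = 0; i < 6; i++) out->seq = (out->seq << 8) | buf[5 + i];
    out->length = be16(buf + 11);
    if (out->content_type != CT_HANDSHAKE) return 0;
    if (out->version != 0xFEFF && out->version != 0xFEFD) return 0;
    /* The record body must be entirely present in the datagram. */
    if ((size_t)out->length + DTLS_RECORD_HDR_LEN > len) return 0;
    if (out->length < DTLS_HS_HDR_LEN) return 0;
    const uint8_t *hs = buf + DTLS_RECORD_HDR_LEN;
    out->msg_type = hs[0];
    out->msg_len  = be24(hs + 1);
    out->msg_seq  = be16(hs + 4);
    out->frag_off = be24(hs + 6);
    out->frag_len = be24(hs + 9);
    /* Fragment must fill the record body exactly and cover the whole message. */
    if (out->frag_len != (uint32_t)out->length - DTLS_HS_HDR_LEN) return 0;
    if (out->frag_off != 0 || out->frag_len != out->msg_len) return 0;
    return 1;
}

/* Constructed sample (not a capture): minimal DTLS 1.0 ClientHello, 67 bytes.
 * Body = version(2) random(32) sid_len(1) cookie_len(1) suites_len(2)
 *        suite(2) comp_len(1) comp(1) = 42 bytes. */
size_t build_sample_client_hello(uint8_t *buf, size_t cap)
{
    const uint8_t body_len = 42;
    if (cap < DTLS_RECORD_HDR_LEN + DTLS_HS_HDR_LEN + body_len) return 0;
    uint8_t *p = buf;
    *p++ = CT_HANDSHAKE; *p++ = 0xFE; *p++ = 0xFF;   /* record: handshake, DTLS 1.0 */
    *p++ = 0; *p++ = 0;                             /* epoch 0 */
    memset(p, 0, 6); p += 6;                        /* sequence number 0 */
    *p++ = 0; *p++ = DTLS_HS_HDR_LEN + body_len;    /* record length 54 */
    *p++ = HS_CLIENT_HELLO;
    *p++ = 0; *p++ = 0; *p++ = body_len;            /* message length 42 */
    *p++ = 0; *p++ = 0;                             /* message_seq 0 */
    *p++ = 0; *p++ = 0; *p++ = 0;                   /* fragment_offset 0 */
    *p++ = 0; *p++ = 0; *p++ = body_len;            /* fragment_length 42 */
    *p++ = 0xFE; *p++ = 0xFF;                       /* client_version DTLS 1.0 */
    memset(p, 0xAB, 32); p += 32;                   /* random: constant placeholder, not entropy */
    *p++ = 0;                                       /* session_id length 0 */
    *p++ = 0;                                       /* cookie length 0 */
    *p++ = 0; *p++ = 2;                             /* cipher_suites length 2 */
    *p++ = 0x00; *p++ = 0x2F;                       /* TLS_RSA_WITH_AES_128_CBC_SHA */
    *p++ = 1; *p++ = 0;                             /* compression_methods: null only */
    return (size_t)(p - buf);
}

/* 1 if the constructed datagram is a complete ClientHello record. */
int sample_client_hello_is_complete(void)
{
    uint8_t buf[128]; dtls_hs_record r;
    size_t n = build_sample_client_hello(buf, sizeof buf);
    return n == 67 && dtls_parse_handshake_record(buf, n, &r)
        && r.msg_type == HS_CLIENT_HELLO && r.msg_len == 42;
}

/* 1 if a datagram cut short by 5 bytes is correctly rejected. */
int truncated_client_hello_is_rejected(void)
{
    uint8_t buf[128]; dtls_hs_record r;
    size_t n = build_sample_client_hello(buf, sizeof buf);
    return dtls_parse_handshake_record(buf, n - 5, &r) == 0;
}

int main(void)
{
    uint8_t buf[128]; dtls_hs_record r;
    size_t n = build_sample_client_hello(buf, sizeof buf);
    if (dtls_parse_handshake_record(buf, n, &r))
        printf("complete ClientHello: version %04x epoch %u msg_len %u (%zu bytes)\n",
               r.version, r.epoch, r.msg_len, n);
    else
        printf("incomplete or malformed record\n");
    return 0;
}
```

If this check passes on the hardcoded packet and the output BIO is still empty, the input is not the problem and the behaviour difference between library versions is what needs explaining, which is what the rest of this thread does.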