Handshake fails on HPUX IA64 Release bits
hi,

Openssl Version :: openssl 0.9.8g
Platform :: HP-UX 11 23 IA64

SSL Handshake fails with Release variants, works fine with the Debug variants. Any Comments? Can this be related to optimization? Any thoughts why it works for Debug and fails with release?

Handshake fails with Release variants ..

> ./ssltest -v -d
Available compression methods:
NONE
client waiting in SSL_connect - before/connect initialization
server waiting in SSL_accept - before/accept initialization
ERROR in SERVER
6698:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:142:
1 handshakes of 256 bytes done

Handshake Succeeds with Debug variants ..

> ./ssltest -d
Available compression methods:
NONE
client waiting in SSL_connect - before/connect initialization
server waiting in SSL_accept - before/accept initialization
client waiting in SSL_connect - SSLv2/v3 read server hello A
server waiting in SSL_accept - SSLv3 read client certificate A
client waiting in SSL_connect - SSLv3 read finished A
client wrote 256
server read 256
server wrote 256
client read 256
TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
1 handshakes of 256 bytes done

Thanks
Anil
Re: Handshake fails on HPUX IA64 Release bits
More investigation shows that the issue is seen with ssl3 and tls1, ssl2 works fine ...

> ../util/shlib_wrap.sh ./ssltest -ssl2
Available compression methods:
NONE
SSLv2, cipher SSLv2 DES-CBC3-MD5, 512 bit RSA
1 handshakes of 256 bytes done

> ../util/shlib_wrap.sh ./ssltest -ssl3
Available compression methods:
NONE
ERROR in SERVER
14472:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:845:
SSLv3, cipher (NONE) (NONE)
1 handshakes of 256 bytes done

> ../util/shlib_wrap.sh ./ssltest -tls1
Available compression methods:
NONE
ERROR in SERVER
14480:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:845:
TLSv1, cipher (NONE) (NONE)
1 handshakes of 256 bytes done

Thanks
Anil

On Tue, May 26, 2009 at 4:11 PM, Anil Tambe wrote:
>
> hi,
>
> Openssl Version :: openssl 0.9.8g
> Platform :: HP-UX 11 23 IA64
>
> SSL Handshake fails with Release variants, works fine with the Debug
> variants. Any Comments? Can this be related to optimization? Any thoughts
> why it works for Debug and fails with release?
>
> Handshake fails with Release variants ..
> > ./ssltest -v -d
> Available compression methods:
> NONE
> client waiting in SSL_connect - before/connect initialization
> server waiting in SSL_accept - before/accept initialization
> ERROR in SERVER
> 6698:error:140780E5:SSL routines:SSL23_READ:ssl handshake
> failure:s23_lib.c:142:
> 1 handshakes of 256 bytes done
>
> Handshake Succeeds with Debug variants ..
> > ./ssltest -d
> Available compression methods:
> NONE
> client waiting in SSL_connect - before/connect initialization
> server waiting in SSL_accept - before/accept initialization
> client waiting in SSL_connect - SSLv2/v3 read server hello A
> server waiting in SSL_accept - SSLv3 read client certificate A
> client waiting in SSL_connect - SSLv3 read finished A
> client wrote 256
> server read 256
> server wrote 256
> client read 256
> TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
> 1 handshakes of 256 bytes done
>
> Thanks
> Anil
Re: nonblocking implementation question
On Tue, May 26, 2009 at 10:33:11AM -0400, Aaron Wiebe wrote:

> Greetings All,
>
> I've gone through various levels of documentation to see if there is a
> method available to implement SSL as I have envisioned, but I haven't
> been able to find what I'm looking for. Perhaps someone here could
> point me in a good direction...
>
> I'm developing a nonblocking application (backed by several
> edge-trigger methods, such as epoll/kqueue/etc). I'd like to
> integrate SSL into the flow, but I'm not fond of pushing the buffering
> and socket interaction routines into the SSL library. What I would
> prefer to do is to perform callouts to the ssl library, while
> maintaining the buffering and socket handling within my application.
>
> Ideally, I'd like to perform the recv() calls, buffer the data myself,
> and pass it to a function that would be capable of decrypting the data
> (if a complete encryption block is received) - and provide me
> appropriate returns to let me know if additional steps are required
> (such as a renegotiation). I'd also prefer to be able to encrypt the
> data through a function call, and be able to buffer and deliver that
> data at my leisure.

The "biopair" abstraction allows you to do exactly this. The TLS layer to network interface is realized with a BIO pair:

                        Application
    TLS layer               |            Your Code
      /\||                  |              ||\/
  Application buffer  <===>  TLS read/write/etc
                            |              /\||
                            |              ||\/
                            |     BIO pair (internal_bio)
                            |     BIO pair (network_bio)
                            |              /\||
                            |              ||\/
  socket read/write   <===>  BIO read/write
      /\||                  |              ||\/
    network                 |

All SSL calls that need to write/read data to/from the network "fail" with SSL_WANT_WRITE or SSL_WANT_READ; it is then up to you to send as much pending data as possible out of the network bio to the peer, and then read data from the peer and write it to the network bio if a read was requested.

> In short, I don't really want SSL doing my writing or buffering. I
> just want the library to do my negotiation and encryption - but by
> providing me the data I need rather than by writing to the socket.

See the biopair docs.

--
	Viktor.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
nonblocking implementation question
Greetings All,

I've gone through various levels of documentation to see if there is a method available to implement SSL as I have envisioned, but I haven't been able to find what I'm looking for. Perhaps someone here could point me in a good direction...

I'm developing a nonblocking application (backed by several edge-trigger methods, such as epoll/kqueue/etc). I'd like to integrate SSL into the flow, but I'm not fond of pushing the buffering and socket interaction routines into the SSL library. What I would prefer to do is to perform callouts to the ssl library, while maintaining the buffering and socket handling within my application.

Ideally, I'd like to perform the recv() calls, buffer the data myself, and pass it to a function that would be capable of decrypting the data (if a complete encryption block is received) - and provide me appropriate returns to let me know if additional steps are required (such as a renegotiation). I'd also prefer to be able to encrypt the data through a function call, and be able to buffer and deliver that data at my leisure.

In short, I don't really want SSL doing my writing or buffering. I just want the library to do my negotiation and encryption - but by providing me the data I need rather than by writing to the socket.

Does the ability to do this exist? I'm not too fond of fully reverse-engineering SSL itself and using the pure encryption calls, so I'm hoping there exist APIs that will let me take this route. If anyone knows of an implementation out there like this, I'd love to see it.

Thanks!
-Aaron
Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.
On Mon, May 25, 2009 at 08:41:29PM -0400, Dave Thompson wrote:

> > From: owner-openssl-us...@openssl.org On Behalf Of David Woodhouse
> > Sent: Friday, 22 May, 2009 05:49
> > To: openssl-users@openssl.org
> > Subject: Re: TLS compatibility problem -- can connect to
> > server with NSS but not OpenSSL.
> >
> > On Thu, 2009-05-21 at 22:44 +0100, David Woodhouse wrote:
> > > I'm trying to connect to an HTTPS server, and my connection
> > is being
> > > rejected when I use a client certificate:
> > > [dw...@macbook ~]$ openssl s_client -cert $CERT -connect
> > $SERVER:443
> > > -crlf -tls1
> > > CONNECTED(0003)
> > > depth=1 /C=US/O=Foo Corporation/CN=Foo Intranet Basic Issuing CA 2A
> > > verify error:num=20:unable to get local issuer certificate verify
> > > return:0 24620:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> > > handshake failure:s3_pkt.c:530:
> >
> Those errors are run together; there should be different line breaks.
>
> > I've discovered that it works if I also use the '-CAfile'
> > option and give it the appropriate certificate chain. If I
> > use an empty CAfile or one with the wrong certificates in it,
> > the server still hates me.
> >
> I don't understand why you got verify return 0 above. In at least
> all 098* that I've used, s_client logs verify errors on the server
> cert (like no-issuer or self-signed) but ignores them and continues.
> However, since s3_pkt:530 is a failure on our end of the handshake,
> maybe it is indeed failing for verification. Or maybe something else,
> since according to your wireshark it certainly does seem the client
> sends the rest of the sequence (cert, keyxch, verify, change, finished?).
> I suggest running the client with -state and -msg or probably better
> -debug to get (much) more detailed information about what it's doing.
> And check (or ask) if the server logs any helpful error messages.

The server is unhappy with the client certificate chain, and drops the connection if the client certificate trust chain does not verify. The same server is willing to accept clients with no certificates at all.

The server is lame. Don't use it with client certificates that don't have a complete trust chain.

--
	Viktor.
using rsa-oaep with encoding parameters
Hello,

I am using the openssl library for crypto operations in an implementation of the W3C XML Encryption specification - http://www.w3.org/TR/xmlenc-core/. The specification requires supporting the RSA-OAEP public-key algorithm with encoding-parameters - http://www.w3.org/TR/xmlenc-core/#sec-RSA-OAEP.

I have used the RSA_padding_add_PKCS1_OAEP() and RSA_padding_check_PKCS1_OAEP() functions for adding padding using a configurable encoding-parameter, but RSA_padding_check_PKCS1_OAEP() returned with -1 (failure).

I tried searching for solutions at this mailing-list and all that I found was a very similar problem here: http://www.mail-archive.com/openssl-users%40openssl.org/msg35663.html, but no solution.

I also tried using the XMLsec tool (an open-source tool for handling XML Encryption) that uses openssl as well, but found the specific encoding-parameter to be problematic in that tool too.

Can you please help?

Thanks,
Henry
Re: nonblocking implementation question
You're looking for a BIO_s_mem.

-Kyle H

On Tue, May 26, 2009 at 7:33 AM, Aaron Wiebe wrote:
> Greetings All,
>
> I've gone through various levels of documentation to see if there is a
> method available to implement SSL as I have envisioned, but I haven't
> been able to find what I'm looking for. Perhaps someone here could
> point me in a good direction...
>
> I'm developing a nonblocking application (backed by several
> edge-trigger methods, such as epoll/kqueue/etc). I'd like to
> integrate SSL into the flow, but I'm not fond of pushing the buffering
> and socket interaction routines into the SSL library. What I would
> prefer to do is to perform callouts to the ssl library, while
> maintaining the buffering and socket handling within my application.
>
> Ideally, I'd like to perform the recv() calls, buffer the data myself,
> and pass it to a function that would be capable of decrypting the data
> (if a complete encryption block is received) - and provide me
> appropriate returns to let me know if additional steps are required
> (such as a renegotiation). I'd also prefer to be able to encrypt the
> data through a function call, and be able to buffer and deliver that
> data at my leisure.
>
> In short, I don't really want SSL doing my writing or buffering. I
> just want the library to do my negotiation and encryption - but by
> providing me the data I need rather than by writing to the socket.
>
> Does the ability to do this exist? I'm not too fond of fully
> reverse-engineering SSL itself and using the pure encryption calls, so
> I'm hoping there exist APIs that will let me take this route. If
> anyone knows of an implementation out there like this, I'd love to see
> it.
>
> Thanks!
> -Aaron
Re: nonblocking implementation question
On Tue, May 26, 2009 at 01:13:33PM -0700, Kyle Hamilton wrote:

> You're looking for a BIO_s_mem.

No, he is looking for BIO_new_bio_pair(3) and SSL_set_bio(3).

> > In short, I don't really want SSL doing my writing or buffering. I
> > just want the library to do my negotiation and encryption - but by
> > providing me the data I need rather than by writing to the socket.

--
	Viktor.
Re: nonblocking implementation question
On Tue, May 26, 2009 at 4:46 PM, Victor Duchovni wrote:
> On Tue, May 26, 2009 at 01:13:33PM -0700, Kyle Hamilton wrote:
>
>> You're looking for a BIO_s_mem.
>
> No, he is looking for BIO_new_bio_pair(3) and SSL_set_bio(3).

And this is where I'm running into confusing bits of information. Bluntly, the documentation that I can find is nearly useless.

Let me put it this way, in pseudocode of how I would like to interact in my perfect world:

readfunc(int fd)
{
    /* entry on a "can read" event from the select/poll/etc call */
    len = recv(fd, &buffer, sizeof(buffer));

    if (IsSSL(fd)) {
        if (have_crypted_buffer_already)
            merge_buffer(buffer, encrypted_buffer);

        switch (SSL_decrypt(context, buffer, &decr_buf, &dlen)) {
        case SSL_NOTENOUGHDATA:
            buffer_encrypted_read(fd, buffer, len);
            break;
        case SSL_GOTDATA:
            buffer_decrypted(fd, decr_buf, dlen);
            if (dlen != len)
                buffer_encrypted_read(fd, buffer + dlen, len - dlen);
            break;
        case SSL_NEEDRENEG:
            enqueue(fd, get_ssl_reneg_data(context));
            break;
        default:
            break;
        }
    }
}

(or something..)

Basically, I don't really want any calls to require more than a context that needs to be maintained - I don't want to hand my data off to the API and have to come back to it at some arbitrary later time, having it buffered and/or queued by mechanisms built into the openssl api. I expect the API to do one thing and one thing only: provide me the necessary information to handle an SSL connection. Not handle it for me.

Not sure if I'm asking this well...

-Aaron
Re: nonblocking implementation question
On Tue, May 26, 2009 at 05:02:59PM -0400, Aaron Wiebe wrote:

> >> You're looking for a BIO_s_mem.
> >
> > No, he is looking for BIO_new_bio_pair(3) and SSL_set_bio(3).
>
> And this is where I'm running into confusing bits of information.
> Bluntly, the documentation that I can find is nearly useless.
>
> Let me put it this way, in pseudocode of how I would like to interact
> in my perfect world:

There is no "SSL_decrypt" because SSL is not a packet encryption format; it is a complex state machine that supports multi-step handshakes, renegotiation, internal buffering, 2-step shutdown, ...

With biopairs, you still call SSL_connect() when a client wants to complete an SSL handshake to a server, SSL_accept() when a server wants to complete an SSL handshake with a client, SSL_read() when your application wants to read data and SSL_write() when you want to write data, ...

But, with biopairs, the SSL context has no direct connection to the network and cannot do *any* I/O. When its output buffer is full, or when a response is requested or required and the input buffer is empty, the SSL_connect()/SSL_accept()/SSL_read()/SSL_write() calls will fail and the error status from SSL_get_error(TLScontext->con, retval) will be either SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ.

It is at *that* point (demand for external I/O) that you'll need to (even with WANT_READ) always first drain as much of the network bio output buffer to the network as possible without blocking, in case the peer is waiting for your input, and then read data from the socket (and write it to the network bio, making it available to SSL), also without blocking.

--
	Viktor.
specific cert extensions needed for smartcards?
Hi there

I'm evaluating eTokens for secure cert storage and along with other aspects was looking at the ability for Windows domains to use smartcards to control login access.

Aladdin eToken documentation explicitly states you have to use a Microsoft CA to generate certs that can be used for smartcard access. However, we have an OpenSSL based PKI and I want to use that instead. I'm guessing all I need is to insert each user's pubkey into their AD account's "Published Certificates" tab, but when I try to login I get a generic error. So I'm guessing there are cert extensions that AD's "smartcard" control looks for.

Any ideas what they are (or am I totally off-track?)

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
problem with client certificate authentication using s_server Verify command
Hello list

I have been experimenting on client certificate authentication using the openssl s_server command but I have a problem in this case:

I am running the ssl server using the command:

openssl s_server -accept 443 -cert sslcert/cacert.pem -key sslcert/private/cakey.pem -Verify 1 -CAfile ca-bundle.crt -ssl3 -state

Here cacert.pem and cakey.pem are self signed ones and ca-bundle.crt is my trusted root CA store, and I am using "V" only, not "v", for verify.

and I connected to this server like this:

openssl s_client -ssl3 -cert sslcert/cacert1.pem -key sslcert/private/cakey1.pem -CApath ca-bundle.crt -connect localhost:443

But I am not getting any verify error even though the client certificate which I passed to the server is not there in my server's list of trusted root CAs, which means the connection is established without any certificate authentication.

Please help me out!

Regards
Venkat
RE: nonblocking implementation question
> Basically, I don't really want any calls to require more than a
> context that needs to be maintained - I don't want to hand my data off
> to the API and have to come back to it at some arbitrary later time,
> having it buffered and/or queued by mechanisms built into the openssl
> api. I expect the API to do one thing and one thing only: provide me
> the necessary information to handle an SSL connection. Not handle it
> for me.
>
> Not sure if I'm asking this well...
>
> -Aaron

Unfortunately, that's not really possible. The SSL protocol is not simple enough to be implemented that way, and in any event, OpenSSL doesn't do that.

What OpenSSL will give you is a black box with four 'hooks'. When you read encrypted data from the socket, you can put it on one of the four hooks. There is a hook on which you can find encrypted outbound data which you can then write to the socket. There is another hook on which you can find decrypted application data. And lastly, there is a hook on which you can put plaintext to be encrypted and sent.

The less you try to look inside the OpenSSL black box, in my experience, the better. Think of these as four independent data streams. You push and pull encrypted data between the socket and the two encrypted hooks to make the SSL engine go, and then you can use the two decrypted hooks much like a TCP connection.

DS
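The arrangement Viktor describes (an SSL engine attached to a BIO pair, with the application moving ciphertext between the network bio and its own sockets, reacting to WANT_READ/WANT_WRITE) and that David Schwartz sums up as a black box with four hooks can be exercised end to end with no socket at all. The following is an added example, not code from this thread or from OpenSSL; it uses Python's ssl.SSLObject, which is built on exactly this design (two memory BIOs in place of the network), and assumes the `openssl` command-line tool is on PATH to mint a throwaway self-signed certificate; the host name `biopair-demo` is made up for the demo.

```python
import ssl
import subprocess
import tempfile

HOST = "biopair-demo"  # hypothetical name, used as CN and SAN of the throwaway cert


def make_throwaway_cert(tmpdir):
    """Mint a self-signed cert/key with the openssl CLI (constructed test material)."""
    cert, key = f"{tmpdir}/cert.pem", f"{tmpdir}/key.pem"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


class Endpoint:
    """One TLS peer. `incoming` is the BIO we fill with ciphertext after recv();
    `outgoing` is the BIO we drain and hand to send(). The engine never sees a socket."""

    def __init__(self, ctx, server_side, hostname=None):
        self.incoming = ssl.MemoryBIO()
        self.outgoing = ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_side=server_side, server_hostname=hostname)
        self.handshake_done = False

    def handshake_step(self):
        """One SSL_do_handshake(); WANT_READ/WANT_WRITE are demands for I/O, not errors."""
        if self.handshake_done:
            return
        try:
            self.tls.do_handshake()
            self.handshake_done = True
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            pass


def shuttle(a, b):
    """The application's I/O duty: drain each side's outgoing BIO into the other
    side's incoming BIO (stand-in for send()/recv()). Returns bytes moved."""
    moved = 0
    for src, dst in ((a, b), (b, a)):
        data = src.outgoing.read()
        if data:
            dst.incoming.write(data)
            moved += len(data)
    return moved


def deliver(sender, receiver, plaintext):
    """SSL_write() only fills the outgoing BIO; move bytes and retry SSL_read() far side."""
    sender.tls.write(plaintext)
    for _ in range(8):  # bounded here; a real event loop would wait on poll()
        shuttle(sender, receiver)
        try:
            return receiver.tls.read()
        except ssl.SSLWantReadError:
            continue  # only non-application records (e.g. a session ticket) so far
    raise RuntimeError("peer produced no application data")


def run_in_memory_session(payload):
    """Full handshake plus one request/response, with no socket anywhere."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_throwaway_cert(tmp)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(cert, key)
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli_ctx.load_verify_locations(cert)  # trust only the throwaway cert
        client, server = Endpoint(cli_ctx, False, HOST), Endpoint(srv_ctx, True)
        rounds = 0
        while not (client.handshake_done and server.handshake_done):
            client.handshake_step()
            server.handshake_step()
            rounds += 1
            both_done = client.handshake_done and server.handshake_done
            if shuttle(client, server) == 0 and not both_done:
                raise RuntimeError("handshake stalled with nothing to send")
        request = deliver(client, server, payload)
        reply = deliver(server, client, b"ACK:" + request)
        return {"rounds": rounds, "version": client.tls.version(),
                "request": request, "reply": reply}
```

Every `rounds` increment is one place where a real program would return to its epoll/kqueue loop and wait for the socket to become readable or writable.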
Integration of 0.9.8k into Apache 2.2.10
I've recently upgraded my Apache HTTP Server to Apache 2.2.10 with OpenSSL 0.9.8i bundled in. Because of the 25-Mar-2009 Security Advisory (http://www.openssl.org/news/secadv_20090325.txt) I need to upgrade to OpenSSL 0.9.8k but I am having difficulties finding instructions on integrating this into Apache, specifically on Windows systems.

I have read through the install instructions for Win32 systems and I have installed CYGWIN and run through the GNU C (CYGWIN) install instructions with no success. I am concerned that even if I can get it to build that it won't be integrated into my web server and replace the 0.9.8i module. Will building this yield a mod_ssl.so file in Apache2.2\modules\ and an openssl.exe in Apache2.2\bin\?

Could someone point me to a procedure for this process? Most sources seem to be very light on Windows related documentation. There is a reference to including it in future versions but nothing on retrofitting it into 2.2.10 installations: (http://www.nabble.com/Apache-HTTP-Server-2.2.12-or-2.2.11-with-OpenSSL-0.9.8j-or-newer-Windows-installer-to23197644.html#a23197644)

Thanks,
Mike
Re: OpenSSL and kernel __read_nocancel() blocking under heavy network congestion
Hi David,

Thanks and yes, these are the conundrums I'm curious about:
1) why does the process get hung on __read_nocancel (), when the connection is set to non-blocking, and only under heavy congestion?, and
2) if the connection did turn blocking, why aren't the added timeouts working?

I'll keep looking and any 'what to look at' pointers or confirmation would be appreciated.

Cheers,
Mark

On 5/25/09 9:18 PM, "David Schwartz" wrote:

>
>> Background: the TR-069 client uses the gSoap system that in turn
>> calls OpenSSL. The communications to the server are HTTP/SOAP
>> based using SSL or non_SSL. The problems are being experienced in
>> Linux 2.6.x systems 32-bit and 64-bit, on MIPS and AMD processors;
>> i.e. both embedded Linux systems and normal development systems.
>> WANem is configured for T1 link, 100ms delay, 10ms jitter, and
>> 40% to 50% packet loss. gSoap uses a select() call with timeout
>> prior to calling SSL_read.
>
> Why? You can't 'select' on the decrypted data stream. The SSL_read function
> reads *decrypted* data from the OpenSSL output stream, not encrypted data
> from the socket (unless that happens to be necessary). It is a serious
> mistake to call 'select' prior to calling SSL_read. For example, suppose the
> data has already been read from the socket (SSL_write can result in data
> being read from the socket), and an SSL_read would complete immediately.
> You will be calling 'select' to wait for data that has already been read.
>
>> In addition, I added code to set
>> SO_RCVTIMEO and SO_SNDTIMEO to 60 seconds on the socket.
>
> Why? You're using non-blocking operations. Fortunately, this will do nothing
> because these timeouts only affect blocking operations, but if they did take
> effect, they would destroy the integrity of the connection. (They are
> timeouts for the operations themselves, not just for the calls that initiate
> them.)
>
>> Various stack backtraces from entry into gSoap are presented
>> below, each one was captured from a core file produced from
>> kill -3'ing the hung up client. They are just representative of the
>> problem happening from several different entry points into OpenSSL.
>>
>> (gdb) bt 1
>> #0 0x003b8d40bf7b in __read_nocancel () from /lib64/libpthread.so.0
>> #1 0x003b91499091 in BIO_new_socket () from /lib64/libcrypto.so.6
>> #2 0x003b9149766f in BIO_read () from /lib64/libcrypto.so.6
>> #3 0x003f9642047d in ssl3_read_n () from /lib64/libssl.so.6
>> #4 0x003f964209dd in ssl3_read_bytes () from /lib64/libssl.so.6
>> #5 0x003f9641de64 in ssl3_shutdown () from /lib64/libssl.so.6
>> #6 0x00455961 in tcp_disconnect (soap=0x596960) at gsoap/stdsoap2.c:4013
>> #7 0x00455c9c in soap_closesock (soap=0x596960) at gsoap/stdsoap2.c:4069
>
> How is the connection made non-blocking exactly?
>
>> #0 0x003b8d40bf7b in __read_nocancel () from /lib64/libpthread.so.0
>> #1 0x004a8e0b in sock_read ()
>> #2 0x004a7f8b in BIO_read ()
>> #3 0x0049411d in ssl3_read_n ()
>> #4 0x00494c60 in ssl3_read_bytes ()
>> #5 0x00495b44 in ssl3_get_message ()
>> #6 0x0048fea1 in ssl3_get_server_hello ()
>> #7 0x00490a66 in ssl3_connect ()
>> #8 0x004947da in ssl3_write_bytes ()
>> #9 0x00449194 in fsend (soap=0x6a8de0,
>>     s=0x6a91c0 "POST /dps/TR069 HTTP/1.1\r\nHost: 10.2.2.22:8443\r\nUser-Agent: gSOAP/2.7\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: 2393\r\nConnection: keep-alive\r\nSOAPAction: \"\"\r\n\r\n\" xmlns:xsi=\"http://www.w3";..., n=174) at gsoap/stdsoap2.c:470
>> #10 0x00449859 in soap_flush_raw (soap=0x6a8de0,
>>     s=0x6a91c0 "POST /dps/TR069 HTTP/1.1\r\nHost: 10.2.2.22:8443\r\nUser-Agent: gSOAP/2.7\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: 2393\r\nConnection: keep-alive\r\nSOAPAction: \"\"\r\n\r\n\" xmlns:xsi=\"http://www.w3";..., n=174) at gsoap/stdsoap2.c:671
>> #11 0x00449589 in soap_flush (soap=0x6a8de0) at gsoap/stdsoap2.c:637
>> #12 0x00458e8c in soap_end_send (soap=0x6a8de0) at gsoap/stdsoap2.c:5399
>
> Are you sure the connection is non-blocking? Are you absolutely 100% sure?
> It looks like you simply have forgotten to set the connection non-blocking.
> As a result, you may block in one direction forever even though you could
> make forward progress in the other direction.
>
> DS
Re: OpenSSL and kernel __read_nocancel() blocking under heavy network congestion
Hi Mark,

Mark Laubach wrote:
> Hi David,
>
> Thanks and yes, these are the conundrums I'm curious about:
> 1) why does the process get hung on __read_nocancel (), when the
> connection is set to non-blocking, and only under heavy congestion?,
> and 2) if the connection did turn blocking, why aren't the added
> timeouts working?
>
> I'll keep looking and any 'what to look at' pointers or confirmation
> would be appreciated.

If the sockets aren't being set up correctly, it's likely to be the layer above openssl - ie. gSoap. Perhaps run this issue by them?

Regards,
Geoff
RE: OpenSSL and kernel __read_nocancel() blocking under heavy network congestion
Mark Laubach wrote:

> Hi David,
>
> Thanks and yes, these are the conundrums I'm curious about:
> 1) why does the process get hung on __read_nocancel (), when the
> connection is set to non-blocking, and only under heavy congestion?,

My bet is the connection is not actually being set non-blocking.

> and 2) if the connection did turn blocking, why aren't the added
> timeouts working?

As I explained, those timeouts are fundamentally broken. It's not even clear what it is that they time out. (Do they time out the actual network operation? Do they time out the underlying connection? Do they timeout waiting for the operation to complete? Nobody knows.)

> I'll keep looking and any 'what to look at' pointers or confirmation
> would be appreciated.

Make sure the connections are in fact set non-blocking. Make sure you don't refuse to perform an operation unless the SSL state machine has specifically directed you to do so.

Note that you cannot, either with or without SSL, make a connection non-blocking by using 'select' before I/O operations. That has never worked and will never work.

DS