Re: Program works with older libssl, but not with newer

2020-03-31 Thread Viktor Dukhovni
On Tue, Mar 31, 2020 at 04:51:32PM +0200, Christoph Pleger wrote:

> > > I have here a self-written server program and the corresponding
> > > self-written client program. These run well together with libssl 1.1.0l,
> > > but with libssl 1.1.1d, the same programs give errors SSL_ERROR_SYSCALL
> > > in SSL_read(), no matter if I recompile the programs and then run them,
> > > or just replace libssl with the newer version.
> > 
> > OpenSSL 1.1.1 supports TLS 1.3, which OpenSSL 1.1.0 did not.
> > 
> > > So, I want to ask if there are any known incompatibilities in the libssl
> > > versions that require me to change the code of the programs, or if there
> > > is any known bug in libssl1.1.1d that may cause the mentioned errors.
> > 
> > Use of TLS 1.3 changes the communication patterns of the TLS protocol in
> > some non-trivial ways, and, if your application were fragile, it might
> > have gotten by with TLS 1.2, but the latent bugs could show up with TLS
> > 1.3.
> 
> Now, I replaced TLS_server_method() and TLS_client_method() with
> TLSv1_2_server_method() and TLSv1_2_client_method() respectively, and the
> same error occurs.

Well, in that case, you need to provide more detail.  Does the handshake
complete?  If not, at what stage does it fail?

A PCAP file may be needed.  And you need to explain what operation
fails with SSL_ERROR_SYSCALL, and do an "strace" or equivalent to
understand what the relevant socket read calls returned.

-- 
Viktor.


Re: Program works with older libssl, but not with newer

2020-03-31 Thread Christoph Pleger
Hello,

> > I have here a self-written server program and the corresponding
> > self-written client program. These run well together with libssl 1.1.0l,
> > but with libssl 1.1.1d, the same programs give errors SSL_ERROR_SYSCALL
> > in SSL_read(), no matter if I recompile the programs and then run them,
> > or just replace libssl with the newer version.
> 
> OpenSSL 1.1.1 supports TLS 1.3, which OpenSSL 1.1.0 did not.
> 
> > So, I want to ask if there are any known incompatibilities in the libssl
> > versions that require me to change the code of the programs, or if there
> > is any known bug in libssl1.1.1d that may cause the mentioned errors.
> 
> Use of TLS 1.3 changes the communication patterns of the TLS protocol in
> some non-trivial ways, and, if your application were fragile, it might
> have gotten by with TLS 1.2, but the latent bugs could show up with TLS
> 1.3.

Now, I replaced TLS_server_method() and TLS_client_method() with 
TLSv1_2_server_method() and TLSv1_2_client_method() respectively, and the same 
error occurs. 

Regards
  Christoph




Re: Program works with older libssl, but not with newer

2020-03-31 Thread Matt Caswell



On 31/03/2020 15:21, Salz, Rich via openssl-users wrote:
> Isn't this the SSL EOF thing?

No. In older OpenSSLs, SSL_read() would return SSL_ERROR_SYSCALL on EOF
with an errno of 0. This was "fixed" in 1.1.1e to return SSL_ERROR_SSL
with an entry on the error stack. And unfixed in 1.1.1f to revert to the
old behaviour (but 3.0 still does this).

So - if it was due to "the SSL EOF thing" then you would be seeing
SSL_ERROR_SSL.

Matt
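
The distinction Matt describes, as an added example that is not code from the thread or from OpenSSL: a C helper that classifies a failed SSL_read() from the SSL_get_error() result, the saved errno and whether the error queue has an entry. The enum names and `diagnose_read` are hypothetical; the numeric values mirror the SSL_ERROR_* constants in <openssl/ssl.h>.

```c
#include <stdio.h>

/* Mirrors of the SSL_ERROR_* values in <openssl/ssl.h>, repeated here so the
 * example builds without OpenSSL; real code includes that header instead. */
enum { EX_ERROR_NONE = 0, EX_ERROR_SSL = 1, EX_ERROR_WANT_READ = 2,
       EX_ERROR_WANT_WRITE = 3, EX_ERROR_SYSCALL = 5, EX_ERROR_ZERO_RETURN = 6 };

/* Hypothetical diagnosis codes for this example. */
typedef enum { RD_OK, RD_RETRY, RD_CLEAN_CLOSE, RD_ABRUPT_EOF,
               RD_SOCKET_ERROR, RD_TLS_ERROR } read_diag;

/* ssl_err:    SSL_get_error(ssl, ret), taken right after SSL_read() returned
 * sys_errno:  errno saved immediately after the same call
 * queue_used: nonzero when ERR_peek_error() returned a nonzero code */
read_diag diagnose_read(int ssl_err, int sys_errno, int queue_used)
{
    switch (ssl_err) {
    case EX_ERROR_NONE:
        return RD_OK;
    case EX_ERROR_WANT_READ:
    case EX_ERROR_WANT_WRITE:
        return RD_RETRY;            /* no progress yet: call SSL_read() again */
    case EX_ERROR_ZERO_RETURN:
        return RD_CLEAN_CLOSE;      /* peer sent close_notify */
    case EX_ERROR_SYSCALL:
        /* errno 0 and nothing queued: the "EOF" case from the thread, the
         * socket was closed without a close_notify. */
        if (sys_errno == 0 && !queue_used)
            return RD_ABRUPT_EOF;
        return RD_SOCKET_ERROR;     /* check errno and the strace output */
    default:
        /* SSL_ERROR_SSL: protocol failure; per the thread, 1.1.1e and 3.0
         * also report EOF this way, so dump the error queue to tell. */
        return RD_TLS_ERROR;
    }
}

int main(void)
{
    /* Constructed observations: {SSL_get_error, errno, queue non-empty}. */
    int obs[][3] = { {5, 0, 0}, {5, 104, 0}, {1, 0, 1}, {6, 0, 0} };
    static const char *name[] = { "ok", "retry", "clean close", "abrupt EOF",
                                  "socket error", "TLS error" };
    for (size_t i = 0; i < sizeof obs / sizeof obs[0]; i++)
        printf("err=%d errno=%d -> %s\n", obs[i][0], obs[i][1],
               name[diagnose_read(obs[i][0], obs[i][1], obs[i][2])]);
    return 0;
}
```

In a real program the three arguments must be captured immediately after SSL_read() returns, before any other call can overwrite errno or the error queue.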



Re: Program works with older libssl, but not with newer

2020-03-31 Thread Salz, Rich via openssl-users
Isn't this the SSL EOF thing?
 



OpenSSL version 1.1.1f published

2020-03-31 Thread OpenSSL


   OpenSSL version 1.1.1f released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.1f of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.1-notes.html

   OpenSSL 1.1.1f is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.1f.tar.gz
  Size: 9792828
  SHA1 checksum: 238e001ea1fbf19ede43e36209c37c1a636bb51f
  SHA256 checksum: 186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.1f.tar.gz
openssl sha256 openssl-1.1.1f.tar.gz

   Yours,

   The OpenSSL Project Team.



Re: New includes needed for OpenSSL V1.1.1 sockets

2020-03-31 Thread Dr Paul Dale
All of the include files mentioned are standard ones which have always been used.
You are building 1.1.1 differently to 1.0.2.  Debug your build environment first.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 31 Mar 2020, at 7:56 pm, Balázs Horváth wrote:
> 
> Thanks for Your answer!
>  
> I was not clearly describing our problem, sorry! Our project is for embedded 
> devices running on MIPS processors. The system has a special OS, not Linux.
> The development system is under Linux, and we are compiling OpenSSL with 
> cross compile option for MIPS. We also compile the code for Linux, so that we 
> have a simulation of the embedded system, that can be easily debugged under 
> Linux.
> Our problem is that OpenSSL V1.1.1d needs includes that are nonexistent
> for MIPS in our development system. These headers were not needed for 1.0.2.
>
> My question is not a 100% OpenSSL question. But I think, as OpenSSL is widely
> used on non-Linux/Windows/… systems, the question is legitimate to ask, what to
> use on special systems? Or why are these headers needed now?
> The programmer, who changed the code, probably had an idea about that.
>  
> Best regards,
> Balazs
> 
> Michael Wojcik wrote (on Mon, 30 Mar 2020, 20:20):
> From: openssl-users on behalf of Balázs Horváth <balazs.horvath.em...@gmail.com>
> Sent: Monday, March 30, 2020 10:00
> 
> > Following extra includes are needed:
> > arpa/inet.h
> > netinet/tcp.h
> > netinet/in.h
> > strings.h
> > netdb.h
> > sys/socket.h
> > sys/ioctl.h
> > sys/un.h
> 
> These are system headers, not OpenSSL headers. OpenSSL has no control over 
> them.
> 
> > For Linux the includes under /usr/include work, but for MIPS they give 
> > compile errors.
> 
> Then you're using the wrong headers for the MIPS compilation. To be honest, 
> it's not clear to me what you're doing, because Linux is an operating system 
> (or more precisely a kernel), and MIPS is a processor family.
> 
> > What should we use for MIPS?
> 
> This is not an OpenSSL question. It's a cross-compilation question (I think, 
> since I'm not sure what you're actually trying to do), and so depends on your 
> cross-compilation toolchain.



Re: Program works with older libssl, but not with newer

2020-03-31 Thread Viktor Dukhovni
On Tue, Mar 31, 2020 at 11:27:27AM +0200, Christoph Pleger wrote:

> I have here a self-written server program and the corresponding self-written 
> client program. These run well together with libssl 1.1.0l, but with libssl 
> 1.1.1d, the same programs give errors SSL_ERROR_SYSCALL in SSL_read(), no 
> matter if I recompile the programs and then run them, or just replace libssl 
> with the newer version. 

OpenSSL 1.1.1 supports TLS 1.3, which OpenSSL 1.1.0 did not.

> So, I want to ask if there are any known incompatibilities in the libssl
> versions that require me to change the code of the programs, or if there is 
> any known bug in libssl1.1.1d that may cause the mentioned errors.

Use of TLS 1.3 changes the communication patterns of the TLS protocol in
some non-trivial ways, and, if your application were fragile, it might
have gotten by with TLS 1.2, but the latent bugs could show up with TLS
1.3.

You can test with TLS 1.3 disabled and see whether that makes a
difference.  If it does, you will then need to debug your program and
see where it fails with TLS 1.3.

There are other improvements and bug fixes, but no known fundamental
obstacles to running robustly implemented clients built for 1.1.0
against 1.1.1 libraries.

-- 
Viktor.


Re: New includes needed for OpenSSL V1.1.1 sockets

2020-03-31 Thread Balázs Horváth
Thanks for Your answer!



I was not clearly describing our problem, sorry! Our project is for
embedded devices running on MIPS processors. The system has a special OS,
not Linux.

The development system is under Linux, and we are compiling OpenSSL with
cross compile option for MIPS. We also compile the code for Linux, so that
we have a simulation of the embedded system, that can be easily debugged
under Linux.

Our problem is that OpenSSL V1.1.1d needs includes that are
nonexistent for MIPS in our development system. These headers were not
needed for 1.0.2.

My question is not a 100% OpenSSL question. But I think, as OpenSSL is
widely used on non-Linux/Windows/… systems, the question is legitimate to
ask, what to use on special systems? Or why are these headers needed now?

The programmer, who changed the code, probably had an idea about that.



Best regards,

Balazs

Michael Wojcik wrote (on Mon, 30 Mar 2020, 20:20):

> From: openssl-users on behalf of Balázs Horváth
> Sent: Monday, March 30, 2020 10:00
>
> > Following extra includes are needed:
> > arpa/inet.h
> > netinet/tcp.h
> > netinet/in.h
> > strings.h
> > netdb.h
> > sys/socket.h
> > sys/ioctl.h
> > sys/un.h
>
> These are system headers, not OpenSSL headers. OpenSSL has no control over
> them.
>
> > For Linux the includes under /usr/include work, but for MIPS they
> > give compile errors.
>
> Then you're using the wrong headers for the MIPS compilation. To be
> honest, it's not clear to me what you're doing, because Linux is an
> operating system (or more precisely a kernel), and MIPS is a processor
> family.
>
> > What should we use for MIPS?
>
> This is not an OpenSSL question. It's a cross-compilation question (I
> think, since I'm not sure what you're actually trying to do), and so
> depends on your cross-compilation toolchain.


Program works with older libssl, but not with newer

2020-03-31 Thread Christoph Pleger
Hello,

I have here a self-written server program and the corresponding self-written 
client program. These run well together with libssl 1.1.0l, but with libssl 
1.1.1d, the same programs give errors SSL_ERROR_SYSCALL in SSL_read(), no 
matter if I recompile the programs and then run them, or just replace libssl 
with the newer version. 

So, I want to ask if there are any known incompatibilities in the libssl
versions that require me to change the code of the programs, or if there is 
any known bug in libssl1.1.1d that may cause the mentioned errors.

Regards
  Christoph