Re: Version compatibility issues - Re: openssl development work / paid

> I was that second developer and even though 'Embedded Devel' listed this as "paid" work and even though he made repeated promises about following up on payment, I never did receive payment. I checked the email address and IP addresses used for this job and found nothing terribly wrong. My conclusion is that either someone hijacked an email address - meaning that Optimcloud is not a very *safe* company to do business with - or that 'Embedded Devel' at Optimcloud simply thinks he can get away with this - meaning that Optimcloud is not a very *trustworthy* company to do business with.

No, actually, neither is the case. I submitted the work for payment; accounting inquired of the developer whether it was all working and he stated it wasn't. So where it is, and it's more that I think we don't understand, is that when the client registers and is authorized it should generate a new XML config for the client, and right now there appears to be some mismatch; basically we have no idea how you had this working. So we are a month in from the work you did and I submitted payment for, and still have had zero reproducibility. I've even reviewed the document you sent, as has he, and we are missing something.

> This is the first time I hear of this. To get a few things straight (and I have the full email exchange at hand to back this up):

Wow, so let's just make the whole thing public.

> - 'embedded devel' originally asked for a developer to port old OpenSSL code to openssl 1.1+
> - I offered to do this and ported the application to work with openssl 1.1.1 within a few hours. 'embedded devel' agreed with me in email that I had achieved the original goal.

This is in fact true, and I don't dispute it.

> - after that, I offered to help in debugging the rest of the client/server application workflow, which was poorly documented but which had little to do with openssl specifics. I never offered or promised to get the entire client/server application framework working again.
> - 'embedded devel' accepted my offer and said he had a fixed maximum amount that he could spend.

Also true.

> - I worked for the remainder of the time on analyzing and debugging the application workflow, even though it turned out that I was not given all source code. 'embedded devel' confirmed that a part was missing.

The missing part was the UI, which itself was also in the process of a rewrite, which also isn't completed, and the developer has been compensated already.

> - I wrote a report with my findings and suggestions on how to proceed. 'embedded devel' was satisfied with the report and told me he would ask accounting to pay me.

I am and was satisfied, and I did submit it to billing. However, that being said, we still cannot reproduce how you made this work because it is unclear; it doesn't appear clearly in the document. That also didn't prevent me from paying the bill.

> - after several reminders about payment he did not respond to my emails until I made my post yesterday, claiming for the first time that what I had done was not reproducible.

This is untrue, and here's the proof:

"I've already processed this for payment, I'll push the accountant to get it remitted, though the tone is a bit stern... nothing to worry about, it'll post to you. Thanks

On 3/31/21 10:11 PM, Jan Just Keijser wrote:
Hello there,
On 30/03/21 14:47, Jan Just Keijser wrote:
just as a check/reminder: I have not yet seen my payment. Please let me know when the payment is made.
this is my second and last reminder: I expect payment for my services, € 1000 as agreed and promised, before the end of this week.
kind regards,
Jan Just Keijser"

Now, so we do not consume everyone else's time with trivial bits of banter and this spins out of hand emailing the list, and outing these facts doesn't get you paid either. It seems you're just upset because you believe we are trying to rip you off, and we aren't.

Plainly said, it doesn't appear to work; we cannot reproduce it. However, I know that when you did it, it did work, so what's the secret? To me it's simple: work is obviously done, more than happy to pay; matter of fact I'll remit $500 Euros in good faith right now, out of my personal account. Now proof of payment is sent; simply tell us how you made this work. And leave everyone else out of it; we are all busy. I did what I said I would do, and never intended not to pay you.

Jan Just Keijser -€500.00 Tuesday, May 4, 2021, 2:54 PM

I'd attach the receipt, but it's been blocked by the mailing list due to size.

> Reviewing this, I see no reason to change my viewpoint on the trustworthiness of either 'embedded devel' or the company Optimcloud.

Personally, I would have used a different tone in your last 3 emails. It's not very professional. And I did submit the payment information; I even signed for it to be remitted. My accountants have a process; they followed the process. Sometimes things take time or get thrown a curve.
Re: Version compatibility issues - Re: openssl development work / paid

On 5/3/21 2:20 PM, Jan Just Keijser wrote:
> Just for the record:
>
> On 26/03/21 09:51, Embedded Devel wrote:
>> i now have a second developer looking at this, so hoping he can sort it all out.
> [...]
> I was that second developer and even though 'Embedded Devel' listed this as "paid" work and even though he made repeated promises about following up on payment, I never did receive payment. I checked the email address and IP addresses used for this job and found nothing terribly wrong. My conclusion is that either someone hijacked an email address - meaning that Optimcloud is not a very *safe* company to do business with - or that 'Embedded Devel' at Optimcloud simply thinks he can get away with this - meaning that Optimcloud is not a very *trustworthy* company to do business with.

No, actually, neither is the case. I submitted the work for payment; accounting inquired of the developer whether it was all working and he stated it wasn't. So where it is, and it's more that I think we don't understand, is that when the client registers and is authorized it should generate a new XML config for the client, and right now there appears to be some mismatch; basically we have no idea how you had this working. So we are a month in from the work you did and I submitted payment for, and still have had zero reproducibility. I've even reviewed the document you sent, as has he, and we are missing something.

The database says:

    (6,'archer.optimcloud.com','0.0.0.0','60:32:b1:f8:9b:3a','mips','12345678','19.07.2','1.0.3','/etc/apconfig/CA/ac_ca_cert.pem','/etc/apconfig/CA/ac_client_cert.pem','/etc/apconfig/CA/ac_client_key.pem','none','2021-04-29 07:28:53',1,1)

The ac_server log says the following; so is it a mismatched certificate?

    5]: DEBUG: generic blocked db query: SELECT * FROM blocked_systems WHERE mac="60:32:b1:f8:9b:3a";
    May 4 07:07:22 portaladmin ac_server[24675]: DEBUG: generic new systems db query: SELECT * FROM new_systems WHERE mac="60:32:b1:f8:9b:3a";
    May 4 07:07:22 portaladmin ac_server[24675]: DEBUG: generic systems db query: SELECT * FROM systems WHERE mac="60:32:b1:f8:9b:3a";
    May 4 07:07:22 portaladmin ac_server[24675]: INFO: Device Registration Process
    May 4 07:07:22 portaladmin ac_server[24675]: DEBUG: db query: SELECT id FROM systems WHERE hostname="client.xi-group.com" and active='1' ORDER BY ID DESC LIMIT 1;
    May 4 07:07:22 portaladmin ac_server[24675]: ac_gen_db_generate_conf_xml(): No such hostname: client.xi-group.com
    May 4 07:07:22 portaladmin ac_server[24675]: DEBUG: Sending ACK reply (INIT+XML config)
    May 4 07:07:22 portaladmin ac_server[24675]: DEBUG: generic update last seen db query: UPDATE systems SET last_seen=NOW() WHERE hostname="client.xi-group.com";
    May 4 07:07:22 portaladmin ac_server[24675]: DEBUG: generic update log db query: INSERT INTO logs(time, actor, action) VALUES (NOW(), 'ac_server', 'AC_INIT from client: client.xi-group.com; XML Reply.');

The DB says your hostname is archer:

    (6,'archer.optimcloud.com','0.0.0.0','60:32:b1:f8:9b:3a','mips','12345678','19.07.2','1.0.3','/etc/apconfig/CA/ac_ca_cert.pem','/etc/apconfig/CA/ac_client_cert.pem','/etc/apconfig/CA/ac_client_key.pem','none','2021-04-29 07:28:53',1,1)

> You have been warned.
>
> JJK
>
> On 26/03/21 09:51, Embedded Devel wrote:
>> I believe this was all from back in the 0.9x days; the code in question is close to 10 +/- years old. If everyone would look at the email thread re: "ssl client write / server accept seems broken" some might see more of the issue I am facing. I have had one person look at this and he believes, quote:
>>
>> "This looks like using *very* outdated OpenSSL API. Hence the SSL client (and server) code needs to be ported to work with more recent versions of OpenSSL and make use of TLS methods instead of SSL methods. For testing you could try to build OpenSSL with the old SSL3 support enabled (we don't even support that at all in OpenWrt any longer, but should work to build manually). Because ssl_undefined_function is most likely a result of:
>>
>>     Disabled features:
>>     ...
>>     ssl3          [default]  OPENSSL_NO_SSL3
>>     ssl3-method   [default]  OPENSSL_NO_SSL3_METHOD
>>     ...
>>
>> If you find someone very familiar with OpenSSL's API (I've used it, more than once, but it's not what I'm doing every day), this can be done in a few days. I'd probably need a week for this and I'm not particularly keen on it; there are things I'm better with which are waiting as well."
>>
>> I now have a second developer looking at this, so hoping he can sort it all out.
Re: Version compatibility issues - Re: openssl development work / paid - SSL now FIXED

This has now been fixed. SSL is working.

On 3/26/21 3:51 PM, Embedded Devel wrote:
> On 3/26/21 2:46 PM, David von Oheimb wrote:
>> Embedded Devel, my sympathy - I know this can be painful and frustrating. From which old OpenSSL version to which target version do you need to get the code updated? And as info to whoever may be considering picking up this task: which is your timeline for that? Within OpenSSL we are currently discussing how to handle version compatibility issues with the upcoming version 3.0 at https://github.com/openssl/openssl/issues/14628. Can you give some concrete typical examples of which exact issues you are facing?
>>
>> David
>
> I believe this was all from back in the 0.9x days; the code in question is close to 10 +/- years old. If everyone would look at the email thread re: "ssl client write / server accept seems broken" some might see more of the issue I am facing. I have had one person look at this and he believes, quote:
>
> "This looks like using *very* outdated OpenSSL API. Hence the SSL client (and server) code needs to be ported to work with more recent versions of OpenSSL and make use of TLS methods instead of SSL methods. For testing you could try to build OpenSSL with the old SSL3 support enabled (we don't even support that at all in OpenWrt any longer, but should work to build manually). Because ssl_undefined_function is most likely a result of:
>
>     Disabled features:
>     ...
>     ssl3          [default]  OPENSSL_NO_SSL3
>     ssl3-method   [default]  OPENSSL_NO_SSL3_METHOD
>     ...
>
> If you find someone very familiar with OpenSSL's API (I've used it, more than once, but it's not what I'm doing every day), this can be done in a few days. I'd probably need a week for this and I'm not particularly keen on it; there are things I'm better with which are waiting as well."
>
> I now have a second developer looking at this, so hoping he can sort it all out.
>
>> On 25.03.21 13:58, Floodeenjr, Thomas wrote:
>>> If your problem is the migration from 1.0.2 to 1.1.1, I have attached my porting notes, if that helps.
>>>
>>> -Tom
>>>
>>> -----Original Message-----
>>> From: openssl-users On Behalf Of Embedded Devel
>>> Sent: Wednesday, March 24, 2021 8:02 PM
>>> To: openssl-users@openssl.org
>>> Subject: openssl development work / paid
>>>
>>> I tried to get through this on my own, not being an openssl developer; made progress but still no joy. So we had an app that was written some 8-10 years ago, which worked fine for client/server TLS. Updated to today, it is no longer functional; deprecations in openssl cause errors. It is not a large app, and I believe if someone were to resolve the openssl issues it would work again. Who's up for making some money?
>>>
>>> Thanks
Re: Version compatibility issues - Re: openssl development work / paid

On 3/26/21 2:46 PM, David von Oheimb wrote:
> Embedded Devel, my sympathy - I know this can be painful and frustrating. From which old OpenSSL version to which target version do you need to get the code updated? And as info to whoever may be considering picking up this task: which is your timeline for that? Within OpenSSL we are currently discussing how to handle version compatibility issues with the upcoming version 3.0 at https://github.com/openssl/openssl/issues/14628. Can you give some concrete typical examples of which exact issues you are facing?
>
> David

I believe this was all from back in the 0.9x days; the code in question is close to 10 +/- years old. If everyone would look at the email thread re: "ssl client write / server accept seems broken" some might see more of the issue I am facing. I have had one person look at this and he believes, quote:

"This looks like using *very* outdated OpenSSL API. Hence the SSL client (and server) code needs to be ported to work with more recent versions of OpenSSL and make use of TLS methods instead of SSL methods. For testing you could try to build OpenSSL with the old SSL3 support enabled (we don't even support that at all in OpenWrt any longer, but should work to build manually). Because ssl_undefined_function is most likely a result of:

    Disabled features:
    ...
    ssl3          [default]  OPENSSL_NO_SSL3
    ssl3-method   [default]  OPENSSL_NO_SSL3_METHOD
    ...

If you find someone very familiar with OpenSSL's API (I've used it, more than once, but it's not what I'm doing every day), this can be done in a few days. I'd probably need a week for this and I'm not particularly keen on it; there are things I'm better with which are waiting as well."

I now have a second developer looking at this, so hoping he can sort it all out.

> On 25.03.21 13:58, Floodeenjr, Thomas wrote:
>> If your problem is the migration from 1.0.2 to 1.1.1, I have attached my porting notes, if that helps.
>>
>> -Tom
>>
>> -----Original Message-----
>> From: openssl-users On Behalf Of Embedded Devel
>> Sent: Wednesday, March 24, 2021 8:02 PM
>> To: openssl-users@openssl.org
>> Subject: openssl development work / paid
>>
>> I tried to get through this on my own, not being an openssl developer; made progress but still no joy. So we had an app that was written some 8-10 years ago, which worked fine for client/server TLS. Updated to today, it is no longer functional; deprecations in openssl cause errors. It is not a large app, and I believe if someone were to resolve the openssl issues it would work again. Who's up for making some money?
>>
>> Thanks
openssl development work / paid

I tried to get through this on my own, not being an openssl developer; made progress but still no joy. So we had an app that was written some 8-10 years ago, which worked fine for client/server TLS. Updated to today, it is no longer functional; deprecations in openssl cause errors. It is not a large app, and I believe if someone were to resolve the openssl issues it would work again. Who's up for making some money?

Thanks
Re: ssl client write / server accept seems broken

On 3/24/21 9:53 PM, Embedded Devel wrote:
> On 3/23/21 11:06 PM, Matt Caswell wrote:
>> On 23/03/2021 15:47, Embedded Devel wrote:
>>>> Do you know if your application is statically linked or dynamically linked to OpenSSL?
>>>
>>> I've attached the code in question if it helps.

And nope, still have the errors.

> Original code was deprecated, and changed from
>
>     /* if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) { */
>     if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
>
> which also got added to the client side, yet should have been; client should be
>
>     if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
>
> not
>
>     if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
>
>> Looks like the original developer already tried to print the contents of the OpenSSL error stack:
>>
>>         case SSL_ERROR_SSL:
>>             LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
>>             break;
>>     }
>>     ERR_print_errors_fp(stderr); fflush(stderr);
>>
>> The errors seem to be going to "stderr" rather than via your "LOG" function. You don't show what "LOG" does, but if it goes somewhere other than stderr then the errors are going somewhere different to your log file. Are you able to show us the stderr output from running your application?
>>
>>> Just compiled with gcc; I see no -lstatic in the makefile ... I've attached the ssl .c and .h files in question if you want to see them.
>>
>> What does "ldd" show you for the application binary? i.e.
>>
>>     ldd name-of-your-binary-here
>>
>> Matt
Re: ssl client write / server accept seems broken

On 3/23/21 11:06 PM, Matt Caswell wrote:
> On 23/03/2021 15:47, Embedded Devel wrote:
>>> Do you know if your application is statically linked or dynamically linked to OpenSSL?
>>
>> I've attached the code in question if it helps.

Original code was deprecated, and changed from

    /* if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) { */
    if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {

which also got added to the client side, yet should have been; client should be

    if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {

not

    if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {

> Looks like the original developer already tried to print the contents of the OpenSSL error stack:
>
>         case SSL_ERROR_SSL:
>             LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
>             break;
>     }
>     ERR_print_errors_fp(stderr); fflush(stderr);
>
> The errors seem to be going to "stderr" rather than via your "LOG" function. You don't show what "LOG" does, but if it goes somewhere other than stderr then the errors are going somewhere different to your log file. Are you able to show us the stderr output from running your application?
>
>> Just compiled with gcc; I see no -lstatic in the makefile ... I've attached the ssl .c and .h files in question if you want to see them.
>
> What does "ldd" show you for the application binary? i.e.
>
>     ldd name-of-your-binary-here
>
> Matt
Re: ssl client write / server accept seems broken

On 3/23/21 11:06 PM, Matt Caswell wrote:
> On 23/03/2021 15:47, Embedded Devel wrote:
>>> Do you know if your application is statically linked or dynamically linked to OpenSSL?
>>
>> I've attached the code in question if it helps.
>
> Looks like the original developer already tried to print the contents of the OpenSSL error stack:
>
>         case SSL_ERROR_SSL:
>             LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
>             break;
>     }
>     ERR_print_errors_fp(stderr); fflush(stderr);
>
> The errors seem to be going to "stderr" rather than via your "LOG" function. You don't show what "LOG" does, but if it goes somewhere other than stderr then the errors are going somewhere different to your log file. Are you able to show us the stderr output from running your application?

logread:

    Tue Mar 23 16:09:43 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
    Tue Mar 23 16:09:44 2021 user.info : ac_send_init(): Error
    Tue Mar 23 16:09:46 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
    Tue Mar 23 16:09:46 2021 user.info : ac_send_init(): Error
    Tue Mar 23 16:09:49 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
    Tue Mar 23 16:09:49 2021 user.info : ac_send_init(): Error
    Tue Mar 23 16:09:54 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
    Tue Mar 23 16:09:54 2021 user.info : ac_send_init(): Error
    Tue Mar 23 16:09:59 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
    Tue Mar 23 16:09:59 2021 user.info : ac_send_init(): Error
    Tue Mar 23 16:10:05 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
    Tue Mar 23 16:10:05 2021 user.info : ac_send_init(): Error

Client side console:

    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:
    2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:

Nothing on the console on the server side; /var/log/message:

    Mar 23 17:09:54 optim04 ac_server[617182]: ac_ssl_server_accept(): Error SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
    Mar 23 17:09:54 optim04 ac_server[617182]: ac_ssl_server_accept(): Error code: -3
    Mar 23 17:09:59 optim04 ac_server[617182]: ac_ssl_server_accept(): Error SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
    Mar 23 17:09:59 optim04 ac_server[617182]: ac_ssl_server_accept(): Error code: -3
    Mar 23 17:10:05 optim04 ac_server[617182]: ac_ssl_server_accept(): Error SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
    Mar 23 17:10:05 optim04 ac_server[617182]: ac_ssl_server_accept(): Error code: -3
    [root@optim04 ~]#

>> Just compiled with gcc; I see no -lstatic in the makefile ... I've attached the ssl .c and .h files in question if you want to see them.
>
> What does "ldd" show you for the application binary? i.e.
>
>     ldd name-of-your-binary-here

Client:

    root@OpenWrt:~# ldd /usr/sbin/ac_client
        /lib/ld-musl-mips-sf.so.1 (0x77e2)
        libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x77da)
        libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x77bc6000)
        libaxl.so.0 => /usr/lib/libaxl.so.0 (0x77b6e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77b4a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77e2)

Server:

    ldd /usr/bin/ac_server
        linux-vdso.so.1 (0x7fff2bd99000)
        libmariadb.so.3 => /lib64/libmariadb.so.3 (0x7f9e81fbb000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x7f9e81d9b000)
        libssl.so.1.1 => /lib64/libssl.so.1.1 (0x7f9e81b07000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x7f9e81621000)
        l
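The client console lines above are the ERR_print_errors_fp() format: thread-id, the word error, a packed hex error code, library, function, reason, file and line. The code 140C5042 decodes (1.1.x layout) to library 20 = ERR_LIB_SSL, function 197 and reason 66, which the text fields spell out as ssl_undefined_function / "called a function you should not call". In OpenSSL 1.1.1 an SSL object built from TLS_server_method() has ssl_undefined_function installed as its connect handler, so a client that creates its context with the server method (the mix-up described in the 3/24 9:53 PM message) hits exactly this error as soon as SSL_write() tries to drive the handshake. The script below is an added example, not part of the thread or of the ac_client code: it parses such a line, decodes the fields with the 1.1.x bit layout, and, where the openssl CLI exists, cross-checks with `openssl errstr`. The sample line is constructed from the output quoted above. Note that OpenSSL 3.0 changed the code layout (no function field, library at bits 23-30, reason in the low 23 bits), so a 1.1.x code must be decoded with 1.1.x rules, and `openssl errstr` on a 3.x build will not decode it the same way.

```shell
#!/bin/sh
# Added example (not code from the thread or from the ac_client/ac_server project):
# parse the lines ERR_print_errors_fp() writes and decode the packed error code.
# OpenSSL 1.1.x packs the 32-bit code as lib (bits 24-31) | func (bits 12-23) | reason (bits 0-11).
# OpenSSL 3.0 uses a different layout (no func field), so these rules are for 1.1.x codes only.
set -eu

# Constructed sample, copied from the client console output quoted above.
SAMPLE='2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a function you should not call:ssl/ssl_lib.c:3690:'

# err_field HEXCODE lib|func|reason  ->  decimal value of that field (1.1.x layout)
err_field() {
    code=$(printf '%d' "0x$1")
    case "$2" in
        lib)    echo $(( code >> 24 )) ;;
        func)   echo $(( (code >> 12) & 4095 )) ;;
        reason) echo $(( code & 4095 )) ;;
        *)      echo "unknown field $2" >&2; return 1 ;;
    esac
}

# parse_err_line LINE tid|code|lib|func|reason|file|line  ->  that field of an ERR_print_errors_fp() line
# (fields are colon separated: thread-id:error:code:library:function:reason:file:line:)
parse_err_line() {
    want=$2
    old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$old_ifs
    case "$want" in
        tid)    echo "$1" ;;
        code)   echo "$3" ;;
        lib)    echo "$4" ;;
        func)   echo "$5" ;;
        reason) echo "$6" ;;
        file)   echo "$7" ;;
        line)   echo "$8" ;;
        *)      echo "unknown field $want" >&2; return 1 ;;
    esac
}

# explain_err_line LINE  ->  one-line summary, plus openssl's own decoding when the CLI is installed
explain_err_line() {
    code=$(parse_err_line "$1" code)
    printf 'code %s -> lib %s (%s), func %s (%s), reason %s (%s), raised at %s:%s\n' \
        "$code" \
        "$(err_field "$code" lib)"    "$(parse_err_line "$1" lib)" \
        "$(err_field "$code" func)"   "$(parse_err_line "$1" func)" \
        "$(err_field "$code" reason)" "$(parse_err_line "$1" reason)" \
        "$(parse_err_line "$1" file)" "$(parse_err_line "$1" line)"
    # library 20 is ERR_LIB_SSL, i.e. the error came from libssl ("SSL routines"), not libcrypto
    if [ "$(err_field "$code" lib)" -eq 20 ]; then
        echo "lib 20 = ERR_LIB_SSL"
    fi
    if command -v openssl >/dev/null 2>&1; then
        echo "openssl errstr says: $(openssl errstr "$code")"
    fi
}

explain_err_line "$SAMPLE"
```

The same fields are what a C caller gets from ERR_get_error() and ERR_error_string_n(), which is how the stack can be fed into the application's LOG() instead of being written to stderr with ERR_print_errors_fp(), the gap Matt points out above.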
Re: ssl client write / server accept seems broken

>> I'm inclined to think the code for the certs is ok, but can't really say, and I'm not an openssl programmer by any means... just need someone to put eyes on the code and fix it, really.
>
> The cert looks ok - at least nothing obviously wrong. 2048 bit RSA key.

Yes, freshly generated.

>> when I run the client - I get an error on the client side
>>
>>     Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
>>     Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error
>>
>>> It would be useful to see any errors on the OpenSSL error stack which might provide more details about specifically what has failed. For example you can call the `ERR_print_errors_fp` function to dump the error stack to a `FILE *`. Or alternatively use the `ERR_*` functions to examine the stack and print it to your log:
>>
>> Yupp, above my head :(
>
> Ah. That's a shame - we could really use understanding the real error behind this. "SSL_ERROR_SSL" just means "libssl encountered an error". You have to modify your code to print more detailed error information.
>
> There doesn't look to be anything obviously wrong from the snippets of code that you have shared. I suspect some kind of config issue - but without more detailed error information it's difficult to say for sure.
>
> Would you be able to get a packet capture of a failing connection? That might give us some kind of clue.
>
> Do you know if your application is statically linked or dynamically linked to OpenSSL?

I've attached the code in question if it helps. Just compiled with gcc; I see no -lstatic in the makefile ... I've attached the ssl .c and .h files in question if you want to see them. As for a packet capture, I can try; they are both remote systems.

>> and lastly if it helps
>
> Unfortunately, not really. This appears to show a working TLSv1.3 connection.
>
> Matt

Attached code (the #include file names did not survive the page; the ones below are what the code actually needs):

    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include "ac_ssl.h"

    /* Transforms the error code from SSL function to more meaningful message - check man SSL_get_error */
    int ac_ssl_handle_err(ac_ssl_conn_t *ssl_con, int ret_val, const char* custom_prefix, const char* custom_msg)
    {
        int err_code;

        /* SSL_read()/SSL_write()/SSL_accept()/SSL_connect() succeed only with a positive
           return value; 0 is a failure as well, so everything <= 0 is reported */
        if (ret_val > 0)
            return 0;

        err_code = SSL_get_error(ssl_con->ssl, ret_val);
        switch (err_code) {
        case SSL_ERROR_NONE:
            return 0;
        case SSL_ERROR_ZERO_RETURN:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_ZERO_RETURN - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        case SSL_ERROR_WANT_READ:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_READ - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        case SSL_ERROR_WANT_WRITE:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_WRITE - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        case SSL_ERROR_WANT_CONNECT:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_CONNECT - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        case SSL_ERROR_WANT_ACCEPT:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_ACCEPT - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        case SSL_ERROR_WANT_X509_LOOKUP:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_X509_LOOKUP - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        case SSL_ERROR_SYSCALL:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_SYSCALL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        case SSL_ERROR_SSL:
            LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
            break;
        default:
            LOG(LOG_ERR, "%s: Error code %d - return code: %d. %s\n", custom_prefix, err_code, ret_val, custom_msg);
            break;
        }
        /* the detailed OpenSSL error stack goes to stderr here, not through LOG() */
        ERR_print_errors_fp(stderr);
        fflush(stderr);
        return 1;
    }

ac_ssl.h (the original six #include lines were lost on the page; the declarations only need the OpenSSL types):

    #ifndef _AC_SSL_H_
    #define _AC_SSL_H_

    #include <openssl/ssl.h>

    typedef struct _ssl_conn {
        int socket;
        SSL_CTX *ctx;
        SSL *ssl;
        char* server;
        int port;
        char* key_file;
        char* key_pass;
        char* cert_file;
        char* ca_file;
    } ac_ssl_conn_t;

    int ac_ssl_client_init(ac_ssl_conn_t *ssl_con);
    int ac_ssl_client_connect(ac_ssl_conn_t *ssl_con);
    int ac_ssl_client_read(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
    int ac_ssl_client_write(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
    int ac_ssl_client_close(ac_ssl_conn_t *ssl_con);

    int ac_ssl_server_init(ac_ssl_conn_t *ssl_con);
    int ac_ssl_server_accept(ac_ssl_conn_t *ssl_con);
    int ac_ssl_server_peer_name(ac_ssl_conn_t *ssl_con, char *cname, int cname_len);
    int ac_ssl_server_read(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
    int ac_ssl_server_write(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
    int ac_ssl_server_close(ac_ssl_conn_t *ssl_con);

    /* this is a common function for both server and client, but it's declared in ac_client.c;
       I think it's useless for now to move it into its own source file */
    int ac_ssl_handle_err(ac_ssl_conn_t *ssl_con, int ret_val, const char* custom_prefix, const char* custom_msg);

    #endif

Start of the client .c file (the attachment is cut off on the page after the first function; its eight #include lines were also lost):

    #include <openssl/ssl.h>
    #include "ac_ssl.h"

    /* Initialize SSL Library */
    int ac_ssl_client_init(ac_ssl_conn_t *ssl_con)
    {
        SSL_library_init();   /* in OpenSSL 1.1.x this is a compatibility macro for OPENSSL_init_ssl() */
        return 0;
    }

    /* Create Client Socket */
    /* ... (remainder of the attachment not shown on the page) */
Re: ssl client write / server accept seems broken

On 3/23/21 9:31 PM, Matt Caswell wrote:
> On 23/03/2021 02:37, Embedded Devel wrote:
>> I have an application previously written for us 10+ years ago that no longer seems to be happy
>
> Has something happened that might have caused this? Did you upgrade OpenSSL, or do some other kind of update to your code? Which version of OpenSSL are you using?

Surely an openssl upgrade; this code is maybe 7-8 years old.

    OpenSSL 1.1.1g FIPS  21 Apr 2020
    CentOS 7

>> and the original dev is no longer available, so who can I pay to bang this out and make it happy, or who can guide me through getting it functional... basic info below.
>>
>> I have a client process which is supposed to speak to a server via ssl, and then send data. I've created a "CA" and generated the CSR / and certs for both the client and the server.
>
> What kind of certs did you generate? How big are the keys? Are you able to share the certs (not the keys)?

Original expired certs:

    -rw-r--r-- 1 root root 1424 Mar 22 16:59 ac_ca_cert.pem
    -rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_ca_key.pem
    -rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_client_cert.pem
    -rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_client_key.pem
    -rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_server_cert.pem
    -rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_server_key.pem
    -rw------- 1 root root 1204 Mar 22 18:24 ca.crt
    -rw------- 1 root root 1766 Mar 22 18:23 ca.key

New certs:

    -rw-r--r-- 1 root root 1529 Mar 22 17:45 myCA.pem
    -rw-r--r-- 1 root root 1566 Mar 22 18:04 portaladmin.domain.com.crt
    -rw-r--r-- 1 root root 1115 Mar 22 18:04 portaladmin.domain.com.csr
    -rw-r--r-- 1 root root  216 Mar 22 18:04 portaladmin.domain.com.ext
    -rw------- 1 root root 1675 Mar 22 18:04 portaladmin.domain.com.key

I can share the certs:

    -----BEGIN CERTIFICATE-----
    MIIEVjCCAz6gAwIBAgIUUfHyC4C5rTOHqYIC2WAmV7t06jowDQYJKoZIhvcNAQEL
    BQAwga0xCzAJBgNVBAYTAk5MMRUwEwYDVQQIDAxTJ0dyYXZlbmhhZ2UxFDASBgNV
    BAcMC1NHcmF2ZW5oYWdlMR0wGwYDVQQKDBRPcHRpbSBFbnRlcnByaXNlcyBCVjER
    MA8GA1UECwwIV2lyZWxlc3MxGjAYBgNVBAMMEWNhLm9wdGltY2xvdWQuY29tMSMw
    IQYJKoZIhvcNAQkBFhRhZG1pbkBvcHRpbWNsb3VkLmNvbTAeFw0yMTAzMjIxNzA0
    MDlaFw0yMzA2MjUxNzA0MDlaMIG3MQswCQYDVQQGEwJOTDEVMBMGA1UECAwMUydH
    cmF2ZW5oYWdlMRUwEwYDVQQHDAxTJ0dyYXZlbmhhZ2UxHTAbBgNVBAoMFE9wdGlt
    IEVudGVycHJpc2VzIEJWMREwDwYDVQQLDAhXaXJlbGVzczEjMCEGA1UEAwwacG9y
    dGFsYWRtaW4ub3B0aW1jbG91ZC5jb20xIzAhBgkqhkiG9w0BCQEWFGFkbWluQG9w
    dGltY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuUqI
    0sHGKXuSMuEVOvJzPDmMX8HLhIA1qXlBbanEMfdMMTwXelZrQYMYj0D9eiuXfWLE
    ddawppFbhFgLpVBG4sG0G9Asm92Knk/9XCONqblvTSIWL1b24LiGQ45At/IeQE7j
    UVXoCsivZds2rUQFIWa6ctXZBBCDxBp/RmHZYvaNKuP21mapRh7//eWmzrA5kSgG
    4YhGUys38bqsuTJu7I5lDxT1FcJKpYlQn6EZyGPlplYI6JindGUNZVbvHKQlaQ/a
    Mom+nJDcbl01G4+AukKcu+AXBCFAA0FDax64bu3EX5phmSSPZymX+RcmJUEU/kxb
    /sRUcCwHxtgLXOGwrQIDAQABo2IwYDAfBgNVHSMEGDAWgBSyC0km1cK4ENeQhkI5
    VN/hEFcBVDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAlBgNVHREEHjAcghpwb3J0
    YWxhZG1pbi5vcHRpbWNsb3VkLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAEto6D/Gt
    rTR6Qf3cCrwosI9PpnIRD+Sp3QceMTevuajdCKGU58dTG0MNvqAmr/CmJ4ih9UBi
    IBAyR+QxT47PC8bZFSJMI6a3FesTEpAkQnmwkEr3dZ1zns0+651HwsUMuOkAKnYr
    4JId48f8NAuSnDKUZeUytAr7lJ+DN32Qa8HQXb78bXuElMjYzUwapMNwJ9NrQjIQ
    bUbvByGHFq67maP+/UuxnIJB7vIs9W1Krxx9ewXdKdDpHCyWynnxnWvefVx6aBFR
    eIOySv/Wf2rjFvRRS/kdYKXbzj5eUzdRVrka21AfpBqB/ZHFCHCy47PyUYurln30
    hd/EInnSdA1pmg==
    -----END CERTIFICATE-----

I'm inclined to think the code for the certs is ok, but can't really say, and I'm not an openssl programmer by any means... just need someone to put eyes on the code and fix it, really.

>> when I run the client - I get an error on the client side
>>
>>     Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
>>     Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error
>
> It would be useful to see any errors on the OpenSSL error stack which might provide more details about specifically what has failed. For example you can call the `ERR_print_errors_fp` function to dump the error stack to a `FILE *`. Or alternatively use the `ERR_*` functions to examine the stack and print it to your log:

Yupp, above my head :(

And lastly, if it helps:

    ❯ openssl s_client -connect 46.23.86.244:3490
    CONNECTED(0003)
    Can't use SSL_get_servername
    depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = ad...@optimcloud.com
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = ad...@optimcloud.com
    verify return:1
    depth=0 C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim Enterprises BV, OU = Wireless, CN = portaladmin.optimcloud.com, emailAddress = ad...@optimcloud.com
    verify return:1
    ---
    Certificate chain
     0 s:C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim Enterprises BV, OU = Wireless, CN = portaladmin.optimcloud.com, emailAddress = ad...@optimcloud.
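The `verify error:num=19:self signed certificate in certificate chain` in the s_client output above is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the server sent a chain that ends in the private CA, and s_client was not told to trust that CA (no `-CAfile`), so the chain reaches a self-signed certificate that is in no trust store. It says nothing about the certificates being malformed, which is consistent with Matt's "nothing obviously wrong". The script below is an added example, not tooling from the thread or the project: it builds a private CA, a server certificate and a client certificate with SANs (like the posted cert, which carries portaladmin.optimcloud.com as a SAN), then runs `openssl verify` both with the CA trusted and with the CA merely offered in the chain, which reproduces the error 19 situation. The hostnames and organisation name are made up for the demo; it needs the openssl CLI, 1.1.1 or newer (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Added example (not the project's tooling): private CA + server/client certs with SANs, verified both
# ways a client might see them. Names (ca.example.test, portaladmin.example.test, client.example.test)
# are made up. Requires the openssl CLI, 1.1.1 or newer.
set -eu

WORK=$(mktemp -d)
# "openssl req" refuses to run without a config file; this is the smallest one that works with -subj
REQ_CNF="$WORK/req.cnf"
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$REQ_CNF"

# make_ca PREFIX  ->  PREFIX.key / PREFIX.pem: self-signed CA with the extensions verify needs to accept it as a CA
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$REQ_CNF" \
        -subj "/O=Example Lab/CN=ca.example.test" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# make_leaf CAPREFIX PREFIX HOSTNAME serverAuth|clientAuth  ->  PREFIX.pem signed by the CA, with a DNS SAN and an EKU
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$REQ_CNF" \
        -subj "/O=Example Lab/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$3" "$4" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# verify_chain CA.pem CERT.pem sslserver|sslclient  ->  0 when CERT chains to the trusted CA and fits that purpose
verify_chain() {
    openssl verify -CAfile "$1" -purpose "$3" "$2"
}

# verify_untrusted CA.pem CERT.pem  ->  the CA is only offered as part of the chain, not trusted:
# this fails with "self signed certificate in certificate chain" (error 19), the s_client situation above
verify_untrusted() {
    openssl verify -untrusted "$1" "$2"
}

# has_san CERT.pem HOSTNAME  ->  0 when the certificate carries that DNS SAN
has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

main() {
    make_ca "$WORK/ca"
    make_leaf "$WORK/ca" "$WORK/server" portaladmin.example.test serverAuth
    make_leaf "$WORK/ca" "$WORK/client" client.example.test clientAuth
    echo "--- CA passed as trusted (what a client must do, e.g. s_client -CAfile ca.pem):"
    verify_chain "$WORK/ca.pem" "$WORK/server.pem" sslserver
    verify_chain "$WORK/ca.pem" "$WORK/client.pem" sslclient
    echo "--- CA only present in the chain, not trusted (the s_client run quoted above):"
    verify_untrusted "$WORK/ca.pem" "$WORK/server.pem" || echo "failed as expected, exit status $?"
    has_san "$WORK/server.pem" portaladmin.example.test && echo "server cert carries DNS:portaladmin.example.test"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl CLI not found; nothing to run" >&2
fi
```

For the application itself the equivalent of `-CAfile` is loading the CA with SSL_CTX_load_verify_locations() and enabling SSL_VERIFY_PEER; for a manual check against the real server, `openssl s_client -connect host:3490 -CAfile ca.pem -cert client.pem -key client.key` replaces the error 19 with `Verify return code: 0 (ok)` when the chain is right.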
ssl client write / server accept seems broken

I have an application previously written for us 10+ years ago that no longer seems to be happy, and the original dev is no longer available, so who can I pay to bang this out and make it happy, or who can guide me through getting it functional... basic info below.

I have a client process which is supposed to speak to a server via ssl, and then send data. I've created a "CA" and generated the CSR / and certs for both the client and the server.

When I run the client I get an error on the client side:

    Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
    Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error

Here is the specific snippet of C that's failing (the `&` characters were lost on the page and are restored):

    int ac_ssl_client_write(ac_ssl_conn_t *ssl_con, void *buf, int buf_len)
    {
        fd_set write_fds;
        struct timeval tv;
        int rc = -1;

        tv.tv_sec = TIMEOUT_WRITE;
        tv.tv_usec = 0;
        FD_ZERO(&write_fds);
        FD_SET(ssl_con->socket, &write_fds);

        /* wait (up to TIMEOUT_WRITE seconds) for the socket to become writable;
           a timeout (0) or select() error (-1) falls through and is returned as rc */
        if ((rc = select(ssl_con->socket + 1, NULL, &write_fds, NULL, &tv)) == 1) {
            if (FD_ISSET(ssl_con->socket, &write_fds)) {
                /* SSL_write() drives the handshake itself if it has not completed yet */
                rc = SSL_write(ssl_con->ssl, buf, buf_len);
                if (ac_ssl_handle_err(ssl_con, rc, "ac_ssl_client_write()", "") != 0)
                    return -1;
            }
        }
        FD_CLR(ssl_con->socket, &write_fds);
        return rc;
    }

And likewise I get this error on the server side:

    Mar 23 03:13:58 optim04 ac_server[597280]: ac_ssl_server_accept(): Error SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
    Mar 23 03:13:58 optim04 ac_server[597280]: ac_ssl_server_accept(): Error code: -3

which I've located in this snippet of code:

    /* Accept SSL Connection */
    int ac_ssl_server_accept(ac_ssl_conn_t *ssl_con)
    {
        int rc = -1;

        /* Load Key and Certificates (done again for every accepted connection) */
        if ((rc = ac_ssl_server_certs(ssl_con)) != 0) {
            LOG(LOG_ERR, "ac_ssl_server_certs(): Error code %d\n", rc);
            return -1;
        }

        if ((ssl_con->ssl = SSL_new(ssl_con->ctx)) == NULL) {
            LOG(LOG_ERR, "SSL_new(): Error\n");
            close(ssl_con->socket);
            if (ssl_con->ctx != NULL) {
                SSL_CTX_free(ssl_con->ctx);
                ssl_con->ctx = NULL;   /* don't leave a dangling pointer for the next accept */
            }
            return -2;
        }

        SSL_set_fd(ssl_con->ssl, ssl_con->socket);
        SSL_set_accept_state(ssl_con->ssl);

        /* SSL_ERROR_SYSCALL here is an I/O error on the socket, typically the
           client closing the connection before the handshake completes */
        rc = SSL_accept(ssl_con->ssl);
        if (ac_ssl_handle_err(ssl_con, rc, "ac_ssl_server_accept()", "SSL_accept()") == 1)
            return -3;
        return 0;
    }