Re: Open SSL errors increase in Linux compared with Solaris
On 01/22/2014 11:40 PM, Dave Thompson wrote:
> Originally it meant the connection is terminated *abnormally* by the other end, as opposed to a normal/graceful FIN exchange. Windows sends RST if an application crashes, but all Unixes I have seen do FIN, unless the application forces RST by setting linger time 0.

You can also get RSTs if TCP detects that there is data loss, such as data arriving to a closed socket, or closing a socket that has unread data in its buffer.

Karthikeyan, is your protocol half-duplex or full-duplex? How do you negotiate closing a connection?

-- 
Florian Weimer / Red Hat Product Security Team

__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  majord...@openssl.org
RE: Open SSL errors increase in Linux compared with Solaris
> From: owner-openssl-us...@openssl.org On Behalf Of andrew cooke
> Sent: Wednesday, January 22, 2014 06:49
>
> I'm no expert, but doesn't "connection reset by peer" mean that the other side of the connection is hanging up? So maybe the error is with whatever you are talking to?
>
> Andrew
>
Originally it meant the connection is terminated *abnormally* by the other end, as opposed to a normal/graceful FIN exchange. Windows sends RST if an application crashes, but all Unixes I have seen do FIN, unless the application forces RST by setting linger time 0.

Nowadays lots of middleboxes like firewalls and routers and (supposedly) transparent proxies that want to prohibit or destroy a TCP connection use RST, so when you as one end system receive a RST in many situations there's a very good chance it's not actually from the peer.

I think at this point the network capture is the best bet, first to confirm the server is actually receiving RST (and not just doing something weird on its own) and if so to start looking for where it is coming from. Although at that point we may need to know something about the affected clients.

> On Wed, Jan 22, 2014 at 11:24:07AM +, Thirumal, Karthikeyan wrote:
> > Dave,
> > Thanks for your response. Please find the response for your queries below.
> >
> > 1. Yes, we are trying to upgrade it. But before that we are trying it in our testbeds and all possible options for the fix.
> >
> > 2. The errno is 104 and it is "Connection reset by peer"
> >
> > 3. Can you help us with the above errno and our next step will be to take the tcpdump / network trace.
> >
> > 4. We will check on the iptables and the setup.
Re: Open SSL errors increase in Linux compared with Solaris
I'm no expert, but doesn't "connection reset by peer" mean that the other side of the connection is hanging up? So maybe the error is with whatever you are talking to?

Andrew

On Wed, Jan 22, 2014 at 11:24:07AM +, Thirumal, Karthikeyan wrote:
> Dave,
> Thanks for your response. Please find the response for your queries below.
>
> 1. Yes, we are trying to upgrade it. But before that we are trying it in our testbeds and all possible options for the fix.
>
> 2. The errno is 104 and it is "Connection reset by peer"
>
> 3. Can you help us with the above errno and our next step will be to take the tcpdump / network trace.
>
> 4. We will check on the iptables and the setup.
>
> Thanks & Regards
>
> Karthikeyan Thirumal
> ADD-Web-NXP-India, Application Development Delivery
> iNautix Technologies India Private Limited, an affiliate of Pershing LLC, a subsidiary of The Bank of New York Mellon Corporation
> http://www.inautix.co.in
> VOIP: 612-15112
> Email: kthiru...@inautix.co.in
RE: Open SSL errors increase in Linux compared with Solaris
Dave,

Thanks for your response. Please find the response for your queries below.

1. Yes, we are trying to upgrade it. But before that we are trying it in our testbeds and all possible options for the fix.

2. The errno is 104 and it is "Connection reset by peer"

3. Can you help us with the above errno and our next step will be to take the tcpdump / network trace.

4. We will check on the iptables and the setup.

Thanks & Regards

Karthikeyan Thirumal
ADD-Web-NXP-India, Application Development Delivery
iNautix Technologies India Private Limited, an affiliate of Pershing LLC, a subsidiary of The Bank of New York Mellon Corporation
http://www.inautix.co.in
VOIP: 612-15112
Email: kthiru...@inautix.co.in

Information Classification: Internal Use Only

From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
Sent: Tuesday, January 07, 2014 4:08 AM
To: openssl-users@openssl.org
Subject: RE: Open SSL errors increase in Linux compared with Solaris

1: 0.9.8a is VERY old, and contains quite a few security flaws that have been fixed since. Even if your application(s) can't accept the fairly small changes needed to move to 1.0.0 or better 1.0.1, try at least to move up to or near 0.9.8y.

2: whenever you get ERROR_SYSCALL you should always look at errno on Unix (or [WSA]GetError() on Windows). What is it?

3: there are various TCP or (mostly) IP level errors that can cause a TCP connection initiation (also called handshake, but not to be confused with the SSL/TLS handshake) to fail. It wouldn't surprise me if the Linux stack returns errors to the application process in some cases that Solaris does not - or vice versa. If the errno value isn't specific enough, get a network trace on the Linux box (with tcpdump) or a machine very close: I like wireshark on Windows, also available for MacOSX, and usually one of those either exists or can be temporarily put on the desired network segment.

4: it is also possible there are actually more errors. Are you sure the Linux box's network adapter and cable are solidly good? Do any other applications (especially inbound) on that box get errors? Linux or at least most versions have iptables which functions as an IP firewall - is yours set in a way that interferes with some (or even all?) desired TCP connections?

**
This message and any files or attachments sent with this message contain confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute, copy or use any part of this email. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return Email. Email transmission cannot be guaranteed to be secure or error-free as information can be intercepted, corrupted, lost, destroyed, late, incomplete or may contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
**
RE: Open SSL errors increase in Linux compared with Solaris
1: 0.9.8a is VERY old, and contains quite a few security flaws that have been fixed since. Even if your application(s) can't accept the fairly small changes needed to move to 1.0.0 or better 1.0.1, try at least to move up to or near 0.9.8y.

2: whenever you get ERROR_SYSCALL you should always look at errno on Unix (or [WSA]GetError() on Windows). What is it?

3: there are various TCP or (mostly) IP level errors that can cause a TCP connection initiation (also called handshake, but not to be confused with the SSL/TLS handshake) to fail. It wouldn't surprise me if the Linux stack returns errors to the application process in some cases that Solaris does not - or vice versa. If the errno value isn't specific enough, get a network trace on the Linux box (with tcpdump) or a machine very close: I like wireshark on Windows, also available for MacOSX, and usually one of those either exists or can be temporarily put on the desired network segment.

4: it is also possible there are actually more errors. Are you sure the Linux box's network adapter and cable are solidly good? Do any other applications (especially inbound) on that box get errors? Linux or at least most versions have iptables which functions as an IP firewall - is yours set in a way that interferes with some (or even all?) desired TCP connections?

From: owner-openssl-us...@openssl.org On Behalf Of Arjunan, Karthikeyan
Sent: Thursday, January 02, 2014 06:14
To: openssl-users@openssl.org
Cc: Arjunan, Karthikeyan
Subject: Open SSL errors increase in Linux compared with Solaris

Hi,

We have migrated from openssl-0.9.8a Solaris to Linux version. We find that there is a drastic increase in the SSL_ERROR_SYSCALL in Linux openssl version compared to Solaris. I am using SSL_accept which returns a negative value. The return code for SSL_get_error is 5. Please advise how to reduce the increase in error.

Thanks,
Karthikeyan Arjunan
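The errno check from point 2 carried into code, as an added example that is not from this thread or from OpenSSL: the SSL_ERROR_* constants are copied from openssl/ssl.h so it compiles without linking the library, while classify_accept, record_accept and the outcome names are this example's own. It also separates the ret == 0 case (EOF during the handshake, where errno is not set) from a real socket error, which the thread does not spell out.

```c
/* Added example (not from the thread): classify an SSL_accept() failure as
 * point 2 recommends. SSL_get_error() gives the verdict; for SSL_ERROR_SYSCALL
 * the errno captured right after the call decides. SSL_ERROR_* mirror <openssl/ssl.h>. */
#include <errno.h>

#define SSL_ERROR_NONE        0
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6

enum accept_outcome {
    ACCEPT_OK,          /* handshake complete */
    ACCEPT_RETRY,       /* non-blocking socket: call SSL_accept() again */
    ACCEPT_PEER_EOF,    /* peer closed (FIN) before the handshake finished */
    ACCEPT_PEER_RESET,  /* RST arrived: the peer, or a middlebox, tore it down */
    ACCEPT_OS_ERROR,    /* another socket-level failure; errno says which */
    ACCEPT_TLS_ERROR    /* protocol/crypto failure inside OpenSSL */
};

/* ret: what SSL_accept() returned (<= 0 on failure); ssl_err: SSL_get_error(ssl, ret);
 * saved_errno: errno copied immediately after the call, before any logging
 * or other library call can overwrite it. */
enum accept_outcome classify_accept(int ret, int ssl_err, int saved_errno)
{
    switch (ssl_err) {
    case SSL_ERROR_NONE:        return ACCEPT_OK;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:  return ACCEPT_RETRY;
    case SSL_ERROR_ZERO_RETURN: return ACCEPT_PEER_EOF;
    case SSL_ERROR_SYSCALL:
        if (ret == 0)                  return ACCEPT_PEER_EOF;   /* EOF; errno not meaningful */
        if (saved_errno == ECONNRESET) return ACCEPT_PEER_RESET; /* errno 104 on Linux */
        return ACCEPT_OS_ERROR;
    default:                    return ACCEPT_TLS_ERROR;
    }
}

/* Per-outcome tallies (this example's own): comparing them between the
 * Solaris and Linux hosts shows whether the extra SYSCALL errors are all ECONNRESET. */
static unsigned long tally[ACCEPT_TLS_ERROR + 1];

enum accept_outcome record_accept(int ret, int ssl_err, int saved_errno)
{
    enum accept_outcome o = classify_accept(ret, ssl_err, saved_errno);
    tally[o]++;
    return o;
}

unsigned long tally_of(enum accept_outcome o) { return tally[o]; }
```

Call record_accept() with the saved errno right after every failed SSL_accept() and dump the tallies on each host; a Linux count dominated by ACCEPT_PEER_RESET points at the network (or a middlebox) rather than at OpenSSL, which is what the suggested tcpdump capture would then confirm.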