On Sun, 07 Apr 2019 at 18:12:45 +0200, gregor herrmann wrote:
> On Sun, 18 Nov 2018 19:41:05 +0200, Niko Tyni wrote:
> 
>> Reiterating a bit: the underlying issue with TLSv1.3 seems to be related
>> to handling of 'non-application_data_records'.
>> 
>> The client tries to POST but gets an 'SSL wants a read first' error,
>> then waits until timeout for the socket to become writable.
>> 
>> A simple way to reproduce it here is
>> 
>> perl -MLWP::UserAgent -e 'LWP::UserAgent->new->post("https://facebook.com",
>> { data => "foo" }) or die'
>> 
>> which deadlocks for me.
> 
> I can't reproduce this problem:
Interesting, are you talking TLS 1.3?

$ dpkg-query -l "libssl*" "libnet-ssleay-perl" "liblwp-protocol-https-perl" "libio-socket-ssl-perl"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                       Version      Architecture Description
+++-==========================-============-============-=================================================================
ii  libio-socket-ssl-perl      2.060-3      all          Perl module implementing object oriented interface to SSL sockets
ii  liblwp-protocol-https-perl 6.07-2       all          HTTPS driver for LWP::UserAgent
ii  libnet-ssleay-perl         1.85-2+b1    amd64        Perl module for Secure Sockets Layer (SSL)
ii  libssl-dev:amd64           1.1.1b-1     amd64        Secure Sockets Layer toolkit - development files
un  libssl-doc                 <none>       <none>       (no description available)
un  libssl0.9.8                <none>       <none>       (no description available)
un  libssl1.0-dev              <none>       <none>       (no description available)
ii  libssl1.1:amd64            1.1.1b-1     amd64        Secure Sockets Layer toolkit - shared libraries

$ openssl req -x509 -newkey rsa:4096 -keyout /tmp/key.pem -out /tmp/cert.pem -subj /CN=example.net -nodes
$ openssl s_server -accept 127.0.0.1:4433 -key /tmp/key.pem -cert /tmp/cert.pem -tls1_3
[…]

Then on a separate terminal, with SSL_MODE_AUTO_RETRY set (the default), it
blocks on read(2):

$ strace -eselect,read,write perl -MLWP::UserAgent -e 'LWP::UserAgent->new(ssl_opts => {verify_hostname => 0, SSL_ca_file => "/tmp/cert.pem"})->post("https://127.0.0.1:4433", { data => "foo" })'
[…]
select(8, [3], [3], NULL, {tv_sec=180, tv_usec=0}) = 2 (in [3], out [3], left {tv_sec=179, tv_usec=999998})
read(3, "…", 5) = 5
read(3, "…", 250) = 250
read(3, "…", 5) = 5
read(3, "…", 250) = 250
read(3, 

With SSL_MODE_AUTO_RETRY cleared, the handshake terminates and it waits for
the reply from the server:

$ strace -eselect,read,write perl -MLWP::UserAgent -e 'LWP::UserAgent->new(ssl_opts => {verify_hostname => 0, SSL_ca_file => "/tmp/cert.pem"})->post("https://127.0.0.1:4433", { data => "foo" })'
[…]
select(8, [3], [3], NULL, {tv_sec=180, tv_usec=0}) = 2 (in [3], out [3], left {tv_sec=179, tv_usec=999998})
read(3, "…", 5) = 5
read(3, "…", 250) = 250
write(3, "…", 216) = 216
select(8, [3], NULL, NULL, {tv_sec=180, tv_usec=0}) = 1 (in [3], left {tv_sec=179, tv_usec=999999})
read(3, "…", 5) = 5
read(3, "…", 250) = 250
select(8, [3], NULL, NULL, {tv_sec=180, tv_usec=0}

(and the connection closes gracefully when I write
“HTTP/1.1 200\r\nContent-Length: 0\r\n\r\n” from the server)

> % time perl -MLWP::UserAgent -e
> 'LWP::UserAgent->new->post("https://twitter.com", { data => "foo" }) or die'
> perl -MLWP::UserAgent -e   0.13s user 0.02s system 36% cpu 0.415 total

twitter.com doesn't support TLS 1.3 though, right?

$ openssl s_client -4 -connect twitter.com:443 -servername twitter.com -tls1_3
CONNECTED(00000003)
139682444989504:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1536:SSL alert number 40

-- 
Guilhem.
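The mechanism behind the two straces above, as an added example that is not code from the bug report or from any of the participants: it drives a TLS 1.3 handshake in-process with Python's ssl MemoryBIO API (an assumption, chosen because it makes each byte flow visible; the report itself uses Perl over a real socket) and generates the throwaway certificate with the same `openssl req` invocation as above, which assumes an `openssl` binary on PATH. After the server's handshake completes, a default OpenSSL server emits post-handshake records (NewSessionTicket), so the client's receive buffer is non-empty and a socket would report readable in select(2), yet a read yields "want read" and no application data because those records are not application data. With memory BIOs OpenSSL returns want-read at that point whether or not SSL_MODE_AUTO_RETRY is set; on a blocking socket with AUTO_RETRY set it instead keeps calling read(2) until an application-data record arrives, which is the read(3, … that never returns in the first strace. The record parser shows a second point: every encrypted TLS 1.3 record carries the outer type application_data (23), so nothing below the TLS layer can tell a session ticket from a reply.

```python
"""Drive a TLS 1.3 handshake in-process with memory BIOs to show why a readable
socket after the handshake need not carry any application data (added example)."""
import os
import ssl
import subprocess
import tempfile

APPLICATION_DATA = 23  # outer content type of every encrypted TLS 1.3 record


def make_self_signed_cert(directory):
    """Create a throwaway key/cert pair the way the report does (openssl req).
    Assumes an openssl binary on PATH; rsa:2048 keeps the demo fast."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-keyout", key,
         "-out", cert, "-subj", "/CN=example.net", "-nodes", "-days", "1"],
        check=True, capture_output=True)
    return key, cert


def record_types(data):
    """Split raw TLS bytes into (content_type, payload_length) per record header:
    1 byte type, 2 bytes legacy version, 2 bytes length, then the payload."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype = data[pos]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        records.append((ctype, length))
        pos += 5 + length
    return records


def transfer(src, dst):
    """Move whatever one side wrote into the other side's inbound BIO (the 'wire')."""
    data = src.read()
    if data:
        dst.write(data)
    return data


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_self_signed_cert(tmp)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # like s_server -tls1_3
        srv_ctx.load_cert_chain(cert, key)
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli_ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        cli_ctx.check_hostname = False                     # verify_hostname => 0
        cli_ctx.load_verify_locations(cert)                # SSL_ca_file => cert.pem
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = srv_ctx.wrap_bio(s_in, s_out, server_side=True)

    # 1. Handshake: alternate the two state machines until both report done.
    client_done = server_done = False
    after_handshake = b""
    while not (client_done and server_done):
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        transfer(c_out, s_in)
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        flight = transfer(s_out, c_in)
        if server_done:
            after_handshake = flight  # what the server emitted once its handshake was complete

    # 2. The client's inbound buffer is non-empty: a real socket would be "readable".
    readable_before = c_in.pending
    # 3. Yet SSL_read finds no application data: it consumes the post-handshake
    #    records and asks for more input instead of returning anything.
    try:
        client.read(4096)
        first_read = "data"
    except ssl.SSLWantReadError:
        first_read = "want_read"
    # 4. Only once the server really answers does the read return bytes.
    server.write(b"HTTP/1.1 200\r\nContent-Length: 0\r\n\r\n")
    transfer(s_out, c_in)
    reply = client.read(4096)
    return {"readable_before": readable_before,
            "post_handshake_records": record_types(after_handshake),
            "first_read": first_read,
            "pending_after": c_in.pending,
            "reply": reply}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The lesson for a client like the one in the report is that select(2) readiness is not evidence of application data on a TLS 1.3 connection: a want-read after a readable socket is the normal outcome of draining non-application-data records, and the client should return to its own pending write (the POST) rather than wait for the socket to deliver something to read.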