Eric Rescorla wrote:
> "Paul L. Allen" <[EMAIL PROTECTED]> writes:
> > Eric Rescorla wrote:
> > > > I've watched my Java client connecting to my OpenSSL server using
> > > > ssldump. I can see the server's cert going over to the client. The
> > > > client does not send its own cert over to the server, and the server
> > > > confirms that it has not got a cert from the client. The client
> > > > sends its first line of application data to the server and ssldump
> > > > successfully decrypts it. The server receives binary garbage, and
> > > > things unravel from there.
> > > What do you mean by "the server receives binary garbage"?
> >
> > The client sends 60 bytes (including the newline) of printable ASCII
> > using BIO_puts(). The server does a matching BIO_gets(), which hangs
> > apparently waiting for a newline. I kill the client. The server's
> > BIO_gets() returns 90 bytes of non-printable binary.
> Hm... This is very surprising since SSL/TLS includes a MAC check
> on the data and therefore any crypto mismatches should result
> in errors, not receiving binary data. Is there any chance that
> your BIO_gets() is on the native socket and not the OpenSSL
> BIO?

That possibly occurred to me as well, so I carefully checked out the code
last week. It looked right. But since doing the BIO_gets() on the wrong BIO
is the most likely explanation, I'll work it through one more time.

> > If I'm interpreting the trace right, the server is sending a
> > CertificateRequest message. Ssldump does successfully decrypt
> > the line of application data. A typescript of the ssldump session
> > is attached.
> Yes, that appears correct.

Hmmm... When I watch a demo client and server with client authentication,
I see the client's cert going over the wire. I wonder why I don't see it in
the case of my real code? Would mis-matching the BIO on the server side
explain this as well?

Paul Allen
--
Boeing Phantom Works                        \ Paul L. Allen, (425) 865-3297
Math & Computing Technology                 \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207  \ Prototype Systems Group
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
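The mismatch Eric suggests (a read on the transport underneath the SSL BIO instead of through it) can be reproduced without sockets. The following Python program is an added example, not part of the original thread and not Paul's or the OpenSSL project's code. It uses the standard library's ssl.MemoryBIO/SSLObject pair, the Python counterpart of an OpenSSL BIO chain, to run a complete handshake in memory, then sends one printable line and shows that the same bytes read as clean plaintext through the SSL object and as an opaque TLS record when taken from the transport underneath it. It assumes the openssl command-line tool is on PATH (used only to mint a throwaway self-signed certificate); the message, hostname and file names are constructed sample values.

```python
"""Added example: one application line seen through the SSL layer and
underneath it, using Python's in-memory TLS objects (ssl.MemoryBIO +
ssl.SSLObject), the standard-library counterpart of an OpenSSL BIO chain.

Assumption: the `openssl` CLI is on PATH to mint a throwaway self-signed
certificate. Every name and value here is constructed for the demo.
"""
import os
import ssl
import subprocess
import tempfile

# Constructed sample application data: a printable line ending in a newline,
# the kind of thing a BIO_puts()/BIO_gets() pair would exchange.
MESSAGE = b"GET /status HTTP/1.0\n"
HOSTNAME = "localhost"  # constructed; must match the SAN in the throwaway cert


def make_self_signed_cert(directory):
    """Mint a throwaway key and certificate with the openssl CLI (assumed on PATH)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=" + HOSTNAME,
         "-addext", "subjectAltName=DNS:" + HOSTNAME,
         "-addext", "keyUsage=critical,digitalSignature,keyCertSign"],
        check=True, capture_output=True)
    return cert, key


def pump(src_out, dst_in):
    """Carry whatever one side queued for the wire into the peer's inbox.
    Returns the raw bytes moved: exactly what a read on the transport
    (the socket, not the SSL layer) would see."""
    data = src_out.read()
    if data:
        dst_in.write(data)
    return data


def handshake(client, c_in, c_out, server, s_in, s_out):
    """Drive both SSLObjects to handshake completion over the memory BIOs."""
    client_done = server_done = False
    while not (client_done and server_done):
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass  # client flight is queued in c_out; it needs the reply
        pump(c_out, s_in)
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass  # server flight is queued in s_out; it needs the reply
        pump(s_out, c_in)


def parse_record_header(data):
    """Return (content_type, version, length) of the TLS record at data[0:5]."""
    if len(data) < 5:
        raise ValueError("too short for a TLS record header")
    content_type = data[0]
    version = (data[1] << 8) | data[2]
    length = (data[3] << 8) | data[4]
    if len(data) < 5 + length:
        raise ValueError("truncated TLS record")
    return content_type, version, length


def run_exchange(message=MESSAGE):
    """Handshake in memory, send one line, return (wire_bytes, plaintext_read)."""
    with tempfile.TemporaryDirectory() as directory:
        cert, key = make_self_signed_cert(directory)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.load_verify_locations(cert)  # trust only the throwaway cert

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()  # client's inbox / outbox
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()  # server's inbox / outbox
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False,
                                 server_hostname=HOSTNAME)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    handshake(client, c_in, c_out, server, s_in, s_out)

    client.write(message)            # the BIO_puts() through the SSL layer
    on_the_wire = pump(c_out, s_in)  # what a read on the raw transport returns
    through_ssl = server.read(4096)  # what a read through the SSL layer returns
    return on_the_wire, through_ssl


if __name__ == "__main__":
    wire, plain = run_exchange()
    ctype, version, length = parse_record_header(wire)
    print("through SSL :", plain)
    print("on the wire : type=%d version=0x%04x length=%d" % (ctype, version, length))
    print("              first bytes:", wire[:16].hex())
```

The bytes returned by pump() are a single application-data record (content type 23, record version 0x0303) that is longer than the line and contains no copy of it; a line-oriented read on the transport only stops when it happens to hit a 0x0a byte inside the ciphertext, which is consistent with a BIO_gets() that hangs and then hands back non-printable data once the connection is torn down. The MAC (or AEAD) check Eric refers to lives inside the SSL object, so only reads made through it can fail with a crypto error instead of returning garbage.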