In my earlier mail, I'd mistakenly connected to the HTTP port and was getting a handshake failure (naturally!!). I am now connecting to the engine on the actual port which has been reserved for the SSL communication. The result:
OpenSSL> s_client -connect 10.10.10.114:10001 -debug -state -ssl3
CONNECTED(00000004)
SSL_connect:before/connect initialization
write to 0015F1E8 [00168FA0] (90 bytes => 90 (0x5A))
0000 - 16 03 00 00 55 01 00 00-51 03 00 3d b6 49 88 17 ....U...Q..=.I..
0010 - 1f 1e 64 05 a4 97 57 b2-30 86 18 7e 7d ad 6e e9 ..d...W.0..~}.n.
0020 - 01 fd 4f 46 fe 10 f0 76-a3 59 c9 00 00 2a 00 16 ..OF...v.Y...*..
0030 - 00 13 00 0a 00 66 00 07-00 05 00 04 00 65 00 64 .....f.......e.d
0040 - 00 63 00 62 00 61 00 60-00 15 00 12 00 09 00 14 .c.b.a.`........
0050 - 00 11 00 08 00 06 00 03-01 .........
005a - <SPACES/NULS>
SSL_connect:SSLv3 write client hello A
The openssl s_client is stuck at this point. It does not progress further than this. In the code, this is the point where it is hanging:
FILE: crypto/bio/bio_lib.c
BIO_read()
{
................
i=b->method->bread(b,out,outl); // hanging at this point
.........
}
Does any one know why this could be happening?
Help,
- Ashwin
Ashwin C Uthappa wrote:
Hi all,
Just some updates----
I used the openssl tool to try and establish communication with both the engine (which fails) and the "proxy engine" (which succeeds). I've pasted the output below.
Some details: the engine is a Java application on a remote machine (Windows). The proxy engine is a C application that does a very basic mimicry of what the engine is supposed to do and is running off a Linux machine.
Still waiting..... I know the answer's out there!!
Thank you,
- Ashwin
Output of openssl:
-------------------------
WITH ENGINE:
----------------------
OpenSSL> s_client -connect 10.10.10.114:8080 -debug -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 081490E0 [08152EA8] (90 bytes => 90 (0x5A))
0000 - 16 03 00 00 55 01 00 00-51 03 00 3d b6 c1 9e ba ....U...Q..=....
0010 - 25 db 23 28 cd d3 7a 56-3f b7 59 29 a5 72 a4 42 %.#(..zV?.Y).r.B
0020 - 10 0a 9f 58 95 22 cb 62-00 58 00 00 00 2a 00 16 ...X.".b.X...*..
0030 - 00 13 00 0a 00 66 00 07-00 05 00 04 00 65 00 64 .....f.......e.d
0040 - 00 63 00 62 00 61 00 60-00 15 00 12 00 09 00 14 .c.b.a.`........
0050 - 00 11 00 08 00 06 00 03-01 .........
005a - <SPACES/NULS>
SSL_connect:SSLv3 write client hello A
read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f HTTP/
write to 081490E0 [08158730] (7 bytes => 7 (0x7))
0000 - 15 54 54 00 02 02 28 .TT...(
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
2545:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:279:
WITH PROXY ENGINE:
-----------------------------------
OpenSSL> s_client -connect 10.10.10.27:1112 -debug -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 081490E0 [08152EA8] (90 bytes => 90 (0x5A))
0000 - 16 03 00 00 55 01 00 00-51 03 00 3d b6 c2 0c d6 ....U...Q..=....
0010 - 57 3e 41 72 22 39 34 c5-01 24 ae dd 5a 7f e3 07 W>Ar"94..$..Z...
0020 - 1c bf 4f 21 26 00 e8 d9-e1 99 6d 00 00 2a 00 16 ..O!&.....m..*..
0030 - 00 13 00 0a 00 66 00 07-00 05 00 04 00 65 00 64 .....f.......e.d
0040 - 00 63 00 62 00 61 00 60-00 15 00 12 00 09 00 14 .c.b.a.`........
0050 - 00 11 00 08 00 06 00 03-01 .........
005a - <SPACES/NULS>
SSL_connect:SSLv3 write client hello A
read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 16 03 00 00 4a ....J
read from 081490E0 [0814E69D] (74 bytes => 74 (0x4A))
0000 - 02 00 00 46 03 00 3d b6-c2 0c 46 0e 54 1d 63 df ...F..=...F.T.c.
0010 - f8 24 8a 71 83 07 3f d7-a3 d4 3f 94 cf 41 9e 69 .$.q..?...?..A.i
0020 - 3b 22 62 4a 77 ef 20 37-96 1f 07 e9 60 a5 fd 44 ;"bJw. 7....`..D
0030 - 93 19 5c c1 af e9 37 a6-bc 26 a9 47 b5 da 8a ae ..\...7..&.G....
0040 - 05 0f 7c 3c d3 0d fa 00-0a ..|<.....
004a - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 16 03 00 01 7f .....
read from 081490E0 [0814E69D] (383 bytes => 383 (0x17F))
0000 - 0b 00 01 7b 00 01 78 00-01 75 30 82 01 71 30 82 ...{..x..u0..q0.
0010 - 01 1b a0 03 02 01 02 02-01 00 30 0d 06 09 2a 86 ..........0...*.
0020 - 48 86 f7 0d 01 01 04 05-00 30 0d 31 0b 30 09 06 H........0.1.0..
0030 - 03 55 04 06 13 02 49 4e-30 1e 17 0d 30 32 30 35 .U....IN0...0205
0040 - 32 39 31 34 33 30 30 30-5a 17 0d 30 32 30 36 32 29143000Z..02062
0050 - 38 31 34 33 30 30 30 5a-30 0d 31 0b 30 09 06 03 8143000Z0.1.0...
0060 - 55 04 06 13 02 49 4e 30-5c 30 0d 06 09 2a 86 48 U....IN0\0...*.H
0070 - 86 f7 0d 01 01 01 05 00-03 4b 00 30 48 02 41 00 .........K.0H.A.
0080 - fd bc 8a 16 ca 33 ef e6-fa fe aa 18 1e 18 50 f3 .....3........P.
0090 - 15 d9 f3 41 1c 7e dd 4a-55 84 50 76 cd 65 34 ee ...A.~.JU.Pv.e4.
00a0 - 8d 57 4f a4 5d fe 9d ac-ec f3 f9 c2 83 5c 51 cd .WO.]........\Q.
00b0 - 66 e6 9e 96 b3 ce 66 2a-3b 4b b5 44 5b eb 2e 17 f.....f*;K.D[...
00c0 - 02 03 01 00 01 a3 66 30-64 30 1d 06 03 55 1d 0e ......f0d0...U..
00d0 - 04 16 04 14 cd 8a b6 93-71 ea 51 40 1e 96 5a 86 ........q.Q@..Z.
00e0 - 6b 14 be d7 45 69 6f e1-30 35 06 03 55 1d 23 04 k...Eio.05..U.#.
00f0 - 2e 30 2c 80 14 cd 8a b6-93 71 ea 51 40 1e 96 5a .0,......q.Q@..Z
0100 - 86 6b 14 be d7 45 69 6f-e1 a1 11 a4 0f 30 0d 31 .k...Eio.....0.1
0110 - 0b 30 09 06 03 55 04 06-13 02 49 4e 82 01 00 30 .0...U....IN...0
0120 - 0c 06 03 55 1d 13 04 05-30 03 01 01 ff 30 0d 06 ...U....0....0..
0130 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 03 41 00 0e .*.H.........A..
0140 - fc b1 43 75 44 c5 be 40-54 80 90 05 fd 82 46 3e ..CuD..@T....F>
0150 - 27 74 c5 4c 91 e6 ab da-b2 b5 d0 df e7 39 3d 5e 't.L.........9=^
0160 - 5a ee 86 58 e3 41 65 fb-ff cc b3 c8 b3 59 93 66 Z..X.Ae......Y.f
0170 - c2 81 92 38 00 7f 24 90-cd e9 19 55 93 fd d9 ...8..$....U...
depth=0 /C=IN
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN
verify error:num=10:certificate has expired
notAfter=Jun 28 14:30:00 2002 GMT
verify return:1
depth=0 /C=IN
notAfter=Jun 28 14:30:00 2002 GMT
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 16 03 00 00 04 .....
read from 081490E0 [0814E69D] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 081490E0 [08158730] (73 bytes => 73 (0x49))
0000 - 16 03 00 00 44 10 00 00-40 48 95 70 bc 89 23 16 ....D...@H.p..#.
0010 - 86 5a cc ce 9b fe 7b 10-e8 18 a6 7f ca e4 fa 10 .Z....{.........
0020 - 1f eb 44 9e 6d 53 66 b7-d0 38 4a 25 18 55 7f 3b ..D.mSf..8J%.U.;
0030 - 5e 4e c0 58 23 fa 4a 8f-11 28 1a dd 5f 56 e6 ec ^N.X#.J..(.._V..
0040 - 35 73 05 1e ae 1e 79 00-42 5s....y.B
SSL_connect:SSLv3 write client key exchange A
write to 081490E0 [08158730] (6 bytes => 6 (0x6))
0000 - 14 03 00 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 081490E0 [08158730] (69 bytes => 69 (0x45))
0000 - 16 03 00 00 40 a8 b2 cf-a5 6a e5 c2 c5 23 99 6f ....@....j...#.o
0010 - fe 86 dc 6b ba e1 ef d5-aa 05 f6 3f 83 23 11 3b ...k.......?.#.;
0020 - 56 21 9a c0 55 54 c2 7a-98 0d 85 39 32 9d 5a 4c V!..UT.z...92.ZL
0030 - 02 54 8e 6a a5 59 cc 35-d4 a1 4b fb 3e d1 3c b6 .T.j.Y.5..K.>.<.
0040 - 8c 7c d1 1d e7 .|...
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 14 03 00 00 01 .....
read from 081490E0 [0814E69D] (1 bytes => 1 (0x1))
0000 - 01 .
read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 16 03 00 00 40 ....@
read from 081490E0 [0814E69D] (64 bytes => 64 (0x40))
0000 - 2e a9 f3 ac 42 e2 13 fc-9b eb 8b 48 ac 04 e0 f9 ....B......H....
0010 - ed ca 7e 34 13 a2 eb 81-7b 34 58 8f e3 31 35 41 ..~4....{4X..15A
0020 - 16 7e 25 ef 89 9e 4b d8-ed b6 44 88 4e a4 f8 2d .~%...K...D.N..-
0030 - 2b d1 75 11 bf f8 31 43-db 03 1a 5a 2b 8d 3e 3c +.u...1C...Z+.><
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=IN
i:/C=IN
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBcTCCARugAwIBAgIBADANBgkqhkiG9w0BAQQFADANMQswCQYDVQQGEwJJTjAe
Fw0wMjA1MjkxNDMwMDBaFw0wMjA2MjgxNDMwMDBaMA0xCzAJBgNVBAYTAklOMFww
DQYJKoZIhvcNAQEBBQADSwAwSAJBAP28ihbKM+/m+v6qGB4YUPMV2fNBHH7dSlWE
UHbNZTTujVdPpF3+nazs8/nCg1xRzWbmnpazzmYqO0u1RFvrLhcCAwEAAaNmMGQw
HQYDVR0OBBYEFM2KtpNx6lFAHpZahmsUvtdFaW/hMDUGA1UdIwQuMCyAFM2KtpNx
6lFAHpZahmsUvtdFaW/hoRGkDzANMQswCQYDVQQGEwJJToIBADAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBBAUAA0EADvyxQ3VExb5AVICQBf2CRj4ndMVMkear2rK1
0N/nOT1eWu6GWONBZfv/zLPIs1mTZsKBkjgAfySQzekZVZP92Q==
-----END CERTIFICATE-----
subject=/C=IN
issuer=/C=IN
---
No client certificate CA names sent
---
SSL handshake has read 551 bytes and written 238 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 512 bit
SSL-Session:
Protocol : SSLv3
Cipher : DES-CBC3-SHA
Session-ID: 37961F07E960A5FD4493195CC1AFE937A6BC26A947B5DA8AAE050F7C3CD30DFA
Session-ID-ctx:
Master-Key: 81BE594B6449F1FFAD4A8F0DBE6831A045F68A475846C076AEBDA76B44A2677CAF720FF55203B98BC33FD702B15C7461
Key-Arg : None
Start Time: 1035387404
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
---
This is ME
write to 081490E0 [08152EA8] (37 bytes => 37 (0x25))
0000 - 17 03 00 00 20 e2 d2 38-9c 37 76 c3 1f da 8d 9b .... ..8.7v.....
0010 - b3 fd 29 9a 15 0f 9a 75-8b 62 16 52 37 fa 11 c0 ..)....u.b.R7...
0020 - 74 d7 5e 56 a2 t.^V.
read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 17 03 00 00 28 ....(
read from 081490E0 [0814E69D] (40 bytes => 40 (0x28))
0000 - 96 d2 89 7f a7 9c 98 fe-83 f8 37 f0 7d c1 6c dc ..........7.}.l.
0010 - 05 ca 81 54 2b 90 84 f2-ce 52 b5 d1 bc 62 95 5b ...T+....R...b.[
0020 - af 5f 30 87 21 c3 72 43- ._0.!.rC
From server:read from 081490E0 [0814E698] (5 bytes => 5 (0x5))
0000 - 17 03 ..
0005 - <SPACES/NULS>
read from 081490E0 [0814E69D] (32 bytes => 32 (0x20))
0000 - 05 31 8b 2a c7 86 12 39-e2 dc 8c bc 1d c2 e8 fe .1.*...9........
0010 - e4 c0 ef 7b 1f eb e5 17-a9 be 2c 35 d7 65 f2 23 ...{......,5.e.#
This is ME
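The two traces above show the difference between a peer that is not speaking SSL at all (the engine answering the ClientHello with "HTTP/", which s_client reports as a wrong version number and answers with a fatal alert) and one that returns a real SSLv3 record (the proxy engine's ServerHello); the first mail in the thread shows the third case, a peer that sends nothing so the blocking BIO_read() never returns. As an added example, not part of the thread, this Python decodes the first bytes a client reads back and the alert s_client wrote; the byte strings are copied from the debug output above, with the ServerHello body cut short.

```python
"""Decode what a client reads back after its ClientHello, as seen in the
s_client traces. Added example; byte strings are taken from the traces."""
import string

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a client receives: nothing (a blocking read
    hangs, which is what a stuck SSL_connect() looks like), a plaintext reply
    from a service that is not speaking SSL/TLS, or a real record header."""
    if not data:
        return {"kind": "nothing", "detail": "peer sent no bytes; a blocking BIO_read() waits forever"}
    if len(data) < 5:
        return {"kind": "short", "detail": "%d byte(s), need 5 for a record header" % len(data)}
    ctype, major, minor, length = data[0], data[1], data[2], int.from_bytes(data[3:5], "big")
    if ctype not in CONTENT_TYPES or major != 3:
        text = data[:5].decode("ascii", "replace")
        detail = "not a TLS record header"
        if all(ch in string.printable for ch in text):
            detail = "plaintext reply %r; the port is probably not speaking SSL/TLS" % text
        return {"kind": "plaintext", "detail": detail, "version_field": (major, minor)}
    rec = {"kind": "record", "content_type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}
    body = data[5:5 + length]
    if ctype == 22 and body:
        rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
    return rec


def decode_alert(record: bytes) -> dict:
    """Decode an SSLv3/TLS alert record: 5-byte header plus level and description."""
    if len(record) != 7 or record[0] != 21 or int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("not a 2-byte alert record")
    return {"version_field": (record[1], record[2]),
            "level": ALERT_LEVELS.get(record[5], "unknown(%d)" % record[5]),
            "description": ALERT_DESCRIPTIONS.get(record[6], "unknown(%d)" % record[6])}


# From the traces: the engine on 8080 answered with "HTTP/", the proxy engine
# with a handshake record carrying a ServerHello, and s_client then wrote a
# fatal alert whose version field carries the 0x5454 it had just read.
FROM_ENGINE = bytes.fromhex("48 54 54 50 2f")
FROM_PROXY = bytes.fromhex("16 03 00 00 4a 02 00 00 46 03 00")
ALERT_SENT = bytes.fromhex("15 54 54 00 02 02 28")

if __name__ == "__main__":
    for label, data in (("engine", FROM_ENGINE), ("proxy engine", FROM_PROXY), ("no reply", b"")):
        print(label, classify_first_bytes(data))
    print("alert s_client sent:", decode_alert(ALERT_SENT))
```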
Ashwin C Uthappa wrote:
Hi All,
I'm back...with a slightly different flavor of the problem I was encountering earlier.
Briefly stated, my setup is like this:
I intend to carry out SSL communication (NOT web transactions) between a communication application and an engine. In the actual production environment, I am supposed to create a shared object (that contains my communication application) to be plugged into iPlanet. The iPlanet web server will then fork the communication layer that will (try to) establish a connection with the engine.
ns-httpd (iPlanet web server)
|
|
fork()
|
|
ns-httpd(communication layer) <=========SSL===========> engine
The communication layer is developed in C. The engine is developed in Java.
Earlier, my communication layer used to crash. That was due to conflicts between iPlanet and OpenSSL in the usage of certain functions like MD5_Update() and SHA1_Update(). I fixed that by modifying the header files and recompiling.
The earlier environment was iPlanet web server 4.0 on Solaris 2.6. Everything worked fine with that....no hitches at all!!
Lately, I've upgraded to Solaris 2.8 and iPlanet web server 6.0, service pack 1. The OpenSSL version is 0.9.6g.
Now, my communication layer reaches up to the SSL_connect(). From this point, it sometimes returns with an SSL_ERROR_SYSCALL. Sometimes, it does not return from SSL_connect(). While earlier the program used to crash at this point, now it does not...the particular thread of execution that does the SSL_connect() just does not progress. All the other threads that I've started in the communication layer still function normally. I've put some debugging information at the end of this mail.
I tested the communication layer with a standalone server I developed, a "proxy engine". With this proxy engine, my communication layer establishes a connection and works well. It's when I try to connect to the actual engine that I'm facing this problem.
As far as I know, the engine side of the SSL communication has not changed.
Could someone please help me out with this? It's terribly frustrating!!!!!!
- Ashwin
PS:
I put in debug comments in the SSL code and this is a broad summary of the flow:
File: function
------------------
SSL_connect()
|
ssl3_connect() (file : s3_clnt.c)
{
.....
case SSL3_ST_CR_SRVR_HELLO_A:
case SSL3_ST_CR_SRVR_HELLO_B:
ssl3_get_server_hello();
.....
}
|
|
ssl3_get_server_hello() (file : s3_clnt.c)
|
ssl3_get_message() (file: s3_both.c )
|
ssl3_read_bytes() (file:s3_pkt.c)
|
ssl3_read_n() (file:s3_pkt.c)
|
BIO_read() (file: bio_lib.c )
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]