Hi,
Could someone please specify a condition under which a Client should change its state from SSL3_ST_CW_FINISHED_A to SSL3_ST_CR_FINISHED_A (instead of going to SSL_ST_OK)?
I am stuck at this one point with my Client-Server authentication as my Client keeps on going to the SSL3_ST_CR_FINISHED_A state, trying to read the Server finished message while it already has read all of the received Server packet.
It just ends up reading garbage inside the ssl3_get_finished() function call and then obviously returns an error.
Thanks, Bilal
From: "Bilal Shahid" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Undestanding a code snipet from OpenSSL
Date: Thu, 04 Nov 2004 16:22:21 +0500
Hi,
Let's assume that we are the Client executing the following code snippet. Basically, we are trying to authenticate to the FreeRADIUS server using EAP-TTLS. We just received the Server Hello, Certificate, Key Exchange and Server Done messages from the Server and now we are in the middle of preparing an appropriate response to the Server.
In the following case statement (taken from the function ssl3_connect, file s3_clnt of OpenSSL), we are writing the Finished message to the Client.
    case SSL3_ST_CW_FINISHED_A:
    case SSL3_ST_CW_FINISHED_B:
        ret=ssl3_send_finished(s,
            SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
            s->method->ssl3_enc->client_finished_label,
            s->method->ssl3_enc->client_finished_label_len);
        if (ret <= 0) goto end;
        s->state=SSL3_ST_CW_FLUSH;

        /* clear flags */
        s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
        if (s->hit)
            {
            s->s3->tmp.next_state=SSL_ST_OK;
            if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
                {
                s->state=SSL_ST_OK;
                s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
                s->s3->delay_buf_pop_ret=0;
                }
            }
        else
            {
            s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
            }
        s->init_num=0;
        break;
After making the call to ssl3_send_finished we check the flag s->hit. And on the basis of its value we set our next state to be either
SSL_ST_OK (s->s3->tmp.next_state=SSL_ST_OK)
or
SSL3_ST_CR_FINISHED_A (s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A)
Now here is the question.
When we have already written the "Finished" message, why and how could we go to the second of the states mentioned above, i.e. SSL3_ST_CR_FINISHED_A? What exactly are the circumstances under which we would go into SSL3_ST_CR_FINISHED_A? I reckon we have already read ALL of the server packet before getting to write our own response to it.
I am asking this question because my Client is doing exactly the same, i.e. going to the SSL3_ST_CR_FINISHED_A state, while it has ALREADY READ all that the Server's last packet had to offer.
I would really appreciate any helpful advice in this matter.
Thanks, Bilal
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
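Added example (not part of the original thread and not OpenSSL code): a minimal C model of the two handshake shapes that the quoted s->hit branch distinguishes. In a full SSLv3/TLS 1.0 handshake (hit == 0) the server's ChangeCipherSpec and Finished arrive in a separate flight after the client's Finished, so the client has to wait for new data; in a resumed session (hit == 1) they arrive before it. All type and function names here are assumptions made for the illustration.

```c
#include <stddef.h>
/* Constructed model of an SSLv3/TLS 1.0 client handshake; these names are
 * illustrative and are not OpenSSL identifiers. */
enum msg { SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE,
           CHANGE_CIPHER_SPEC, FINISHED };
enum result { HS_OK, HS_WANT_READ, HS_ERROR };

struct client {
    int hit;           /* 1 = session resumed, the role s->hit plays above */
    int sent_finished; /* our Finished has been written */
    int got_finished;  /* the server's Finished has been read */
};

/* Process one server flight, i.e. the handshake messages delivered together. */
enum result client_feed(struct client *c, const enum msg *flight, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (flight[i] == SERVER_HELLO_DONE) {
            if (c->hit)
                return HS_ERROR;      /* never sent when resuming */
            c->sent_finished = 1;     /* reply: key exchange, CCS, Finished */
        } else if (flight[i] == FINISHED) {
            if (!c->hit && !c->sent_finished)
                return HS_ERROR;      /* full handshake: ours goes first */
            c->got_finished = 1;
            c->sent_finished = 1;     /* resumed: we reply last, then done */
        }
    }
    /* Nothing left to parse but no server Finished yet: wait for more data. */
    return (c->sent_finished && c->got_finished) ? HS_OK : HS_WANT_READ;
}

/* Constructed flights for the two handshake shapes. */
static const enum msg full_1[] = { SERVER_HELLO, CERTIFICATE,
                                   SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE };
static const enum msg full_2[] = { CHANGE_CIPHER_SPEC, FINISHED };
static const enum msg resumed[] = { SERVER_HELLO, CHANGE_CIPHER_SPEC, FINISHED };

/* Result after delivering `flights` server flights to a fresh client. */
enum result run(int hit, int flights)
{
    struct client c = { hit, 0, 0 };
    if (hit)
        return client_feed(&c, resumed, 3);
    enum result r = client_feed(&c, full_1, 4);
    if (flights > 1 && r == HS_WANT_READ)
        r = client_feed(&c, full_2, 2);
    return r;
}
```

HS_WANT_READ after the first flight of a full handshake is the model's counterpart of waiting in SSL3_ST_CR_FINISHED_A: the server's Finished is not in the data already consumed and only arrives with the next flight.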