On Wed, Oct 09, 2013 at 07:54:34PM -0700, Jeremy Friesner wrote:

> If you're interested in trying to reproduce the fault yourself,
> let me know and I can upload the code I'm testing with.

Are you using SSL_pending(), BIO_pending() or anything similar
anywhere in your code?

With SSL sessions created via SSLv23_method(), use of this primitive
will lead to the failure in question when invoked before the SSL
session has switched to SSLv3, TLSv1, ...

Though I would expect the failure to occur on access to just the
new session, not already established sessions, unless they're in
the middle of a handshake...

ssl/ssl_locl.h:

    #define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
    const SSL_METHOD *func_name(void)  \
        { \
        static const SSL_METHOD func_name##_data= { \
            TLS1_2_VERSION, \
            tls1_new, \
            tls1_clear, \
            tls1_free, \
            s_accept, \
            s_connect, \
            ssl23_read, \
            ssl23_peek, \
            ssl23_write, \
            ssl_undefined_function, \
            ssl_undefined_function, \
            ssl_ok, \
            ssl3_get_message, \
            ssl3_read_bytes, \
            ssl3_write_bytes, \
            ssl3_dispatch_alert, \
            ssl3_ctrl, \
            ssl3_ctx_ctrl, \
            ssl23_get_cipher_by_char, \
            ssl23_put_cipher_by_char, \
            ssl_undefined_const_function, \
            ...

The "ssl_undefined_const_function" above is the "ssl_pending"
function for the SSL method in question. Presumably it is updated
to a more appropriate value (typically ssl3_pending) once a particular
protocol is selected.

    int ssl_undefined_const_function(const SSL *s)
        {
        SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return(0);
        }

The method-specific ssl_pending function is used in:

    int SSL_pending(const SSL *s)
        {
        /* SSL_pending cannot work properly if read-ahead is enabled
         * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
         * and it is impossible to fix since SSL_pending cannot report
         * errors that may be observed while scanning the new data.
         * (Note that SSL_pending() is often used as a boolean value,
         * so we'd better not return -1.)
         */
        return(s->method->ssl_pending(s));
        }
    ...

--
Viktor.
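
Added example, not part of the message above and not OpenSSL source: a self-contained C model of the method-table dispatch quoted in the message, showing the placeholder pending slot recording an error and returning 0 until the method is swapped, next to a caller-side guard. All toy_* names are hypothetical; against the real library the guard condition would be SSL_is_init_finished() (assumed here as the handshake-complete check).

```c
/* Model of the dispatch quoted above; it does not link OpenSSL.
 * Every toy_* name is hypothetical and exists only for this example. */
#include <stdio.h>

typedef struct toy_ssl TOY_SSL;
typedef struct { int (*ssl_pending)(const TOY_SSL *); } TOY_METHOD;
struct toy_ssl { const TOY_METHOD *method; int buffered; int handshake_done; };

static int toy_err_count;   /* stands in for the queue SSLerr() appends to */

/* Mirrors ssl_undefined_const_function(): record an error, return 0. */
static int toy_undefined_pending(const TOY_SSL *s)
{ (void)s; toy_err_count++; return 0; }

/* Stands in for ssl3_pending(): report buffered application bytes. */
static int toy_v3_pending(const TOY_SSL *s) { return s->buffered; }

static const TOY_METHOD toy_v23 = { toy_undefined_pending }; /* version-flexible */
static const TOY_METHOD toy_v3  = { toy_v3_pending };        /* protocol chosen  */

/* Same shape as SSL_pending(): blind dispatch, no channel to report failure. */
static int toy_pending(const TOY_SSL *s) { return s->method->ssl_pending(s); }

/* Protocol selected during the handshake: the method table is swapped. */
static void toy_finish_handshake(TOY_SSL *s, int buffered)
{ s->method = &toy_v3; s->handshake_done = 1; s->buffered = buffered; }

/* Caller-side guard: never dispatch through the placeholder slot. */
static int toy_pending_guarded(const TOY_SSL *s)
{ return s->handshake_done ? toy_pending(s) : 0; }

int main(void)
{
    TOY_SSL s = { &toy_v23, 0, 0 };

    int guarded = toy_pending_guarded(&s);
    printf("guarded, pre-handshake:   ret=%d errors=%d\n", guarded, toy_err_count);

    int raw = toy_pending(&s);   /* hits the undefined-function stub */
    printf("unguarded, pre-handshake: ret=%d errors=%d\n", raw, toy_err_count);

    toy_finish_handshake(&s, 5); /* constructed value: 5 buffered bytes */
    printf("post-handshake:           ret=%d errors=%d\n",
           toy_pending(&s), toy_err_count);
    return 0;
}
```

The unguarded early call returns the same 0 as "nothing buffered", so the only trace of the misuse is the queued error.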