Hello! The patch http://cvs.openssl.org/chngview?cn=22565 does not fix the following error messages at write and session re-negotiation, for TLSv1_1_client_method:
OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

My simplified use case for an O_NONBLOCK fd (based on Kannel gwlib code):

    ssl_context = SSL_CTX_new(TLSv1_1_client_method());
    SSL_CTX_set_mode(ssl_context, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
    ...
    SSL *ssl = SSL_new(ssl_context);
    ...
    ERR_clear_error();
    if (SSL_set_fd(ssl, fd) == 0) {
        ...
    }
    /* switch the socket to non-blocking mode */
    flags = fcntl(fd, F_GETFL);
    newflags = flags | O_NONBLOCK;
    fcntl(fd, F_SETFL, newflags);
    BIO_set_nbio(SSL_get_rbio(ssl), 1);
    BIO_set_nbio(SSL_get_wbio(ssl), 1);
    SSL_set_connect_state(ssl);

The following applies to the latest release, openssl-1.0.1i. I think my server (a proprietary server) always negotiates the connection down to TLSv1 (and also supports SSLv3). This is the alert message from Wireshark after certificate exchange using TLSv1_1_client_method:

    TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Protocol Version (70)

The reason why I started using specifically TLSv1/TLSv1.1 is because this bug (known in 1.0.1h) occurs when negotiating with my server, using the default SSLv23_client_method:

    error:140780E5:SSL routines:SSL23_READ:ssl handshake failure

More info here: http://serverfault.com/questions/389197/ssl-routinesssl23-writessl-handshake-failure

Results: library error messages every time data is sent again into the channel, but a working connection for TLSv1_1_client_method. There are no errors for TLSv1_client_method or SSLv3_client_method. The connection fails to negotiate (gets stuck) with the bug mentioned above using SSLv23_client_method(), even with the SSL_OP_NO_SSLv2 option. The connection negotiates into SSLv3 and works without library errors using SSLv23_client_method() with SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1.

Please review and fix.
PS: if you are a Kannel dev, try this quick demo:

    Connection *con;
    con = conn_open_ssl_nb(server_addr, server_port, NULL, NULL);
    /* reset the SSL object and pin it to TLS 1.1 before the handshake */
    SSL_clear(conn_get_ssl(con));
    SSL_set_ssl_method(conn_get_ssl(con), TLSv1_1_client_method());

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
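The post quotes two kinds of diagnostic output without unpacking them: the raw TLS alert record that Wireshark decoded, and OpenSSL's packed error codes (error:1408F10B, error:140780E5, error:00000001). The following is an added example, not code from the post, from Kannel or from OpenSSL, that parses both so the relationship between the protocol_version alert and the "wrong version number" error can be checked from captured bytes. The sample record bytes are constructed here from the Wireshark decode in the post; the name tables are assumptions taken from RFC 5246 and from the two error strings quoted above, and the ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason) is the OpenSSL 1.0.x one the post's version uses.

```python
import struct

# TLS ContentType values (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# ProtocolVersion on the wire as (major, minor)
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values (RFC 5246 section 7.2); 70 is the one in the post
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

# Constructed from the Wireshark decode in the post: type 21, version 0x0301,
# length 2, alert level 2 (fatal), description 70 (protocol_version).
SAMPLE_ALERT_RECORD = b"\x15\x03\x01\x00\x02\x02\x46"


def parse_tls_record(data):
    """Parse one TLS record header (5 bytes) and, for an alert, its 2-byte body.

    Returns a dict describing the record; raises ValueError on a truncated or
    malformed record so a caller never acts on a half-read alert.
    """
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated: header says %d bytes, got %d" % (length, len(body)))
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "length": length,
    }
    if ctype == 21:
        if length != 2:
            raise ValueError("alert body must be exactly 2 bytes")
        level, desc = struct.unpack("!BB", body)
        rec["alert_level"] = ALERT_LEVELS.get(level, "unknown(%d)" % level)
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)
    return rec


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason) numbers."""
    return ((code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF)


# Name tables derived only from the error strings quoted in the post (assumption:
# these numeric values match what OpenSSL 1.0.1 prints for them).
LIB_NAMES = {20: "SSL routines"}
FUNC_NAMES = {143: "SSL3_GET_RECORD", 120: "SSL23_READ"}
REASON_NAMES = {267: "wrong version number", 229: "ssl handshake failure"}


def describe_openssl_error(code):
    """Render an error code the way ERR_error_string does, falling back to
    lib(N):func(N):reason(N) for numbers with no known name."""
    lib, func, reason = decode_openssl_error(code)
    return (
        LIB_NAMES.get(lib, "lib(%d)" % lib),
        FUNC_NAMES.get(func, "func(%d)" % func),
        REASON_NAMES.get(reason, "reason(%d)" % reason),
    )


if __name__ == "__main__":
    print(parse_tls_record(SAMPLE_ALERT_RECORD))
    for code in (0x1408F10B, 0x140780E5, 0x00000001):
        print("%08X -> %s" % (code, ":".join(describe_openssl_error(code))))
```

Feeding the record bytes from a capture into parse_tls_record gives a fatal protocol_version alert carried in a TLS 1.0 record, which is the server refusing the version the TLSv1_1_client_method ClientHello offered; decoding 1408F10B shows the client-side counterpart, SSL3_GET_RECORD rejecting a record whose version does not match what the client pinned. Seeing both sides together is what distinguishes a version mismatch from a cipher-suite or certificate problem before any method is pinned to work around it.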