Hi everyone,
Recently I have problem when trying to update my OpenSSL library from 1.0.1f to
1.1.0g.
I have a server that runs 24/24 and receive connections from only 1 source, and
1 connection at a time, nothing really fancy, but it worked very well in
OpenSSL 1.0.1f version. In 1.1.0g, the connection is establish and runs
perfectly the 1st time. And the 2nd time the client try to connect, after the
SSL connection is establish, SSL_read cannot return -1, and have no errors
(checked with SSL_get_errors...)
My server runs on Linux 14.04, while my client runs on Windows 7, both with
OpenSSL 1.1.0.
If anyone have an idea what happened, I would be glad to know, please tell me
if you need any details.
Here the principal code snipset (I don't have the certificate verification code
snip here, but it was there, and it always works so I guess there no point
repost it now):
+ Some initial configurations:
SSL_CTX* ctx_in;
const SSL_METHOD *method;
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
method = TLS_server_method();
ctx_in = SSL_CTX_new(method);
//Setup trusted certs & list of clients CA
SSL_CTX_set_verify(ctx_in, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_verify_depth(ctx_in, 1); //our certificate chain contain only 1
more root CA
//Load issuer certificate from memory
X509_STORE* store = SSL_CTX_get_cert_store(ctx_in);
X509_STORE_add_cert(store, certinMem(caVerifClientReal);
SSL_CTX_set_client_CA_list(ctx_in, NULL);
SSL_CTX_add_client_CA(ctx_in, certinMem(pubClientReal));
//Setup curves parameters
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh (ctx_in, ecdh);
EC_KEY_free(ecdh);
//Set options
SSL_CTX_set_options(ctx_in, SSL_OP_SINGLE_ECDH_USE && SSL_MODE_AUTO_RETRY);
...
+ Main loop:
char buf[1024];
struct sockaddr_in addr; //client
socklen_t len = sizeof(addr);
while (1)
{
//initialize buffer
buf[0] = '\0';
int client = accept(server, reinterpret_cast<struct sockaddr*>(&addr),
&len);
if (-1 != client)
{
//set SSL security
const char* const PREFERRED_CIPHERS = "ECDHE-RSA-AES256-SHA"; //define
cipher suite used for SSL connection
SSL_set_cipher_list(ssl, PREFERRED_CIPHERS);
//set SSL socket
SSL_set_fd(ssl, client); /* set connection socket to SSL state */
if (SSL_accept(ssl) == FAIL) //waits for a client to initiate the
handshake
{/* do SSL-protocol accept */
ERR_print_errors_fp(stderr);
}
else
{
verifCerts(ssl);
int ret = -1;
ret = SSL_do_handshake(ssl); //check connection
if (ret <= 0)
{
ERR_print_errors_fp(stderr);
}
else
{
//wait on buffer
int bytes = SSL_read(ssl, buf, sizeof(buf));
//here bytes return -1, and there is no error with
SSL_get_errors
}
}
sd = SSL_get_fd(ssl); /* get socket connection */
close(sd); /* close connection */
}
Huy-Cong VU
Platform hardware member
Network administrator
Wandercraft
09 72 58 77 03
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
