The issue is not seen with OpenSSL version 1.0.2g. It is present in all versions after 1.0.2g.
Thanks,
Ajay

On Fri, Jul 6, 2018 at 11:33 AM Ajay Nalawade <ajay.nalaw...@gmail.com> wrote:
> Here are some more observations.
> 1. It did not take much load to cause this error (creating even 2
> connections in parallel gives this issue).
> 2. While a client is sending data, another client connecting does not
> error. The error seems to occur only when two clients try to handshake
> together. If we serialise ssl wrap, even thousands of clients do not give
> this issue.
> 3. There comes a time (after 40 iterations in the case of 3 parallel
> handshaking clients) after which the server kind of gives up and keeps on
> giving the same error no matter how much we slow down the clients (I stopped
> my client script for 5 minutes before trying again).
>
> On Thu, Jul 5, 2018 at 6:29 PM Ajay Nalawade <ajay.nalaw...@gmail.com> wrote:
>> package main
>>
>> import (
>>     "bufio"
>>     "fmt"
>>     "io"
>>     "log"
>>     "net"
>>     "net/http"
>>     "strconv"
>>
>>     "github.com/spacemonkeygo/openssl"
>> )
>>
>> // initFIPS switches the linked OpenSSL into FIPS mode before any context is created.
>> func initFIPS() {
>>     err := openssl.FIPSModeSet(true)
>>     if err != nil {
>>         panic(fmt.Errorf("openssl failed to set fips mode. Error: %v", err))
>>     }
>>     log.Print("OpenSSL FIPS mode is set to: True")
>> }
>>
>> func main() {
>>     initFIPS()
>>
>>     laddr := "0.0.0.0:443"
>>
>>     // Init SSL shared context used across connections
>>     ctx, err := openssl.NewCtxFromFiles("/etc/certs/sslcert.crt", "/etc/certs/sslcert.key")
>>     if err != nil {
>>         log.Fatalf("Failed to read ssl certificate. Error: %v", err)
>>     }
>>
>>     // Set options and do not allow SSLv2 and SSLv3 communication
>>     _ = ctx.SetOptions(openssl.CipherServerPreference | openssl.NoSSLv2 | openssl.NoSSLv3)
>>
>>     // Listen on bind address (log.Fatalf already exits, so no os.Exit is needed)
>>     ln, err := openssl.Listen("tcp", laddr, ctx)
>>     if err != nil {
>>         log.Fatalf("Failed to start server. Error: %v", err)
>>     }
>>     log.Println("Started secure server")
>>     log.Print("server: listening")
>>     for {
>>         accepted, err := ln.Accept()
>>         if err != nil {
>>             log.Printf("Got errored while accepting connection. %v", err)
>>             return
>>         }
>>
>>         go handleClient(accepted)
>>     }
>> }
>>
>> func handleClient(conn net.Conn) {
>>     defer conn.Close()
>>     reader := bufio.NewReader(conn)
>>     for {
>>         //log.Print("server: conn: waiting")
>>         httpreq, err := http.ReadRequest(reader)
>>         if err != nil {
>>             log.Printf("Errored while reading request. Error: %v", err)
>>             break
>>         }
>>         // Read the whole body with io.ReadFull: a hand-rolled loop can spin
>>         // forever on a short read, and a negative ContentLength (no header,
>>         // or chunked encoding) would make the make() call panic.
>>         if httpreq.ContentLength < 0 {
>>             log.Print("Errored while reading request body. Error: unknown content length")
>>             break
>>         }
>>         buf := make([]byte, httpreq.ContentLength)
>>         _, err = io.ReadFull(httpreq.Body, buf)
>>         httpreq.Body.Close()
>>         if err != nil {
>>             log.Printf("Errored while reading request body. Error: %v", err)
>>             break
>>         }
>>
>>         resp := append([]byte("HTTP/1.1 200 OK\r\n"+"Content-Length: "+
>>             strconv.Itoa(len(buf))+"\r\n\r\n"), buf...)
>>         n, err := conn.Write(resp)
>>         if err != nil {
>>             log.Printf("Errored while writing response. Error: %v", err)
>>             break
>>         }
>>
>>         log.Printf("server: conn: wrote %d bytes", n)
>>     }
>>     log.Println("server: conn: closed")
>> }
>>
>> On Thu, Jul 5, 2018 at 6:25 PM Ajay Nalawade <ajay.nalaw...@gmail.com> wrote:
>>> I am able to reproduce this issue with the attached golang based server. Am
>>> I doing anything wrong here?
>>> Is there any known issue, or any workaround available for this issue?
>>>
>>> Thanks,
>>> Ajay
>>>
>>> On Thu, Jun 7, 2018 at 12:33 PM Ajay Nalawade <ajay.nalaw...@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> I have a golang based openssl server with FIPS mode set. I am using the
>>>> OpenSSL library built with FIPS module 2.0.
>>>> With OpenSSL version 1.0.1u, everything was running fine.
>>>> Recently I upgraded to version 1.0.2o. With this version, under high
>>>> traffic conditions (more than 4k requests per minute), reading the request fails
>>>> with the following error:
>>>> "SSL errors: SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"
>>>>
>>>> If I disable FIPS mode, everything runs fine. Is there any known issue
>>>> with version 1.0.2o with FIPS mode set?
>>>>
>>>> Thanks a lot in advance,
>>>> Ajay
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
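The observations in the thread (the error appears only when two handshakes overlap, never while one client is mid-transfer, and vanishes when ssl wrap is serialised) call for a client harness that controls how many handshakes are in flight and separates handshake failures from failures on the data path. The Go program below is an added example, not code from the thread or from the spacemonkeygo/openssl project. It uses Go's standard crypto/tls on both sides so that it runs offline: Demo starts a loopback TLS echo server on a throwaway self-signed certificate, then RunHandshakes opens a batch of connections with a semaphore bounding concurrent handshakes (parallel=1 is the serialised case, 8 the overlapping one). Against crypto/tls every batch succeeds; to exercise the FIPS build from the thread, replace the dial closure with one that connects through the openssl package (assumed here, as for crypto/tls.Dial, to complete the handshake before returning) and point it at the openssl.Listen server. The names RunHandshakes, HandshakeStats, Demo and must, the certificate contents and the 127.0.0.1 address are this example's own choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"sync/atomic"
	"time"
)

// HandshakeStats counts the outcomes of one batch of connections.
type HandshakeStats struct{ OK, HandshakeErr, EchoErr int32 }

// RunHandshakes opens total connections through dial, at most parallel TLS
// handshakes in flight at once, then round-trips one line on each. parallel=1
// is the thread's "serialise ssl wrap" case; larger values overlap handshakes.
func RunHandshakes(dial func() (net.Conn, error), total, parallel int) HandshakeStats {
	var st HandshakeStats
	var wg sync.WaitGroup
	sem := make(chan struct{}, parallel) // bounds handshakes in flight
	for i := 0; i < total; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			sem <- struct{}{}
			c, err := dial() // dial must complete the handshake (crypto/tls.Dial does)
			<-sem            // slot freed once the handshake has finished or failed
			if err != nil {
				atomic.AddInt32(&st.HandshakeErr, 1)
				return
			}
			defer c.Close()
			msg := fmt.Sprintf("hello %d\n", i) // a bad data-path record shows up below, not in dial
			buf := make([]byte, len(msg))
			if _, err = io.WriteString(c, msg); err == nil {
				_, err = io.ReadFull(c, buf)
			}
			if err != nil || string(buf) != msg {
				atomic.AddInt32(&st.EchoErr, 1)
				return
			}
			atomic.AddInt32(&st.OK, 1)
		}(i)
	}
	wg.Wait()
	return st
}

// must aborts on local setup failures (key generation, listen); they are not handshake outcomes.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo starts a loopback TLS echo server on a throwaway self-signed certificate
// (in place of the /etc/certs files from the thread) and runs one batch against it.
func Demo(total, parallel int) HandshakeStats {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "loopback-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	must(err)
	defer ln.Close()
	go func() { // accept until the listener closes, echoing each client's bytes
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	pool := x509.NewCertPool() // pin the throwaway cert rather than skip verification
	pool.AddCert(leaf)
	cli := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	dial := func() (net.Conn, error) { return tls.Dial("tcp", ln.Addr().String(), cli) }
	return RunHandshakes(dial, total, parallel)
}

func main() {
	for _, p := range []int{1, 8} { // serialised vs concurrent handshakes
		fmt.Printf("parallel=%d %+v\n", p, Demo(64, p))
	}
}
```

Run it with `go run`; each line reports how many of the 64 connections handshook, echoed and failed at the two concurrency levels. The semaphore is released as soon as dial returns, so only the handshake is throttled and the echo traffic still overlaps, which matches the thread's point that concurrent data transfer alone did not trigger the error. Counting EchoErr separately matters because "bad record mac" can also surface on the first application record after a handshake that itself reported success.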