You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Clifford Jansen (Jira)" <ji...@apache.org> on 2022/11/24 18:18:00 UTC
[jira] [Commented] (PROTON-2643) SSL connection hanging
[ https://issues.apache.org/jira/browse/PROTON-2643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17638383#comment-17638383 ]
Clifford Jansen commented on PROTON-2643:
-----------------------------------------
This looks to me like an OpenSSL bug. The server CertificateRequest (constructed from the ca-bad.pem example) plus the rest of the server's first response is just a bit larger than 17K, which happens to be the buffer size of the BIO. There have been several bugs fixed over the years relating to hangs on the BIO, but I could not find an exact match to this case. It appears fixed in OpenSSL 1.1 and above, so perhaps it was fixed accidentally as part of some other BIO hang bug.
One workaround is to trim the CA list to get the overall server's response below 17K (by removing unnecessary certs from the CA database). It is also possible that increasing the CA list with dummy entries might also work (since the CertificateRequest size can be up to 64K and there are presumably tests for that edge case).
Another workaround is to have the Proton code poke the OpenSSL session instance during the handshake phase to get it to "notice" opportunities to replenish the BIO buffer. I would normally be reluctant to add code like this but it has tiny overhead and, purely by coincidence, makes the operation slightly more similar to the new Proton TLS library for raw connections. This may result in reducing other bug variations between the two.
> SSL connection hanging
> ----------------------
>
> Key: PROTON-2643
> URL: https://issues.apache.org/jira/browse/PROTON-2643
> Project: Qpid Proton
> Issue Type: Bug
> Affects Versions: proton-c-0.37.0
> Environment: Qpid-proton 0.37 with epoll proactor and openssl 1.0.2k running on centos7
> Reporter: Fredrik Hallenberg
> Priority: Major
> Attachments: ssl-issue-3.zip
>
>
> With a CA bundle of a certain size the SSL/TLS connection process hangs. This is 100% repeatable. The process stops before reaching verification callback, it seems there is an issue with reading from the BIO sockets. I can only repeat it with certain CA bundles, it seems they have to contain >100 certificates but I have not found an obvious pattern. It does happen with my current system bundle (/etc/ssl/certs/ca-bundle.crt).
> I enclose an example with appropriate keys and bundles, the code is based on the cpp ssl example in the proton release. See the readme file on how to run it. Basically it will build a proton server from the example code and connect to it using openssl s_client. There is a good and a bad bundle included. The good one has a few less certificates than the big one but is otherwise the same. If using the bad bundle the connection process will stop after a few ssl read/writes. With the good bundle it proceeds as expected.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org