Posted to dev@qpid.apache.org by "Clifford Jansen (Jira)" <ji...@apache.org> on 2022/11/24 18:34:00 UTC

[jira] [Resolved] (PROTON-2643) SSL connection hanging

     [ https://issues.apache.org/jira/browse/PROTON-2643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Clifford Jansen resolved PROTON-2643.
-------------------------------------
    Fix Version/s: proton-c-0.39.0
         Assignee: Clifford Jansen
       Resolution: Fixed

> SSL connection hanging
> ----------------------
>
>                 Key: PROTON-2643
>                 URL: https://issues.apache.org/jira/browse/PROTON-2643
>             Project: Qpid Proton
>          Issue Type: Bug
>    Affects Versions: proton-c-0.37.0
>         Environment: Qpid-proton 0.37 with epoll proactor and openssl 1.0.2k running on centos7
>            Reporter: Fredrik Hallenberg
>            Assignee: Clifford Jansen
>            Priority: Major
>             Fix For: proton-c-0.39.0
>
>         Attachments: ssl-issue-3.zip
>
>
> With a CA bundle of a certain size the SSL/TLS connection process hangs. This is 100% repeatable. The process stops before reaching the verification callback; it seems there is an issue with reading from the BIO sockets. I can only repeat it with certain CA bundles; it seems they have to contain >100 certificates, but I have not found an obvious pattern. It does happen with my current system bundle (/etc/ssl/certs/ca-bundle.crt).
> I enclose an example with appropriate keys and bundles; the code is based on the cpp ssl example in the proton release. See the readme file on how to run it. Basically it will build a proton server from the example code and connect to it using openssl s_client. There is a good and a bad bundle included. The good one has a few fewer certificates than the big one but is otherwise the same. If using the bad bundle the connection process will stop after a few ssl read/writes. With the good bundle it proceeds as expected.
>  


