Hi Marek,

thank you for the hint. There was a bug in setting up SSL socket.

Aarno

On 28 Sep 2006, at 16:58, Marek Marcola wrote:

> Hello,
>> I first do SSL_connect. Tshark shows following:
>>
>> 0.004727 193.53.0.56 -> 130.59.10.95 SSLv2 Client Hello
>> 0.007715 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [ACK] Seq=1
>> Ack=143 Win=6864 Len=0 TSV=2682067880 TSER=1368743865
>> 0.042333 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
>> reassembled PDU]
>> 0.042432 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
>> reassembled PDU]
>> 0.042478 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
>> Seq=143 Ack=2897 Win=63712 [TCP CHECKSUM INCORRECT] Len=0
>> TSV=1368743865 TSER=2682067912
>> 0.087649 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
>> reassembled PDU]
>> 0.088289 130.59.10.95 -> 193.53.0.56 TCP [TCP segment of a
>> reassembled PDU]
>> 0.088408 130.59.10.95 -> 193.53.0.56 TLSv1 Server Hello,
>> Certificate, Server Key Exchange, Server Hello Done
>> 0.089515 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
>> Seq=143 Ack=6914 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
>> TSV=1368743865 TSER=2682067958
>> 0.195570 193.53.0.56 -> 130.59.10.95 TLSv1 Client Key Exchange,
>> Change Cipher Spec, Encrypted Handshake Message

> Here we have end of client handshake packets:
> - Client Key Exchange
> - Change Cipher Spec (from now, all comunication to server will be
> encrypted)
> - Encrypted Handshake Message - probably client Finished packet,
> but this packet is encrypted and we know only that this packet
> belongs to handshake protocol
>
>
>> 0.225875 130.59.10.95 -> 193.53.0.56 TLSv1 Change Cipher Spec
>> 0.246038 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
>> Seq=333 Ack=6920 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
>> TSV=1368743865 TSER=2682068098
>> 0.249246 130.59.10.95 -> 193.53.0.56 TLSv1 Encrypted Handshake
>> Message

> Here we have end of server handshake packets:
> - Change Cipher Spec (from now, all comunication to client will be
> encrypted)
> - Encrypted Handshake Message - probably server Finished packet,
> but this packet is encrypted and we know only that this packet
> belongs to handshake protocol
>
>> 0.446155 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
>> Seq=333 Ack=6965 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
>> TSV=1368743866 TSER=2682068121
>> 0.777072 130.59.10.95 -> 193.53.0.56 TLSv1 Application Data
>> 0.846349 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
>> Seq=333 Ack=7002 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
>> TSV=1368743866 TSER=2682068649
>> 0.852923 130.59.10.95 -> 193.53.0.56 TLSv1 Application Data
>> 1.046481 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
>> Seq=333 Ack=8359 Win=65214 [TCP CHECKSUM INCORRECT] Len=0
>> TSV=1368743867 TSER=2682068721

> Two encrypted application data packets from server.
>
>> It is, the per is sending application data after I connect. When I
>> try, following happens:
>>
>> 1.777630 193.53.0.56 -> 130.59.10.95 TLSv1 Client Hello
>> 1.781125 130.59.10.95 -> 193.53.0.56 TLSv1 Encrypted Alert
>> 1.781129 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [FIN, ACK]
>> Seq=8388 Ack=465 Win=9008 Len=0 TSV=2682069653 TSER=1368743868
>> 1.781221 193.53.0.56 -> 130.59.10.95 TLSv1 Alert (Level: Fatal,
>> Description: Unexpected Message), Alert (Level: Fatal, Description:
>> Unexpected Message)

> This looks like your client tries to do second handshake, this is not
> re-handshake (renegotiation) because when renegotiation is performed
> packets are encrypted and we may see only something like
> "Encrypted Handshake Message", not "Client Hello".
> For me this looks like you are using one context for SSL_connect()
> and other for SSL_read().
> When SSL_read() is performed on SSL object created from SSL_CTX
> which is created with "client" method, auto-SSL_connect() is performed
> on unconnected SSL object when SSL_read()/SSL_write() is called.
> Check this.
>
>>
>> This happens multiple times. Then
>>
>> 1.781245 193.53.0.56 -> 130.59.10.95 TCP 7700 > 7700 [ACK]
>> Seq=1144 Ack=8389 Win=65222 [TCP CHECKSUM INCORRECT] Len=0
>> TSV=1368743868 TSER=2682069653
>> 1.784479 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [RST]
>> Seq=8388 Len=0
>> 1.784483 130.59.10.95 -> 193.53.0.56 TCP 7700 > 7700 [RST]
>> Seq=8389 Len=0

> Server reset connection.
>
> Best regards,
> --
> Marek Marcola
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org