[openssl-users] SSL_shutdown return error when close in init state(openssl 1.1.0)

2017-04-17 Thread
Hello,
I'm using openssl 1.1.0e in async mode with the Intel QuickAssist Engine to handle 
https connections, but there's some problem.
I use the apache benchmark tool to test the https connections; the description is 
as follows:


client(ab) ---------- server(my program)

<--- TCP handshake --->
--- ssl client hello --->
<--- server hello, certificate... ---
--- client key exchange --->
// here, the server's SSL_do_handshake returns SSL_ERROR_WANT_ASYNC repeatedly

--- FIN+ACK --->


// the client wants to close the connection, then the server should close the ssl 
connection. In my program, I intend to close SSL connections in quiet mode:
SSL_set_quiet_shutdown(ssl,1);
SSL_shutdown(ssl);


but SSL_shutdown returns SSL_ERROR_SSL, because SSL_in_init(s) returns true.
int SSL_shutdown(SSL *s)
{
    /*
     * Note that this function behaves differently from what one might
     * expect.  Return values are 0 for no success (yet), 1 for success; but
     * calling it once is usually not enough, even if blocking I/O is used
     * (see ssl3_shutdown).
     */

    if (s->handshake_func == NULL) {
        SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
        return -1;
    }

    if (!SSL_in_init(s)) {
        if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
            struct ssl_async_args args;

            args.s = s;
            args.type = OTHERFUNC;
            args.f.func_other = s->method->ssl_shutdown;

            return ssl_start_async_job(s, &args, ssl_io_intern);
        } else {
            return s->method->ssl_shutdown(s);
        }
    } else {
        SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
        return -1;
    }
}



I'm confused, what should I do here?
(1) Just call SSL_free(ssl) to free the SSL connection; then the async engine may 
call back and use the SSL's waitctx, which causes a crash. Also I noticed that the 
SSL's job isn't freed either, which may cause a memory leak;


(2) Continue calling SSL_shutdown(ssl), and it will always return SSL_ERROR_SSL.


Does anybody know? Thanks.




 -- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread
The environment is quite simple: the client uses apachebench to test the 
performance of an https server.
The apachebench command is like this: ab -c 500 -n 100 https://xx.xx.xx.xx/
TLSv1.2, AES256-GCM-SHA384: the server can handle more than 1500 requests per 
second (cpu: 99%).
TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384: the server can ONLY handle 500 requests 
per second (cpu: 99%).




At 2017-09-27 00:58:43, "Benjamin Kaduk" <bka...@akamai.com> wrote:
I am curious about this statement that "(EC)DHE cost much more resources than 
RSA".  In particular, ECDHE is supposed to be less computation-intensive than 
RSA for a given security level, so it would be interesting to hear what your 
setup is where the reverse is supposed to be observed.

-Ben


On 09/26/2017 03:44 AM, 李明 wrote:

Just found it:
the server respects the client's cipher preference by default;
it selects the suite preferred by the client among the cipherlist that both the 
client and server support.
So it's not enough to just increase the RSA cipher priority on the server side;
SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite that 
it itself most prefers among the cipherlist that both the client and server support.


At 2017-09-26 15:15:10, "李明" <mid...@163.com> wrote:

Hello,
Currently, openssl prefers (EC)DHE handshakes over plain RSA, but (EC)DHE 
costs much more resources than RSA.
In order to get higher performance, I want to prioritize RSA-related 
ciphers. Does anyone know how to do it?

I have tried the cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL"; it looks 
fine in the openssl command line:
   ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' 
AES256-GCM-SHA384   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD


But after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") 
in my application, it didn't work; the first choice is still 
ECDHE-RSA-AES256-GCM-SHA384





Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread
Sorry, I wrote that by mistake.


TLSv1.2, AES256-GCM-SHA384: the server can handle more than 1500 requests per 
second (cpu: 99%).
TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384: the server can ONLY handle less than 
1400 requests per second (cpu: 99%).




At 2017-09-27 08:52:01, "李明" <mid...@163.com> wrote:

The environment is quite simple: the client uses apachebench to test the 
performance of an https server.
The apachebench command is like this: ab -c 500 -n 100 https://xx.xx.xx.xx/
TLSv1.2, AES256-GCM-SHA384: the server can handle more than 1500 requests per 
second (cpu: 99%).
TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384: the server can ONLY handle 500 requests 
per second (cpu: 99%).




At 2017-09-27 00:58:43, "Benjamin Kaduk" <bka...@akamai.com> wrote:
I am curious about this statement that "(EC)DHE cost much more resources than 
RSA".  In particular, ECDHE is supposed to be less computation-intensive than 
RSA for a given security level, so it would be interesting to hear what your 
setup is where the reverse is supposed to be observed.

-Ben


On 09/26/2017 03:44 AM, 李明 wrote:

Just found it:
the server respects the client's cipher preference by default;
it selects the suite preferred by the client among the cipherlist that both the 
client and server support.
So it's not enough to just increase the RSA cipher priority on the server side;
SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite that 
it itself most prefers among the cipherlist that both the client and server support.


At 2017-09-26 15:15:10, "李明" <mid...@163.com> wrote:

Hello,
Currently, openssl prefers (EC)DHE handshakes over plain RSA, but (EC)DHE 
costs much more resources than RSA.
In order to get higher performance, I want to prioritize RSA-related 
ciphers. Does anyone know how to do it?

I have tried the cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL"; it looks 
fine in the openssl command line:
   ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' 
AES256-GCM-SHA384   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD


But after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") 
in my application, it didn't work; the first choice is still 
ECDHE-RSA-AES256-GCM-SHA384





Re: [openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread
Just found it:
the server respects the client's cipher preference by default;
it selects the suite preferred by the client among the cipherlist that both the 
client and server support.
So it's not enough to just increase the RSA cipher priority on the server side;
SSL_OP_CIPHER_SERVER_PREFERENCE will make the server select the suite that 
it itself most prefers among the cipherlist that both the client and server support.



At 2017-09-26 15:15:10, "李明" <mid...@163.com> wrote:

Hello,
Currently, openssl prefers (EC)DHE handshakes over plain RSA, but (EC)DHE 
costs much more resources than RSA.
In order to get higher performance, I want to prioritize RSA-related 
ciphers. Does anyone know how to do it?

I have tried the cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL"; it looks 
fine in the openssl command line:
   ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' 
AES256-GCM-SHA384   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD


But after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") 
in my application, it didn't work; the first choice is still 
ECDHE-RSA-AES256-GCM-SHA384




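The selection rule described in the message above, modelled as an added example (not code from the post or from OpenSSL): the list that sets priority is walked in order, and the other list only filters it. Both cipher lists are constructed samples and `choose_cipher` is a hypothetical helper.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the order a client might offer (ECDHE first). */
static const char *const CLIENT_OFFER[] = {
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
};
/* Constructed sample: a server list that sorts plain-RSA suites first. */
static const char *const SERVER_LIST[] = {
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int contains(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Returns the negotiated suite, or NULL when the two lists share none. */
const char *choose_cipher(const char *const *client, size_t nc,
                          const char *const *server, size_t ns,
                          int server_preference)
{
    /* Without the option the client's order decides; with it, the server's. */
    const char *const *prio = server_preference ? server : client;
    const char *const *allow = server_preference ? client : server;
    size_t np = server_preference ? ns : nc;
    size_t na = server_preference ? nc : ns;

    for (size_t i = 0; i < np; i++)
        if (contains(allow, na, prio[i]))
            return prio[i];
    return NULL;
}

int main(void)
{
    size_t nc = COUNT(CLIENT_OFFER), ns = COUNT(SERVER_LIST);
    printf("default:           %s\n", choose_cipher(CLIENT_OFFER, nc, SERVER_LIST, ns, 0));
    printf("server preference: %s\n", choose_cipher(CLIENT_OFFER, nc, SERVER_LIST, ns, 1));
    return 0;
}
```

In the application itself the switch is `SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE)`, set on the same context as `SSL_CTX_set_cipher_list`; the plain-RSA suites selected this way do not provide forward secrecy.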

[openssl-users] How to increase the priority of some cipher ?

2017-09-26 Thread
Hello,
Currently, openssl prefers (EC)DHE handshakes over plain RSA, but (EC)DHE 
costs much more resources than RSA.
In order to get higher performance, I want to prioritize RSA-related 
ciphers. Does anyone know how to do it?

I have tried the cipherlist "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL"; it looks 
fine in the openssl command line:
   ./openssl ciphers -v 'RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL' 
AES256-GCM-SHA384   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256   TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD


But after SSL_CTX_set_cipher_list(ctx, "RSA:ALL:!COMPLEMENTOFDEFAULT:!eNULL") 
in my application, it didn't work; the first choice is still 
ECDHE-RSA-AES256-GCM-SHA384