[ https://issues.apache.org/jira/browse/PROTON-2643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17638383#comment-17638383 ]
Clifford Jansen commented on PROTON-2643:
-----------------------------------------
This looks to me like an OpenSSL bug. The server CertificateRequest
(constructed from the ca-bad.pem example) plus the rest of the server's first
response is just a bit larger than 17K, which happens to be the buffer size of
the BIO. There have been several bugs fixed over the years relating to hangs
on the BIO, but I could not find an exact match to this case. It appears fixed
in OpenSSL 1.1 and above, so perhaps it was fixed accidentally as part of some
other BIO hang bug.
One workaround is to trim the CA list to get the server's overall response
below 17K (by removing unnecessary certs from the CA database). It is also
possible that increasing the CA list with dummy entries might work (since
the CertificateRequest size can be up to 64K and there are presumably tests for
that edge case).
Another workaround is to have the Proton code poke the OpenSSL session instance
during the handshake phase to get it to "notice" opportunities to replenish the
BIO buffer. I would normally be reluctant to add code like this but it has
tiny overhead and, purely by coincidence, makes the operation slightly more
similar to the new Proton TLS library for raw connections. This may result in
reducing other bug variations between the two.
> SSL connection hanging
> ----------------------
>
> Key: PROTON-2643
> URL: https://issues.apache.org/jira/browse/PROTON-2643
> Project: Qpid Proton
> Issue Type: Bug
> Affects Versions: proton-c-0.37.0
> Environment: Qpid-proton 0.37 with epoll proactor and openssl 1.0.2k
> running on centos7
> Reporter: Fredrik Hallenberg
> Priority: Major
> Attachments: ssl-issue-3.zip
>
>
> With a CA bundle of a certain size the SSL/TLS connection process hangs. This
> is 100% repeatable. The process stops before reaching the verification callback;
> it seems there is an issue with reading from the BIO sockets. I can only
> repeat it with certain CA bundles; it seems they have to contain >100
> certificates, but I have not found an obvious pattern. It does happen with my
> current system bundle (/etc/ssl/certs/ca-bundle.crt).
> I enclose an example with appropriate keys and bundles; the code is based on
> the cpp ssl example in the proton release. See the readme file on how to run
> it. Basically it will build a proton server from the example code and connect
> to it using openssl s_client. There is a good and a bad bundle included. The
> good one has a few fewer certificates than the big one but is otherwise the
> same. If using the bad bundle the connection process will stop after a few
> ssl read/writes. With the good bundle it proceeds as expected.
>
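The first workaround in the comment (trim the CA list until the server's first flight fits in the 17K BIO buffer) is easier to apply if you can measure how much of that flight the CA list accounts for. The following script is an added example, not code from the issue, the reporter or the Proton project. It parses a PEM bundle, walks each certificate's DER far enough to extract the subject Name, and sums the bytes those names occupy in a TLS 1.2 CertificateRequest's certificate_authorities field (a 2-byte list length, then a 2-byte length plus the DER Name per CA, RFC 5246 section 7.4.4). It assumes the server advertises the subject name of every certificate in the bundle, which is what OpenSSL's SSL_load_client_CA_file produces; the 17K budget is the BIO pair size quoted in the comment. The sample certificates are constructed in-script (structurally valid but unsigned) so the example runs offline; point it at a real bundle with a path argument.

```python
"""Estimate the CA-list share of a TLS 1.2 CertificateRequest from a PEM bundle."""
import base64
import re
import sys

# BIO pair buffer size from the issue comment (17K); the server's whole first
# flight, not just this field, has to fit below it on the affected OpenSSL.
BIO_PAIR_DEFAULT_SIZE = 17 * 1024

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certificates(bundle):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in _PEM_RE.finditer(bundle)]


def _read_tlv(data, pos):
    """Decode one DER TLV header at data[pos:]; return (tag, value_start, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_subject(cert_der):
    """Return the DER-encoded subject Name (whole TLV) of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)         # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = _read_tlv(cert_der, pos)         # optional [0] version
    if tag == 0xA0:
        pos = nxt
    for _ in range(4):                             # serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, nxt = _read_tlv(cert_der, pos)         # subject
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[pos:nxt]


def ca_list_report(bundle, budget=BIO_PAIR_DEFAULT_SIZE):
    """Size the certificate_authorities field a CA bundle would produce."""
    names = [der_subject(c) for c in pem_certificates(bundle)]
    total = 2 + sum(2 + len(n) for n in names)     # list length + per-CA (length + Name)
    by_size = sorted(enumerate(len(n) for n in names), key=lambda t: -t[1])
    return {"certificates": len(names), "ca_list_bytes": total,
            "remaining_budget": budget - total, "largest": by_size[:5]}


# --- constructed test input: a minimal, unsigned X.509 skeleton (not a real CA) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_cert(common_name):
    """PEM-encode a structurally valid certificate whose subject is CN=common_name."""
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, common_name.encode()))
    name = _tlv(0x30, _tlv(0x31, cn))                           # Name ::= SEQUENCE OF SET
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +                  # version v3
               _tlv(0x02, b"\x01") +                              # serialNumber
               _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))) +  # signature alg
               name +                                             # issuer
               _tlv(0x30, _tlv(0x17, b"230101000000Z") + _tlv(0x17, b"330101000000Z")) +
               name +                                             # subject
               _tlv(0x30, b""))                                   # SPKI placeholder
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed bundle of 120 CAs, mirroring the ">100 certificates" report
        data = b"".join(constructed_cert("Constructed Test CA %03d" % i) for i in range(120))
    print(ca_list_report(data))
```

On a real bundle the remaining_budget figure is only an upper bound on what is left for ServerHello, the server's own certificate chain and ServerKeyExchange, so a result that is merely "under 17K" is not enough; the `largest` entries show which subject names are the cheapest to cut if trimming is the chosen fix.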