Re: Crash seen in "OPENSSL_sk_pop_free" API
Viktor, Thank you for taking a look. We are not invoking either of the API X509_STORE_CTX_get0_chain/X509_STORE_CTX_get1_chain We invoke X509_verify_cert() during the certification verification and this fails (expectedly due to the missing CA certificate), so we invoke X509_STORE_CTX_free to clean up the "X509_STORE_CTX" context and hit this crash (this is not seen always) X509_STORE_new() X509_STORE_CTX_new() X509_STORE_set_verify_cb_func X509_STORE_set_default_paths X509_STORE_load_locations X509_STORE_CTX_init X509_STORE_CTX_set_flags X509_verify_cert > Fails with error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as CA certificate is not present. /* Cleanup. */ X509_STORE_CTX_free(pContext); >Crash seen here in sk_X509_pop_free 360 void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func) 361 { 362 int i; 363 364 if (st == NULL) 365 return; 366 for (i = 0; i < st->num; i++) 367 if (st->data[i] != NULL)-> Crash seen here 368 func((char *)st->data[i]); 369 OPENSSL_sk_free(st); 370 } Thanks Bala On Monday, 16 August, 2021, 11:40:24 pm IST, Viktor Dukhovni wrote: > On 16 Aug 2021, at 5:58 am, Bala Duvvuri via openssl-users > wrote: > > We are using OpenSSl version 1.1.1d in our program and crash is being seen in > "OPENSSL_sk_pop_free" API, we invoke this API in our certificate verification > API. Since crash is not seen always, trying to understand from OpenSSL code, > when can this occur? > > Below is the bt of the crash > > #0 0x0f31f438 in OPENSSL_sk_pop_free (st=0x1041de20, func=0xf34d5b0 > ) at crypto/stack/stack.c:367 > #1 0x0f344c74 in sk_X509_pop_free (freefunc=, sk= out>) at include/openssl/x509.h:99 > #2 X509_STORE_CTX_cleanup (ctx=ctx@entry=0x1041ba70) at > crypto/x509/x509_vfy.c:2454 > #3 0x0f344cf4 in X509_STORE_CTX_free (ctx=ctx@entry=0x1041ba70) at > crypto/x509/x509_vfy.c:2281 The call in question frees the certificate chain built by X509_verify_cert(). sk_X509_pop_free(ctx->chain, X509_free); That chain is owned by the X509_STORE_CTX. You probably made the mistake of freeing it (or one of the certificates in question) yourself. There are two functions for accessing the built chain: STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) { return ctx->chain; } STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) { if (!ctx->chain) return NULL; return X509_chain_up_ref(ctx->chain); } If you call X509_STORE_CTX_get0_chain(3), you MUST NOT free the result. If you call X509_STORE_CTX_get1_chain(3), you own the chain copy, and should free the result when you no longer need it. -- Viktor.
Re: Getting error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
> On 19 Aug 2021, at 12:11 am, Jayalakshmi bhat > wrote: > > We are trying to integrate OpenSSL 1.1.1i on our device that runs on the ARM > platform. Device boots to ready > state with OpenSSL 1.1.1i. However when we try to access the device EWS, we > are getting below error > > error:0B080074:x509 certificate routines:X509_check_private_key:key values > mismatch > > We have confirmed that there are no issues with certificate and private key > by checking the certificate key hashes. > > Have any one encountered this issue when certificate and private key are > properly installed. Clearly OpenSSL does not agree that the certificate and key are matched. This is of course not a common problem, so you'll have to figure out what's special about your situation. Most likely you're mistaken, and the X509_check_private_key() function is called in a context in which the most recently loaded certificate does not match the most recently loaded key. -- Viktor.
Getting error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Hi All, We are trying to integrate OpenSSL 1.1.1i on our device that runs on the ARM platform. Device boots to ready state with OpenSSL 1.1.1i. However when we try to access the device EWS, we are getting below error error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch We have confirmed that there are no issues with certificate and private key by checking the certificate key hashes. Have any one encountered this issue when certificate and private key are properly installed. Any inputs are appreciated. Thank you Jayalakshmi
problems with too many ssl_read and ssl_write errors
* We have a server that has around 2025 clients connected at any instant. * Our application creates a Server /Listener socket that then is converted into a Secure socket using OpenSSL library. This is compiled and built in a Windows x64 environment. We also built the OpenSSL for the Windows. The Listener socket is created with a default backlog of 500. The Accept socket is non-blocking socket and waits for connections * Every Client makes a regular blocking connection to the Server. The Server accepts the connection after which the Client socket is converted to a secure socket using the OpenSSL Library. * The connections are coming at a rate of about 10 connections /second ? Not sure about this number. * We are able to connect to all the clients in a few minutes and it stays like that for some time. There constant exchange of messages between Server(COS) and clients without issues. * The application logic is to keep trying to connect every timeout. * After maybe a few hours/days we see the clients dropping connections. The logs indicate the SSL_Read or SSL_Write on the Server fails for a client with SSL_Error number 5 (SSL_ERROR_SYSCALL) and the equivalent Windows error of WSATimeOut. We then observe the WSAECONNRESET as the Client closed connection. We see this behavior for multiple sites. * The number of Clients disconnected starts increasing and we see the logs in the Client where the server refuses any more connections form Clients (10061- WSAECONNREFUSED) There is nothing to indicate this state in the server logs. Our theory is the backlog is filled and Server refusing further connections. * We are trying to find why we get the SSL_Read/SSL_Write Error as it a Blocking socket. We cannot use to a non-blocking socket due to platform and application limitation