openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

openssl-1.1.1 version, cipher suites don't match at server, the server sends the error message, the openssl client keeps retrying (resending client hello) message #12552

Closed mkaroshi closed 3 years ago

mkaroshi commented 4 years ago

openssl client keeps retrying (resending client hello) when it receives a ciphers don't match error from the ssl server.

kaduk commented 4 years ago

That sounds like expected behavior for DTLS, when a ServerHello or alert are totally unauthenticated, and the connection might succeed if retried. If this is regular TLS, on the other hand, it would be weird. Please clarify.

mkaroshi commented 4 years ago

We are not using DTLS, we are using TLS only.

kaduk commented 4 years ago

Are you in a position where you can obtain a packet capture (with, e.g., tcpdump or wireshark) of the behavior in question and post it publicly? That would seem like the fastest path to understanding the issue.

mkaroshi commented 4 years ago

I was able to reproduce the issue. The client side SSL version is:

[mkaroshi@caxv-mkaroshi-2 thud]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

The server side openssl version is:

diag@8180:~$ openssl version
OpenSSL 1.1.1g 21 Apr 2020

The Wireshark capture is attached: ha.txt

mattcaswell commented 4 years ago

when it receives ciphers don't match error from ssl server.

In your wireshark trace it looks like this particular instance is the result of a "certificate expired" alert.

What is the application here? Is this your own custom application or some third party software?

mkaroshi commented 4 years ago

gNMI client sending requests to HAProxy. Both are open source. Whenever any error comes from the server, the client keeps retrying.

mattcaswell commented 4 years ago

gNMI client sending requests to HAProxy. Both are open source. Whenever any error comes from the server, the client keeps retrying.

This looks to me like a problem on the client side. I'd suggest contacting the developers of your client software.
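
The diagnostic step in this thread (reading the alert in the capture, telling a certificate_expired alert apart from the handshake_failure alert a cipher-suite mismatch would produce, and recognising that a fatal alert ends the handshake so re-sending the same ClientHello cannot help) can be scripted. The following Python is an added example, not code from the thread or from OpenSSL; the sample records are constructed, not taken from the attached ha.txt capture.

```python
import struct

# TLS record header: ContentType(1) ProtocolVersion(2) Length(2), then the body.
# An alert body is level(1) description(1). Alerts sent before keys are in place
# (as in this thread, right after the ClientHello) are unencrypted and parseable.
CONTENT_TYPE_ALERT = 21
RECORD_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",      # e.g. no mutually acceptable cipher suite
    42: "bad_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
}


def parse_tls_alert(record: bytes) -> dict:
    """Parse one plaintext TLS record; raise ValueError if it is not a valid alert."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes (encrypted or malformed?)")
    level, desc = body
    return {
        "record_version": RECORD_VERSIONS.get(version, f"unknown(0x{version:04x})"),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        # A fatal alert (or close_notify) ends the connection: the client must not
        # simply reconnect and resend the identical ClientHello in a loop.
        "terminal": level == 2 or desc == 0,
    }


def handshake_is_over(record: bytes) -> bool:
    """True when the peer's alert means this handshake cannot be continued or retried as-is."""
    return parse_tls_alert(record)["terminal"]


# Constructed sample records (TLS 1.2 record layer, alert content type):
CERT_EXPIRED = bytes.fromhex("1503030002022d")       # fatal, certificate_expired
HANDSHAKE_FAILURE = bytes.fromhex("15030300020228")  # fatal, handshake_failure
CLOSE_NOTIFY = bytes.fromhex("15030300020100")       # warning, close_notify
```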

mattcaswell commented 3 years ago

Can this be closed now?

mkaroshi commented 3 years ago

Yes.

mattcaswell commented 3 years ago

Great. Closing.