Thursday, January 31, 2013

openssl hanging CONNECTED(00000003) SSL_connect:unknown state

This one took me an hour to work around. Our POB recipes that import LDAP (ApacheDS) SSL certificates, run from Remoto-IT, were failing on a remote machine with just one message from openssl s_client: "CONNECTED(00000003)". Using the -msg and -state flags we could see a little bit more:
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
$ openssl s_client -msg -state -connect w.x.y.z:10636
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.1  [length 00dd]
    01 00 00 d9 03 02 51 0a c4 32 c9 50 79 93 ea 10
    7f d1 41 57 3f 52 27 c6 86 df 9b fa 20 09 0c 92
    b4 e8 ae 5f 6c fa 00 00 66 c0 14 c0 0a c0 22 c0
    21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00
    84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0
    03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00
    9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00
    41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00
    12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02
    01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34
    00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09
    00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15
    00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f
    00 10 00 11 00 23 00 00 00 0f 00 01 01
SSL_connect:unknown state
Note that OpenSSL 1.0.1 opens the negotiation with a TLS 1.1 ClientHello, and nothing comes back from the server. From my Mac, with an older OpenSSL, I could negotiate, though:
$ openssl version
OpenSSL 0.9.8r 8 Feb 2011
$ echo |  openssl s_client -msg -state -connect w.x.y.z:10636
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> SSL 2.0 [length 0080], CLIENT-HELLO
    01 03 01 00 57 00 00 00 20 00 00 39 00 00 38 00
    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
    33 00 00 32 00 00 2f 00 00 9a 00 00 99 00 00 96
    03 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00
    00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00
    08 00 00 06 04 00 80 00 00 03 02 00 80 00 00 ff
    5d df 78 59 05 15 8f fc d4 df 62 0f b5 b7 e8 79
    af 6e 49 22 09 5b 1c 89 5a 96 49 fa b1 a2 41 91
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.0 Handshake [length 0051], ServerHello
    02 00 00 4d 03 01 51 0a c5 e1 1c 6f 7f cc c2 92
    8c 3c 02 3c ad 42 04 59 35 35 be 24 72 b6 92 27
    a7 b9 a7 fc ae c2 20 51 0a c5 e1 a5 5e 9a 62 d8
    1f 5d c4 be 3e 7d ef 89 b1 67 6d 5a db 20 3c d2
    5b 3f 1f 19 e2 f1 83 00 39 00 00 05 ff 01 00 01
    00
SSL_connect:SSLv3 read server hello A
...
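The hex dumps above can be decoded to see exactly what each side advertised. The following is an added example written for this post (it is not code from the post or from OpenSSL): it turns the -msg dump lines back into bytes and reads the version, cipher suites and extensions out of the TLS 1.1 ClientHello that OpenSSL 1.0.1 sent, the SSLv2-format CLIENT-HELLO that 0.9.8r sent, and the TLS 1.0 ServerHello the server returned. The three dumps are copied from the sessions quoted above and serve only as sample input.

```python
"""Decode the hex dumps printed by `openssl s_client -msg`, so the protocol
version each side actually put on the wire can be read off directly.
Added example for this post, not code from the post or from OpenSSL; the
three dumps below are copied from the s_client sessions quoted in the post."""
import re

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def hex_dump_to_bytes(dump):
    """Turn the indented 'xx xx xx ...' lines of -msg output into bytes."""
    return bytes(int(t, 16) for t in re.findall(r"\b[0-9a-fA-F]{2}\b", dump))


def version_name(v):
    return VERSION_NAMES.get(v, "0x%04x" % v)


def decode_tls_hello(data):
    """Parse a TLS ClientHello (type 1) or ServerHello (type 2) body."""
    htype, length = data[0], int.from_bytes(data[1:4], "big")
    if htype not in (1, 2) or len(data) != 4 + length:
        raise ValueError("not a complete ClientHello/ServerHello dump")
    info = {"type": "ClientHello" if htype == 1 else "ServerHello",
            "version": version_name(int.from_bytes(data[4:6], "big"))}
    pos = 6 + 32                       # skip the 32-byte random
    pos += 1 + data[pos]               # skip session id (length-prefixed)
    if htype == 1:
        cs_len = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        info["cipher_suites"] = [int.from_bytes(data[i:i + 2], "big")
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + data[pos]           # skip compression methods
    else:
        info["cipher_suite"] = int.from_bytes(data[pos:pos + 2], "big")
        pos += 3                       # chosen suite + one compression byte
    exts = []
    if pos < len(data):                # extensions block is optional
        end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        while pos < end:               # each: type(2) length(2) body
            exts.append(int.from_bytes(data[pos:pos + 2], "big"))
            pos += 4 + int.from_bytes(data[pos + 2:pos + 4], "big")
    info["extensions"] = exts
    return info


def decode_sslv2_client_hello(data):
    """Parse the SSLv2-format CLIENT-HELLO that OpenSSL 0.9.8 sends first."""
    if data[0] != 1:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    cs_len = int.from_bytes(data[3:5], "big")
    specs = [data[i:i + 3] for i in range(9, 9 + cs_len, 3)]  # 3-byte specs
    return {"type": "SSLv2 CLIENT-HELLO",
            "max_version": version_name(int.from_bytes(data[1:3], "big")),
            "cipher_specs": len(specs),
            # a non-zero first byte marks an SSLv2-only cipher kind
            "sslv2_only_specs": sum(1 for s in specs if s[0] != 0)}


# Sample input: the three dumps from the post (two dump lines per line here).
OPENSSL_101_CLIENT_HELLO = """
01 00 00 d9 03 02 51 0a c4 32 c9 50 79 93 ea 10 7f d1 41 57 3f 52 27 c6 86 df 9b fa 20 09 0c 92
b4 e8 ae 5f 6c fa 00 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00
84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00
9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00
12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34
00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15
00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 01
"""
OPENSSL_098_CLIENT_HELLO = """
01 03 01 00 57 00 00 00 20 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 00 00 9a 00 00 99 00 00 96 03 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00
00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 00 80 00 00 ff
5d df 78 59 05 15 8f fc d4 df 62 0f b5 b7 e8 79 af 6e 49 22 09 5b 1c 89 5a 96 49 fa b1 a2 41 91
"""
SERVER_HELLO = """
02 00 00 4d 03 01 51 0a c5 e1 1c 6f 7f cc c2 92 8c 3c 02 3c ad 42 04 59 35 35 be 24 72 b6 92 27
a7 b9 a7 fc ae c2 20 51 0a c5 e1 a5 5e 9a 62 d8 1f 5d c4 be 3e 7d ef 89 b1 67 6d 5a db 20 3c d2
5b 3f 1f 19 e2 f1 83 00 39 00 00 05 ff 01 00 01 00
"""


def decode_all():
    """Decode the three captures from the post in one go."""
    return {"openssl 1.0.1 hello": decode_tls_hello(hex_dump_to_bytes(OPENSSL_101_CLIENT_HELLO)),
            "openssl 0.9.8r hello": decode_sslv2_client_hello(hex_dump_to_bytes(OPENSSL_098_CLIENT_HELLO)),
            "server hello": decode_tls_hello(hex_dump_to_bytes(SERVER_HELLO))}


if __name__ == "__main__":
    for name, info in decode_all().items():
        print(name, info)
```

Decoding shows the 1.0.1 client offering TLS 1.1 with 51 cipher suites and four extensions (0x000b ec_point_formats, 0x000a elliptic_curves, 0x0023 session_ticket, 0x000f heartbeat), while the 0.9.8r client's SSLv2-format hello advertises at most TLS 1.0, carries 29 cipher specs (6 of them SSLv2-only) and no extensions at all. The server answers that one with TLS 1.0, cipher suite 0x0039 (DHE-RSA-AES256-SHA) and only the renegotiation_info extension (0xff01), so the difference between the two client hellos is both the version and the extension block.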
Now look at the Lion client's OpenSSL 0.9.8r: it opens with an SSLv2-format CLIENT-HELLO up front, and the server answers it with a TLS 1.0 ServerHello. While the OpenSSL project has been trying to solve issues like this (hangs), I believe there is still some code review to be made, as previous versions of OpenSSL were working correctly in terms of negotiations. For now we managed to get around this issue by passing SSL3 as the preferred secure transport:
$ echo |  openssl s_client -ssl3 -msg -state -connect w.x.y.z:10636
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> SSL 3.0 Handshake [length 005a], ClientHello
...
That might not be an option for you, in which case try the other available protocol options. BTW, this happened on Ubuntu 12.04.
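Trying the protocol options one by one is easier when a hang cannot block the run. Here is an added example for this post (not code from the post or from OpenSSL) that runs openssl s_client once per option with a timeout and classifies each attempt from its -state transcript: the server answered, the server sent an alert, the option is not built into this OpenSSL, TCP failed, or the handshake hung the way it does in the post. The host and port are placeholders supplied on the command line.

```python
"""Try each protocol option of `openssl s_client` against a server with a
timeout, so a hanging handshake (as in the post) is reported instead of
blocking the run.  Added example for this post, not code from the post or
from OpenSSL.  Host and port are placeholders given on the command line."""
import subprocess

# Protocol options understood by the OpenSSL 1.0.x s_client in the post;
# "" means no option, i.e. the library default (TLS 1.1 hello in 1.0.1).
PROTOCOL_OPTIONS = ["", "-tls1", "-ssl3", "-ssl2"]


def classify(transcript, timed_out):
    """Map a -state transcript (stdout+stderr of s_client) to a verdict."""
    if "read server hello" in transcript:
        return "server answered"       # a ServerHello came back
    if "alert read:" in transcript:
        return "refused by server"     # server replied with a fatal alert
    if "unknown option" in transcript:
        return "option not built in"   # e.g. -ssl2 on a build without SSLv2
    if "connect:errno" in transcript:
        return "tcp connect failed"
    if timed_out and "CONNECTED(" in transcript:
        return "hang"                  # TCP up, ClientHello sent, silence
    return "unknown"


def probe(host, port, option, timeout=5):
    """Run one s_client attempt.  stdin is closed (like `echo |` in the
    post) so a successful handshake exits on its own."""
    cmd = ["openssl", "s_client", "-state", "-connect", "%s:%d" % (host, port)]
    if option:
        cmd.append(option)
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
        out = (proc.stdout + proc.stderr).decode("utf-8", "replace")
        return classify(out, False)
    except subprocess.TimeoutExpired as e:
        # s_client was killed; keep whatever it printed before the hang
        out = ((e.stdout or b"") + (e.stderr or b"")).decode("utf-8", "replace")
        return classify(out, True)
    except FileNotFoundError:
        return "openssl not found"


def probe_all(host, port, timeout=5):
    """Verdict per protocol option, keyed by the option (or 'default')."""
    return {opt or "default": probe(host, port, opt, timeout)
            for opt in PROTOCOL_OPTIONS}


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. w.x.y.z 10636
    for opt, verdict in probe_all(host, port).items():
        print("%-8s %s" % (opt, verdict))
```

Run as `python probe.py w.x.y.z 10636`. On the server from the post the expected picture is "hang" for the default option and "server answered" for -ssl3; a build without SSLv2, such as the Ubuntu 12.04 one, reports -ssl2 as not built in. The state strings matched by classify() are the ones the 1.0.x s_client prints with -state, which is why stdout and stderr are combined before classification.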

Infrastructure as a Service demands a high level of automation. Basically, all the best practices taught to software developers should be followed by Ops guys as well, especially when it comes to automating the building of environments and testing. These practices should be mandated, not overlooked, to avoid surprises in production systems while still being as agile as possible on the infrastructure side. Back to the lab ...
