[Libwebsockets] Mbedtls handshake fails often (on windows)

Lasa Martxel mlasa at ikerlan.es
Wed Feb 6 10:29:30 CET 2019


Hello Andy,

I have applied your patch and so far I have no more issues:

[2019/02/06 09:20:23:9039] NOTICE: lws_mbedtls_sni_cb: localhost
[2019/02/06 09:20:23:9039] INFO: SNI: Found: localhost
[2019/02/06 09:20:23:9039] INFO: SNI: Found: localhost:4343 at vhost 'localhost'
[2019/02/06 09:20:23:9039] INFO: mbedtls_handshake: ssl ret -0 state 2
[2019/02/06 09:20:23:9039] INFO: mbedtls_handshake: ssl ret -0 state 3
[2019/02/06 09:20:23:9039] INFO: mbedtls_handshake: ssl ret -0 state 4
[2019/02/06 09:20:24:0893] INFO: mbedtls_handshake: ssl ret -0 state 5
[2019/02/06 09:20:24:0893] INFO: mbedtls_handshake: ssl ret -0 state 6
[2019/02/06 09:20:24:0893] INFO: mbedtls_handshake: ssl ret -0 state 7
[2019/02/06 09:20:24:0893] INFO: mbedtls_handshake: ssl ret -0 state 8
[2019/02/06 09:20:24:0893] INFO: mbedtls_handshake: ssl ret -6900 state 8
[2019/02/06 09:20:24:0893] DEBUG: lws_tls_server_accept: 03D7DE68: accept SSL_get_error 5 errno 0
[2019/02/06 09:20:24:0893] INFO: SSL_accept says -2
[2019/02/06 09:20:24:0893] INFO: lws_header_table_attach: wsi 03D7DE68: ah 00000000 (tsi 0, count = 0) in
[2019/02/06 09:20:24:0893] DEBUG: _realloc: size 944: ah struct
[2019/02/06 09:20:24:0893] DEBUG: _realloc: size 4096: ah data
[2019/02/06 09:20:24:0893] INFO: _lws_create_ah: created ah 03A5EF70 (size 4096): pool length 1

I have attached the complete log I get after applying your fix. Let me know if I can help with testing or something.

Thank you!

Martxel

-----Original Message-----
From: Andy Green [mailto:andy at warmcat.com] 
Sent: Wednesday, 6 February 2019 10:10
To: Lasa Martxel; libwebsockets at ml.libwebsockets.org
Subject: Re: [Libwebsockets] Mbedtls handshake fails often (on windows)



On 06/02/2019 15:40, Lasa Martxel wrote:
> Morning,
> 
> I'm having an issue with libwebsockets.
> 
> I have built libwebsockets with mbedtls support on windows. I have 
> created a simple example that responds to GET requests, both http and https.
> 
> With HTTP requests, I don't have issues so far. When I use HTTPS however 
> I get an error in the TLS negotiation every 4-5 requests.
> 
> If I wait a few seconds between requests, I don't get the error that often.
> 
> I have tried with the minimal tls example, and the same thing happens:

Thanks for checking like that.  And thanks for the log.

> [2019/02/06 07:36:47:7747] INFO: mbedtls_handshake: ssl ret -0 state 7
> 
> [2019/02/06 07:36:47:7747] INFO: mbedtls_handshake: ssl ret -0 state 8
> 
> [2019/02/06 07:36:47:7747] INFO: mbedtls_handshake: ssl ret -6900 state 8

-0x6900 is mbedtls-speak for MBEDTLS_ERR_SSL_WANT_READ... it's a 
nonfatal "I can't do the next step until I get some data from the remote 
peer".  Your "sometimes" behaviour is likely just racing whether the 
data came before we looked (happy), or we had to wait (error).

> [2019/02/06 07:36:47:7747] DEBUG: lws_tls_server_accept: 0302E900: 
> accept SSL_get_error 5 errno 0

This is after the openssl adaptation api has seen the above... it's 
translating the mbedtls condition to openssl error semantics... 5 is 
SSL_ERROR_SYSCALL and the matching errno is 0.

SYSCALL means that some posix api said something other than "perfect" 
and you have to check errno to find out the situation.

Errno is 0 so in other words there's no error.

> [2019/02/06 07:36:47:7747] INFO: SSL_accept says -1

...but it treats it like a fatal error and you're dead.

> [2019/02/06 07:36:47:7747] INFO: SSL_accept failed socket 824: -1
> 
> [2019/02/06 07:36:47:7747] INFO: lws_adopt_descriptor_vhost: fail ssl 
> negotiation
...
> 
> When I build and run it on linux, there are no problems.
> 
> Any clues?

What happens if you try this kind of thing?

diff --git a/lib/tls/mbedtls/mbedtls-server.c 
b/lib/tls/mbedtls/mbedtls-server.c
index d75500d77..943533d79 100644
--- a/lib/tls/mbedtls/mbedtls-server.c
+++ b/lib/tls/mbedtls/mbedtls-server.c
@@ -319,6 +319,11 @@ lws_tls_server_accept(struct lws *wsi)
         if (m == SSL_ERROR_SYSCALL && errno == 11)
                 return LWS_SSL_CAPABLE_MORE_SERVICE_READ;

+#if defined(WIN32)
+       if (m == SSL_ERROR_SYSCALL && errno == 0)
+               return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
+#endif
+
         if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL)
                 return LWS_SSL_CAPABLE_ERROR;


-Andy
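The two translation steps Andy walks through (mbedtls return code to OpenSSL-style SSL_get_error() class plus errno, then the lws verdict) modelled as a standalone C program. This is an added example, not code from libwebsockets or mbedtls; the shim functions, the `accept_verdict` enum and `accept_step` are hypothetical, and the numeric constants are defined locally with the same values the real mbedtls and OpenSSL headers use so the file compiles on its own. It shows why a shim that folds WANT_READ into SSL_ERROR_SYSCALL with errno 0 turns a "wait for data" condition into a fatal close, and how a shim that preserves the WANT_READ/WANT_WRITE classes keeps the handshake alive.

```c
/*
 * Added example (not libwebsockets or mbedtls code). Models the mbedtls ->
 * OpenSSL-semantics -> lws decision chain described in the thread.
 * Constants below carry the real header values; the shims and the
 * verdict enum are hypothetical illustrations.
 */
#include <errno.h>
#include <stdio.h>

#define MBEDTLS_ERR_SSL_WANT_READ  (-0x6900)   /* the "-6900" in the log */
#define MBEDTLS_ERR_SSL_WANT_WRITE (-0x6880)
#define HYPOTHETICAL_FATAL_CODE    (-0x7100)   /* stands in for a real mbedtls failure */

#define SSL_ERROR_NONE       0
#define SSL_ERROR_SSL        1
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#define SSL_ERROR_SYSCALL    5                 /* the "SSL_get_error 5" in the log */

enum accept_verdict {
    ACCEPT_DONE,        /* handshake step completed */
    ACCEPT_MORE_READ,   /* non-fatal: wait until the socket is readable, retry */
    ACCEPT_MORE_WRITE,  /* non-fatal: wait until the socket is writable, retry */
    ACCEPT_ERROR        /* fatal: drop the connection */
};

/* Lossy shim: every non-zero mbedtls code becomes SSL_ERROR_SYSCALL and
 * errno is whatever the platform left there (0 on the Windows run in the log). */
static int shim_lossy(int mbed_ret, int *err_no)
{
    *err_no = 0;
    return mbed_ret == 0 ? SSL_ERROR_NONE : SSL_ERROR_SYSCALL;
}

/* Faithful shim: WANT_READ / WANT_WRITE keep their own SSL_ERROR_ class,
 * so the caller never has to infer "not really an error" from errno. */
static int shim_faithful(int mbed_ret, int *err_no)
{
    *err_no = 0;
    switch (mbed_ret) {
    case 0:                          return SSL_ERROR_NONE;
    case MBEDTLS_ERR_SSL_WANT_READ:  return SSL_ERROR_WANT_READ;
    case MBEDTLS_ERR_SSL_WANT_WRITE: return SSL_ERROR_WANT_WRITE;
    default:                         return SSL_ERROR_SSL;
    }
}

/* The lws-side decision, with the same shape as the quoted hunk:
 * SYSCALL + EAGAIN means "service again later"; other SYSCALL/SSL is fatal. */
static enum accept_verdict classify(int ssl_err, int err_no)
{
    switch (ssl_err) {
    case SSL_ERROR_NONE:       return ACCEPT_DONE;
    case SSL_ERROR_WANT_READ:  return ACCEPT_MORE_READ;
    case SSL_ERROR_WANT_WRITE: return ACCEPT_MORE_WRITE;
    case SSL_ERROR_SYSCALL:
        if (err_no == EAGAIN || err_no == EWOULDBLOCK)
            return ACCEPT_MORE_READ;
        return ACCEPT_ERROR;   /* errno 0 lands here: the failure in the log */
    default:
        return ACCEPT_ERROR;
    }
}

/* One handshake step, run through the chosen shim. */
enum accept_verdict accept_step(int mbed_ret, int (*shim)(int, int *))
{
    int err_no;
    int ssl_err = shim(mbed_ret, &err_no);
    return classify(ssl_err, err_no);
}

int main(void)
{
    printf("lossy shim,    WANT_READ -> verdict %d (3 = ACCEPT_ERROR)\n",
           accept_step(MBEDTLS_ERR_SSL_WANT_READ, shim_lossy));
    printf("faithful shim, WANT_READ -> verdict %d (1 = ACCEPT_MORE_READ)\n",
           accept_step(MBEDTLS_ERR_SSL_WANT_READ, shim_faithful));
    return 0;
}
```

With the lossy shim the WANT_READ code from state 8 of the log is indistinguishable from a genuine socket failure, which is exactly the "SSL_accept says -1" outcome; the faithful shim lets the existing non-fatal path handle it without any platform-specific errno special case.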
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: output.txt
URL: <https://libwebsockets.org/pipermail/libwebsockets/attachments/20190206/968955db/attachment-0001.txt>