EldoS | Feel safer!

SSL worked in 5.0.106, not in latest

#3014
Posted: 05/29/2007 15:01:23
by Allen Drennan (Standard support level)
Joined: 05/29/2007
Posts: 11

Hello,

I am the author of the SSL plugin for Synapse (ssl_sbb.pas). After upgrading from 5.0.106 to the latest revision (VCL source) my SSL/TLS client to server code stopped functioning and no longer works. My HTTPS web server and client code still works fine though. I have upgraded many times in the past without issues, so I am wondering what possible problems are new to TElSecureClient and TElSecureServer since revision 5.0.106.
#3015
Posted: 05/29/2007 15:27:30
by Allen Drennan (Standard support level)
Joined: 05/29/2007
Posts: 11

I have narrowed the problem to the initial SSL handshake for accepting connections. The logic that worked previously was:

// wait for SSL open or error
while (not FElSecureServer.Active) and (FLastError=0) do
begin
  // data available?
  if FRecvBuffers<>'' then
    FElSecureServer.DataAvailable
  else
    if not FElSecureServer.Active then
    begin
      // socket recv
      lResult:=Recv(FSocket.Socket,@FRecvBuffer[1],Length(FRecvBuffer),0);
      if lResult=SOCKET_ERROR then
      begin
        FLastErrorDesc:='';
        FLastError:=WSAGetLastError;
      end
      else
      begin
        if lResult>0 then
          FRecvBuffers:=FRecvBuffers+Copy(FRecvBuffer,1,lResult);
      end;
    end;
end;

This code doesn't work anymore, because of something related to DataAvailable having some data, but not enough. If I change on the server:

if FRecvBuffers<>'' then
  FElSecureServer.DataAvailable

to

if Length(FRecvBuffers)>7 then
  FElSecureServer.DataAvailable

and use an SSL client compiled with an older build, it works. However if I update my client to the latest SSL code everything fails during the SSL handshake on both sides.
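The "some data, but not enough" symptom above comes from handing the TLS engine whatever a single Recv() returned, even when a record is split across reads; the `>7` threshold is a guess at that boundary. The following added example (not part of the thread or of ssl_sbb.pas; the record builder and sample bytes are constructed here) shows the check a receive loop can make instead: parse the 5-byte TLS record header and only pass on complete records, rejecting headers that are not TLS or claim an oversize length.

```python
import struct
from typing import List, Tuple

TLS_HEADER_LEN = 5
# Record content types defined by TLS (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# TLS 1.2 allows 2^14 bytes of plaintext plus at most 2048 bytes of expansion per record.
MAX_RECORD_LEN = 2 ** 14 + 2048


class TlsRecordBuffer:
    """Accumulates received bytes and releases only complete TLS records."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[Tuple[str, bytes]]:
        """Append freshly received bytes and return every record that is now complete."""
        self._buf += data
        records = []
        while len(self._buf) >= TLS_HEADER_LEN:
            ctype, ver_major, ver_minor, length = struct.unpack("!BBBH", self._buf[:TLS_HEADER_LEN])
            if ctype not in CONTENT_TYPES or ver_major != 3:
                raise ValueError(f"not a TLS record: type={ctype} version={ver_major}.{ver_minor}")
            if length > MAX_RECORD_LEN:
                raise ValueError(f"record length {length} exceeds the TLS maximum")
            if len(self._buf) < TLS_HEADER_LEN + length:
                break  # header seen, body still incomplete: wait for the next Recv()
            body = bytes(self._buf[TLS_HEADER_LEN:TLS_HEADER_LEN + length])
            del self._buf[:TLS_HEADER_LEN + length]
            records.append((CONTENT_TYPES[ctype], body))
        return records

    def pending(self) -> int:
        """Bytes held back because they do not yet form a complete record."""
        return len(self._buf)


def make_record(ctype: int, body: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record around body (constructed test data, not real handshake output)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def demo_fragmented_delivery(chunk_size: int) -> List[Tuple[str, bytes]]:
    """Deliver a constructed handshake record and an alert in chunks of chunk_size bytes."""
    # Constructed handshake body: msg_type 1 (ClientHello), 3-byte length, 40 placeholder bytes.
    hello = bytes([1]) + (40).to_bytes(3, "big") + bytes(40)
    stream = make_record(22, hello) + make_record(21, bytes([1, 0]))  # alert: warning, close_notify
    buf, out = TlsRecordBuffer(), []
    for i in range(0, len(stream), chunk_size):
        out.extend(buf.feed(stream[i:i + chunk_size]))  # same result for any chunking
    assert buf.pending() == 0
    return out
```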
#3019
Posted: 05/30/2007 01:12:23
by Ken Ivanov (EldoS Corp.)

Your code should work correctly. Would you be so kind as to specify the *exact* problems you are encountering on the client and server sides (it's a good idea to handle the OnError event and check whether it is fired)?
#3022
Posted: 05/30/2007 14:33:49
by Allen Drennan (Standard support level)
Joined: 05/29/2007
Posts: 11

Thanks but I am going to return to 5.0.106 until the problem is resolved. It appears to be a bug in the SSL open handshake sequence that only exists in the most recent versions.
#3024
Posted: 05/31/2007 00:57:25
by Eugene Mayevski (EldoS Corp.)

Quote
Allen Drennan wrote:
Thanks but I am going to return to 5.0.106 until the problem is resolved.

Unfortunately this is not gonna happen, as you are the only person to experience the problem and you don't give us the logs.


Sincerely yours
Eugene Mayevski
#3062
Posted: 06/04/2007 21:02:07
by Allen Drennan (Standard support level)
Joined: 05/29/2007
Posts: 11

I have spent numerous hours examining the SSL handshaking to determine the difference between the older and newer versions. This worked perfectly for many years, until recently. You are welcome to review the code for (ssl_sbb.pas) which is attached. I also attached 2 logs from CodeSite which show the binary exchange during the SSL handshake from 5.0.106 and the latest version which doesn't work.
#3064
Posted: 06/05/2007 03:28:05
by Ken Ivanov (EldoS Corp.)

Thank you very much for the logs.

Got it. The problem is caused by misuse of PSK cipher suites (which seem to get enabled in your code). PSK requires special handling, such as creating handlers for OnKeyNeeded events. If the appropriate setup is not performed, PSK handshake fails.

By default, PSK (and some other exotic cipher suites, e.g. SRP-based) are turned off to prevent handshake problems. Please try either to turn off PSK suites or to implement OnKeyNeeded event handlers and check if the error has gone.
#3073
Posted: 06/05/2007 14:28:40
by Allen Drennan (Standard support level)
Joined: 05/29/2007
Posts: 11

Thanks, that worked. I have attached an updated ssl_sbb.pas for your distribution/setup since it is currently distributed with SecureBlackBox setup.
#3074
Posted: 06/05/2007 14:53:28
by Eugene Mayevski (EldoS Corp.)

Thank you for the fixes, I've put the file to our VCS for further use.


Sincerely yours
Eugene Mayevski