Can't get OpenSSL demo sslecho to work but s_server works

[space88man]

When I build sslecho (from openssl demos/sslecho) - modified code - here for pkcs11-provider
the private key loads but it cannot accept any SSL connections - whereas - s_server works correctly.

For an external provider like pkcs11-provider is there any other configuration needed for an SSL_CTX? This demo code does minimal preparation.

I modified the demo to load a private key from KEY_URI env var and certificate from CERT_PEM env var.

SSL_CTX_check_private_key works but some how pkcs11-provider is not hooked into the SSL processing state machine. If I use pkcs11-spy, there is no token access during the SSL accept (whereas s_server will access the token to perform handshake).

sslecho-demov3.zip

# use the token and openssl.cnf from pkcs11-provider/tests/tmp.softokn
# in pkcs11-provider/tests
OPENSSL_CONF=tmp.softokn/openssl.cnf
KEY_URI=<some key from softoken>
CERT_PEM=<some cert from softoken>
./sslecho s

$ CERT_PEM=testCert.pem KEY_URI="pkcs11:id=%eb%89%60%0a%39%fa%bf%fd%12%1b%70%b5%ab%36%be%86%95%41%14%b3
"./sslecho s

sslecho : Simple Echo Client/Server (OpenSSL 3.0.1-dev) : Mar  1 2024 : 10:34:40

We are the server on port: 4433

found pkey = 0x1a95e50

Client TCP connection accepted
40ACC3F8FA7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:ssl/t1_lib.c:3280:
Server exiting...
sslecho exiting

With s_server — no problem performing SSL handshake:

$ openssl s_server -key $KEY_URI -cert $CERT_PEM        
Using default temp DH parameters                                                                                            
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MIGCAgEBAgIDBAQCEwIEIIe/a4dtVCznIWWQaajIqaQOnvZzge5DMziWGeCAovfo
BDAtUo0GQ7Mmj8iKsSD9zhcZIjv9GGp05I4Y/WUTyBcaBO2DfOfZGxJKynpdYwCN
v22hBgIEZeFHAqIEAgIcIKQGBAQBAAAArgYCBD77kaqzAwIBHQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SH

Update: if I copy and paste the main(...) from sslecho into the top of s_server s_server_main() at this line it works if I open the store twice(!):

https://github.com/openssl/openssl/blob/a7e992847de83aa36be0c399c89db3fb827b0be2/apps/s_server.c#L995

    do {
        char *ptr;
        // open the store twice once here 
       // and once in the main of sslecho
        if ((ptr = getenv("KEY_URI"))) {
            OSSL_STORE_open_ex(ptr, NULL, NULL, NULL, NULL,
                           NULL, NULL, NULL);
        }
        fprintf(stderr, "open store once %d\n", __LINE__);
        // sslecho will open the  store again
        sslecho("s", NULL, NULL); /* the main of sslecho copied into s_server.c */
        return 0;
    }while(0);

but if I try to replicate in sslecho: open store twice it fails during SSL_accept

Code coped into s_server.c:

• failure log (open store only once in sslecho):
  debug.log
• success log (open store twice: once in s_server, once in sslecho):
  debug1.log
• s_server on its own:
  debug2.log

[space88man]

If I insert the following as the first line of main

char *key_uri;
    if((key_uri = getenv("KEY_URI"))) {
// do nothing store open/close
        OSSL_STORE_CTX *store = OSSL_STORE_open_ex(key_uri, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
        OSSL_STORE_close(store);
}

it works, I suspect the location of this call matters. This call has to be before any call to SSL_CTX_new().

sslecho-demo-workingv4.zip

[space88man]

#352

Sequence of SSL_CTX_new and OSSL_STORE_open_ex matters