Something a little funny in the code of SslStreamServer.cs

[bnimble]

In InitializeServerContext, it takes great pains to set the bits on sslContext.Options, e.g.

        if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
        {
            sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
        }

...but then the options get summarily overwritten on line 172:

        // Set the workaround options
        sslContext.Options = SslOptions.SSL_OP_ALL;

Did it mean to do that? I'm in large part wondering because I'm running into an "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" when contacting this as an SslStream server, which purportedly happens if SSLv3 is not enabled in the Options.

(Of course, there's also a small comment in the code "// no SSLv3 support". Is that the case?)

[davidiw]

Honestly, you could likely change the code as necessary. I only implemented the DTLS portion. This is a pretty thin wrapper around the actual library itself. So I don't think there would be any negative ramifications of supporting SSL3 / TLS1.2

[bnimble]

Already got it cloning; I'll see what I can puzzle out (but no guarantees; it's horridly busy over here sometimes :) )

[bnimble]

I managed to get a connection going after removing that "sslContext.Options = SslOptions.SSL_OP_ALL;", but there was a point in the handshaking that just sat there and would not continue.

I tried a few things to get around it, but the thing that finally worked was altering BIO.cs a little. There's a point at which when there's nothing to write out and nothing to read in (yet!). I noticed some commented-out code in SslStreamBase::InternalBeginWrite that looked like it may have encountered this sort of issue before.

Changing BIO::ReadBytes to:

    public ArraySegment<byte> ReadBytes(int count)
    {
        byte[] buf = new byte[count];
        int ret = 0;
        if (count > 0)
        {
            ret = Native.BIO_read(this.ptr, buf, buf.Length);
            if (ret < 0)
                throw new OpenSslException();
        }
        return new ArraySegment<byte>(buf, 0, ret);
    }

...basically just 'skipping' the read when the count is zero (as happens when the write_bio.BytesPending == 0) prevents that exception from being thrown when the SSL negotiation is in that "quiet" phase (for me, this happened during 'cipher change request' # 2)

I've worked with git before, but I've never put something back on github before. You want I should push it somehow? :)

Cheers :)

-- Ritchie Annand