
SSL_ERROR_SSL generated in SSL_connect


Toby Shepheard

Mar 6, 2001, 2:46:45 PM
Hi,

I've implemented a basic SSL client in C on Solaris using openssl. I've also
written some wrapping code, so now I can compile it as a .so object to
integrate with another piece of software (Vignette StoryServer 5.5)

When run as a standalone program, everything is fine. However, when I
compile as a .so and run it in the StoryServer environment, I hit a problem
with SSL_connect:

SSL_get_error(ssl, SSL_connect(ssl))
always returns SSL_ERROR_SSL

The man pages suggest this may be a protocol error. I then called
ERR_print_errors(bio_err)
ERR_error_string(err, szDebug)

this gave
2546:error:140840FF:lib(20):func(132):reason(255):s3_clnt.c:382:
and
error:FFFFFFFF::lib(255) :func(4095) :reason(4095)
but perhaps I didn't do that last bit properly! (code below).

The only other clue I have is from using ssldump. This shows a TCP
connection being initialised, but nothing else - not even a client hello!

A stripped down version of the code, with all the SSL stuff, is appended at
the end. If anyone can point me to where things may be going wrong, or even
how I can get more info about what might be happening, I'd really appreciate
it!

As it works when I compile as an executable, I suspect it may be something
to do with the environment settings or compiling as a .so, but I don't see
how or why.


Thanks,
Toby

(code follows)
__________________________________________
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>

/* Assumed to be declared elsewhere in the module: zzsm_fp (FILE* for
   debug output), CA_LIST and RANDOM (file names), szDebug (char buffer),
   zzsm_debugError(), and iSocket (an already connected TCP socket). */

BIO* bio_err = 0;
SSL_METHOD* meth;
SSL_CTX* ctx;
SSL* ssl;
int err;

// the TCP socket connection has been made already - socket is iSocket.

if(!bio_err)
{
    /* Global system initialization */
    SSL_library_init();
    SSL_load_error_strings();

    /* An error write context */
    bio_err = BIO_new_fp(zzsm_fp, BIO_NOCLOSE);
}

/* Create context */
meth = SSLv3_method();
ctx = SSL_CTX_new(meth);
// Load trusted CAs
SSL_CTX_load_verify_locations(ctx, CA_LIST, 0);
SSL_CTX_set_verify_depth(ctx, 1);
/* Editor's note: no SSL_CTX_set_verify() call is made, so the default
   SSL_VERIFY_NONE mode applies and the handshake succeeds whether or not
   the server certificate chains to CA_LIST. */

/* Load random data */
RAND_load_file(RANDOM, 1024*1024);

ssl = SSL_new(ctx);
err = SSL_set_fd(ssl, iSocket);

// everything works fine up to here. I've removed error handling
// code from the email to keep the size down.

err = SSL_connect(ssl);
if(err <= 0)
{
    int sslError;
    sprintf(szDebug, "zzss_secureConnection: Error establishing SSL layer\n");
    zzsm_debugError(szDebug);
    sslError = SSL_get_error(ssl, err);
    switch(sslError)
    {
    // here I always reach this case:
    case SSL_ERROR_SSL:
        printf("SSL error: possible protocol error, or other SSL error\n");
        ERR_print_errors(bio_err);

        // I don't think this is right, as I'm using SSL_get_error
        // mixed with ERR_error_string. ERR errors are unsigned longs, SSL uses int.
        // I'm a bit confused! But I'm more worried about the connect error :-)
        ERR_error_string(sslError, szDebug);
        printf("%s", szDebug);
    }
}
_______________________________

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Toby Shepheard

Mar 7, 2001, 6:24:03 AM
Small update:

I got the proper error response working now (it was getting a bit late
yesterday, my brain obviously wasn't in top gear!), and it is as follows:

error:140840FF:SSL routines:SSL3_CONNECT:unknown state

Does this help anyone or provide any further indications of the problem?
What could cause an unknown state?

Cheers,
Toby

> ERR_error_string(ERR_get_error(), szDebug);
> printf("%s", szDebug);

// returns the following:
// error:140840FF:SSL routines:SSL3_CONNECT:unknown state
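The two raw codes in the first post (`140840FF` and `FFFFFFFF`) and the decoded string in this follow-up all come from one packed error-code layout. The following C program is an example added here; it is not code from the thread or from OpenSSL. It reproduces the ERR_PACK layout of the 0.9.x line (8-bit library number, 12-bit function number, 12-bit reason code) with plain shifts so that it builds without libcrypto, and mimics the output format of ERR_error_string(). Its name tables are an assumption limited to the three numbers the thread itself decodes (library 20 = "SSL routines", function 132 = SSL3_CONNECT, reason 255 = "unknown state", taken from the decoded line above); every `EX_` identifier and the function names are invented for the example. It also shows where an all-ones code comes from when a negative int such as the -1 returned by SSL_connect() is widened to unsigned long on a 32-bit build, and why handing SSL_get_error()'s small return code to ERR_error_string() decodes to nothing useful.

```c
#include <stdio.h>
#include <string.h>

/* Field layout of a packed OpenSSL error code in the 0.9.x line used in this
 * thread (the ERR_PACK macro): library number in the top 8 bits, function
 * number in the next 12 bits, reason code in the low 12 bits. Reproduced with
 * plain shifts so this example builds without libcrypto. (OpenSSL 3.0 later
 * dropped the function field; the thread predates that.) */
#define EX_LIB(c)    (((c) >> 24) & 0xffUL)
#define EX_FUNC(c)   (((c) >> 12) & 0xfffUL)
#define EX_REASON(c) ((c) & 0xfffUL)

/* Codes taken from the thread: the raw value in the first post and the
 * all-ones value printed right after it. */
#define EX_CODE_UNKNOWN_STATE 0x140840FFUL
#define EX_CODE_ALL_ONES      0xFFFFFFFFUL

/* SSL_ERROR_SSL as defined in <openssl/ssl.h>: a small return code of
 * SSL_get_error(), not a packed ERR-queue code. */
#define EX_SSL_ERROR_SSL 1UL

/* Name tables restricted to the numbers the thread decodes (assumption made
 * for this example). Real libcrypto looks these up in tables registered by
 * SSL_load_error_strings(). Unknown values yield NULL. */
static const char *lib_name(unsigned long lib)
{
    return lib == 20 ? "SSL routines" : NULL;
}
static const char *func_name(unsigned long func)
{
    return func == 132 ? "SSL3_CONNECT" : NULL;
}
static const char *reason_name(unsigned long reason)
{
    return reason == 255 ? "unknown state" : NULL;
}

/* Render a code the way ERR_error_string() does:
 * "error:%08lX:<lib>:<func>:<reason>", falling back to "lib(N)"-style
 * fields when no string is registered. Returns buf for convenience. */
char *format_err(unsigned long code, char *buf, size_t n)
{
    char lib[32], func[32], reason[32];
    const char *s;

    if ((s = lib_name(EX_LIB(code))) != NULL)
        snprintf(lib, sizeof lib, "%s", s);
    else
        snprintf(lib, sizeof lib, "lib(%lu)", EX_LIB(code));

    if ((s = func_name(EX_FUNC(code))) != NULL)
        snprintf(func, sizeof func, "%s", s);
    else
        snprintf(func, sizeof func, "func(%lu)", EX_FUNC(code));

    if ((s = reason_name(EX_REASON(code))) != NULL)
        snprintf(reason, sizeof reason, "%s", s);
    else
        snprintf(reason, sizeof reason, "reason(%lu)", EX_REASON(code));

    snprintf(buf, n, "error:%08lX:%s:%s:%s", code & 0xffffffffUL, lib, func, reason);
    return buf;
}

/* Same rendering into a static buffer, for one-liners. */
const char *decode_err(unsigned long code)
{
    static char buf[128];
    return format_err(code, buf, sizeof buf);
}

/* What a negative int (for instance the -1 SSL_connect() returns on failure)
 * becomes when it is passed where an unsigned long ERR code is expected on a
 * 32-bit build such as the poster's Solaris one. Masked to 32 bits so the
 * demonstration gives the same value on a 64-bit host. */
unsigned long as_32bit_ulong(int v)
{
    return (unsigned long)v & 0xffffffffUL;
}

int main(void)
{
    printf("%s\n", decode_err(EX_CODE_UNKNOWN_STATE));
    printf("%s\n", decode_err(EX_CODE_ALL_ONES));
    printf("%s\n", decode_err(as_32bit_ulong(-1)));
    /* SSL_get_error()'s result decodes to library 0, reason 1: meaningless,
     * which is the mix-up the poster suspected in the first message. */
    printf("%s\n", decode_err(EX_SSL_ERROR_SSL));
    return 0;
}
```

Build with `cc -Wall` and run; the first two lines match the thread's output field for field. The practical rule the last line illustrates: the value from SSL_get_error() selects the branch of a switch, while only values popped with ERR_get_error() are meaningful input to ERR_error_string().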

Lutz Jaenicke

Mar 7, 2001, 7:33:44 AM
On Wed, Mar 07, 2001 at 11:19:28AM -0000, Toby Shepheard wrote:
> Small update:
>
> I got the proper error response working now (it was getting a bit late
> yesterday, my brain obviously wasn't in top gear!), and it is as follows:
>
> error:140840FF:SSL routines:SSL3_CONNECT:unknown state
>
> Does this help anyone or provide any further indications of the problem?
> What could cause an unknown state?

Your problem shows that the SSL object is not correctly initialized.
* I assume that we are talking about a recent version of OpenSSL.
(Old versions (before 0.9.3?) required SSL_set_connect_state() before
SSL_connect().)
* You want to perform a SSL_connect() with SSLv3 only (indicated by
SSL3_CONNECT).
* You have initialized the SSL_CTX with a SSLv3_client_method (or a
generic SSLv3_method) or a SSLv23 method with SSL_OP_NO_* options
set.
* You are not reusing an old SSL object that was already used once and
not cleared with SSL_clear()?

Please check out all of these points first.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.J...@aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

Toby Shepheard

Mar 7, 2001, 9:37:16 AM
Comments inserted below...

> -----Original Message-----
> From: owner-ope...@openssl.org
> [mailto:owner-ope...@openssl.org]On Behalf Of Lutz Jaenicke
> Sent: 07 March 2001 12:32
> To: openss...@openssl.org
> Subject: Re: SSL_ERROR_SSL generated in SSL_connect
>
>
> On Wed, Mar 07, 2001 at 11:19:28AM -0000, Toby Shepheard wrote:
> > Small update:
> >
> > I got the proper error response working now (it was getting
> a bit late
> > yesterday, my brain obviously wasn't in top gear!), and it
> is as follows:
> >
> > error:140840FF:SSL routines:SSL3_CONNECT:unknown state
> >
> > Does this help anyone or provide any further indications of
> the problem?
> > What could cause an unknown state?
>
> Your problem shows that the SSL object is not correctly initialized.
>
> * I assume that we are talking about a recent version of OpenSSL.
> (Old versions (before 0.9.3?) required
> SSL_set_connect_state() before
> SSL_connect().)

I am using OpenSSL 0.9.6, 24 Sep 2000.
The server is Apache 1.3.17 with mod_ssl2.8.0-1.3.17


> * You want to perform a SSL_connect() with SSLv3 only (indicated by
> SSL3_CONNECT).

Yes

> * You have initialized the SSL_CTX with a SSLv3_client_method (or a
> generic SSLv3_method) or a SSLv23 method with SSL_OP_NO_* options
> set.

//Is this ok? I'm using the generic SSLv3_method
meth=SSLv3_method();
ctx=SSL_CTX_new(meth);

> * You are not reusing an old SSL object that was already used once and
> not cleared with SSL_clear()?

// The SSL object should be new (iSocket comes from TCP connect statement earlier)


ssl = SSL_new(ctx);
err = SSL_set_fd(ssl, iSocket);

err = SSL_connect(ssl);

> Please check out all of these points first.

They seem ok to me. Thanks for the pointers though - any more ideas?

Thanks,
Toby

Lutz Jaenicke

Mar 7, 2001, 11:40:07 AM
On Wed, Mar 07, 2001 at 02:32:08PM -0000, Toby Shepheard wrote:
> //Is this ok? I'm using the generic SSLv3_method
> meth=SSLv3_method();
> ctx=SSL_CTX_new(meth);
>
> > * You are not reusing an old SSL object that was already used once and
> > not cleared with SSL_clear()?
>
> // The SSL object should be new (iSocket comes from TCP connect statement
> earlier)
> ssl = SSL_new(ctx);
> err = SSL_set_fd(ssl, iSocket);
> err = SSL_connect(ssl);
>
> > Please check out all of these points first.
>
> They seem ok to me. Thanks for the pointers though - any more ideas?
Doesn't look bad. I did dig through the source a bit and it seems that
for a generic method, the SSL is initialized for "server" (accept) state.
Could you please insert a SSL_set_connect_state() just before the
SSL_connect()? From reading the source I would expect it to help
(and to lead to more work for me, because this must go into the manual
pages :-)

Best regards,
Lutz
--
Lutz Jaenicke Lutz.J...@aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

Toby Shepheard

Mar 7, 2001, 12:48:12 PM
Lutz,

You're the best :-)

SSL_set_connect_state() did the trick. I've got some other problems now, but
hopefully I can iron them out myself. I can't say I understand why it worked
as a plain old C executable, but not in Vignette as a .so, but it's now
working fine in both.

Cheers!
Toby
