Can't get SSL error information

[Bill Rebey]

Hi All.

I can't get any error information out of OpenSSL. For example, when I run
this code sequence, which has a SSL_write() call that fails:

SSL_load_error_strings();
ERR_load_ERR_strings();
OpenSSL_add_ssl_algorithms ();
...
...
// This fails...
iRetVal = SSL_write (_psslConnection, (char *)pvBuf, iSize);
if (iRetVal == SOCKET_ERROR)
{
int iSSLErrno = SSL_get_error (_psslConnection, iRetVal);
printf ("SSL Error is: '%s'\n",
ERR_error_string(iSSLErrno,NULL)); // <<<DOESN'T WORK!
}

I get only the following output:

SSL Error is: 'error:00000001:lib(0):func(0):reason(1)'

How can I get meaningful error information out of OpenSSL? What am I doing
wrong?

Any help would be appreciated!

Bill Rebey

======================= Confidentiality Statement =======================
The information contained in this message and any attachments is
intended only for the use of the individual or entity to which it is
addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL
and exempt from disclosure under applicable law. If you have received
this message in error, you are prohibited from copying, distributing, or
using the information. Please contact the sender immediately by return
e-mail and delete the original message from your system.
===================== End Confidentiality Statement =====================

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

[Lutz Jaenicke]

On Fri, Aug 10, 2001 at 04:00:12PM -0400, Bill Rebey wrote:
> I can't get any error information out of OpenSSL. For example, when I run
> this code sequence, which has a SSL_write() call that fails:
>
> SSL_load_error_strings();
> ERR_load_ERR_strings();
> OpenSSL_add_ssl_algorithms ();
> ...
> ...
> // This fails...
> iRetVal = SSL_write (_psslConnection, (char *)pvBuf, iSize);
> if (iRetVal == SOCKET_ERROR)
> {
> int iSSLErrno = SSL_get_error (_psslConnection, iRetVal);
> printf ("SSL Error is: '%s'\n",
> ERR_error_string(iSSLErrno,NULL)); // <<<DOESN'T WORK!
> }
>
> I get only the following output:
>
> SSL Error is: 'error:00000001:lib(0):func(0):reason(1)'
>
> How can I get meaningful error information out of OpenSSL? What am I doing
> wrong?

You misunderstood the use of SSL_get_error() and ERR_error_string().
SSL_get_error() will return the error state of the actual SSL object
(see man SSL_get_error()). If a hard error was found (like SSL_ERROR_SSL)
then you will find the detailed error information by calling ERR_get_error().
The return value of ERR_get_error() is what you have to pass to
ERR_error_string().

Best regards,
Lutz
--
Lutz Jaenicke Lutz.J...@aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

[Bill Rebey]

Thanks for giving me a clue! Got that working.

However, the error "information" isn't informative at all. The only error
on the stack is:

'error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure'

Well, I kind of assumed THAT! What I want to know is WHY it failed. Where
does it tell me what went wrong? Could they not agree on a cipher? Was a
certificate or key missing or something like that? Was something wrong with
authentication?

How do I know why the two sides didn't connect?

Thanks again for the help,

Bill Rebey

======================= Confidentiality Statement =======================

The information contained in this message and any attachments is
intended only for the use of the individual or entity to which it is
addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL
and exempt from disclosure under applicable law. If you have received
this message in error, you are prohibited from copying, distributing, or
using the information. Please contact the sender immediately by return
e-mail and delete the original message from your system.
===================== End Confidentiality Statement =====================

[Lutz Jaenicke]

On Sun, Aug 12, 2001 at 11:46:04PM -0400, Bill Rebey wrote:
> However, the error "information" isn't informative at all. The only error
> on the stack is:
>
> 'error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure'
>
> Well, I kind of assumed THAT! What I want to know is WHY it failed. Where
> does it tell me what went wrong? Could they not agree on a cipher? Was a
> certificate or key missing or something like that? Was something wrong with
> authentication?
>
> How do I know why the two sides didn't connect?

I don't know :-)

The error you hit is not very informative, indeed. It is flagged when
the handhake_func returns 0 (but not a negative value to indicate
error!?). I would therefore _guess_ that the peer has closed the connection.
Did you try ssldump?

[Greg Stark]

www.rtfm.com/ssldump

====================
Greg Stark
ghs...@pobox.com
====================

----- Original Message -----
From: "Bill @ Rebey.com" <Bi...@Rebey.com>
To: <openss...@openssl.org>
Sent: Monday, August 13, 2001 12:35 PM
Subject: RE: Can't get SSL error information

> No, I haven't tried ssldump. What is it? Is it a utility? A build
option?
> A function that I can call? What's it do?

>
>
> -----Original Message-----
> From: owner-ope...@openssl.org
> [mailto:owner-ope...@openssl.org] On Behalf Of Lutz Jaenicke
> Sent: Monday, August 13, 2001 9:19 AM
> To: openss...@openssl.org
> Subject: Re: Can't get SSL error information
>

[Eric Rescorla]

"Bill @ Rebey.com" <Bi...@Rebey.com> writes:
> No, I haven't tried ssldump. What is it? Is it a utility? A build option?
> A function that I can call? What's it do?

It's an SSL protocol sniffer. See http://www.rtfm.com/ssldump

-Ekr

[t...@cccsoft.com]

I am trying to install openssl-0.9.6b onto a Linux REDHAT 7.1 server.
This is my first install of openssl-0.9.6b on REDHAT 7.1 . ON REDHAT 6.4
openssl-0.9.6b works just fine.

All seems to go fine with install and creating key/csr/crt files.

when testing for operation with the command:

openssl s_client -debug -state -connect localhost:443 -ssl3

The following output is recieved:

CONNECTED(00000003)

SSL_connect:before/connect initialization

write to 08154620 [0815E3D8] (90 bytes => 90 (0x5A))

0000 - 16 03 00 00 55 01 00 00-51 03 00 3b 74 1b 19 f3 ....U...Q..;t...

0010 - 69 21 6d 34 cf 24 61 d0-c4 89 d1 f4 cd ee e4 e6 i!m4.$a.........

0020 - c1 f4 fc 9c b8 e5 d7 5b-55 83 ca 00 00 2a 00 16 .......[U....*..

0030 - 00 13 00 0a 00 66 00 07-00 05 00 04 00 65 00 64 .....f.......e.d

0040 - 00 63 00 62 00 61 00 60-00 15 00 12 00 09 00 14 .c.b.a.`........

0050 - 00 11 00 08 00 06 00 03-01 .........

005a - <SPACES/NULS>

SSL_connect:SSLv3 write client hello A

read from 08154620 [08159BC8] (5 bytes => 5 (0x5))

0000 - 3c 21 44 4f 43 <!DOC

write to 08154620 [08163C60] (7 bytes => 7 (0x7))

0000 - 15 21 44 00 02 02 28 .!D...(

SSL3 alert write:fatal:handshake failure

SSL_connect:error in SSLv3 read server hello A

22796:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:
279:

When testing with the command:

openssl s_client -debug -state -connect localhost:443 -ssl2

The following output is received (the command hangs after presenting the
last line)

CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 08164348 [0815B511] (51 bytes => 51 (0x33))
0000 - 80 31 01 00 02 00 18 00-00 00 10 07 00 c0 05 00 .1..............
0010 - 80 03 00 80 01 00 80 08-00 80 06 00 40 04 00 80 ............@...
0020 - 02 00 80 84 7f 3f 80 d3-f2 f9 c9 e4 18 85 0c a0 .....?..........
0030 - 9e 1e fb ...
SSL_connect:SSLv2 write client hello A

Any assistance will be greatly appreciated..

Tim Blanchette
----------------------------------------------------
Technical Operation/Web Development
Christensen Computer Company
www.cccsoft.com

[Bill @ Rebey.com]

No, I haven't tried ssldump. What is it? Is it a utility? A build option?
A function that I can call? What's it do?

[Bill @ Rebey.com]

Is there anywhere to get an ssldump binary for WinNT?

-----Original Message-----
From: owner-ope...@openssl.org
[mailto:owner-ope...@openssl.org] On Behalf Of Eric Rescorla
Sent: Monday, August 13, 2001 12:59 PM
To: openss...@openssl.org
Subject: Re: Can't get SSL error information

"Bill @ Rebey.com" <Bi...@Rebey.com> writes:

> No, I haven't tried ssldump. What is it? Is it a utility? A build
option?
> A function that I can call? What's it do?

It's an SSL protocol sniffer. See http://www.rtfm.com/ssldump

-Ekr

[Eric Rescorla]

"Bill @ Rebey.com" <Bi...@Rebey.com> writes:
> Is there anywhere to get an ssldump binary for WinNT?

Not that I know of. If someone has done a port I'd love
to have a copy.

[Lutz Jaenicke]

On Mon, Aug 13, 2001 at 09:41:38AM -0700, t...@cccsoft.com wrote:
> openssl s_client -debug -state -connect localhost:443 -ssl3
>
> The following output is recieved:

> SSL_connect:SSLv3 write client hello A
>
> read from 08154620 [08159BC8] (5 bytes => 5 (0x5))
>
> 0000 - 3c 21 44 4f 43 <!DOC
>
> write to 08154620 [08163C60] (7 bytes => 7 (0x7))
>
> 0000 - 15 21 44 00 02 02 28 .!D...(
>
> SSL3 alert write:fatal:handshake failure
>
> SSL_connect:error in SSLv3 read server hello A
>
> 22796:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:

The answer is quite obvious: your webserver on port 443 is serving
http answers: <!DOC... You seem to have a configuration problem with
you webserver.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.J...@aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153