Bodo Moeller wrote:
> 
> So the callbacks that you mentioned are callbacks on an other level of
> the program, not callbacks set inside the OpenSSL library, right?
Yep, this is correct.

> I thought at first that you were using callbacks inside the BIO
> sub-library.
> 
> > A little more info... [snip]
> 
> Note that SSL_write does not always just want to write data, sometimes
> select() for readable data is called for (during a handshake, which
> the peer can request at any time [renegotiation]).  SSL_get_error is
> one possibility to find out what to do -- see apps/s_client.c, for
> example.  Similarly, SSL_accept does not always just want to read (but
> the written data won't be so much that a blocking write would really
> have to be expected).
> 
> And I finally found the cause of your problem: You call
> BIO_sock_should_retry with the return value of SSL_accept.  You should
> not do that, the BIO library already has done that when BIO_read and
> BIO_write were called by the SSL library.  The result is stored inside
> the BIO structure, from where the SSL library can obtain it (through
> the BIO_should_read/write macros) when SSL_get_error is called; and
> SSL_get_error is what you should use in your program.

Thanks for your help, I'd love to report this was the problem, but
unfortunately not. Here's the code I've added:

if (!ssl->in_handshake)
{
  int acceptval = SSL_accept(ssl);

  switch (SSL_get_error(ssl, acceptval))
  {
  case SSL_ERROR_NONE:
  case SSL_ERROR_WANT_WRITE:
  case SSL_ERROR_WANT_READ:
  case SSL_ERROR_WANT_CONNECT:
  case SSL_ERROR_WANT_X509_LOOKUP:
    // need to do the accept again, so return
    // to the eventloop
    break;
  case SSL_ERROR_SYSCALL:
  case SSL_ERROR_SSL:
  case SSL_ERROR_ZERO_RETURN:
    // handshake failed, drop connection and print SSL error
    break;
  }
}

I also used SSL_do_handshake() in place of SSL_accept to see if this
made any difference, but alas no.

I still have two parts to the handshake: the first generates an
SSL_ERROR_WANT_READ and we return to the eventloop; when a read event
happens SSL_accept is called again, and this generates SSL_ERROR_SSL. When
looking at this with ERR_reason_error_string(ERR_get_error()) I get the
now familiar message "digest check failed".

This is the behaviour I experienced when using BIO_should_retry().

I've included at the end of this message the debug output I get from
running s_client in debug mode (again, everything is fine when the
socket is blocking). I'm not sure if this is any help at all.

Thanks for the help, it's much appreciated

Sarah



ssleay s_client -connect exeter:5336 -debug
CONNECTED(00000004)
write to 001281E8 [0012A600] (109 bytes => 109 (0x6D))
0000 - 80 6b 01 03 00 00 42 00-00 00 20 00 00 05 00 00   .k....B... .....
0010 - 04 00 00 16 00 00 13 00-00 0a 00 00 07 00 00 15   ................
0020 - 00 00 12 00 00 09 08 00-80 07 00 c0 06 00 40 05   ..............@.
0030 - 00 80 03 00 80 01 00 80-00 00 14 00 00 11 00 00   ................
0040 - 08 00 00 06 00 00 03 04-00 80 02 00 80 b0 98 4a   ...............J
0050 - 54 ab 23 3e f1 2a 32 63-38 1a 99 3f a1 3a d1 93   T.#>.*2c8..?.:..
0060 - e4 75 00 29 d7 7f 2c 3f-2c ff a6 76 79            .u.)..,?,..vy
read from 001281E8 [0012FB60] (7 bytes => 7 (0x7))
0000 - 16 03 00 00 4a 02                                 ....J.
0007 - <SPACES/NULS>
read from 001281E8 [0012FB67] (72 bytes => 72 (0x48))
0000 - 00 46 03 00 37 78 af fb-63 9b 54 27 54 8c 5d 0e   .F..7x..c.T'T.].
0010 - 49 ab 9b 9c 98 90 60 8c-38 f4 b8 7c a0 1a 45 09   I.....`.8..|..E.
0020 - dc 73 d4 58 20 07 37 56-25 e2 f6 e1 bc 66 1e 68   .s.X .7V%....f.h
0030 - 78 6b 82 e5 76 c0 d2 38-1d 4b 60 2f c5 93 3b ff   xk..v..8.K`/..;.
0040 - 73 0a a1 ea 16 00 03                              s......
0048 - <SPACES/NULS>
read from 001281E8 [0012FB60] (5 bytes => 5 (0x5))
0000 - 16 03 00 02 b0                                    .....
read from 001281E8 [0012FB65] (688 bytes => 688 (0x2B0))
0000 - 0b 00 02 ac 00 02 a9 00-02 a6 30 82 02 a2 30 82   ..........0...0.
0010 - 02 0b a0 03 02 01 02 02-02 01 7f 30 0d 06 09 2a   ...........0...*
0020 - 86 48 86 f7 0d 01 01 04-05 00 30 81 94 31 0b 30   .H........0..1.0
0030 - 09 06 03 55 04 06 13 02-47 42 31 17 30 15 06 03   ...U....GB1.0...
0040 - 55 04 08 13 0e 43 61 6d-62 72 69 64 67 65 73 68   U....Cambridgesh
0050 - 69 72 65 31 12 30 10 06-03 55 04 07 13 09 43 61   ire1.0...U....Ca
0060 - 6d 62 72 69 64 67 65 31-0c 30 0a 06 03 55 04 0a   mbridge1.0...U..
0070 - 13 03 53 43 4f 31 0c 30-0a 06 03 55 04 0b 13 03   ..SCO1.0...U....
0080 - 43 49 44 31 1d 30 1b 06-03 55 04 03 13 14 53 61   CID1.0...U....Sa
0090 - 72 61 68 27 73 20 55 4e-43 48 41 49 4e 45 44 20   rah's UNCHAINED 
00a0 - 43 41 31 1d 30 1b 06 09-2a 86 48 86 f7 0d 01 09   CA1.0...*.H.....
00b0 - 01 16 0e 73 61 72 61 68-67 40 73 63 6f 2e 63 6f   [EMAIL PROTECTED]
00c0 - 6d 30 1e 17 0d 39 39 30-36 32 31 31 36 34 37 35   m0...99062116475
00d0 - 33 5a 17 0d 30 31 30 32-31 30 31 36 34 37 35 33   3Z..010210164753
00e0 - 5a 30 81 81 31 0b 30 09-06 03 55 04 06 13 02 47   Z0..1.0...U....G
00f0 - 42 31 17 30 15 06 03 55-04 08 13 0e 43 61 6d 62   B1.0...U....Camb
0100 - 72 69 64 67 65 73 68 69-72 65 31 0c 30 0a 06 03   ridgeshire1.0...
0110 - 55 04 0a 13 03 53 43 4f-31 0c 30 0a 06 03 55 04   U....SCO1.0...U.
0120 - 0b 13 03 43 49 44 31 1e-30 1c 06 03 55 04 03 13   ...CID1.0...U...
0130 - 15 65 78 65 74 65 72 2e-65 75 72 6f 70 65 2e 73   .exeter.europe.s
0140 - 63 6f 2e 63 6f 6d 31 1d-30 1b 06 09 2a 86 48 86   co.com1.0...*.H.
0150 - f7 0d 01 09 01 16 0e 73-61 72 61 68 67 40 73 63   .......sarahg@sc
0160 - 6f 2e 63 6f 6d 30 5c 30-0d 06 09 2a 86 48 86 f7   o.com0\0...*.H..
0170 - 0d 01 01 01 05 00 03 4b-00 30 48 02 41 00 bd e0   .......K.0H.A...
0180 - 9f 96 10 54 16 10 e6 63-e8 c8 f6 2f 8b 20 37 5b   ...T...c.../. 7[
0190 - 81 4c 80 b0 35 0c 53 e2-bd f2 73 88 ba b0 31 3b   .L..5.S...s...1;
01a0 - 31 5b 9a 73 26 fd 11 75-b4 96 7b e2 0d 95 96 a6   1[.s&..u..{.....
01b0 - 56 d7 7b be ac a3 9d ed-fd 1e 48 7d 1d 07 02 03   V.{.......H}....
01c0 - 01 00 01 a3 58 30 56 30-32 06 09 60 86 48 01 86   ....X0V02..`.H..
01d0 - f8 42 01 04 04 25 16 23-68 74 74 70 3a 2f 2f 77   .B...%.#http://w
01e0 - 77 77 2e 63 72 79 70 74-73 6f 66 74 2e 63 6f 6d   ww.cryptsoft.com
01f0 - 2f 63 61 2d 63 72 6c 2e-70 65 6d 30 20 06 09 60   /ca-crl.pem0 ..`
0200 - 86 48 01 86 f8 42 01 0d-04 13 16 11 54 68 69 73   .H...B......This
0210 - 20 69 73 20 61 20 63 6f-6d 6d 65 6e 74 30 0d 06    is a comment0..
0220 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 03 81 81 00   .*.H............
0230 - 1f f3 ef e3 43 90 35 11-fe 8d dc 45 8e f6 8c 8c   ....C.5....E....
0240 - f0 1b fc b3 38 71 9c ac-53 d7 c6 e9 fa 94 dc 76   ....8q..S......v
0250 - 08 0a 09 db 38 5a 76 99-7a fe 06 38 13 44 84 84   ....8Zv.z..8.D..
0260 - 25 ff 0d ea cb 64 0a 14-67 c9 24 4b 37 bb f0 f2   %....d..g.$K7...
0270 - 3f 36 b7 20 e4 88 88 17-9d 95 c1 ed 8c 41 0e ab   ?6. .........A..
0280 - 94 1f 2b 12 9d 3c 97 6e-17 93 d2 d5 b4 e6 ee d9   ..+..<.n........
0290 - 91 d5 d7 ad c2 38 66 e6-1a 1d 58 44 84 a6 69 4c   .....8f...XD..iL
02a0 - ba d4 3f 79 cd b2 4b e1-b9 f4 6c f3 24 96 31 85   ..?y..K...l.$.1.
depth=0
[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
read from 001281E8 [0012FB60] (5 bytes => 5 (0x5))
0000 - 16 03 00 00 04                                    .....
read from 001281E8 [0012FB65] (4 bytes => 4 (0x4))
0000 - 0e                                                .
0004 - <SPACES/NULS>
write to 001281E8 [00138B80] (73 bytes => 73 (0x49))
0000 - 16 03 00 00 44 10 00 00-40 8e 58 5d 42 81 8f 33   ....D...@.X]B..3
0010 - 5a 88 52 bf 4b 29 e4 1d-c0 09 24 6a 9c 8d 03 8d   Z.R.K)....$j....
0020 - 5c cd 9d 36 66 f9 dd 97-65 42 36 06 3b c6 48 e0   \..6f...eB6.;.H.
0030 - 82 db d1 ff 67 6f 60 60-80 67 fc e7 83 b0 2d 30   ....go``.g....-0
0040 - fa c2 ab 31 84 29 f4 5f-39                        ...1.)._9
write to 001281E8 [00138B80] (6 bytes => 6 (0x6))
0000 - 14 03 00 00 01 01                                 ......
write to 001281E8 [00138B80] (61 bytes => 61 (0x3D))
0000 - 16 03 00 00 38 4d 75 2b-49 ff 1a 7b 2f fb 92 6f   ....8Mu+I..{/..o
0010 - 22 93 66 56 d4 8c fb fc-de ef 1f 23 2e a5 57 d2   ".fV.......#..W.
0020 - 30 cc ba 43 00 a3 b1 9a-3f 6a aa 26 43 d7 3e 2a   0..C....?j.&C.>*
0030 - 90 17 58 22 43 f6 9d 49-6b 0d ef b1 ae            ..X"C..Ik....
read from 001281E8 [0012FB60] (5 bytes => 5 (0x5))
0000 - 15 03 00 00 02                                    .....
read from 001281E8 [0012FB65] (2 bytes => 2 (0x2))
0000 - 02 2f                                             ./
28537:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:761
28537:error:140790DB:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:222


-- 
     Have you seen the fnords?
Sarah Bateman([EMAIL PROTECTED]), Software Engineer
Client Integration Development, SCO, Vision Park, Cambridge
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
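The non-blocking accept discipline Bodo describes above (call the handshake, ask SSL_get_error what it is waiting for, return to select(), call the handshake again), as an added example that is not part of the original thread and not OpenSSL's or the poster's own code. It uses Python's ssl module, which wraps OpenSSL and raises SSLWantReadError / SSLWantWriteError directly from the SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE results of SSL_get_error(), so the loop has the same shape as the C event-loop code quoted earlier. The anonymous-ECDH lab context, the socketpair transport and the function names are assumptions of the example, chosen so that it runs offline without generating a certificate.

```python
"""Driving a non-blocking TLS accept from a select() loop.

Added example, not code from the original thread.  Python's ssl module wraps
OpenSSL: SSLSocket.do_handshake() calls SSL_do_handshake(), and when
SSL_get_error() reports SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE the module
raises ssl.SSLWantReadError / ssl.SSLWantWriteError.
"""
import select
import socket
import ssl


def lab_context(server_side):
    """Constructed lab configuration (an assumption of this example): anonymous
    ECDH on TLS 1.2 so the handshake runs offline with no certificate at all.
    aNULL suites authenticate nobody and SECLEVEL=0 switches off OpenSSL's
    minimum-strength checks, so this context is only for a self-test."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no anonymous suites
    ctx.set_ciphers("aNULL:@SECLEVEL=0")
    return ctx


def drive_handshakes(sides, timeout=5.0):
    """Complete the handshake of every SSLSocket in `sides` (name -> socket)
    from a single select() loop.

    Returns a list of (name, state) events with state "read", "write" or
    "done": the SSL_get_error() outcome after each handshake call.  The
    accepting side is not assumed to only ever read; if it reports "write"
    (socket buffer full while it sends its flight) it is re-driven once the
    socket is writable.  Fatal results (SSL_ERROR_SSL, SSL_ERROR_SYSCALL)
    surface as ssl.SSLError / OSError and propagate to the caller.
    """
    pending = dict(sides)   # name -> socket whose handshake is not finished
    waiting = {}            # name -> "read" | "write" while blocked on I/O
    events = []
    while pending:
        # Step every side that is not currently blocked waiting for the peer.
        for name in list(pending):
            if name in waiting:
                continue
            try:
                pending[name].do_handshake()
            except ssl.SSLWantReadError:       # SSL_ERROR_WANT_READ
                waiting[name] = "read"
                events.append((name, "read"))
            except ssl.SSLWantWriteError:      # SSL_ERROR_WANT_WRITE
                waiting[name] = "write"
                events.append((name, "write"))
            else:                              # SSL_ERROR_NONE: handshake done
                del pending[name]
                events.append((name, "done"))
        if not pending:
            break
        rlist = [pending[n] for n, w in waiting.items() if w == "read"]
        wlist = [pending[n] for n, w in waiting.items() if w == "write"]
        readable, writable, _ = select.select(rlist, wlist, [], timeout)
        ready = set(readable) | set(writable)
        if not ready:
            raise TimeoutError("handshake stalled: no side became ready")
        # A side whose socket is ready gets do_handshake() called again on the
        # next pass; the others keep waiting for the event they asked for.
        for name in list(waiting):
            if pending[name] in ready:
                del waiting[name]
    return events


def tls_roundtrip(payload=b"ping over tls"):
    """Handshake two non-blocking sockets against each other, then send
    `payload` from client to server.  Returns (handshake events, bytes read)."""
    raw_server, raw_client = socket.socketpair()   # constructed transport
    for s in (raw_server, raw_client):
        s.setblocking(False)
    server = lab_context(True).wrap_socket(
        raw_server, server_side=True, do_handshake_on_connect=False)
    client = lab_context(False).wrap_socket(
        raw_client, server_side=False, do_handshake_on_connect=False)
    try:
        events = drive_handshakes({"server": server, "client": client})
        client.sendall(payload)        # small payload: fits the socket buffer
        received = b""
        while len(received) < len(payload):
            try:                       # SSL_read follows the same WANT_* rule
                chunk = server.recv(len(payload) - len(received))
            except ssl.SSLWantReadError:
                select.select([server], [], [], 5.0)
                continue
            if not chunk:
                raise ConnectionError("peer closed during transfer")
            received += chunk
        return events, received
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    evts, data = tls_roundtrip()
    for name, state in evts:
        print(f"{name:6s} -> {state}")
    print("received:", data)
```

The first call on the accepting side always reports "read" (no ClientHello has arrived yet), and the loop never calls the handshake again until select() says the socket is ready for the event that was requested; that is the behaviour the quoted reply asks for in place of testing BIO_sock_should_retry on the SSL_accept return value. A failure inside OpenSSL (what SSL_get_error would report as SSL_ERROR_SSL) arrives here as an ssl.SSLError carrying the library's reason string, which is where a message like the "digest check failed" one in the thread would show up.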
