Thanks, Marek, for the quick response that cleared all my doubts.

On 6/1/07, Marek Marcola <[EMAIL PROTECTED]> wrote:
Hello,
> I have an SSL server that uses Openssl 9.7e. It works fine initially
> but after a bit of load (like 200+ connections), lots of SSL handshake
> failures occur. The failure reason given is SSL_ERROR_SSL and the
> string received is
>
> error:140730FF:lib(20):func(115):reason(255):.\ssl\s23_srvr.c:227
>
> On looking in the openssl code, the error is
> SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE);
>
> This error is not coming for initial connections but after some time.
>
> I am not new'ing and deleting SSL objects but maintaining a pool of SSL
> objects that are reused after an SSL_clear call. Do we need to do
> anything else apart from SSL_clear before using SSL objects?
>
> I debugged more and it appears that when an SSL object is used for the
> first time, its variables "state" and "rstate" have values 24576 and 240.
> When I free this using SSL_free and SSL_new, then again the state and
> rstate have the same values and there is no problem in SSL_accept.
>
> But when I try not to SSL_free the object and reuse that, then it's a
> problem. The state=8576 and rstate=240 and I got this error in the
> error string
> error:140730FF:lib(20):func(115):reason(255):.\ssl\s23_srvr.c:227
>
> Can someone please let me know why SSL_clear is not working or I am
> doing some other mistake.

$ man SSL_clear
....
WARNINGS
       SSL_clear() resets the SSL object to allow for another connection.
       The reset operation however keeps several settings of the last
       sessions (some of these settings were made automatically during the
       last handshake). It only makes sense when opening a new session (or
       reusing an old one) with the same peer that shares these settings.
       SSL_clear() is not a short form for the sequence SSL_free(3);
       SSL_new(3);
....

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
