Are you appropriately calling SSL_clear() after your connection is shut down?

-Kyle H

On Mon, Apr 27, 2009 at 3:08 PM, Dave Thompson
<dave.thomp...@princetonpayments.com> wrote:
>>       From: owner-openssl-us...@openssl.org On Behalf Of Prokash Sinha
>>       Sent: Friday, 24 April, 2009 16:45
>
>>       I'm trying to understand why this following code is failing
>> the second or third time... Is it a good way ( meaning first accept()
>> without ssl, then do those association, then SSL_Accept() ) ----
>
> Yes this is the (or at least a) correct sequence.
>
> By 'second or third [fails]' I guess you mean it always works for
> the first connection in a given server process?
>
> Code trimmed to vital bits because I'm having to quote by hand:
>
>>       sock = accept (tls_socket,  (struct sockaddr *) &sa, &slen);
>
>>                   if (!SSL_CTX_check_private_key (ssl_ctx)) ...error...
>>                   ssl = SSL_new (ssl_ctx);
>>                   if (ssl==NULL) ...error...
>>                   if (!SSL_check_private_key (ssl)) ...error...
>
> Aside: there should be no need to check_private_key if it was set from
> a valid source in the first place, and definitely no need to check it
> in an SSL if the parent CTX was just good. But it should do no harm.
>
>>                   sbio = BIO_new_socket (sock, BIO_NOCLOSE);
>>                   if (sbio == NULL) ...error...
>>                   SSL_set_bio (ssl, sbio, sbio); /* cannot fail */
>>                   i = SSL_accept (ssl); /** <<<<< here is the error ***>>>
>>                   if (i<=0)
>>                   {
>>                       TRACE (trace (__FILE__, __LINE__, ERROR, NULL,
>>                           "***SSL_accept() call failed\n"));
>>                       i = SSL_get_error (ssl, i);
>>                       print_ssl_error (i);
>
> This gives only a high-level error (as you saw). In general
> for more detailed info on an OpenSSL error, call ERR_get_error
> and print the value returned (preferably in hex), or better
> (assuming you've loaded error strings) the string provided by
> ERR_error_string for that value. Best, do this in a loop until
> you get zero, as there may be multiple codes for one problem.
>
> But you indicate a problem only occurs on non-first connections.
> How does your server handle multiple connections: Do you use threads?
> Do you fork child processes? Do you just do one connection (for one
> client) to completion before looking to accept() another? If threads,
> are any of the variables shared? Is it possible you are clobbering
> some memory during one connection that affects another(s)? Are you
> leaving file(s) or other resources open that might cause a conflict?
> (Although unless you're using client authentication against CApath,
> which is rare, I can't think offhand of any that would break SSL_accept.)
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>