Are you appropriately calling SSL_clear() after your connection is shut down?
-Kyle H

On Mon, Apr 27, 2009 at 3:08 PM, Dave Thompson <dave.thomp...@princetonpayments.com> wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Prokash Sinha
>> Sent: Friday, 24 April, 2009 16:45
>
>> I'm trying to understand why this following code is failing
>> the second or third time... Is it a good way ( meaning first accept()
>> without ssl, then do those associations, then SSL_Accept() ) ----
>
> Yes this is the (or at least a) correct sequence.
>
> By 'second or third [fails]' I guess you mean it always works for
> the first connection in a given server process?
>
> Code trimmed to vital bits because I'm having to quote by hand:
>
>> sock = accept (tls_socket, (struct sockaddr *) &sa, &slen);
>
>> if (!SSL_CTX_check_private_key (ssl_ctx)) ...error...
>> ssl = SSL_new (ssl_ctx);
>> if (ssl==NULL) ...error...
>> if (!SSL_check_private_key (ssl)) ...error...
>
> Aside: there should be no need to check_private_key if it was set from
> a valid source in the first place, and definitely no need to check it
> in an SSL if the parent CTX was just good. But it should do no harm.
>
>> sbio = BIO_new_socket (sock, BIO_NOCLOSE);
>> if (sbio == NULL) ...error...
>> SSL_set_bio (ssl, sbio, sbio); /* cannot fail */
>> i = SSL_accept (ssl); /** <<<<< here is the error ***>>>
>> if (i<=0)
>> {
>>     TRACE (trace (__FILE__, __LINE__, ERROR, NULL,
>>            "***SSL_accept() call failed\n"));
>>     i = SSL_get_error (ssl, i);
>>     print_ssl_error (i);
>
> This gives only a high-level error (as you saw). In general
> for more detailed info on an OpenSSL error, call ERR_get_error
> and print the value returned (preferably in hex), or better
> (assuming you've loaded error strings) the string provided by
> ERR_error_string for that value. Best, do this in a loop until
> you get zero, as there may be multiple codes for one problem.
>
> But you indicate a problem only occurs on non-first connections.
> How does your server handle multiple connections: Do you use threads?
> Do you fork child processes? Do you just do one connection (for one
> client) to completion before looking to accept() another? If threads,
> are any of the variables shared? Is it possible you are clobbering
> some memory during one connection that affects another(s)? Are you
> leaving file(s) or other resources open that might cause a conflict?
> (Although unless you're using client authentication against CApath,
> which is rare, I can't think offhand of any that would break SSL_accept.)
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org