> From: [email protected] On Behalf Of Kyle Hamilton
> Sent: Friday, 18 September, 2009 15:07
> Once you receive SSL_ERROR_SSL, the next step is to use
> ERR_get_error(3ssl) to figure out what the specific SSL error was.
> Before you do this, you should call ERR_load_crypto_strings(3ssl) and
> SSL_load_error_strings(3ssl) so that you can get the full
> string; if you don't, you'll get a hexadecimal code, which
> you can feed to 'openssl errstr [code]' and it'll tell you
> what the code actually means. (errstr(1)).
>
Mostly right. SSL_load_ is enough (does both ERR_load_{crypto,SSL}_).
(And to be specific, it's usually best to do it once at startup.)
If you use ERR_get_error and ERR_error_string etc. you should
loop until you get 0 because there may be more than one code.
Or if you have an output C file (or BIO) available you can
just call ERR_print_errors[_fp] (one routine, once, simpler).
(And if the functions are in man/3ssl, errstr is in 1ssl.)
> It's *entirely* possible that the return of ERR_get_error()
> will be SSL_WANT_READ or SSL_WANT_WRITE. If this is the case, call
Wrong. SSL_ERROR_WANT_* are returns from SSL_get_error *instead of*
SSL_ERROR_SSL, not from ERR_get_error in addition to it.
> SSL_Connect() again with *exactly the same parameters*.
> Preferably, don't even move them in memory, just call it with
> the same pointers and everything. (Really,
That's important for the data to/from _read and _write, or
at least it was -- there was some discussion of changing it.
But there is no data for _connect.
> SSL_WANT_{(read|write)} could have been consolidated, since
> from the application developer's view it's exactly the same
> diagnostic and required action: call the last SSL function
> you called, with exactly the same parameters. <snip>
Not really; you can and usually should wait for the socket
to be readable or writable respectively before you call again,
and that differs, albeit often only one bit in select/poll.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
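Added example, not part of the thread above: the same SSL_get_error() versus ERR_get_error() distinction, shown through Python's ssl module (which wraps exactly these OpenSSL calls) because it can be run without a network. SSLWantReadError and SSLWantWriteError are what you get when SSL_get_error() returns SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE: nothing is on the error queue, you wait for the socket to become readable or writable respectively and repeat the same do_handshake() call. A plain SSLError is SSL_ERROR_SSL; the module has already drained the error queue and exposes the decoded reason string, which is what ERR_print_errors or 'openssl errstr' would show you. The helper names (classify, handshake_step, memory_client, nonblocking_handshake), the hostname example.invalid and the fake "server reply" bytes are all constructed for this example.

```python
import select
import ssl


def classify(exc):
    """Mirror the SSL_get_error() switch as (kind, detail).

    kind is "want_read", "want_write" or "error". For "error" the detail is
    the decoded reason string (what 'openssl errstr <hexcode>' prints),
    taken from the exception rather than a raw hex code."""
    if isinstance(exc, ssl.SSLWantReadError):     # subclasses SSLError: test first
        return ("want_read", None)
    if isinstance(exc, ssl.SSLWantWriteError):
        return ("want_write", None)
    if isinstance(exc, ssl.SSLError):
        library = getattr(exc, "library", None) or "SSL"
        reason = getattr(exc, "reason", None) or str(exc)
        return ("error", f"{library}: {reason}")
    raise exc                                     # not an OpenSSL condition at all


def handshake_step(sslobj):
    """One attempt at the handshake: ("done", None) or classify()'s result."""
    try:
        sslobj.do_handshake()
        return ("done", None)
    except ssl.SSLError as exc:
        return classify(exc)


def memory_client(hostname="example.invalid"):
    """Client-side SSLObject driven through MemoryBIOs (no socket involved).
    The hostname is a constructed placeholder used only for SNI."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    return sslobj, incoming, outgoing


def demo_want_read():
    """First do_handshake() with no peer data: the ClientHello is written to
    the outgoing BIO, then OpenSSL reports WANT_READ, i.e. 'call me again
    once there is something to read'. Nothing is on the error queue."""
    sslobj, incoming, outgoing = memory_client()
    kind, _ = handshake_step(sslobj)
    return kind, outgoing.pending > 0


def demo_hard_error():
    """Feed constructed non-TLS bytes as the 'server reply': this is a real
    SSL_ERROR_SSL, with the reason already decoded into a string."""
    sslobj, incoming, outgoing = memory_client()
    handshake_step(sslobj)            # emits ClientHello, reports want_read
    outgoing.read()                   # we play the peer; discard the ClientHello
    incoming.write(b"HTTP/1.1 400 Bad Request\r\n\r\n")   # constructed garbage
    return handshake_step(sslobj)     # ("error", "<library>: <reason string>")


def nonblocking_handshake(sock, ctx, server_hostname, timeout=10.0):
    """Drive the handshake on an already-connected socket without blocking.

    WANT_READ and WANT_WRITE differ in exactly one thing: which select() set
    the fd goes into before the identical do_handshake() call is repeated.
    Any other SSLError is fatal and its reason is already a readable string."""
    sock.setblocking(False)
    ssock = ctx.wrap_socket(sock, server_hostname=server_hostname,
                            do_handshake_on_connect=False)
    while True:
        try:
            ssock.do_handshake()      # same call, same arguments, every retry
            return ssock
        except ssl.SSLWantReadError:
            ready, _, _ = select.select([ssock], [], [], timeout)
        except ssl.SSLWantWriteError:
            _, ready, _ = select.select([], [ssock], [], timeout)
        except ssl.SSLError as exc:
            raise ConnectionError(classify(exc)[1]) from exc
        if not ready:
            raise TimeoutError("TLS handshake stalled waiting for the socket")


if __name__ == "__main__":
    print(demo_want_read())
    print(demo_hard_error())
```

demo_want_read() and demo_hard_error() run entirely in memory; nonblocking_handshake() is the same loop applied to a real connected socket and is the shape the discussion above is about: on the WANT_* conditions you wait on the fd (readable for WANT_READ, writable for WANT_WRITE) and retry the identical call, and only a plain SSLError means there is something to decode and log.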