> From: owner-openssl-us...@openssl.org On Behalf Of Nathan Smyth
> Sent: Tuesday, 10 April, 2012 09:25

> I'm having trouble getting the SSL Connect/Accepts to work.
> 
> For the client, SSL_Connect returns -1. Raising SSL Error = 
> 2, SSL_ERROR_WANT_READ
> 
Are you using a nonblocking socket? If SSL_connect returns -1 
and you call SSL_get_error(ssl,rc) and it returns WANT_READ, 
that is normal behavior for nonblocking. You need to retry 
the call when the socket is (likely) ready to read data;
the most direct way to do this is select() or poll() or 
similar depending on your OS, but more complicated ways 
are possible. See man SSL_get_error.

Or for simpler code, use blocking. Then SSL_* returns only 
when it has completed successfully, or definitively failed.

> For the server, SSL_ACCEPT returns 0 (or -1 if non blocking), 
> raising SSL Error 5 = SSL_ERROR_SYSCALL.
> ERR_ERROR_STRING() prints:00000005:lib(0):func(0):DH 
> 
Again assuming SSL_get_error(ssl,rc) returns SYSCALL, 
you should not (try to) decode that with ERR_error_string.
The error codes that ERR_error_string decodes are the ones 
from ERR_get_error, ERR_peek_error, etc., *not* SSL_get_error.
For SSL_accept -1 and SSL_get_error SYSCALL you should instead 
check the *OS* level error -- errno in Unix, WSAGetLastError() 
in Windows. On Unix you can decode with strerror(errno); 
on Windows it's a little more complicated.

If this server is getting connections from the client above, 
and that client mistakenly handles WANT_READ by closing or 
even exiting/aborting, the server gets either TCP abort or 
unexpected TCP shutdown (aka EOF), which causes this error.

> Does anyone have any advice on things to try to help debug 
> this? I'm not using BIOs, but instead using SSL_set_fd(). 
> This is because the application uses many sockets, but only 
> sometimes uses SSL.
> 
You are, but invisibly; SSL_set_fd() creates a socket-BIO 
internally. But when SSL_* then does I/O on that BIO, 
the BIO does it on your socket, which is what you want.

You can actually use socket-BIO, and/or accept-BIO and 
connect-BIO, to do plain TCP connections directly, or 
"wrap" SSL_* around them to do SSL. This doesn't offer 
any more functionality than plain OS sockets, and in fact 
last I looked didn't do IPv6 well, but it does use the 
OpenSSL "style" (naming, memory management, error handling) 
consistently and it is the same API on Unix and Windows 
(and I believe VMS, if that still works) rather than 
similar but slightly different APIs. Your choice.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
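The two pieces of advice in the reply above (retry WANT_READ/WANT_WRITE after poll(), and decode SYSCALL from errno or an unexpected EOF rather than ERR_error_string()) combined into one handshake loop. This is an added example, not code from the thread or from OpenSSL; the SSL_connect()/SSL_accept() call is passed in as a callback (an assumption made so the loop can be exercised without a live TLS peer), and the demo drives it with a scripted stand-in over a pipe.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* SSL_get_error() result codes, copied so this builds without <openssl/ssl.h>; 2 and 5 are the values quoted in the thread. */
#define SSL_ERROR_NONE 0
#define SSL_ERROR_WANT_READ 2
#define SSL_ERROR_WANT_WRITE 3
#define SSL_ERROR_SYSCALL 5

enum hs_result { HS_OK = 0, HS_TIMEOUT, HS_PEER_EOF, HS_OS_ERROR, HS_TLS_ERROR };

/* One SSL_connect()/SSL_accept() attempt: returns its rc, stores SSL_get_error(ssl, rc) in *ssl_err (callback is an assumption of this example). */
typedef int (*hs_step_fn)(void *ssl, int *ssl_err);

/* Retry after poll() on WANT_READ/WANT_WRITE; on SYSCALL decode errno or EOF, never ERR_error_string(); anything else belongs to the ERR_get_error() queue. */
enum hs_result handshake_nonblocking(void *ssl, int fd, hs_step_fn step,
                                     int timeout_ms, char *msg, size_t len)
{
    for (;;) {
        int ssl_err = SSL_ERROR_NONE, rc = step(ssl, &ssl_err);
        int saved_errno = errno;                /* capture before any other call clobbers it */
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        if (rc == 1) return HS_OK;              /* handshake finished */
        if (ssl_err == SSL_ERROR_WANT_WRITE) pfd.events = POLLOUT;
        else if (ssl_err == SSL_ERROR_SYSCALL) {    /* OS level; rc == 0 means unexpected EOF */
            if (rc == 0 || saved_errno == 0) { snprintf(msg, len, "peer closed connection during handshake"); return HS_PEER_EOF; }
            snprintf(msg, len, "socket error: %s", strerror(saved_errno)); return HS_OS_ERROR;
        } else if (ssl_err != SSL_ERROR_WANT_READ) {
            snprintf(msg, len, "TLS error, SSL_get_error=%d (decode with ERR_get_error)", ssl_err);
            return HS_TLS_ERROR;
        }
        int n = poll(&pfd, 1, timeout_ms);      /* wait in the direction the library asked for */
        if (n == 0) { snprintf(msg, len, "handshake timed out"); return HS_TIMEOUT; }
        if (n < 0 && errno != EINTR) { snprintf(msg, len, "poll: %s", strerror(errno)); return HS_OS_ERROR; }
    }
}

/* Scripted stand-in (constructed, not a real SSL*): attempt 1 reports WANT_READ like the thread's client, attempt 2 completes. ctx counts calls. */
static int scripted_step(void *ctx, int *ssl_err) {
    *ssl_err = (*(int *)ctx)++ == 0 ? SSL_ERROR_WANT_READ : SSL_ERROR_NONE;
    return *ssl_err == SSL_ERROR_NONE ? 1 : -1;
}

/* Drive the loop over a pipe that already holds a byte, so poll() reports readable at once and the retry succeeds; a real client passes its socket fd. */
enum hs_result demo_want_read_retry(void) {
    int p[2], calls = 0; char msg[128];
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1) return HS_OS_ERROR;
    enum hs_result r = handshake_nonblocking(&calls, p[0], scripted_step, 1000, msg, sizeof msg);
    close(p[0]); close(p[1]);
    return r;
}
```

With a real SSL* the step callback would simply call SSL_connect() or SSL_accept() followed by SSL_get_error(); the SYSCALL branch is the one that would have explained the server's "SSL Error 5" in the thread.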
