RE: SSL_ERROR_SYSCALL, errlist: No such file or directory
Posting a solution to this issue just in case it helps others with the same issue. The problem was solved by setting the socket to be non-blocking and then looping when the error is "SSL wants a read first". I try to limit the number of loops to 10 before I give up. It takes 2 times in the loop before the handshake is successful. Not sure why this is necessary on Solaris, but not on Windows though. This code works on both platforms.

    use IO::Socket::SSL;
    use IO::Select;

    # force non-blocking mode to agents.
    $sock->blocking(0);

    IO::Socket::SSL->start_SSL($sock,
        'SSL_version'        => $ssl_ver,
        'SSL_cipher_list'    => $ssl_cipher_list,
        'SSL_verify_mode'    => hex $ssl_verify_mode,
        'SSL_use_cert'       => $use_cert,
        'SSL_key_file'       => $key_location,
        'SSL_passwd_cb'      => sub { return $key_pass },
        'SSL_cert_file'      => $cert_location,
        'SSL_ca_file'        => $ca_location,
        'Timeout'            => 30,
        'SSL_startHandshake' => 0      # handshake is driven by the loop below
    ) || die "Encountered an SSL handshake problem: " . IO::Socket::SSL::errstr();

    my $attempts     = 0;
    my $MAX_ATTEMPTS = 10;
    while (1) {
        $sock->connect_SSL && last;    # handshake finished
        $attempts++;
        if ($attempts == $MAX_ATTEMPTS) {
            last;                      # give up after 10 tries
        }
        if ($sock->errstr() =~ /SSL wants a read first/) {
            IO::Select->new($sock)->can_read(30) && next;     # retry if can read
        }
        elsif ($sock->errstr() =~ /SSL wants a write first/) {
            IO::Select->new($sock)->can_write(30) && next;    # retry if can write
        }
        last;                          # any other error: stop retrying
    }

--
View this message in context: http://www.nabble.com/SSL_ERROR_SYSCALL%2C-errlist%3A-No-such-file-or-directory-tp20329506p20389663.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
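As an added example (not the poster's code), the same bounded want-read retry loop in Python, with both ends of the handshake run in one process over memory BIOs so it works offline. It assumes the openssl command-line tool is on PATH to mint a throwaway self-signed certificate, and the client verifies the peer, matching the poster's SSL_verify_mode 0x01.

```python
import os
import ssl
import subprocess
import tempfile

MAX_ATTEMPTS = 10  # same give-up limit the poster chose


def make_self_signed(dirpath):
    """Constructed throwaway certificate (assumes the `openssl` CLI is on PATH)."""
    key = os.path.join(dirpath, "key.pem")
    crt = os.path.join(dirpath, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return key, crt


def step(side):
    """One handshake attempt: True when done, False on 'want read' (not an error)."""
    try:
        side.do_handshake()
        return True
    except ssl.SSLWantReadError:
        return False   # IO::Socket::SSL reports this as "SSL wants a read first"


def pump(src_out, dst_in):
    """Carry whatever one side queued for the wire into the other side's input."""
    data = src_out.read()
    if data:
        dst_in.write(data)


def handshake_with_retries(key, crt):
    """Drive both ends over memory BIOs; returns (client_ok, server_ok, attempts, version)."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(crt, key)
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies the peer (SSL_VERIFY_PEER)
    cli_ctx.load_verify_locations(crt)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = srv_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_ok = server_ok = False
    attempts = 0
    while attempts < MAX_ATTEMPTS and not (client_ok and server_ok):
        attempts += 1
        client_ok = client_ok or step(client)
        pump(c_out, s_in)    # ClientHello, later Finished, reach the server
        server_ok = server_ok or step(server)
        pump(s_out, c_in)    # ServerHello ... Finished travel back
    return client_ok, server_ok, attempts, client.version()


def demo():
    """Run the whole thing against a freshly minted certificate in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        return handshake_with_retries(*make_self_signed(d))
```

Each want-read is answered by shuttling the peer's bytes across and retrying, so the handshake completes in two or three passes, well under the cap.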
RE: SSL_ERROR_SYSCALL, errlist: No such file or directory
David,

Sorry for the lack of information, let me try to fill in the blanks. We're using Perl (IO::Socket::SSL) on the sending side to establish a secure socket to a C agent on the receiving side. The C agent uses native OpenSSL APIs. On the Perl side, we create a TCP socket and then do a startSSL afterwards. The same exact code works fine with Perl running on Windows going to a C agent on Windows. It fails when Perl is running on Solaris going to the same C agent on Windows. This same Perl SSL code on Solaris works fine going to a Java server on Solaris.

    # Start the SSL handshake
    if (defined($self->{'_sslconf'})) {
        $self->{'_Socket'} = BfSSLSocket::startSSL($self->{'_Socket'}, $AddrIsIpv6, $self->{'_sslconf'})
            if ($self->{'_Socket'});
    }

The above startSSL method basically comes down to this, which works on Windows.

    print "SSL connection to agent.\n";
    $sock = IO::Socket::SSL->start_SSL($sock,
        'SSL_version'        => $ssl_ver,
        'SSL_cipher_list'    => $ssl_cipher_list,
        'SSL_verify_mode'    => hex $ssl_verify_mode,
        'SSL_use_cert'       => $use_cert,
        'SSL_key_file'       => $key_location,
        'SSL_passwd_cb'      => sub { return $key_pass },
        'SSL_cert_file'      => $cert_location,
        'SSL_ca_file'        => $ca_location,
        'SSL_startHandshake' => 0
    ) || die "Encountered an SSL handshake problem: " . IO::Socket::SSL::errstr();
    $sock->connect_SSL;

On the Agent side, there's a dispatch process which receives requests and spawns a new Agent when it gets the connection. It hands the socket over to the new Agent process which then starts SSL. Once the SSL handshake is successful, it goes into the main loop which starts read/writes.

    } else if (NULL != start_SSL() || SS_OK == ssl_state) {
        agent_main_loop();
        stop_SSL();
    }

    void *start_SSL(void)
    {
        char err_buf[1024];
        const char *sbuf = NULL;
        int err = 0, rc = 0;
        X509 *client_cert;

        BFTRACE("In start_SSL");

        /* Specify the context configuration options */
        ssl_state = init_CTX();

        /* You cannot send a hello in the middle of an SSL handshake. Defer the SSL hello
           until the end. Send the TCP hello now, if the state is SS_OK. */
        switch (ssl_state) {
        case SS_OK:
            send_hello(CODE_HELLO);
            return NULL;
        default:
            break;              /* Continue to do the SSL handshake. */
        }

        BFTRACE("Calling SSL_new");
        /* Create a new SSL context */
        ssl = SSL_new(ctx);
        if (NULL == ssl) {
            /* err is still 0 here; the real reason is on the OpenSSL error queue */
            sbuf = ERR_error_string(ERR_get_error(), err_buf);
            send_msg("SSL", "SSLErrorNoSSL", "s", sbuf);
            ssl_state = SS_FAILED;
            return NULL;
        }

        /* hRemote is the duplicate file descriptor from the dispatch thread. */
        SSL_set_fd(ssl, hRemote);
        SSL_set_accept_state(ssl);

        BFTRACE("Calling SSL_accept.");
        rc = SSL_accept(ssl);
        sprintf(err_buf, "SSL_accept rc=%d (1 is good, 0 is handshake failure, <0 is fatal)", rc);
        BFTRACE(err_buf);
        if (rc <= 0) {
            err = SSL_get_error(ssl, rc);
            sprintf(err_buf, "Error code: %d", err);
            BFTRACE(err_buf);
            ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf));
            BFTRACE(err_buf);
            switch (err) {
            case SSL_ERROR_NONE:
                sprintf(err_buf, "No error reported.");
                BFTRACE(err_buf);
                break;
            case SSL_ERROR_WANT_WRITE:
                sprintf(err_buf, "Error: SSL_ERROR_WANT_WRITE");
                BFTRACE(err_buf);
                break;
            case SSL_ERROR_WANT_READ:
                sprintf(err_buf, "Error: SSL_ERROR_WANT_READ");
                BFTRACE(err_buf);
                break;
            case SSL_ERROR_WANT_X509_LOOKUP:
                sprintf(err_buf, "Error: SSL_ERROR_WANT_X509_LOOKUP");
                BFTRACE(err_buf);
                break;
            case SSL_ERROR_SYSCALL:
                sprintf(err_buf, "Error: SSL_ERROR_SYSCALL, errlist: %s", sys_errlist[errno]);
                BFTRACE(err_buf);
RE: SSL_ERROR_SYSCALL, errlist: No such file or directory
So I can now see the Solaris side. It appears it gets "gibberish", probably encrypted data. Does anyone know why it would appear that the socket is not decrypting the data? This same code works fine on a Windows system.

    SSL_ca_file: /opt/bf-567/Platform/keystore/CA.pem
    SSL_cert_file: /opt/bf-567/Platform/keystore/Cert.pem
    SSL_key_file: /opt/bf-567/Platform/keystore/Key.pem
    SSL_verify_mode: 0x01
    SSL_version: TLSv1
    SSL_cipher_list: ALL
    SSL_use_cert: 1
    Making as SSL connection using socket IO::Socket::INET=GLOB(0x29bdfe8).
    SSL connection to agent.
    Socket is of type: ref(IO::Socket::SSL=GLOB(0x29bdfe8))
    READ: ReadyLine: .
    Agent Connecting...
    READ:

pbirk wrote:
> You are correct, it returns 0. RC=0 is a handshake failure? I think I
> need to debug this on the Solaris side then. Which makes sense. Thanks
> for the help!
>
> Calling SSL_accept.
> SSL_accept rc=0
> Error code: 5
> error::lib(0):func(0):reason(0)
> Error: SSL_ERROR_SYSCALL, errlist: No such file or directory
> WSAGetLastError, rc=0
>
> David Schwartz wrote:
>>
>>> Calling SSL_accept.
>>> Error code: 5
>>> error::lib(0):func(0):reason(0)
>>> Error: SSL_ERROR_SYSCALL, errlist: No such file or directory
>>> WSAGetLastError, rc=0
>>>
>>> This is basically the APIs I call to get the above information.
>>>
>>> err = SSL_get_error(ssl, rc);
>>> printf("Error code: %d", err);
>>> ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf));
>>> printf("Error: %s", err_buf);
>>> printf("Error: SSL_ERROR_SYSCALL, errlist: %s", sys_errlist[errno]);
>>> printf("WSAGetLastError, rc=%d", WSAGetLastError());
>>>
>>> Windows client -> Windows server (success)..
>>> Solaris client -> Windows server (above error)..
>>
>> You leave out the most important piece of information -- what was the
>> return value from SSL_accept?! None of your 'printf's include 'rc', which is the
>> most important piece of information there is.
>>
>> If it's zero, as I suspect, then you're barking up completely the wrong
>> tree.
>>
>> DS

--
View this message in context: http://www.nabble.com/SSL_ERROR_SYSCALL%2C-errlist%3A-No-such-file-or-directory-tp20329506p20332694.html
RE: SSL_ERROR_SYSCALL, errlist: No such file or directory
You are correct, it returns 0. RC=0 is a handshake failure? I think I need to debug this on the Solaris side then. Which makes sense. Thanks for the help!

    Calling SSL_accept.
    SSL_accept rc=0
    Error code: 5
    error::lib(0):func(0):reason(0)
    Error: SSL_ERROR_SYSCALL, errlist: No such file or directory
    WSAGetLastError, rc=0

David Schwartz wrote:
>
>> Calling SSL_accept.
>> Error code: 5
>> error::lib(0):func(0):reason(0)
>> Error: SSL_ERROR_SYSCALL, errlist: No such file or directory
>> WSAGetLastError, rc=0
>>
>> This is basically the APIs I call to get the above information.
>>
>> err = SSL_get_error(ssl, rc);
>> printf("Error code: %d", err);
>> ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf));
>> printf("Error: %s", err_buf);
>> printf("Error: SSL_ERROR_SYSCALL, errlist: %s", sys_errlist[errno]);
>> printf("WSAGetLastError, rc=%d", WSAGetLastError());
>>
>> Windows client -> Windows server (success)..
>> Solaris client -> Windows server (above error)..
>
> You leave out the most important piece of information -- what was the
> return value from SSL_accept?! None of your 'printf's include 'rc', which is the
> most important piece of information there is.
>
> If it's zero, as I suspect, then you're barking up completely the wrong
> tree.
>
> DS

--
View this message in context: http://www.nabble.com/SSL_ERROR_SYSCALL%2C-errlist%3A-No-such-file-or-directory-tp20329506p20330410.html
SSL_ERROR_SYSCALL, errlist: No such file or directory
Anyone know what could be the cause of this error? This error occurs on a Windows system. The calling system (which shouldn't matter) is Solaris. However, other Windows systems that call to this system succeed, although the only notable error is here.

    Calling SSL_accept.
    Error code: 5
    error::lib(0):func(0):reason(0)
    Error: SSL_ERROR_SYSCALL, errlist: No such file or directory
    WSAGetLastError, rc=0

This is basically the APIs I call to get the above information.

    err = SSL_get_error(ssl, rc);
    printf("Error code: %d", err);
    ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf));
    printf("Error: %s", err_buf);
    printf("Error: SSL_ERROR_SYSCALL, errlist: %s", sys_errlist[errno]);
    printf("WSAGetLastError, rc=%d", WSAGetLastError());

Windows client -> Windows server (success)..
Solaris client -> Windows server (above error)..

The only thing I see on the Solaris (client) side is the following Perl module error:

    Use of uninitialized value in numeric eq (==) at /PerlApp/IO/Socket/SSL.pm line 1145.

But I believe this comes from an error path in SSL.pm after the failure occurred on the Windows server.

Thanks in advance!!! This one has stumped me for a while.

--
View this message in context: http://www.nabble.com/SSL_ERROR_SYSCALL%2C-errlist%3A-No-such-file-or-directory-tp20329506p20329506.html
Perl enablement of OpenSSL FIPS
Hi,

Does anyone know of any Perl modules already written that can call the native OpenSSL FIPS_mode_set and FIPS_mode APIs? I am using Perl's Net::SSLeay and IO::Socket::SSL modules but these do not appear to have any exposed APIs to enable FIPS mode. Thanks!

Also, I assume if I enable FIPS from a C program (separate from the Perl calls), as long as the OpenSSL DLLs are still loaded, the FIPS mode enablement from the C program would also apply to the Perl use of the same shared DLLs. What keeps a DLL loaded: is it the process that loaded it still being active (stays open as long as the process is still going), or just having code call into a method so it loads/unloads the DLLs more frequently?

Regards,
Pete

--
View this message in context: http://www.nabble.com/Perl-enablement-of-OpenSSL-FIPS-tp20267045p20267045.html
OpenSSL 0.9.7m Link Failure w/FIPS
I'm getting the following error after following the steps in the FIPS user's guide to compile on Windows at this link: http://openssl.org/docs/fips/UserGuide-1.1.1.pdf. I'm using FIPS 1.1.2 with OpenSSL 0.9.7m. I do ms\do_ms (tried with ms\do_nasm as well), then nmake -f ms\ntdll.mak. The contents of out32dll are as follows after the failure. If I do the compile again, it can successfully build ssleay32.dll, but libeay32.dll is corrupted when trying to add in the manifest. Any ideas why this failed?

     Directory of C:\downloads\OpenSSL\openssl-0.9.7m\out32dll

    10/09/2008  11:28 AM                   .
    10/09/2008  11:28 AM                   ..
    10/09/2008  11:27 AM           651,264 fips_premain_dso.exe
    10/09/2008  11:27 AM               380 fips_premain_dso.exe.manifest
    10/09/2008  11:27 AM            29,696 fips_standalone_sha1.exe
    10/09/2008  11:27 AM               380 fips_standalone_sha1.exe.manifest
    10/09/2008  11:28 AM         2,097,152 libeay32.dll
    10/09/2008  11:28 AM               380 libeay32.dll.manifest
    10/09/2008  11:28 AM           343,847 libeay32.exp
    10/09/2008  11:28 AM           566,392 libeay32.lib

    cl /Fotmp32dll\fips_premain_dso.obj -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c .\fips-1.0\fips_premain.c
    fips_premain.c
    link /nologo /subsystem:console /machine:I386 /opt:ref /out:out32dll\fips_premain_dso.exe @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50D.tmp
    SET FIPS_LINK=link
    SET FIPS_CC=cl
    SET FIPS_CC_ARGS=/Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c
    SET PREMAIN_DSO_EXE=out32dll\fips_premain_dso.exe
    SET FIPS_SHA1_EXE=out32dll\fips_standalone_sha1.exe
    SET FIPS_TARGET=out32dll\libeay32.dll
    SET FIPSLIB_D=c:\downloads\openssl_fips/
    perl util\fipslink.pl /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50F.tmp
    Integrity check OK
    cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c c:\downloads\openssl_fips//fips_premain.c
    fips_premain.c
    link /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50F.tmp
    ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored
       Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
    LINK : fatal error LNK1000: Internal error during IMAGE::BuildImage
      Version 8.00.50727.42
      ExceptionCode            = C005
      ExceptionFlags           =
      ExceptionAddress         = 0046563C (0040) "c:\PROGRA~1\MID05A~1\VC\bin\link.exe"
      NumberParameters         = 0002
      ExceptionInformation[ 0] = 0001
      ExceptionInformation[ 1] = 0008
    CONTEXT:
      Eax    = 0008     Esp    = 0012EEA8
      Ebx    =          Ebp    = 0111B008
      Ecx    =          Esi    = 015B002C
      Edx    = 000EC028 Edi    = 015AFFF0
      Eip    = 0046563C EFlags = 00010202
      SegCs  = 001B     SegDs  = 0023
      SegSs  = 0023     SegEs  = 0023
      SegFs  = 003B     SegGs  =
      Dr0    =          Dr3    =
      Dr1    =          Dr6    =
      Dr2    =          Dr7    =
    First stage Link failure at util\fipslink.pl line 42.
    NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x9'
    Stop.

--
View this message in context: http://www.nabble.com/OpenSSL-0.9.7m-Link-Failure-w-FIPS-tp19902596p19902596.html
OpenSSL FIPS 1.2 availability?
Is there an estimated (planned) date for when the OpenSSL FIPS 1.2 module will be released?

--
View this message in context: http://www.nabble.com/OpenSSL-FIPS-1.2-availability--tp19888614p19888614.html
Re: Problem "unknown message digest algorithm" verifying server certificate from Perl OpenSSL client
Tim Hudson wrote:
> Try connecting with
>     openssl s_client -state -debug -connect hostname:port
> and see what details are returned in the server certificate - that will at least tell you what
> algorithms are used by the server certificate.
>
> Are you sure you are actually calling OpenSSL_add_all_algorithms() or the older
> variants of it?
>
> Tim.

I created a new self-signed cert for the server (in a p12 keystore) and exported the key/cert to PEMs for the client. The cert was created using key algorithm RSA and keysize 1024. I was about to give you the data you requested (great suggestion) and could not recreate the problem after recreating the certs this way. Maybe I had DSA before and that's the algorithm not supported? I might try creating a DSA cert to see if that's the issue.

I was calling SSLeay_add_ssl_algorithms() previously and that did not help anything. If I called SSLeay_add_all_algorithms(), it bombed out. I think there's a reported problem calling that method.

Appreciate the help very much.

--
View this message in context: http://www.nabble.com/Problem-%22unknown-message-digest-algorithm%22-verifying-server-certificate-from-Perl-OpenSSL-client-tp19112522p19127272.html
Problem "unknown message digest algorithm" verifying server certificate from Perl OpenSSL client
I'm trying to use IO-Socket-SSL-1.13_5, Net-SSLeay 1.32 and OpenSSL 0.9.7j. I have the Perl module coded the following way. When $ssl_verify_mode = 0x01 to verify the peer certificate, I get the error below. I'm using the same self-signed certificate on the server as I'm using on the client (it's split up into CA.pem, Cert.pem, and Key.pem). I've seen a similar error on Google where the resolution was to call SSLeay_add_ssl_algorithms(). I did this in my application and still have the "unknown message digest algorithm" error.

Does anyone have a clue what would cause this problem? Thanks in advance! I'll be happy to provide any additional information needed to help resolve this. Let me know if there's a better forum for this question.

    IO::Socket::SSL->start_SSL($sock,
        'SSL_version'     => $ssl_ver,
        'SSL_cipher_list' => $ssl_cipher_list,
        'SSL_verify_mode' => hex $ssl_verify_mode,
        'SSL_use_cert'    => $use_cert,
        'SSL_key_file'    => $key_location,
        'SSL_passwd_cb'   => sub { return $key_pass },
        'SSL_cert_file'   => $cert_location,
        'SSL_ca_file'     => $ca_location
    ) || die "Encountered an SSL handshake problem: " . IO::Socket::SSL::errstr();

"Debug output"

    SSL_ca_file: CA.pem
    SSL_cert_file: Cert.pem
    SSL_key_file: Key.pem
    SSL_verify_mode: 0x01
    SSL_version: TLSv1
    SSL_cipher_list: ALL
    SSL_use_cert: 1

"Error"

    Making as SSL connection using socket GLOB(0x2659ffc).
    DEBUG: .../IO/Socket/SSL.pm:1263: IO::Socket::SSL::SSL_Context HASH(0x1cbe784)
    DEBUG: .../IO/Socket/SSL.pm:1381: new ctx 29512696
    SSL connect attempt failed with unknown errorerror:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
    SSL error: 4860: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Regards,
Pete

--
View this message in context: http://www.nabble.com/Problem-%22unknown-message-digest-algorithm%22-verifying-server-certificate-from-Perl-OpenSSL-client-tp19112522p19112522.html