RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr
Thank you Dave and Lutz.

Good to know that I can ignore the error message bad gethostbyaddr. Real problem is that Client hello B is not coming through.

Yes, there is a firewall in between client and server. Since the SSL client was able to send in a few bytes (client hello A?) successfully, firewall connection in this direction looks ok. It might be that firewall doesn't allow communication in opposite direction (from server to client) and hence client not receiving server hello? I will look into the firewall side...

Thanks,
Byju Joy

Dave Thompson-4 wrote:
> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
> Sent: Friday, 10 October, 2008 09:03
>
> > - Forwarded message from Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] -
> >
> > Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
> > Date: Fri, 10 Oct 2008 15:00:51 +0200
> > Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
> > thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
> > From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> >
> > Dear OpenSSL experts,
> >
> > I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on Windows Server 2003 Standard Edition Version 5.2.3790. Could you please help me with bad gethostbyaddr error message while doing SSL handshake? Log is given below:
>
> s_server calls do_server calls do_accept which, after the actual (TCP) accept, calls gethostbyaddr to try to get the client host's name. If your system/network doesn't have DNS set up to do reverse-mapping for that host, you get this printed. (That would include DNS not set up at all, but I don't think Svr03 can do that. It could include using a bad/wrong nameserver, or zone; or unreachable/down one; or using a good nameserver but the zone admin doesn't do reverse-mapping at all -- some don't; or didn't do it for that host -- particularly if it's a dynamic host e.g. a(nother) PC many admins don't consider it worth the trouble.)
>
> But it causes no harm; it just passes back a nullptr for the hostname string, which the actual logic (sv_body or www_body) never uses. The connection can still be completed and used, at least through 0.9.8g and I doubt this would be changed.
>
> (If you actually want to fix the revlookup, you need to say more about the type and relative network location of the client machine, and if it's not something simple you'll probably need to go elsewhere to a network-mgt group/list/forum.)
>
> > D:\OpenSSL2\binopenssl
> > OpenSSL s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
> > verify depth is 2
> > Enter pass phrase for D:\my_key.pem: my_pass_phrase
> > Loading 'screen' into random state - done
> > Using default temp DH parameters
> > Using default temp ECDH parameters
> > ACCEPT
> > bad gethostbyaddr
> > SSL_accept:before/accept initialization
> > read from 0xa533d0 [0xa6fc10] (5 bytes = 0 (0x0))
> > SSL_accept:failed in SSLv3 read client hello B
>
> This is your actual problem: you are not receiving the client hello. You appear to be getting a normal TCP shutdown instead i.e. FIN not RST. This might mean the client deliberately closed; on some system types it also occurs if the client fails e.g. segfault; it might also occur if something between you in the network like a firewall dislikes you.
>
> > ERROR
> > shutting down SSL
> > CONNECTION CLOSED
> > ACCEPT

--
View this message in context: http://www.nabble.com/-FWD--DNS-Error-while-doing-SSL-handshake---bad-gethostbyaddr-tp19918981p19950564.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]

[FWD] DNS Error while doing SSL handshake - bad gethostbyaddr
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] -

Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
Date: Fri, 10 Oct 2008 15:00:51 +0200
Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Dear OpenSSL experts,

I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on Windows Server 2003 Standard Edition Version 5.2.3790. Could you please help me with bad gethostbyaddr error message while doing SSL handshake? Log is given below:

D:\OpenSSL2\binopenssl
OpenSSL s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
verify depth is 2
Enter pass phrase for D:\my_key.pem: my_pass_phrase
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
bad gethostbyaddr
SSL_accept:before/accept initialization
read from 0xa533d0 [0xa6fc10] (5 bytes = 0 (0x0))
SSL_accept:failed in SSLv3 read client hello B
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
bad gethostbyaddr
SSL_accept:before/accept initialization
read from 0xa533d0 [0xa6fc10] (5 bytes = 0 (0x0))
SSL_accept:failed in SSLv3 read client hello B
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
bad gethostbyaddr

Thanks & Regards,
Byju Joy
+91-9902511344, +91-80-67245657, *7098068

- End forwarded message -

--
Lutz Jaenicke                                        [EMAIL PROTECTED]
OpenSSL Project                      http://www.openssl.org/~jaenicke/

RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: Friday, 10 October, 2008 09:03

> - Forwarded message from Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] -
>
> Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
> Date: Fri, 10 Oct 2008 15:00:51 +0200
> Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
> thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
> From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Dear OpenSSL experts,
>
> I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on Windows Server 2003 Standard Edition Version 5.2.3790. Could you please help me with bad gethostbyaddr error message while doing SSL handshake? Log is given below:

s_server calls do_server calls do_accept which, after the actual (TCP) accept, calls gethostbyaddr to try to get the client host's name. If your system/network doesn't have DNS set up to do reverse-mapping for that host, you get this printed. (That would include DNS not set up at all, but I don't think Svr03 can do that. It could include using a bad/wrong nameserver, or zone; or unreachable/down one; or using a good nameserver but the zone admin doesn't do reverse-mapping at all -- some don't; or didn't do it for that host -- particularly if it's a dynamic host e.g. a(nother) PC many admins don't consider it worth the trouble.)

But it causes no harm; it just passes back a nullptr for the hostname string, which the actual logic (sv_body or www_body) never uses. The connection can still be completed and used, at least through 0.9.8g and I doubt this would be changed.

(If you actually want to fix the revlookup, you need to say more about the type and relative network location of the client machine, and if it's not something simple you'll probably need to go elsewhere to a network-mgt group/list/forum.)

> D:\OpenSSL2\binopenssl
> OpenSSL s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
> verify depth is 2
> Enter pass phrase for D:\my_key.pem: my_pass_phrase
> Loading 'screen' into random state - done
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> bad gethostbyaddr
> SSL_accept:before/accept initialization
> read from 0xa533d0 [0xa6fc10] (5 bytes = 0 (0x0))
> SSL_accept:failed in SSLv3 read client hello B

This is your actual problem: you are not receiving the client hello. You appear to be getting a normal TCP shutdown instead i.e. FIN not RST. This might mean the client deliberately closed; on some system types it also occurs if the client fails e.g. segfault; it might also occur if something between you in the network like a firewall dislikes you.

> ERROR
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
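
The distinction drawn in the reply above, a first read that returns 0 bytes (orderly close, FIN) versus a reset, and a reverse lookup whose failure is non-fatal, as an added Python example that is not part of the thread and not OpenSSL code. The helper names `peer_name` and `classify_first_read` are hypothetical, and the demo input is constructed.

```python
import socket

TLS_HANDSHAKE = 0x16  # content type in the first byte of an SSLv3/TLS handshake record

def peer_name(ip):
    """Reverse lookup that is non-fatal on failure, as the reply describes for s_server."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def classify_first_read(conn, timeout=2.0):
    """Try to read the 5-byte record header from an accepted socket (hypothetical helper).

    Returns (outcome, bytes_received), where outcome is one of
    "eof", "reset", "timeout", "tls-handshake", "other".
    """
    conn.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < 5:
            chunk = conn.recv(5 - len(buf))
            if not chunk:            # recv() returned b"": peer closed in an orderly way (FIN)
                return ("eof", buf)
            buf += chunk
    except ConnectionResetError:     # the connection was torn down with RST
        return ("reset", buf)
    except socket.timeout:           # connection still open, but nothing arrived
        return ("timeout", buf)
    return ("tls-handshake" if buf[0] == TLS_HANDSHAKE else "other", buf)

if __name__ == "__main__":
    # Constructed demo: a connected pair stands in for the client and the accepted socket.
    client, server_side = socket.socketpair()
    client.close()                   # client goes away before sending a ClientHello
    print(peer_name("127.0.0.1"), classify_first_read(server_side))
    server_side.close()
```

An `("eof", b"")` result corresponds to the `(5 bytes = 0 (0x0))` line in the log: the TCP connection was accepted and then closed before any handshake bytes arrived.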