RE: Accept failing - SysCall error - advice?
From: owner-openssl-us...@openssl.org On Behalf Of Nathan Smyth Sent: Wednesday, 11 April, 2012 09:08 If this server is getting connections from the client above, and that client mistakenly handles WANT_READ by closing or even exiting/aborting, the server gets either TCP abort or unexpected TCP shutdown (aka EOF), which causes this error. Errno didn't return much. But this sounds reasonable. Playing with the blocking settings on the fd seems to help. Assume that it could be similar for the SSL_ACCEPT? (though WANT_WRITE, perhaps?) Both client calls including SSL_connect and server calls including SSL_accept can use nonblocking socket, and all behave the same way. All can return either WANT_READ or WANT_WRITE. Do NOT assume that SSL_write only does socket writes or SSL_read only does socket reads; if you use nonblocking you must be prepared to handle whatever SSL_get_error tells you is 'wanted'. See the man page and/or http://www.openssl.org/support/faq.html#PROG10 . If you don't want to code this way, use blocking socket. That's much simpler, but it does block your thread; if you need or want concurrency you must then manage it at the thread or process level, not a 'work-item' level. Interestingly, in a situation where two apps open a number of SSL connections between each other (over time) I get a deadlock - where a client blocks on the SSL_Connect, and the server on the general (socketIO) accept. Any hints? Not really. If you're doing the socket creation yourself and SSL_set_fd, as you said, then the socket connect should match the socket accept, before either one gets into OpenSSL at all. Look at netstat (or equivalent); look at a wire trace (like wireshark) if these are (or can be) on different machines. You can actually use socket-BIO, and/or accept-BIO and connect-BIO, to do plain TCP connections directly, To clarify, that's what I'm dong now, right? Not as I understood your description. You indicated you use plain OS sockets for TCP and OpenSSL with SSL_set_fd (which creates a socket-BIO) for SSL. I said an alternative is you use socket BIO(s) for TCP, and also socket BIO(s) for SSL. It's almost the same for SSL, but not the same for TCP. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Accept failing - SysCall error - advice?
Thanks, Dave, for your reply. Very helpful. If this server is getting connections from the client above, and that client mistakenly handles WANT_READ by closing or even exiting/aborting, the server gets either TCP abort or unexpected TCP shutdown (aka EOF), which causes this error. Errno didn't return much. But this sounds reasonable. Playing with the blocking settings on the fd seems to help. Assume that it could be similar for the SSL_ACCEPT? (though WANT_WRITE, perhaps?) Interestingly, in a situation where two apps open a number of SSL connections between each other (over time) I get a deadlock - where a client blocks on the SSL_Connect, and the server on the general (socketIO) accept. Any hints? You are but invisibly; SSL_set_fd() creates a socket-BIO internally. That's fine You can actually use socket-BIO, and/or accept-BIO and connect-BIO, to do plain TCP connections directly, To clarify, that's what I'm dong now, right? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Accept failing - SysCall error - advice?
Hi there, I'm having trouble getting the SSL Connect/Accepts to work. For the client, SSL_Connect returns -1. Raising SSL Error = 2, SSL_ERROR_WANT_READ For the server, SSL_ACCEPT returns 0 (or -1 if non blocking), raising SSL Error 5 = SSL_ERROR_SYSCALL. ERR_ERROR_STRING() prints:0005:lib(0):func(0):DH Does anyone have any advice on things to try to help debug this? I'm not using BIOs, but instead using SSL_set_fd(). This is because the application uses many sockets, but only sometimes uses SSL. Thanks!! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Accept failing - SysCall error - advice?
The code itself is simple: Basically, just establish the socket connection.
Then:
SSL_set_fd(ssl, sock);
ret = SSL_accept(ssl); (or SSL_Connect for the client)
if (ret= 0)
{ print errors }
else
OK
- Original Message -
From: Nathan Smyth naf...@ymail.com
To: openssl-users@openssl.org openssl-users@openssl.org
Cc:
Sent: Tuesday, 10 April 2012, 14:24
Subject: Accept failing - SysCall error - advice?
Hi there,
I'm having trouble getting the SSL Connect/Accepts to work.
For the client, SSL_Connect returns -1. Raising SSL Error = 2,
SSL_ERROR_WANT_READ
For the server, SSL_ACCEPT returns 0 (or -1 if non blocking), raising SSL Error
5 = SSL_ERROR_SYSCALL.
ERR_ERROR_STRING() prints:0005:lib(0):func(0):DH
Does anyone have any advice on things to try to help debug this? I'm not using
BIOs, but instead using SSL_set_fd(). This is because the application uses many
sockets, but only sometimes uses SSL.
Thanks!!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: Accept failing - SysCall error - advice?
From: owner-openssl-us...@openssl.org On Behalf Of Nathan Smyth Sent: Tuesday, 10 April, 2012 09:25 I'm having trouble getting the SSL Connect/Accepts to work. For the client, SSL_Connect returns -1. Raising SSL Error = 2, SSL_ERROR_WANT_READ Are you using nonblocking socket? If ssl_connect returns -1 and you call SSL_get_error(ssl,rc) and it returns WANT_READ, that is normal behavior for nonblocking. You need to retry the call when the socket is (likely) ready to read data; the most direct way to do this is select() or poll() or similar depending on your OS, but more complicated ways are possible. See man SSL_get_error . Or for simpler code, use blocking. Then SSL_* returns only when it has completed successfully, or definitively failed. For the server, SSL_ACCEPT returns 0 (or -1 if non blocking), raising SSL Error 5 = SSL_ERROR_SYSCALL. ERR_ERROR_STRING() prints:0005:lib(0):func(0):DH Again assuming ssl_get_error(ssl,rc) returns SYSCALL, you should not (try to) decode that with ERR_error_string. The error codes that ERR_error_string decodes are the ones from ERR_get_error ERR_peek_error etc. *not* SSL_get_error. For SSL_accept -1 and SSL_get_error SYSCALL you should instead check the *OS* level error -- errno in Unix, WSAGetLastError() in Windows. On Unix you can decode with strerror(errno), on Windows it's a little more complicated. If this server is getting connections from the client above, and that client mistakenly handles WANT_READ by closing or even exiting/aborting, the server gets either TCP abort or unexpected TCP shutdown (aka EOF), which causes this error. Does anyone have any advice on things to try to help debug this? I'm not using BIOs, but instead using SSL_set_fd(). This is because the application uses many sockets, but only sometimes uses SSL. You are but invisibly; SSL_set_fd() creates a socket-BIO internally. But when SSL_* then does I/O on that BIO the BIO does it on your socket, which is what you want. You can actually use socket-BIO, and/or accept-BIO and connect-BIO, to do plain TCP connections directly, or wrap SSL_* around them to do SSL. This doesn't offer any more functionality than plain OS sockets, and in fact last I looked didn't do IPv6 well, but it does use the OpenSSL style (naming, memory management, error handling) consistently and it is the same API on Unix and Windows (and I believe VMS, if that still works) rather than similar but slightly different APIs. Your choice. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
