RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr

2008-10-13 Thread Byju Joy

Thank you Dave and Lutz. Good to know that I can ignore the error message
"bad gethostbyaddr". The real problem is that client hello B is not coming
through. Yes, there is a firewall in between client and server. Since the
SSL client was able to send in a few bytes (client hello A?) successfully,
the firewall connection in this direction looks ok. It might be that the firewall
doesn't allow communication in the opposite direction (from server to client)
and hence the client is not receiving the server hello? I will look into the firewall
side...

Thanks,
Byju Joy



Dave Thompson-4 wrote:
 
 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
 Sent: Friday, 10 October, 2008 09:03
 - Forwarded message from Joy, Byju (GE Healthcare,
 consultant) [EMAIL PROTECTED] -

 Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
 Date: Fri, 10 Oct 2008 15:00:51 +0200
 Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
 thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
 From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]

 Dear OpenSSL experts,

 I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on
 Windows Server 2003 Standard Edition Version 5.2.3790. Could you please
 help me with bad gethostbyaddr error message while doing SSL
 handshake? Log is given below:

 s_server calls do_server calls do_accept which, after the actual (TCP) accept,
 calls gethostbyaddr to try to get the client host's name. If your system/network
 doesn't have DNS set up to do reverse-mapping for that host, you get this printed.
 (That would include DNS not set up at all, but I don't think Svr03 can do that.
 It could include using a bad/wrong nameserver, or zone; or an unreachable/down one;
 or using a good nameserver but the zone admin doesn't do reverse-mapping at all
 -- some don't; or didn't do it for that host -- particularly if it's a dynamic
 host e.g. a(nother) PC many admins don't consider it worth the trouble.)
 
 But it causes no harm; it just passes back a nullptr for the hostname string,
 which the actual logic (sv_body or www_body) never uses. The connection can still
 be completed and used, at least through 0.9.8g and I doubt this would be changed.
 (If you actually want to fix the revlookup, you need to say more about the type
 and relative network location of the client machine, and if it's not something
 simple you'll probably need to go elsewhere to a network-mgt group/list/forum.)
 

 D:\OpenSSL2\bin>openssl
 OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key
 D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
 verify depth is 2
 Enter pass phrase for D:\my_key.pem: my_pass_phrase
 Loading 'screen' into random state - done
 Using default temp DH parameters
 Using default temp ECDH parameters
 ACCEPT
 bad gethostbyaddr
 SSL_accept:before/accept initialization
 read from 0xa533d0 [0xa6fc10] (5 bytes = 0 (0x0))
 SSL_accept:failed in SSLv3 read client hello B
 
 This is your actual problem: you are not receiving the client hello.
 You appear to be getting a normal TCP shutdown instead i.e. FIN not RST.
 This might mean the client deliberately closed; on some system types
 it also occurs if the client fails e.g. segfault; it might also occur
 if something between you in the network like a firewall dislikes you.
 
 ERROR
 shutting down SSL
 CONNECTION CLOSED
 ACCEPT
 
 
 __
 OpenSSL Project                 http://www.openssl.org
 User Support Mailing List       openssl-users@openssl.org
 Automated List Manager          [EMAIL PROTECTED]
 
 



RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr

2008-10-10 Thread Dave Thompson
 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
 Sent: Friday, 10 October, 2008 09:03
 - Forwarded message from Joy, Byju (GE Healthcare,
 consultant) [EMAIL PROTECTED] -

 Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
 Date: Fri, 10 Oct 2008 15:00:51 +0200
 Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
 thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
 From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]

 Dear OpenSSL experts,

 I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on
 Windows Server 2003 Standard Edition Version 5.2.3790. Could you please
 help me with bad gethostbyaddr error message while doing SSL
 handshake? Log is given below:

s_server calls do_server calls do_accept which, after the actual (TCP) accept,
calls gethostbyaddr to try to get the client host's name. If your system/network
doesn't have DNS set up to do reverse-mapping for that host, you get this printed.
(That would include DNS not set up at all, but I don't think Svr03 can do that.
It could include using a bad/wrong nameserver, or zone; or an unreachable/down one;
or using a good nameserver but the zone admin doesn't do reverse-mapping at all
-- some don't; or didn't do it for that host -- particularly if it's a dynamic
host e.g. a(nother) PC many admins don't consider it worth the trouble.)

But it causes no harm; it just passes back a nullptr for the hostname string,
which the actual logic (sv_body or www_body) never uses. The connection can still
be completed and used, at least through 0.9.8g and I doubt this would be changed.
(If you actually want to fix the revlookup, you need to say more about the type
and relative network location of the client machine, and if it's not something
simple you'll probably need to go elsewhere to a network-mgt group/list/forum.)


 D:\OpenSSL2\bin>openssl
 OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key
 D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
 verify depth is 2
 Enter pass phrase for D:\my_key.pem: my_pass_phrase
 Loading 'screen' into random state - done
 Using default temp DH parameters
 Using default temp ECDH parameters
 ACCEPT
 bad gethostbyaddr
 SSL_accept:before/accept initialization
 read from 0xa533d0 [0xa6fc10] (5 bytes = 0 (0x0))
 SSL_accept:failed in SSLv3 read client hello B

This is your actual problem: you are not receiving the client hello.
You appear to be getting a normal TCP shutdown instead i.e. FIN not RST.
This might mean the client deliberately closed; on some system types
it also occurs if the client fails e.g. segfault; it might also occur
if something between you in the network like a firewall dislikes you.

 ERROR
 shutting down SSL
 CONNECTION CLOSED
 ACCEPT


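The distinction Dave draws above, as an added example (not OpenSSL's own code, and not from anyone in this thread): a tiny accept loop that, like s_server's do_accept, attempts the reverse lookup purely for logging and carries on when it fails, and then classifies the first 5-byte read. A zero-byte read (the `5 bytes = 0` in the log) is reported as an orderly TCP close before any ClientHello; a real record header is decoded; printable bytes are flagged as a client that is not speaking TLS at all. The function names `reverse_lookup`, `classify_first_read` and `serve_once`, and the loopback client in the demo, are my own constructions.

```python
"""Separate the harmless 'bad gethostbyaddr' from a missing ClientHello.
Added example; mirrors the behaviour described for s_server, not its source."""
import socket
import struct
import threading

# TLS record-layer content types and version bytes (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def reverse_lookup(ip):
    """PTR lookup for the log line only, as do_accept does after accept().
    A failure here is the 'bad gethostbyaddr' case; the connection proceeds."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def classify_first_read(data):
    """Classify the first bytes read after accept(), i.e. what the
    'read from ... (5 bytes = N)' line is telling you. Returns (verdict, detail)."""
    if len(data) == 0:
        return ("peer_closed", "0 bytes read: orderly TCP shutdown (FIN) before any ClientHello")
    if len(data) < 5:
        return ("short_read", "%d byte(s) then close: not even a full record header" % len(data))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3:
        version = VERSIONS.get((major, minor), "unknown 3.%d" % minor)
        kind = CONTENT_TYPES[ctype]
        # Handshake message type 1 right after the header is a ClientHello.
        if ctype == 22 and len(data) > 5 and data[5] == 1:
            kind = "handshake/ClientHello"
        return ("tls_record", "%s record, %s, %d-byte body" % (kind, version, length))
    if all(32 <= b < 127 for b in data[:5]):
        return ("plaintext", "printable bytes %r: client is not speaking TLS on this port" % data[:5])
    return ("unknown", "first bytes %s do not look like a TLS record" % data[:5].hex())


def serve_once(listening_socket):
    """Accept one connection, log the reverse lookup result without failing
    on it, then read and classify the first 5 bytes (as s_server's log shows)."""
    conn, (ip, _port) = listening_socket.accept()
    with conn:
        if reverse_lookup(ip) is None:
            print("bad gethostbyaddr")  # harmless, exactly as in the thread
        data = conn.recv(5)
        print("read (5 bytes = %d)" % len(data))
        return classify_first_read(data)


if __name__ == "__main__":
    # Reproduce the symptom on loopback: a client that connects and then
    # closes without sending anything, which yields the zero-byte read.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def silent_client():
        socket.create_connection(("127.0.0.1", port)).close()  # FIN, no ClientHello

    threading.Thread(target=silent_client).start()
    print(serve_once(srv))
    srv.close()
```

Run it as a script to see the same sequence the log shows (reverse-lookup complaint, then a 0-byte read) produced by a peer that simply closes; feed `classify_first_read` a packet capture's first bytes to tell that case apart from a client that sent a ClientHello the server never saw, or one that is sending plaintext to a TLS port.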