Query regarding SSL_ERROR_SSL during SSL handshake

Mahendra SP
Hi All,

We are using OpenSSL version 1.0.2h. When we call SSL_do_handshake, sometimes we notice that the handshake fails with error SSL_ERROR_SSL.
As per the documentation for this error, it is a non-recoverable and fatal error. The documentation also says to check the error queue for further details. Does it mean, calling SSL_get_error after SSL_ERROR_SSL will give the exact reason for this failure?

Could you please let me know ways to identify the cause of this error?

Thanks
Mahendra



Re: Query regarding SSL_ERROR_SSL during SSL handshake

Matt Caswell-2


On 19/02/2020 05:16, Mahendra SP wrote:
> Hi All,
>
> We are using OpenSSL version 1.0.2h. When we call SSL_do_handshake,
> sometimes we notice that the handshake fails with error SSL_ERROR_SSL.
> As per the documentation for this error, it is a non-recoverable and fatal
> error. The documentation also says to check the error queue for further
> details. Does it mean, calling SSL_get_error after SSL_ERROR_SSL will
> give the exact reason for this failure?

OpenSSL has its own error stack. SSL_ERROR_SSL means that you should
look at that error stack for further details about what caused the
problem. For example you can use ERR_print_errors_fp() to print all the
error descriptions to stdout/stderr:

https://www.openssl.org/docs/man1.1.1/man3/ERR_print_errors_fp.html

You can get more fine-grained control of the error stack using the
various ERR_* functions available. See:

https://www.openssl.org/docs/man1.1.1/man3/

Matt
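
Added example, not part of the original thread and not OpenSSL project code: the reply above says the cause of an SSL_ERROR_SSL is found on OpenSSL's error stack. The sketch below uses Python's `ssl` module (a wrapper over the same library, chosen so it runs offline; the thread itself concerns the C API) to drive a client handshake over memory BIOs, feed it a non-TLS reply, and read back what the library recorded. The host name and reply bytes are constructed sample values, and `classify` and `handshake_with` are hypothetical helper names.

```python
import ssl

# Constructed sample input: a plaintext HTTP reply where a TLS record is expected.
NON_TLS_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"


def classify(exc):
    """Return (category, detail) for an exception raised by do_handshake()."""
    if isinstance(exc, (ssl.SSLWantReadError, ssl.SSLWantWriteError)):
        # Not a failure: the handshake only needs more I/O before it can go on.
        return ("retry", None)
    # Fatal library/protocol failure (the SSL_ERROR_SSL case in the C API).
    # library and reason come from the entry OpenSSL left on its error stack;
    # either may be None if this Python build has no name for the code.
    return ("fatal", {"library": exc.library,
                      "reason": exc.reason,
                      "text": str(exc)})


def handshake_with(peer_bytes):
    """Run a client handshake over memory BIOs; one classification per step."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.test" is a constructed host name; nothing is sent on a network.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    results = []
    # Step 1: no peer data yet, so the client emits its ClientHello and waits.
    # Step 2: the peer's bytes arrive and the record layer has to parse them.
    for chunk in (b"", peer_bytes):
        if chunk:
            incoming.write(chunk)
        try:
            tls.do_handshake()
            results.append(("done", None))
        except ssl.SSLError as exc:
            results.append(classify(exc))
    return results


if __name__ == "__main__":
    for step in handshake_with(NON_TLS_REPLY):
        print(step)
```

Logging the fatal entry's library, reason and text at the point of failure gives the same information that ERR_print_errors_fp() prints in a C program.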

Re: Query regarding SSL_ERROR_SSL during SSL handshake

Mahendra SP
Hi Matt,

Thank you for the inputs.
I have one more query. Is it appropriate to check for the errno in this case and take action based on the errno values?

Thanks
Mahendra

On Wed, Feb 19, 2020 at 3:09 PM Matt Caswell <[hidden email]> wrote:


> OpenSSL has its own error stack. SSL_ERROR_SSL means that you should
> look at that error stack for further details about what caused the
> problem. For example you can use ERR_print_errors_fp() to print all the
> error descriptions to stdout/stderr:
>
> https://www.openssl.org/docs/man1.1.1/man3/ERR_print_errors_fp.html
>
> You can get more fine-grained control of the error stack using the
> various ERR_* functions available. See:
>
> https://www.openssl.org/docs/man1.1.1/man3/
>
> Matt

Re: Query regarding SSL_ERROR_SSL during SSL handshake

Matt Caswell-2


On 24/02/2020 03:49, Mahendra SP wrote:
> Hi Matt,
>
> Thank you for the inputs.
> I have one more query. Is it appropriate to check for the errno in this
> case and take action based on the errno values?

No, errno should not be checked unless SSL_get_error returns
SSL_ERROR_SYSCALL.

Matt

