possible reasons for SSL_connect() failure

possible reasons for SSL_connect() failure

Pjothi
Dear all,

I am trying to connect a TLS-enabled SIP client (minisip: latest svn
extracted version) with a TLS-enabled SIP proxy - OpenSER (listening
on port 5061). It's a simple LAN scenario.

Problem:

When the (minisip) client tries to connect to the server (OpenSER), I get a
SSL_connect() failed exception. As I understand, only after
SSL_connect() the client ever checks the peer certificate. I cannot
understand what could be the possible reasons for a SSL_connect()
failure. The server machine has OpenSSL installed (openssl 0.9.7g).
Since it's failing and not refused by the server, I am confident it
tries the correct port 5061 and a TCP socket is also being
established.

Kindly let me know what could be the possible reasons for a SSL_connect
failure, and suggestions to solve it.

thanks and regards,
Pjothi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
RE: possible reasons for SSL_connect() failure

Ambarish Mitra
Use: SSL_get_error(ssl, err);

This will give you more information on SSL_connect failure.

err = SSL_connect(ssl);
if (err <= 0)
  {
    /* Map the SSL_connect() return value to an SSL_ERROR_* code. */
    int errcode = SSL_get_error(ssl, err);
    switch (errcode)
      {
        case SSL_ERROR_NONE: break;        // Cannot happen if err <=0
        case SSL_ERROR_ZERO_RETURN: fprintf(stderr,"SSL connect returned 0."); break;
        case SSL_ERROR_WANT_READ: fprintf(stderr,"SSL connect: Read Error."); break;
        case SSL_ERROR_WANT_WRITE: fprintf(stderr,"SSL connect: Write Error."); break;
        case SSL_ERROR_WANT_CONNECT: fprintf(stderr,"SSL connect: Error connect."); break;
        case SSL_ERROR_WANT_ACCEPT: fprintf(stderr,"SSL connect: Error accept."); break;
        case SSL_ERROR_WANT_X509_LOOKUP: fprintf(stderr,"SSL connect error: X509 lookup."); break;
        case SSL_ERROR_SYSCALL: fprintf(stderr,"SSL connect: Error in system call."); break;
        case SSL_ERROR_SSL: fprintf(stderr,"SSL connect: Protocol Error."); break;

        default: fprintf(stderr,"Failed SSL connect.");
      }
  }

Let the group know the result - then we can guide better.
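
An added example (not code from this thread or from the OpenSSL project) that narrows down the SSL_ERROR_SYSCALL branch of the switch above, following the SSL_get_error() manual page: with an empty error queue, a return value of 0 or an errno of 0 means the peer closed the connection during the handshake; otherwise errno names the socket failure. The diag_t type and both function names are hypothetical, and the SSL_ERROR_* values are repeated from <openssl/ssl.h> only so the block builds without the OpenSSL headers.

```c
#include <errno.h>
#include <stdio.h>

/* Numeric values of these codes in <openssl/ssl.h>, repeated here only so
   the example builds without the OpenSSL headers. */
#ifndef SSL_ERROR_SSL
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6
#endif

/* Hypothetical result type for this example. */
typedef enum { DIAG_OK, DIAG_RETRY, DIAG_CLOSE_NOTIFY, DIAG_TLS_ERROR,
               DIAG_PEER_EOF, DIAG_SOCKET_ERROR } diag_t;

/* Inputs, captured by the caller in this order:
 *   ret       = SSL_connect(ssl);
 *   sys_errno = errno;                  (save it before any other call)
 *   ssl_err   = SSL_get_error(ssl, ret);
 *   queue_err = ERR_get_error();        (0 means the error queue is empty)
 */
diag_t diagnose_connect(int ret, int sys_errno, int ssl_err,
                        unsigned long queue_err)
{
    if (ret > 0)
        return DIAG_OK;
    switch (ssl_err) {
    case SSL_ERROR_ZERO_RETURN:
        return DIAG_CLOSE_NOTIFY;
    case SSL_ERROR_SSL:
        return DIAG_TLS_ERROR;
    case SSL_ERROR_SYSCALL:
        if (queue_err != 0)
            return DIAG_TLS_ERROR;      /* the queue holds the real reason */
        if (ret == 0 || sys_errno == 0)
            return DIAG_PEER_EOF;       /* EOF that violates the protocol */
        return DIAG_SOCKET_ERROR;       /* errno describes the I/O failure */
    default:
        return DIAG_RETRY;              /* the SSL_ERROR_WANT_* family */
    }
}

const char *diag_text(diag_t d)
{
    switch (d) {
    case DIAG_OK:           return "handshake completed";
    case DIAG_RETRY:        return "I/O pending: call SSL_connect() again when the socket is ready";
    case DIAG_CLOSE_NOTIFY: return "peer closed the TLS session cleanly";
    case DIAG_TLS_ERROR:    return "TLS-level failure: dump the queue with ERR_print_errors_fp(stderr)";
    case DIAG_PEER_EOF:     return "peer dropped the TCP connection mid-handshake: check that the port speaks TLS and that the server loaded its certificate and key";
    case DIAG_SOCKET_ERROR: return "socket error: see strerror(errno)";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed inputs: SSL_ERROR_SYSCALL, empty queue, ret == 0. */
    printf("%s\n", diag_text(diagnose_connect(0, 0, SSL_ERROR_SYSCALL, 0UL)));
    return 0;
}
```

OpenSSL 3.0 and later report the unexpected EOF as SSL_ERROR_SSL, so on those versions the DIAG_TLS_ERROR branch and the error queue carry that case.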


Re: possible reasons for SSL_connect() failure

Pjothi
Dear Ambarish Mitra and others,

There is the following error in system call:

ipMessageTransport: sendMessage: creating new socket
Creating new SSL_CTX
SSL connect: Error in system call.
Could not get server certificate
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!
SipMessageTransport: sendMessage: exception thrown!

--------------------------------------------------------------------------------------------------------

Regarding the certificates: using the scripts given in OpenSER, I
created a CA, and with the same CA I created the following for server
and client:

Server:

server-cert
server-privkey
server-calist

Client:

client-cert
client-privkey
client-calist

and loaded the server certs in the server config file and the client
certs in the client config file.

What am I missing here? Why is it not able to get the server certificate?

Kindly guide me,

thanks and regards,
Pjothi

Re: possible reasons for SSL_connect() failure

Kyle Hamilton
Did you add the CA certificate to both the client and server as a
trusted certificate for peer authentication?

Can you connect to the server on that port using openssl s_client?
Can you run an openssl s_server on the server's port to make sure that
the client is actually connecting?

-Kyle H

Re: possible reasons for SSL_connect() failure

Pjothi
I just added the

Server certificate
Server Private key
and CA-list

I didn't add the CA certificate on the server side; I didn't see any
such option in the configuration file of OpenSER. Should I do that
too? Can anyone please post the configuration file of OpenSER with TLS?

thanks and regards,
Pjothi
