ssl_accept failure


ssl_accept failure

Skip Carter
I have a server-side application that fails when some clients connect:

waiting for SSL accept()...
SSL_accept() (0) failure -1
SSL_accept() (1) failure 5
[DEBUG]     Error string : error:00000005:lib(0):func(0):DH lib
SSL_accept() sockerrno is: 0

I think that something earlier failed silently and what I am looking at
is a consequence.

I need help with that error message.
In general those "Error string : error:000000..." are pretty cryptic.
I know from messing around that:
      Error string : error:00000001:lib(0):func(0):reason(1)
means that there was no cipher overlap between the client and server.

For some clients, SSL_accept() succeeds and the rest of the application
runs properly.  I have not been able to sort out what the difference
is.

--
Skip Carter
Taygeta Scientific Inc.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: ssl_accept failure

OpenSSL - User mailing list
On 25/10/2018 00:34, Skip Carter wrote:

> I have a server-side application that fails when some clients connect:
>
> waiting for SSL accept()...
> SSL_accept() (0) failure -1
> SSL_accept() (1) failure 5
> [DEBUG]     Error string : error:00000005:lib(0):func(0):DH lib
> SSL_accept() sockerrno is: 0
>
> I think that something earlier failed silently and what I am looking at
> is a consequence.
>
> I need help with that error message.
> In general those "Error string : error:000000..." are pretty cryptic.
> I know from messing around that:
>        Error string : error:00000001:lib(0):func(0):reason(1)
> means that there was no cipher overlap between the client and server.
>
> For some clients, SSL_accept() succeeds and the rest of the application
> runs properly.  I have not been able to sort out what the difference
> is.
>
First, note the OpenSSL FAQ about how to turn on readable error messages.

Lack of cipher overlap is a pretty common failure and usually involves
conflicting cipher list configurations at server and client, thus some
clients may not be configured to allow any of the cipher suite values
(the ones that have names in the "openssl ciphers" command).

So if this is the error, the easiest test is to capture the failing
connections with Wireshark.  Wireshark's builtin SSL/TLS decoder will
directly tell you which cipher suites the failing clients allow (it's
in plaintext in the Server Hello message, so no need to provide
Wireshark with the private key).  Then check if you really have all
those disabled and decide which one (if any) you are willing to enable
to serve those clients.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: ssl_accept failure

Skip Carter
On Thu, 2018-10-25 at 19:58 +0200, Jakob Bohm via openssl-users wrote:

> First, note the OpenSSL FAQ about how to turn on readable error
> messages.

I am already using the ERR_error_string(), but the result is still
opaque to me.

Error string : error:00000005:lib(0):func(0):DH lib

The FAQ says the format is:
[pid]:error:[error code]:[library name]:[function name]:[reason
string]:[file name]:[line]:[optional text message]

Which I interpret to mean:
    error: 5
    library: 0
    function: 0
    reason: DH lib

which I don't find to be helpful at all.

--
Skip Carter
Taygeta Scientific Inc.

Re: ssl_accept failure

Matt Caswell-2
On 24/10/2018 23:34, Skip Carter wrote:
> I have a server-side application that fails when some clients connect:
>
> waiting for SSL accept()...
> SSL_accept() (0) failure -1
> SSL_accept() (1) failure 5

How did you obtain the error number 5? Is this the return value from
SSL_get_error()? If so, that means SSL_ERROR_SYSCALL, which has this
description in the docs:

    Some non-recoverable I/O error occurred.
    The OpenSSL error queue may contain more information on the error.
    For socket I/O on Unix systems, consult B<errno> for details.

    This value can also be returned for other errors, check the error
    queue for details.

> [DEBUG]     Error string : error:00000005:lib(0):func(0):DH lib
> SSL_accept() sockerrno is: 0

How did you generate this error string? It looks like you might have
taken the return value (5) from SSL_get_error() and stuffed it into
ERR_error_string() or a similar function. That would give you output
like this - but is the incorrect way of doing things.

Matt


>
> I think that something earlier failed silently and what I am looking at
> is a consequence.
>
> I need help with that error message.  
> In general those "Error string : error:000000..." are pretty cryptic.
> I know from messing around that:
>       Error string : error:00000001:lib(0):func(0):reason(1)
> means that there was no cipher overlap between the client and server.
>
> For some clients, SSL_accept() succeeds and the rest of the application
> runs properly.  I have not been able to sort out what the difference
> is.
>
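Matt's point can be made concrete without linking OpenSSL. The block below is an added example, not code from the thread or from OpenSSL: it re-implements the unpacking that ERR_error_string() performs (assuming the pre-3.0 packed layout of lib/func/reason bits that the 2018-era library used) and places it next to the SSL_get_error() return-code names, so the two values seen in the thread, 1 and 5, can be read both ways. The "DH lib" text is simply the ERR_R_DH_LIB reason string that a bare 5 maps to; it says nothing about Diffie-Hellman in the failing handshake.

```c
#include <stdio.h>
#include <string.h>

/* Pre-3.0 OpenSSL packed error code (ERR_PACK in <openssl/err.h>):
 * bits 31..24 library, 23..12 function, 11..0 reason. Assumption: this is
 * the layout ERR_error_string() used for the output quoted in the thread. */
#define ERR_GET_LIB_(e)    ((int)(((e) >> 24) & 0xFF))
#define ERR_GET_FUNC_(e)   ((int)(((e) >> 12) & 0xFFF))
#define ERR_GET_REASON_(e) ((int)((e) & 0xFFF))

/* Global (library 0) reason strings ERR_R_*_LIB, whose numeric values are the
 * library codes themselves; indices without a registered string are NULL. */
static const char *const lib_reason_names[] = {
    NULL, NULL, "system lib", "BN lib", "RSA lib", "DH lib", "EVP lib",
    "BUF lib", "OBJ lib", "PEM lib", "DSA lib", "X509 lib"
};
#define N_LIB_REASONS (sizeof lib_reason_names / sizeof *lib_reason_names)

/* Names of the SSL_get_error() return values, indexed by value. */
static const char *const ssl_error_names[] = {
    "SSL_ERROR_NONE", "SSL_ERROR_SSL", "SSL_ERROR_WANT_READ",
    "SSL_ERROR_WANT_WRITE", "SSL_ERROR_WANT_X509_LOOKUP", "SSL_ERROR_SYSCALL",
    "SSL_ERROR_ZERO_RETURN", "SSL_ERROR_WANT_CONNECT", "SSL_ERROR_WANT_ACCEPT"
};
#define N_SSL_ERRORS (sizeof ssl_error_names / sizeof *ssl_error_names)

/* Render a packed code the way ERR_error_string() does for unknown lib/func. */
void fake_err_error_string(unsigned long e, char *buf, size_t len) {
    int lib = ERR_GET_LIB_(e), func = ERR_GET_FUNC_(e), rsn = ERR_GET_REASON_(e);
    const char *rs = (lib == 0 && rsn > 0 && rsn < (int)N_LIB_REASONS)
                         ? lib_reason_names[rsn] : NULL;
    if (rs)
        snprintf(buf, len, "error:%08lX:lib(%d):func(%d):%s", e, lib, func, rs);
    else
        snprintf(buf, len, "error:%08lX:lib(%d):func(%d):reason(%d)", e, lib, func, rsn);
}

/* The same small integer, read as what SSL_get_error() actually returned. */
const char *ssl_get_error_name(int code) {
    return (code >= 0 && code < (int)N_SSL_ERRORS) ? ssl_error_names[code] : "unknown";
}

int main(void) {
    char buf[128];
    int seen[] = {1, 5};  /* the two values reported in the thread */
    for (size_t i = 0; i < sizeof seen / sizeof *seen; i++) {
        fake_err_error_string((unsigned long)seen[i], buf, sizeof buf);
        printf("%d passed to ERR_error_string -> %s\n", seen[i], buf);
        printf("%d returned by SSL_get_error  -> %s\n", seen[i], ssl_get_error_name(seen[i]));
    }
    return 0;
}
```

Once SSL_get_error() reports SSL_ERROR_SSL, the packed codes to decode come from ERR_get_error() (drained in a loop until it returns 0); for SSL_ERROR_SYSCALL the place to look is errno and, if both are empty, an unexpected EOF from the peer.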

Re: ssl_accept failure

Skip Carter
On Fri, 2018-10-26 at 10:07 +0100, Matt Caswell wrote:

> How did you generate this error string? It looks like you might have
> taken the return value (5) from SSL_get_error() and stuffed it into
> ERR_error_string() or a similar function. That would give you output
> like this - but is the incorrect way of doing things.
>

Yeah, that's what I did.  After looking at the docs more carefully, I
think I am now handling the error properly.  But I am still stuck:

   ret = ERR_get_error();

is returning 0, so there is no error queue to interpret, and errno is
0.


--
Skip Carter
Taygeta Scientific Inc.