[openssl-users] API SSL_Connect fails and always returns SSL_ERROR_WANT_READ causes infinite loop in application

mahesh gs mahesh116 at gmail.com
Fri Nov 17 06:42:13 UTC 2017


Hi Matt,

Thanks for the response,

I added a log as suggested by you. I don't see the call entering the
above-mentioned code block.

Logs on server side:

[10/15/0117 10:34:43]         803F1700 Link-2 (SSL_accept) Failed to accept
new connection,  Socket Id 65, Return Value 1
[10/15/0117 10:34:43]         803F1700 Link-2 SSL File :
ssl/statem/statem_srvr.c , Line number : 2882 , Linux Error Code 0

Logs on client side:

[10/15/0117 10:34:43]         7DDE1700 Link-1 SSL_connect() fails to
connect need to retry, returned error code 2 , retry ? true
[10/15/0117 10:34:43]         7DDE1700 Link-1 SSL_connect() fails to
connect need to retry, returned error code 2 , retry ? true
[10/15/0117 10:34:43]         7DDE1700 Link-1 SSL_connect() fails to
connect need to retry, returned error code 2 , retry ? true
[10/15/0117 10:34:43]         7DDE1700 Link-1 SSL_connect() fails to
connect need to retry, returned error code 2 , retry ? true
[10/15/0117 10:34:43]         7DDE1700 Link-1 SSL_connect() fails to
connect need to retry, returned error code 2 , retry ? true
[10/15/0117 10:34:43]         7DDE1700 Link-1 SSL_connect() fails to
connect need to retry, returned error code 2 , retry ? true


We observe from the Wireshark capture that the client sends out the certificate
with length = 0 (because we have not configured the public key on the client
side) and also that the server sends a handshake failure "Alert" to the client.
Why does the client respond with "Client key exchange" even if the handshake
failure alert is sent from the server?

The OpenSSL version used is 01.01.00g. I am also attaching the latest pcap file
for your reference.


On Tue, Nov 14, 2017 at 4:35 PM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 14/11/17 10:44, mahesh gs wrote:
>
> > case SSL_ERROR_SYSCALL:
> >
> > if (EWOULDBLOCK == errno || EAGAIN == errno)
> > {
> >   /* Nothing to do, retry to connect again */
> > }
>
> This doesn't look right. If SSL_connect() fails due to an NBIO event
> then you should get SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE back. If
> you get SSL_ERROR_SYSCALL then something bad happened and you should not
> retry. Could you add some logging here? I'm wondering whether you are
> ending up here but missing it and looping around again.
>
> Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4.pcap
Type: application/octet-stream
Size: 13929 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171117/ed50322f/attachment-0001.obj>
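
An added example, not part of the original thread and not OpenSSL's own code: a C sketch of the retry policy Matt describes for a non-blocking handshake, where only WANT_READ/WANT_WRITE are retried, each retry waits on the socket with poll(), and the loop is bounded so a stalled peer cannot spin it forever. The names `drive_handshake`, `step_fn` and the `peer_*` functions are hypothetical; the error values mirror `<openssl/ssl.h>` (the client log's "error code 2" is SSL_ERROR_WANT_READ).

```c
#include <errno.h>
#include <poll.h>
#include <unistd.h>   /* pipe(), for exercising the loop without a network */

/* Numeric values as defined in <openssl/ssl.h>, repeated here (with local
 * names) so the example builds without OpenSSL installed. */
enum { E_NONE = 0, E_SSL = 1, E_WANT_READ = 2, E_WANT_WRITE = 3, E_SYSCALL = 5 };

enum hs_result { HS_OK = 0, HS_FATAL = -1, HS_STALLED = -2 };

/* Hypothetical hook: one handshake attempt returning an SSL_get_error()-style
 * code. With OpenSSL it would wrap:
 *   r = SSL_connect(ssl); return r == 1 ? 0 : SSL_get_error(ssl, r);     */
typedef int (*step_fn)(void *ctx);

/* Drive a non-blocking handshake on fd. Each wait is capped at wait_ms and the
 * number of retries at max_retries, so the loop always terminates. */
enum hs_result drive_handshake(int fd, step_fn step, void *ctx,
                               int wait_ms, int max_retries)
{
    for (int i = 0; i <= max_retries; i++) {
        struct pollfd p = { .fd = fd, .events = 0 };
        int err = step(ctx);

        if (err == E_NONE)
            return HS_OK;
        if (err == E_WANT_READ)
            p.events = POLLIN;
        else if (err == E_WANT_WRITE)
            p.events = POLLOUT;
        else
            return HS_FATAL;      /* SSL_ERROR_SYSCALL, SSL_ERROR_SSL, ...: no retry */

        int n = poll(&p, 1, wait_ms);   /* sleep until the socket is ready */
        if (n == 0)
            return HS_STALLED;    /* peer silent for wait_ms */
        if (n < 0 && errno != EINTR)
            return HS_FATAL;
    }
    return HS_STALLED;            /* woken repeatedly without finishing */
}

/* Constructed peers for the demonstration; ctx is an int call counter. */
int peer_stuck_want_read(void *ctx) { ++*(int *)ctx; return E_WANT_READ; }
int peer_syscall_error(void *ctx)   { ++*(int *)ctx; return E_SYSCALL; }
int peer_two_writes_then_done(void *ctx)
{
    return ++*(int *)ctx < 3 ? E_WANT_WRITE : E_NONE;
}
```

A peer that keeps answering WANT_READ, as in the client log above, ends in `HS_STALLED` after one timed-out wait or after `max_retries` wake-ups, instead of re-entering the handshake call in a tight loop.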