SSL handshake hanging
Helde, Paavo
Paavo.Helde at PERKINELMER.COM
Tue Apr 18 09:31:54 UTC 2023
We are using openssl for client-side HTTP connections. Sometimes they get randomly hanging during SSL handshake. It looks like there are some network or server-side problems, earlier the same server was responding with an error like:
SSL_write() failed with error code: SSL_ERROR_SYSCALL
According to google this means: The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected EOF from the peer.
Later another request is made to the same server, which hangs indefinitely. Stack backtrace in gdb:
#0 0x00007ff999c54ab4 in read ()
#1 0x00007ff97c9f91b6 in sock_read ()
#2 0x00007ff97c9f7b70 in bread_conv ()
#3 0x00007ff97c9f67d1 in bio_read_intern ()
#4 0x00007ff97c9f68be in BIO_read ()
#5 0x00007ff97c983ff9 in ssl3_read_n ()
#6 0x00007ff97c9887fb in ssl3_get_record ()
#7 0x00007ff97c986aa1 in ssl3_read_bytes ()
#8 0x00007ff97c9c62c6 in tls_get_message_header ()
#9 0x00007ff97c9b7135 in read_state_machine ()
#10 0x00007ff97c9b6dec in state_machine ()
#11 0x00007ff97c9b68f2 in ossl_statem_connect ()
#12 0x00007ff97c9a14eb in SSL_do_handshake ()
#13 0x00007ff97c99d54c in SSL_connect ()
My question is, what I can do on the client side to debug the problem, or at least to avoid such hanging? I guess I can set socket read timeout beforehand, and reset it after handshake, or is there a better way? This is openssl 1.1, would it make sense to switch over to openssl 3.0? Or maybe I have missed some client-side configuration? Currently I'm using just these calls to add SSL capability to an open TCP socket (error handling left out from here for brevity):
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
const SSL_METHOD *method = TLS_client_method();
auto context_ = SSL_CTX_new(method);
SSL_CTX_set_default_verify_paths(context_);
SSL_CTX_set_verify(context_, SSL_VERIFY_PEER, MySSLVerifyCallback);
auto ssl_ = SSL_new(context_);
SSL_set_tlsext_host_name(ssl_, host.c_str());
SSL_set_fd(ssl_, socketHandle);
SSL_connect(ssl_);
Any advice?
TIA
Paavo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230418/2288cc4d/attachment.htm>
More information about the openssl-users
mailing list