SSL_connect error with openSSL 1.1.1
Matt Caswell
matt at openssl.org
Fri Apr 28 14:38:40 UTC 2023
On 28/04/2023 15:25, Samiya Khanum via openssl-users wrote:
> //err2 = SSL_get_error(con, err);
> printf("\r\nSSL_connect err = %s", ERR_error_string(err2, 0));

You are handling errors incorrectly.

SSL_get_error() returns a number of error codes as described on the man
page:

https://www.openssl.org/docs/man3.1/man3/SSL_get_error.html

This error code is not something you can pass directly to
ERR_error_string() - hence the error strings you are getting out are
nonsensical.

However I can see that they correspond to codes 1 and 5 which are
SSL_ERROR_SSL and SSL_ERROR_SYSCALL respectively.

For SSL_ERROR_SSL you need to inspect the OpenSSL error stack to get
human readable diagnostic information. For example:

    ERR_print_errors_fp(stdout);

SSL_ERROR_SYSCALL means that OpenSSL got an error code back when trying
to read/write to the underlying socket. Inspect errno for further
information.

Your code does not set any SNI hostname information via
`SSL_set_tlsext_host_name` which some servers can be sensitive to and
could plausibly cause problems:

https://www.openssl.org/docs/man3.1/man3/SSL_set_tlsext_host_name.html

Matt