SSL_accept errors
Doug Hardie
bc979 at lafn.org
Tue Apr 9 15:43:39 UTC 2024
I have a server that is "working", but there are several issues with connections. The server requires client certificates. If I use openssl s_client and give it the proper certificate, I see one connection that makes the request and returns the response. There are no errors indicated by the server and the response time is almost instantaneous. All the involved systems are on the same LAN.
However, if I use one of the various clients to make the same request, the results are quite different. There are a number of connections made that fail and then finally they make the proper connection and everything works. The time it takes to get through all of that is quite long - around 5 seconds. The server is recording the following errors from SSL_accept:
Connection 1 - session id context uninitialized
Connection 2 - session id context uninitialized
Connection 3 - sslv3 alert certificate unknown
Connection 4 - sslv3 alert certificate unknown
and then Connection 5 sees the proper client certificate, authenticates and produces output.
How can I figure out what is causing these multiple connections and the resulting errors? I have tcpdump and ssldump output but nothing there gives me any ideas. I can provide either of those if needed, but they are large. Unfortunately I have not figured out how to get ssldump to decode the application data. As best as I can tell, the negotiated cipher cannot be handled by ssldump.
I don't have access to any of the client's source code. The session id in the error messages indicates that perhaps there is something I need to do with establishing sessions, but I haven't found any examples of what that would entail. The clients each have the same 2 client certificates. They ask which one to use, but perhaps they are trying both? However, it doesn't appear that there are any certificates being passed in either direction for the first 4 sessions. I see them in the 5th session.
-- Doug