[openssl-users] Intermittent SSL_shutdown error

Sahib Jakhar sahib.jakhar at gmail.com
Wed Feb 17 20:07:34 UTC 2016


I am trying to create an SSL connection (call it connection 2) inside
another SSL connection (call it connection 1). Connection 2 is used to
connect to a machine which is hidden behind the machine to which I
connect using connection 1. Once Connection 2 is established (i.e. SSL
handshake finishes) I close connection 1.

The problem I am facing is that SSL_shutdown is returning an error (return
code < 0). Most of the time it works, and I am successfully able to
communicate over connection 2 after connection 1 has been closed. But
suddenly, once in a while, out of the blue it returns an error. Subsequent
SSL_read calls on connection 2 fail with an error.

**SSL_get_error returns: 2**

**ERR_error_string returns: error:00000002:lib(0):func(0):system lib**

Note that connection 1 is with a Java server and connection 2 is with an
OpenSSL-based server. Can somebody please help me identify what could
be going wrong here?

Here is some code for your reference to help you understand what I am doing:

    SSL *ssl; // connection 1
    SSL *ssl2; //connection 2

    // ssl is already established at this point
    // i.e. connection 1 already exists.

    BIO *rbio = BIO_new (BIO_s_mem());
    BIO *wbio = BIO_new (BIO_s_mem());

    SSL_set_bio (ssl, rbio, wbio);
    SSL_set_connect_state (ssl);

    while (!SSL_is_init_finished(ssl)) {
        ret = SSL_do_handshake (ssl);
        if (ret == 1) {
            /* Handshake was successful */
        }

        ssl_error = SSL_get_error (ssl, ret);

        if (ssl_error != SSL_ERROR_WANT_READ
        && ssl_error != SSL_ERROR_WANT_WRITE) {
            // report failed
        }

        size = BIO_ctrl_pending (wbio);
        if (size > 0) {
            size = BIO_read (wbio, buff, size);
            if (size <= 0) {
                // report failed this shouldn't happen
            }

            // Write using SSL_WRITE to connection 1
        }

        /* Read only if SSL_do_handshake expects */
        if (ssl_error == SSL_ERROR_WANT_READ) {
            // read into buff from SSL_READ from connection 1
            // continue if nothing available

            BIO_write (rbio, buff, size);
            free (buff);
        }
    }

    // Write to SSL connection 1 handshake is successful
    // to let Javaserver know that it should close ssl part of connection 1

    SSL_set_quiet_shutdown (ssl, 0);
    ret = SSL_shutdown (ssl);
    if (ret == 0)
        ret = SSL_shutdown (ssl);
    if (ret < 0) {
        /* FAILS HERE: This is where it fails sometimes
        (may be once or twice out of 10)*/
    }

    // Some clean up

    /* We are done with cleanup of old SSL connection,
     * and establishing new SSL connection to the new
     * one. Now let's start communicating using connection 2.
     * But before that we need to do a few things. */

    sock_bio = BIO_new_socket (INTERNAL (agentbi)->sock_fd, BIO_NOCLOSE);
    SSL_set_bio (ssl2, sock_bio, sock_bio);

    // From this point onwards we use connection 2 to communicate as
    // connection 1 has been reduced to tcp only.

On the Java side I can see close_notify being sent and received:
I call close on SSLSocket once the client reports that its SSL handshake for
connection 2 is complete.
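Added example, not part of the original post or of OpenSSL: the `SSL_get_error` value 2 quoted above is `SSL_ERROR_WANT_READ` in `<openssl/ssl.h>`, which on a non-blocking transport asks the caller to retry `SSL_shutdown` once the socket is readable. The sketch below drives such a retry loop; the `tls_ops` indirection, the scripted peer and the non-blocking socket are assumptions made so the loop runs without linking OpenSSL.

```c
#include <stdio.h>

/* SSL_get_error() values from <openssl/ssl.h>; 2 is the code quoted in the post. */
enum { TLS_WANT_READ = 2, TLS_WANT_WRITE = 3, TLS_ERR_SYSCALL = 5 };
enum { CLOSE_DONE = 0, CLOSE_FATAL = -1, CLOSE_GAVE_UP = -2 };

/* Hypothetical indirection so the loop runs without linking OpenSSL. In real
 * code: shutdown = SSL_shutdown, get_error = SSL_get_error, wait_io = poll(). */
struct tls_ops {
    int (*shutdown)(void *conn);
    int (*get_error)(void *conn, int ret);
    int (*wait_io)(void *conn, int for_write);   /* 0 = ready, nonzero = timeout */
};

/* Repeat the shutdown call until the peer's close_notify is seen or a real error occurs. */
int tls_shutdown_both(const struct tls_ops *ops, void *conn, int max_calls, int *err)
{
    *err = 0;
    for (int i = 0; i < max_calls; i++) {
        int ret = ops->shutdown(conn);
        if (ret == 1) return CLOSE_DONE;   /* both close_notify alerts exchanged */
        if (ret == 0) continue;            /* ours is sent; call again for the peer's */
        *err = ops->get_error(conn, ret);
        if (*err != TLS_WANT_READ && *err != TLS_WANT_WRITE) return CLOSE_FATAL;
        if (ops->wait_io(conn, *err == TLS_WANT_WRITE) != 0) return CLOSE_GAVE_UP;
    }
    return CLOSE_GAVE_UP;
}

/* Constructed peer: replays scripted SSL_shutdown return values. */
struct fake { const int *rets; int err, pos, waits; };
static int f_shutdown(void *c) { struct fake *f = c; return f->rets[f->pos++]; }
static int f_error(void *c, int ret) { (void)ret; return ((struct fake *)c)->err; }
static int f_wait(void *c, int w) { (void)w; ((struct fake *)c)->waits++; return 0; }

static const int SLOW_PEER[] = { 0, -1, -1, 1 };  /* peer's close_notify arrives late */
static const int DEAD_PEER[] = { 0, -1 };         /* second call hits a real error */
static struct fake last;   /* state of the most recent run, for inspection */
int run_script(const int *rets, int err, int max_calls)
{
    static const struct tls_ops ops = { f_shutdown, f_error, f_wait };
    int e;
    last = (struct fake){ rets, err, 0, 0 };
    return tls_shutdown_both(&ops, &last, max_calls, &e);
}

int main(void) {
    printf("8 calls: %d\n", run_script(SLOW_PEER, TLS_WANT_READ, 8));
    return 0;
}
```

With only two calls allowed, as in the posted snippet, the same slow peer ends in `CLOSE_GAVE_UP` rather than `CLOSE_DONE`.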
