[openssl-users] SSL_GET_SERVER_CERT_INDEX:internal error

Viktor Dukhovni openssl-users at dukhovni.org
Fri Dec 21 00:02:13 UTC 2018

> On Dec 20, 2018, at 6:43 PM, Jeremy Harris <jgh at wizmail.org> wrote:
> Thanks for the hint. You are correct, and a clear before that set
> of crypto operations gets me a far more reasonable message.

Makes sense.

> The error seems to be left around after SSL_accept(), and yet
> it does not appear in my SNI callback.  Worse, my verify callback
> (which I was expected to appear) does not seem to be being called.
> Yet the SSL_accept() succeeded.
> Any ideas on that?

You provide much too little detail.  This particular "error"
happens when a TLS 1.2 ciphersuite does not correspond to any
any public key type for which OpenSSL might have a certificate.

Perhaps another ciphersuite is then selected, as OpenSSL is trying
to find one that works?  Not all "errors" are actual problems, some
are resolved by taking an alternative code path.

Before beginning a new high-level operation in the SSL library it
is good to (at least periodically) clear the error stack.  Like
"errno" it is not cleared on function entry, and persists until
simply cleared or iteratively consumed for reporting.


More information about the openssl-users mailing list