[openssl-users] ssl_accept failure

Jakob Bohm jb-openssl at wisemo.com
Thu Oct 25 17:58:39 UTC 2018

On 25/10/2018 00:34, Skip Carter wrote:
> I have a server-side application that fails when some clients connect:
> waiting for SSL accept()...
> SSL_accept() (0) failure -1
> SSL_accept() (1) failure 5
> [DEBUG]     Error string : error:00000005:lib(0):func(0):DH lib
> SSL_accept() sockerrno is: 0
> I think that something earlier failed silently and what I am looking at
> is a consequence.
> I need help with that error message.
> In general those "Error string : error:000000..." are pretty cryptic.
> I know from messing around that:
>        Error string : error:00000001:lib(0):func(0):reason(1)
> means that there was no cipher overlap between the client and server.
> For some clients, SSL_accept() succeeds and the rest of the application
> runs properly.  I have not been able to sort out what the difference
> is.
First, note the OpenSSL FAQ about how to turn on readable error messages.

Lack of cipher overlap is a pretty common failure and usually involves
conflicting cipher list configurations at server and client, thus some
clients may not be configured to allow any of the cipher suite values
(the ones that have names in the "openssl ciphers" command).

So if this is the error, the easiest test is to capture the failing
connections with Wireshark.  Wireshark's builtin SSL/TLS decoder will
directly tell you which cipher suites the failing clients allow (it's
in plaintext in the Server Hello message, so no need to provide
Wireshark with the private key).  Then check if you really have all
those disabled and decide which one (if any) you are willing to enable
to serve those clients.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list