Handling BIO errors

João Santos jps at xce.pt
Tue Nov 17 02:33:30 UTC 2020

I'm writing a daemon that talks to a server using HTTP/2 over TLS 1.2+ and leveraging OpenSSL 1.1.1h to provide the TLS support.

At the moment I think that I have the whole TLS part figured, and I could probably have the project running by now if I used SSL_set_fd to assign a connected socket to the underlying BIO of an SSL object, but I want to simplify the code as much as possible by using the highest level interfaces at my disposal, which in the case of OpenSSL means using BIO objects.

Unfortunately I'm having a problem which is that I can't figure out how to convert error codes returned by ERR_get_error and split by ERR_GET_LIB, ERR_GET_FUNC, and ERR_GET_REASON into constants that I can use in a switch statement to react to BIO errors.  This is not a problem for SSL filter BIOs since those have their own error reporting functions, but is a problem for Internet socket source BIOs since BIO_do_connect in particular can fail due to a system call error, a DNS error,, or even an error generated by lower level OpenSSL functions and other BIOs in the chain, and I cannot find any manual pages documenting these error constants, if they even exist.

Here's a small working example that illustrates the problem that I'm having:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/err.h>

int main(void) {
    BIO *bio = BIO_new_connect("wwx.google.com:80");
    printf("Connected: %ld\n", BIO_do_connect(bio));
    return 0;

Running this code, which has a misspelled hostname on purpose so that it can fail, results in the following printed out to the console:

Connected: -1
4667342272:error:2008F002:BIO routines:BIO_lookup_ex:system lib:crypto/bio/b_addr.c:726:nodename nor servname provided, or not known

What could I do in that code to use a switch statement on the kind of information printed by ERR_print_errors_fp?  I know that, in this example, the error is from getaddrinfo, since I recognize the error message, but assuming that I want to handle that specific error, what can I match the library, function, and reason error codes against?

Thanks in advance!

More information about the openssl-users mailing list