SSL_connect error with openSSL 1.1.1

Matt Caswell matt at openssl.org
Fri Apr 28 14:38:40 UTC 2023



On 28/04/2023 15:25, Samiya Khanum via openssl-users wrote:
> //err2 = SSL_get_error(con, err);
>       printf("\r\nSSL_connect err = %s", ERR_error_string(err2, 0));

You are handling errors incorrectly.

SSL_get_error() returns a number of error codes as described on the man 
page:

https://www.openssl.org/docs/man3.1/man3/SSL_get_error.html

This error code is not something you can pass directly to 
ERR_error_string() - hence the error strings you are getting out are 
nonsensical.

However I can see that they correspond to codes 1 and 5 which are 
SSL_ERROR_SSL and SSL_ERROR_SYSCALL respectively.

For SSL_ERROR_SSL you need to inspect the OpenSSL error stack to get 
human readable diagnostic information. For example:

ERR_print_errors_fp(stdout);

SSL_ERROR_SYSCALL means that OpenSSL got an error code back when trying 
to read/write to the underlying socket. Inspect errno for further 
information.

Your code does not set any SNI hostname information via 
`SSL_set_tlsext_host_name` which some servers can be sensitive to and 
could plausibly cause problems:

https://www.openssl.org/docs/man3.1/man3/SSL_set_tlsext_host_name.html

Matt


