<div dir="ltr"><div>Hello Matt,</div><div><br></div><div>I call WSAGetLastError() on Windows and it returns 183 (ERROR_ALREADY_EXISTS: "Cannot create a file when that file already exists"). SSL_get_error() gives us SSL_ERROR_SYSCALL.</div><div><b>Server</b> code is roughly like below:</div>
<pre>
SSL_CTX *m_pCtx;
SSL *m_pSsl;
m_pCtx = SSL_CTX_new(TLS_server_method());
if ((dwRet = LoadCertificates()) != rSUCCESS)
    throw dwRet;
if ((m_pSsl = SSL_new(m_pCtx)) != NULL)
{
    if ((iRet = SSL_set_fd(m_pSsl, (*this)())) == 0) /* attach the socket descriptor */
    {
        sslError = SSL_get_error(m_pSsl, iRet);
        LOGERROR(szLine);
        throw eSSL_ERROR;
    }
    SSL_set_info_callback(m_pSsl, apps_ssl_info_callback);
    ERR_clear_error();
    if ((sslError = SSL_accept(m_pSsl)) < 1)
    {
        sslError = SSL_get_error(m_pSsl, sslError);
        dwRet = handleError(sslError, "SSL_accept failed with error ", iRet);
        throw dwRet; // eSSL_ERROR;
    }
}
</pre>
<div><b>Client</b></div>
<pre>
SSL_CTX *m_pCtx;
SSL *m_pSsl;
m_pCtx = SSL_CTX_new(TLS_client_method());
if ((dwRet = LoadCertificates(TRUE)) != rSUCCESS) // Trust certificates only
    throw dwRet;
/* Set for server verification */
SSL_CTX_set_verify(m_pCtx, SSL_VERIFY_PEER, NULL); // Work in progress
m_pSsl = SSL_new(m_pCtx);
if ((iRet = SSL_set_fd(m_pSsl, (*this)())) == 0) /* attach the socket descriptor */
{
    ssl_error = SSL_get_error(m_pSsl, iRet);
    LOGERROR(szLine);
    throw eSSL_ERROR;
}
SSL_set_info_callback(m_pSsl, apps_ssl_info_callback);
ERR_clear_error();
if ((iRet = SSL_connect(m_pSsl)) <= 0) /* perform the connection */
{
    ssl_error = SSL_get_error(m_pSsl, iRet);
    dwRet = handleError(iRet, "SSL_connect failed with error ", ssl_error);
    throw eSSL_ERROR;
}
ShowCerts();
</pre>
<div>As mentioned before, this code works fine when called by another application, so the certificates are all valid. I also tried this on different machines but it did not work: I get the same error.</div><div>Thanks</div><div>Kamala</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 4, 2022 at 12:20 PM Matt Caswell <<a href="mailto:matt@openssl.org">matt@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Does errno give you anything?<br>
<br>
How did you create your BIOs for m_pSsl?<br>
<br>
Matt<br>
<br>
On 04/02/2022 16:25, Kamala Ayyar wrote:<br>
> Hello Matt,<br>
> <br>
> The SSL_get_error() returns 5 (SSL_ERROR_SYSCALL). It does not print <br>
> anything for this error, just an empty string.<br>
> I use the following to print the error but nothing is printed:<br>
> if ((retVal = SSL_accept(m_pSsl)) < 1)<br>
> {<br>
> sslError = SSL_get_error(m_pSsl, retVal);<br>
> LOGERROR(getOpenSSLError());<br>
> throw dwRet;// eSSL_ERROR;<br>
> }<br>
> string getOpenSSLError()<br>
> {<br>
> BIO *bio = BIO_new(BIO_s_mem());<br>
> ERR_print_errors(bio);<br>
> char *buf;<br>
> size_t len = BIO_get_mem_data(bio, &buf);<br>
> string ret(buf, len);<br>
> BIO_free(bio);<br>
> return ret;<br>
> }<br>
> <br>
> *Kamala Ayyar*<br>
> 502 Claremont Ave.<br>
> Teaneck NJ 07666-2563<br>
> Tel: (201)530-0861<br>
> <br>
> <br>
> On Fri, Feb 4, 2022 at 10:54 AM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>> wrote:<br>
> <br>
> On 04/02/2022 15:17, Kamala Ayyar wrote:<br>
> ><br>
> > Hello,<br>
> ><br>
> > We are facing a strange handshake failure issue with a test server and<br>
> > client application using OpenSSL in Windows. We have tried with both<br>
> > 1.1.1g and 3.0.1 versions - same problem. We created a Dll to handle the<br>
> > OpenSSL functions, where the SSL context, SSL object and certificates<br>
> > are handled. The certificates are obtained from the Windows store and<br>
> > converted to cert and key using PKCS12_parse().<br>
> > The server accepts a non-secure connection from the client and then passes<br>
> > the socket to the Dll that calls TLS_server_method() and creates the<br>
> > SSL context, SSL object and loads the certificates for use. It however<br>
> > fails at SSL_accept(m_pSsl). We use a callback<br>
> > SSL_set_info_callback(m_pSsl, apps_ssl_info_callback) that gave us<br>
> > the following error information:<br>
> > SSL_accept:Error in before SSL initialization<br>
> > On the client side the same Dll is called with a client method<br>
> > TLS_client_method() and the error displayed is:<br>
> > SSL_connect:Error in SSLv3/TLS write client hello<br>
> > We have confirmed the certificates are good and valid.<br>
> ><br>
> > The same Dll called from a different heavily threaded application with<br>
> > over 2000+ clients works well and handshake connections are established<br>
> > without issues on a different port number.<br>
> ><br>
> > We have also tried to use OpenSSL methods directly without using the Dll<br>
> > but we get the same failure. This was also used with server and client<br>
> > on the same machine as well as on different machines with the same<br>
> > outcome. The non-secure communication works fine between the server and<br>
> > the client.<br>
> <br>
> What does SSL_get_error() report after SSL_accept() fails?<br>
> <br>
> Also please dump the OpenSSL error stack when it fails, e.g. using<br>
> something like ERR_print_errors_fp(stdout);<br>
> <br>
> Matt<br>
> <br>
</blockquote></div>
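<div>An added example (not the poster's code and not OpenSSL's) on the errno question in the thread: the OS error behind SSL_ERROR_SYSCALL has to be read immediately after the failing call, because any call in between overwrites it, and 183 (ERROR_ALREADY_EXISTS) is a file-system status rather than a Winsock error, which on Windows CreateFile(OPEN_ALWAYS) sets even on success. The example is POSIX C with errno standing in for WSAGetLastError(); failing_read(), log_failure() and describe_syscall_error() are constructed for illustration and a bad descriptor plays the role of the failed transport read.</div>

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
/* Stand-in for the transport read inside SSL_accept(): a bad descriptor makes
 * recv() fail with errno = EBADF, which OpenSSL reports as SSL_ERROR_SYSCALL. */
static int failing_read(char *buf, size_t n)
{
    return (int)recv(-1, buf, n, 0);          /* -1, errno = EBADF */
}

/* Stand-in for a logger that opens a file before the caller reads the error.
 * On Windows, CreateFile(OPEN_ALWAYS) on an existing log file succeeds and
 * still sets the last error to 183 (ERROR_ALREADY_EXISTS). */
static void log_failure(void)
{
    FILE *f = fopen("/nonexistent-dir/ssl.log", "r");   /* fails: ENOENT */
    if (f) fclose(f);
}

/* Anti-pattern: errno is read only after the logger has clobbered it. */
int os_error_read_late(void)
{
    char buf[16];
    if (failing_read(buf, sizeof buf) < 0) {
        log_failure();
        return errno;                         /* ENOENT: misleading */
    }
    return 0;
}

/* Correct: snapshot errno (WSAGetLastError() on Windows) immediately. */
int os_error_read_immediately(void)
{
    char buf[16];
    if (failing_read(buf, sizeof buf) < 0) {
        int saved = errno;
        log_failure();
        return saved;                         /* EBADF: the real cause */
    }
    return 0;
}
/* Interpret SSL_ERROR_SYSCALL: ret == 0 means the peer closed the transport
 * without a TLS alert; otherwise the saved OS error is the real reason. */
const char *describe_syscall_error(int ret, int os_err)
{
    if (ret == 0) return "peer closed the connection during the handshake";
    if (os_err) return strerror(os_err);
    return "no OS error recorded: was it captured before other calls?";
}
```

The same snapshot rule applies to ERR_print_errors(): dump the OpenSSL error queue before any other OpenSSL call runs, or the queue you print may not be the one from the failed handshake.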