<div dir="ltr">Hello Matt,<div><br></div><div>The socket descriptor is good and I verified using the socket directly. I do exchange data between client and server successfully before passing it the function to convert to a secure socket.</div><div>It fails at the same place as the SSL_accept() with the same error from the call back function</div><i><b>SSL_accept<br>SSL_CB_LOOP | SSL_accept:before SSL initialization<br><br>SSL_accept<br></b></i><div><i><b>SSL_accept:Error in before SSL initialization</b></i></div><div>On the client side the error is </div><div><i><b>SSL_connect<br>SSL_CB_LOOP | SSL_connect:before SSL initialization<br><br>SSL_connect<br>SSL_connect:Error in SSLv3/TLS write client hello</b></i><br></div><div>I used your example and wrapped the socket with the bio however I was not able to do a bio read(). I am getting a return of -1 from the bio_read and SSL_get_error() and ERR_prints_error does not print anything</div><div><br><div>Thanks</div><div>Kamala<br clear="all"><div><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:16px"><br></div></div></div></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 4, 2022 at 1:20 PM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Are you sure that the socket descriptor in "*this" is good and works?<br>
<br>
You could test that by wrapping it in a BIO like this:<br>
<br>
BIO *bio = BIO_new(BIO_s_socket());<br>
<br>
if (bio == NULL)<br>
goto err;<br>
BIO_set_fd(bio, *this, BIO_NOCLOSE);<br>
<br>
and then attempting to read some data from it using BIO_read(). If the <br>
BIO_read call fails then it suggests the socket descriptor is bad.<br>
<br>
Matt<br>
<br>
<br>
<br>
On 04/02/2022 18:06, Kamala Ayyar wrote:<br>
> Hello Matt,<br>
> <br>
> I call the WSAGetLastError() for Windows and that returns 183 <br>
> (ERROR_ALREADY_EXISTS) //Cannot create a file when that file already exists<br>
> The SSL_get_error() gives us SSL_ERROR_SYSCALL<br>
> *Server *code is roughly like below<br>
> SSL_CTX *m_pCtx;<br>
> SSL *m_pSsl;<br>
> m_pCtx = SSL_CTX_new(TLS_server_method();<br>
> if ((dwRet = LoadCertificates()) != rSUCCESS)<br>
> throw dwRet;<br>
> if ((m_pSsl = SSL_new(m_pCtx)) != NULL)<br>
> {<br>
> if ((iRet = SSL_set_fd(m_pSsl, (*this)())) == 0) /* attach the <br>
> socket descriptor */<br>
> {<br>
> sslError = SSL_get_error(m_pSsl, iRet);<br>
> LOGERROR(szLine);<br>
> throw eSSL_ERROR;<br>
> }<br>
> SSL_set_info_callback(m_pSsl, apps_ssl_info_callback);<br>
> ERR_clear_error();<br>
> if ((sslError = SSL_accept(m_pSsl)) < 1)<br>
> {<br>
> sslError = SSL_get_error(m_pSsl, sslError);<br>
> dwRet = handleError(sslError, "SSL_accept failed with error ", <br>
> iRet);<br>
> throw dwRet;// eSSL_ERROR;<br>
> }<br>
> }<br>
> <br>
> Client<br>
> SSL_CTX *m_pCtx;<br>
> SSL *m_pSsl;<br>
> m_pCtx = SSL_CTX_new(TLS_client_method();<br>
> if ((dwRet = LoadCertificates(TRUE)) != rSUCCESS) //Trust certificates only<br>
> throw dwRet;<br>
> /* Set for server verification*/<br>
> SSL_CTX_set_verify(m_pCtx, SSL_VERIFY_PEER, NULL); //Work in progress<br>
> m_pSsl = SSL_new(m_pCtx);<br>
> if ((iRet = SSL_set_fd(m_pSsl, (*this)())) == 0) /* attach the socket <br>
> descriptor */<br>
> {<br>
> ssl_error = SSL_get_error(m_pSsl, iRet);<br>
> LOGERROR(szLine);<br>
> throw eSSL_ERROR;<br>
> }<br>
> SSL_set_info_callback(m_pSsl, apps_ssl_info_callback);<br>
> ERR_clear_error();<br>
> if ((iRet = SSL_connect(m_pSsl)) <= 0) /* perform the connection */<br>
> {<br>
> ssl_error = SSL_get_error(m_pSsl, iRet);<br>
> dwRet = handleError(iRet, "SSL_connect failed with error ", ssl_error);<br>
> throw eSSL_ERROR;<br>
> }<br>
> <br>
> ShowCerts();<br>
> }<br>
> <br>
> As mentioned before this code works fine when called by another <br>
> application. So the certificates are all valid. I also tried this on <br>
> different machines but it did not work- I get the same error.<br>
> Thanks<br>
> Kamala<br>
> <br>
> On Fri, Feb 4, 2022 at 12:20 PM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>> wrote:<br>
> <br>
> Does errno give you anything?<br>
> <br>
> How did you create your BIOs for m_pSsl?<br>
> <br>
> Matt<br>
> <br>
> On 04/02/2022 16:25, Kamala Ayyar wrote:<br>
> > Hello Matt,<br>
> ><br>
> > The SSL_get_error() returns 5(SSL_ERROR_SYSCALL) It does not print<br>
> > anything for this error, just an empty string.<br>
> > I use the following to print error but nothing is printed<br>
> > if ((retVal = SSL_accept(m_pSsl)) < 1)<br>
> > {<br>
> > sslError = SSL_get_error(m_pSsl, retVal);<br>
> > LOGERROR(getOpenSSLError());<br>
> > throw dwRet;// eSSL_ERROR;<br>
> > }<br>
> > string getOpenSSLError()<br>
> > {<br>
> > BIO *bio = BIO_new(BIO_s_mem());<br>
> > ERR_print_errors(bio);<br>
> > char *buf;<br>
> > size_t len = BIO_get_mem_data(bio, &buf);<br>
> > string ret(buf, len);<br>
> > BIO_free(bio);<br>
> > return ret;<br>
> > }<br>
> ><br>
> > *Kamala Ayyar*<br>
> > 502 Claremont Ave.<br>
> > Teaneck NJ 07666-2563<br>
> > Tel: (201)530-0861<br>
> ><br>
> ><br>
> > On Fri, Feb 4, 2022 at 10:54 AM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> > <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>> wrote:<br>
> ><br>
> ><br>
> ><br>
> > On 04/02/2022 15:17, Kamala Ayyar wrote:<br>
> > ><br>
> > > Hello,<br>
> > ><br>
> > > We are facing a strange handshake failure issue with a test<br>
> > server and<br>
> > > client application using OpenSSL in Windows. We have<br>
> tried with<br>
> > both<br>
> > > 1.1.1g and 3.0.1 versions- same problem. We created a Dll to<br>
> > handle the<br>
> > > OpenSSL functions- where the SSL context, SSL object and<br>
> > certificates<br>
> > > are handled. The certificates are obtained from the<br>
> Windows store<br>
> > and<br>
> > > converted to cert and key using PKCS12_parse()<br>
> > > The server accepts non secure connection from the client<br>
> and then<br>
> > passes<br>
> > > the socket to the Dll that calls the TLS_server_method() and<br>
> > creates the<br>
> > > SSL context, SSL object and loads the certificates for use. It<br>
> > however<br>
> > > fails at SSL_accept(m_pSsl). We use a call<br>
> > > back SSL_set_info_callback(m_pSsl, apps_ssl_info_callback)<br>
> that<br>
> > gave us<br>
> > > the following error information<br>
> > > SSL_accept:Error in before SSL initialization<br>
> > > On the client side the same Dll is called with a client<br>
> > > method TLS_client_method() and the error displayed<br>
> > is SSL_connect:Error<br>
> > > in SSLv3/TLS write client hello<br>
> > > We have confirmed the certificates are good and valid.<br>
> > ><br>
> > > The same Dll called from a different heavily threaded<br>
> application<br>
> > with<br>
> > > over 2000+ clients works well and handshake connections<br>
> established<br>
> > > without issues on a different port number.<br>
> > ><br>
> > > We have also tried to use OpenSSL methods directly<br>
> without using<br>
> > the Dll<br>
> > > but we get the same failure. This was also used with<br>
> server and<br>
> > client<br>
> > > on the same machine as well as different machines with the<br>
> same<br>
> > > outcome. The non secure communication works fine between the<br>
> > server and<br>
> > > the client<br>
> ><br>
> > What does SSL_get_error() report after SSL_accept() fails?<br>
> ><br>
> > Also please dump the OpenSSL error stack when it fails, e.g.<br>
> using<br>
> > something like ERR_print_errors_fp(stdout);<br>
> ><br>
> > Matt<br>
> ><br>
> <br>
</blockquote></div>