Hi 

I have been looking at this problem for a week now and am at my wits' end.
I'm sure it's something trivial but I certainly can't find the solution.

I'm afraid it's an old version of ssleay, 0.8.1, but up until now this
has been stable and caused no problems.

So here is the description of the problem:

Client: ssleay 0.8.1 running on NT4 
Server: proxy server using ssleay 0.8.1 library

SSL related server code:

initialisation -

SSL_METHOD *meth = SSLv23_server_method();
SSLeay_add_all_algorithms();
SSL_load_error_strings();
ctx = SSL_CTX_new(meth);
if (SSL_CTX_use_certificate_file(ctx, certificate_file_buf.c_str(),
                                 SSL_FILETYPE_PEM) <= 0)
{
    /* error: certificate could not be loaded */
}
if (SSL_CTX_use_PrivateKey_file(ctx, key_file_buf.c_str(),
                                SSL_FILETYPE_PEM) <= 0)
{
    /* error: private key could not be loaded */
}
if (!SSL_CTX_check_private_key(ctx))
{
    /* error: private key does not match the certificate */
}
SSL_CTX_set_cipher_list(ctx, cipherlist);

After the socket accept -

ssl = SSL_new(ctx);
SSL_clear(ssl);
SSL_set_accept_state(ssl);
SSL_set_fd(ssl, sd);


When we have a read event on the socket -

if (!SSL_is_init_finished(ssl))
{
    acceptval = SSL_accept(ssl);
    if (acceptval <= 0)
    {
        if (BIO_sock_should_retry(acceptval))
        {
            // return to the eventloop and wait for another event
            return;
        }
        else
        {
            // drop the connection : failure
            return;
        }
    }

    // return to the eventloop
    return;
}

// handshake was a success, so read the data
res = SSL_read(ssl, (char *)p, buflen);


When I set the socket to be blocking, everything works fine (i.e. the
SSL_accept function is only called once and the server blocks until the
handshake is complete).
BUT
When I set the socket to be non-blocking (I use my own callbacks and
FDs etc. and not BIO in ssleay) SSL_accept is called twice.
The first time it returns -1 and should_retry is true; the second
time it returns 0, should_retry is false and the error string is
"digest check failed". This error is generated in ssl/s3_both.c in the
ssl3_get_finished() function.

It appears that all the cert and cipher info has been transferred
correctly.
I am completely stuck. 
So here's the challenge: does anybody have any idea why the handshake
fails?

cheers,
Sarah

-- 
     Have you seen the fnords?
Sarah Bateman([EMAIL PROTECTED]), Software Engineer
Client Integration Development, SCO, Vision Park, Cambridge
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]