Hey all. I'm back on the list with a little bit of confusion. For reference, my app is using OpenSSL 0.9.6.
The problem I'm seeing is apparently caused by a read or write attempt returning SSL_ERROR_WANT_X509_LOOKUP. My understanding of this was that I should simply try the read or write again. Apparently I was mistaken because the app seems to get sucked into a loop where it continually returns the same error and continues to loop. Needless to say, the result is a very ugly, resource gobbling, and quite painful decline into oblivion.

Here is a little snippet:

    /* c->data is the SSL *; buf, len, p, n, errcode and eptr are locals
     * of the surrounding write routine. */
    while (len) {
        n = SSL_write(c->data, buf + p, len);
        if (n <= 0) {
            errcode = SSL_get_error(c->data, n);
            eptr = strerror(errno);
            switch (errcode) {
            case SSL_ERROR_NONE:
            case SSL_ERROR_WANT_X509_LOOKUP:
                /* No error, we should try the write again. */
                break;
            . . .
            }
            /* n is zero or negative here, so it must not be applied to
             * len and p; go straight back to the retry. */
            continue;
        }
        len -= n;
        p += n;
    }
    return p;

And the verify callback routine:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>
    #include <openssl/x509_vfy.h>

    /* log_error(), SSLVerifyDepth and MII_ASN1_TIME_print() (which formats an
     * ASN1_TIME into the supplied buffer) are provided elsewhere in the app. */
    int verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        char buffer[256], errbuf[1024];
        char *buf = buffer;
        X509 *err_cert;
        int err, depth;
        int verify_error = X509_V_OK;

        if (!ok) {
            err_cert = X509_STORE_CTX_get_current_cert(ctx);
            err = X509_STORE_CTX_get_error(ctx);
            depth = X509_STORE_CTX_get_error_depth(ctx);

            X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
            sprintf(errbuf, "depth=%d %s\n", depth, buf);
            log_error(errbuf);
            sprintf(errbuf, "verify error:num=%d:%s", err,
                    X509_verify_cert_error_string(err));
            log_error(errbuf);

            if (SSLVerifyDepth < depth) {
                verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                sprintf(errbuf, "verify error:%s\n",
                        X509_verify_cert_error_string(verify_error));
                log_error(errbuf);
            }

            switch (ctx->error) {
            case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
                X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
                sprintf(errbuf, "issuer= %s", buf);
                log_error(errbuf);
                break;
            case X509_V_ERR_CERT_NOT_YET_VALID:
            case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
                sprintf(errbuf, "notBefore=");
                MII_ASN1_TIME_print(buf, X509_get_notBefore(ctx->current_cert));
                strcat(errbuf, buf);
                log_error(errbuf);
                break;
            case X509_V_ERR_CERT_HAS_EXPIRED:
            case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
                sprintf(errbuf, "notAfter=");
                MII_ASN1_TIME_print(buf, X509_get_notAfter(ctx->current_cert));
                strcat(errbuf, buf);
                log_error(errbuf);
                break;
            }
        }
        return (ok);
    }

You probably get the idea. I am using it the same way in the read.

So, what exactly is the correct method of handling this error? The definition I was able to find is that the verification callback wants to be called again, but I have verified the certificate, and it is fine. The only thing I can see out of the ordinary is that it isn't a PEM cert. It's DER encoded. Not that it should have anything to do with that.

Anyone have any other ideas? If there is some other little tidbit of info that might help, but I've not included, please let me know.

Thanks.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Spence's Admonition:
Never stow away on a kamikaze plane.
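An added example, not from Lou's post or from OpenSSL, showing how the write loop above behaves once it distinguishes the SSL_get_error() classes and stops treating a negative return as progress. Per the SSL_get_error() documentation, SSL_ERROR_WANT_X509_LOOKUP is raised when the client-certificate callback installed with SSL_CTX_set_client_cert_cb() asks to be called again, not by the verify callback; until whatever that callback waits on is resolved, every retry returns the same code, which is the spin described in the post. The code below is pure C with no OpenSSL dependency: the SSL_ERROR_* constants, the fake_ssl object, fake_write(), fake_get_error(), ssl_write_all(), run_script() and the WR_* outcomes are all constructed stand-ins, with fake_write()/fake_get_error() taking the place of SSL_write()/SSL_get_error() so the loop logic can be driven offline by a scripted sequence of results.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the codes SSL_get_error() returns; the values
 * match OpenSSL's ssl.h so the switch reads as it would against the real API. */
#define SSL_ERROR_NONE             0
#define SSL_ERROR_SSL              1
#define SSL_ERROR_WANT_READ        2
#define SSL_ERROR_WANT_WRITE       3
#define SSL_ERROR_WANT_X509_LOOKUP 4
#define SSL_ERROR_SYSCALL          5

/* Scripted fake of an SSL object (constructed): each fake_write() call
 * returns the next scripted result, standing in for SSL_write(). */
struct fake_ssl {
    const int *rets;   /* scripted SSL_write() return values */
    const int *errs;   /* scripted SSL_get_error() results, one per call */
    size_t n;          /* number of scripted calls */
    size_t calls;      /* how many times fake_write() has been invoked */
    int last_err;
};

static int fake_write(struct fake_ssl *s, const char *buf, int len)
{
    (void)buf;
    if (s->calls >= s->n) {          /* script exhausted: behave like a dead socket */
        s->last_err = SSL_ERROR_SYSCALL;
        s->calls++;
        return -1;
    }
    int r = s->rets[s->calls];
    s->last_err = s->errs[s->calls];
    s->calls++;
    return r > len ? len : r;
}

static int fake_get_error(struct fake_ssl *s, int ret)
{
    (void)ret;
    return s->last_err;
}

/* Outcomes of ssl_write_all() (constructed). */
enum { WR_OK = 0, WR_WOULD_BLOCK = 1, WR_LOOKUP_STALLED = 2, WR_FATAL = 3 };

/* Consecutive SSL_ERROR_WANT_X509_LOOKUP results tolerated before giving up. */
#define MAX_LOOKUP_RETRIES 3

static int ssl_write_all(struct fake_ssl *s, const char *buf, int len, int *written)
{
    int p = 0;               /* bytes written so far */
    int lookup_retries = 0;  /* consecutive WANT_X509_LOOKUP results */

    while (len > 0) {
        int n = fake_write(s, buf + p, len);
        if (n > 0) {
            /* Only a positive n is progress; never fold a negative n into len/p. */
            p += n;
            len -= n;
            lookup_retries = 0;
            continue;
        }
        switch (fake_get_error(s, n)) {
        case SSL_ERROR_WANT_READ:
        case SSL_ERROR_WANT_WRITE:
            /* Socket not ready: return to the caller, who waits on the fd with
             * select()/poll() and calls again with the same remaining buffer. */
            *written = p;
            return WR_WOULD_BLOCK;
        case SSL_ERROR_WANT_X509_LOOKUP:
            /* The client-certificate callback asked to be called again. Retrying
             * before whatever it waits on is resolved yields the same code, so
             * bound the retries instead of spinning forever. */
            if (++lookup_retries > MAX_LOOKUP_RETRIES) {
                *written = p;
                return WR_LOOKUP_STALLED;
            }
            continue;
        default:
            /* SSL_ERROR_SYSCALL, SSL_ERROR_SSL, ...: the connection is unusable. */
            *written = p;
            return WR_FATAL;
        }
    }
    *written = p;
    return WR_OK;
}

/* Drive ssl_write_all() against a script; reports the outcome, the bytes
 * written and how many fake_write() calls were made. */
int run_script(const int *rets, const int *errs, size_t n, int len,
               int *written, size_t *calls)
{
    struct fake_ssl s = { rets, errs, n, 0, SSL_ERROR_NONE };
    char buf[64] = {0};
    int rc = ssl_write_all(&s, buf, len, written);
    *calls = s.calls;
    return rc;
}

int main(void)
{
    /* Constructed stall: every call reports SSL_ERROR_WANT_X509_LOOKUP. */
    const int rets[] = { -1, -1, -1, -1, -1, -1 };
    const int errs[] = { SSL_ERROR_WANT_X509_LOOKUP, SSL_ERROR_WANT_X509_LOOKUP,
                         SSL_ERROR_WANT_X509_LOOKUP, SSL_ERROR_WANT_X509_LOOKUP,
                         SSL_ERROR_WANT_X509_LOOKUP, SSL_ERROR_WANT_X509_LOOKUP };
    int written; size_t calls;
    int rc = run_script(rets, errs, 6, 10, &written, &calls);
    printf("outcome=%d written=%d calls=%zu\n", rc, written, calls);
    return 0;
}
```

The two things the original loop lacks are visible here: the WANT_READ/WANT_WRITE cases hand control back to the caller to wait on the socket rather than retrying in a tight loop, and WANT_X509_LOOKUP is retried only a bounded number of times, so a callback that never completes surfaces as an error instead of consuming the process.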