On 11/22/04 02:20 PM, Louis LeBlanc sat at the `puter and typed:
> Hey everyone.  Been a long time since I've been able to spend much time
> on SSL code, but here I am again.
> 
> My app is a client side HTTP/HTTPS application, and the problem that
> recently showed up (more likely it was just recently noticed) is a
> problem of sorts with SSL_read().  But only with some servers.
> Connections to other servers work just fine.
> 
> Here's a snippet of the code giving problems:
> 
>   n = SSL_read(c->data, c->buf+c->bufend, len);
> 
>   if (n <= 0)
>   { int sslerr = ERR_get_error();
>     errcode = SSL_get_error(c->data, n);
>     if (errno) eptr = strerror(errno);
>     if (sslerr)
>       { (void *)ERR_error_string(sslerr, errbuf); errptr = errbuf; }
>     switch(errcode)
>     {
>       case SSL_ERROR_SYSCALL:
>         /* Some kind of I/O error; */
>         if (DebugSSL)
>         {
>           if (sslerr)  /*  SSL IO error?  */
>           { /* SSL_13013:I:Problem in SSL_read():%s: %s:%d */
>             if (errptr && *errptr)
>               ERROR(errmsgs[SSL_13013], errptr, __FILE__, __LINE__);
>             else
>               ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL" ,
>                     __FILE__, __LINE__);
>           }
>           else if (eptr && *eptr) /*  Some system error - check errno */
>             ERROR(errmsgs[SSL_13013], eptr, __FILE__, __LINE__);
>           else if (n == 0)
>             ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL/EOF" ,
>                   __FILE__, __LINE__);  // XXXXXXX
>           else
>             ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL/SOCKET" ,
>                   __FILE__, __LINE__);
>         }
>         sslsock_shutdown(c);
>         return -1;
>         break;
> 
> . . . // leaving out unrelated error handling
> 
>     }
>   }
> 
> The error being logged is SSL_ERROR_SYSCALL/EOF - the section marked
> with "XXXXXXX".  Far as I can tell, this really shouldn't happen.  There
> appear to be no problems in the SSL_connect phase.  This code snippet is
> from the first read after the connection is established - the first
> attempt to read the headers.
> 
> My first assumption was that I must have mishandled the error condition
> somehow.  I reread the manpages for SSL_read() and SSL_get_error(), and
> unless I'm interpreting these pages incorrectly, I have it right in the
> code above.
> 
> Also, I should note that regular browsers have no problem connecting to
> the server, and my client app has no trouble connecting to other secure
> servers.  The problem has been occurring with my app linked to OpenSSL
> 0.9.7a, but is easily reproduced with 0.9.7e.
> 
> Here's the server string returned by the origin:
> Server: IBM_HTTP_SERVER/1.3.19  Apache/1.3.20 (Unix)


Ok, I finally figured this one out.

It was the cipher list after all.

My initial configuration used the list [EMAIL PROTECTED], which was intended
to maximize the list of ciphers used while giving preference to weaker
ciphers - to minimize overhead.  Problem is the server in question was
choking on one of them before it got the one it liked.

When I changed the cipher list to DEFAULT, it worked fine.  Of course,
DEFAULT is normally defined as ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH.  I
also tried a tweak to this list: ALL:RC4+RSA:+SSLv2:+ADH:@STRENGTH,
which also worked.  So I'm speculating that there is some kind of hangup
with the ADH ciphers.  I haven't kept up on them in the last several
years, but I seem to remember that they were nontrivial to generate
certs for and use.
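The three cipher strings above differ mainly in whether anonymous DH (ADH) suites survive the rule sequence: DEFAULT removes them with `!ADH`, while `+ADH` only moves them to the end of the list, so they are still offered. Because those suites perform no server authentication at all, a client should exclude them regardless of which server happens to accept them. The following added example (not the poster's code, and not part of OpenSSL) parses a cipher-list string the way `SSL_CTX_set_cipher_list()` reads it, reports whether anonymous suites remain selectable and whether `@STRENGTH` sorting was requested, and asks the local OpenSSL build what the string actually expands to. The alias sets and finding texts are the example's own.

```python
"""Added example: audit an OpenSSL cipher-list string before handing it to
SSL_CTX_set_cipher_list(). Tracks whether anonymous suites (ADH/AECDH) can
survive the rule sequence and whether @STRENGTH sorting is requested."""
import re
import ssl

# Aliases for anonymous key exchange: no certificate, no server authentication.
ANON_ALIASES = {"ADH", "AECDH", "aNULL"}
# A plain rule naming any of these pulls anonymous suites into the selection.
ANON_SUPERSETS = ANON_ALIASES | {"ALL", "COMPLEMENTOFDEFAULT"}


def parse_cipher_list(spec):
    """Split a cipher string into (modifier, aliases) rules.
    ':', ',' and ' ' separate rules; '+' inside a rule ANDs its aliases;
    a leading '!', '-', '+' or '@' is the rule modifier."""
    rules = []
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        mod = ""
        if token[0] in "!-+@":
            mod, token = token[0], token[1:]
        rules.append((mod, tuple(token.split("+"))))
    return rules


def audit_cipher_list(spec):
    """Return a list of findings; an empty list means nothing to report."""
    rules = parse_cipher_list(spec)
    anon_offered = False   # anonymous suites currently in the selection
    anon_banned = False    # a '!' rule removed them permanently
    for mod, aliases in rules:
        names = set(aliases)
        if mod == "@":
            continue                      # sort directive, no membership change
        if mod == "!":
            if names & ANON_ALIASES:
                anon_banned, anon_offered = True, False
        elif mod == "-":
            if names & ANON_ALIASES:
                anon_offered = False      # removed, but a later rule may re-add
        elif mod == "+":
            pass                          # '+' only moves matching suites to the end
        elif names & ANON_SUPERSETS and not anon_banned:
            anon_offered = True           # plain rule adds matching suites
    findings = []
    if anon_offered:
        findings.append("anonymous suites (ADH/AECDH) remain offered: "
                        "the peer is never authenticated")
    if ("@", ("STRENGTH",)) not in rules:
        findings.append("no @STRENGTH: preference follows string order, "
                        "not key strength")
    return findings


def effective_ciphers(spec):
    """Ask the local OpenSSL what the string expands to (names in offer
    order), or [] if this build rejects the string outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for spec in ("ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH",   # DEFAULT as quoted above
                 "ALL:RC4+RSA:+SSLv2:+ADH:@STRENGTH",   # the tweak that also worked
                 "ALL:!aNULL:!eNULL:@STRENGTH"):        # constructed hardened list
        print(spec, "->", audit_cipher_list(spec) or "ok")
        print("   ", ", ".join(effective_ciphers(spec)[:5]) or "(rejected)")
```

On a current OpenSSL the expansion printed by `effective_ciphers()` will not contain the RC4 or SSLv2 suites of 2004, and a rule naming an alias the build no longer knows is simply ignored rather than rejected; the static audit, by contrast, reads only the string and so reports the same result on any build.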

So that's it.  Configuration error, and nothing wrong with OpenSSL or my
code :)

Thanks Dr. Henson for providing feedback on this issue.

Lou
-- 
Louis LeBlanc               [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Live long and prosper.
    -- Spock, "Amok Time", stardate 3372.7
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
