> From: owner-openssl-us...@openssl.org On Behalf Of Prokash Sinha
> Sent: Friday, 24 April, 2009 16:45

> I'm trying to understand why this following code is failing
> the second or third time... Is it a good way (meaning first accept()
> without ssl, then do those associations, then SSL_Accept())
----
Yes, this is the (or at least a) correct sequence. By 'second or third [fails]' I guess you mean it always works for the first connection in a given server process?

Code trimmed to vital bits because I'm having to quote by hand:

>   sock = accept (tls_socket, (struct sockaddr *) &sa, &slen);
>   if (!SSL_CTX_check_private_key (ssl_ctx)) ...error...
>   ssl = SSL_new (ssl_ctx);
>   if (ssl==NULL) ...error...
>   if (!SSL_check_private_key (ssl)) ...error...

Aside: there should be no need to check_private_key if it was set from a valid source in the first place, and definitely no need to check it in an SSL if the parent CTX was just good. But it should do no harm.

>   sbio = BIO_new_socket (sock, BIO_NOCLOSE);
>   if (sbio == NULL) ...error...
>   SSL_set_bio (ssl, sbio, sbio); /* cannot fail */
>   i = SSL_accept (ssl); /** <<<<< here is the error ***>>>
>   if (i<=0)
>   {
>     TRACE (trace (__FILE__, __LINE__, ERROR, NULL,
>            "***SSL_accept() call failed\n"));
>     i = SSL_get_error (ssl, i);
>     print_ssl_error (i);

This gives only a high-level error (as you saw). In general, for more detailed info on an OpenSSL error, call ERR_get_error and print the value returned (preferably in hex), or better (assuming you've loaded error strings) the string provided by ERR_error_string for that value. Best, do this in a loop until you get zero, as there may be multiple codes for one problem.

But you indicate a problem only occurs on non-first connections. How does your server handle multiple connections: Do you use threads? Do you fork child processes? Do you just do one connection (for one client) to completion before looking to accept() another? If threads, are any of the variables shared? Is it possible you are clobbering some memory during one connection that affects another(s)? Are you leaving file(s) or other resources open that might cause a conflict? (Although unless you're using client authentication against CApath, which is rare, I can't think offhand of any that would break SSL_accept.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org