> From: owner-openssl-us...@openssl.org On Behalf Of swapnil kamble
> Sent: Tuesday, 20 October, 2009 05:47
(This is almost certainly a -users question, not -dev.)

> I want SSL client/server communication between an OpenSSL Server and a Java Client.
> My OpenSSL Server with OpenSSL Client works, Java Server with Java Client works.
> But OpenSSL Server with Java Client fails in SSL_accept(); it gives SSL_ERROR_SSL.
> I have first created a plain TCP socket, and after getting the new fd from accept()
> I associate it with the SSL object and wait for the handshake in SSL_accept(), where it fails.
>
> sd = accept(ListenSocket, NULL, NULL); // Connected with TCP
> ssl = SSL_new (ctx); CHK_NULL(ssl);
> SSL_set_fd (ssl, sd);
> printf("waiting for ssl_connect\n");
> err = SSL_accept (ssl); // Fails Here.

Note: that printf is misleading.

After you get SSL_ERROR_SSL (always) either:

- call ERR_get_error() to get the specific error code (an unsigned long) and display it, preferably with the explanation from ERR_error_string() (assuming you have loaded appropriate error strings, most easily by doing SSL_load_error_strings() once at startup), and repeat until 0

- or, if you have a suitable C FILE* (typically stderr) just call ERR_print_errors(), which does the above for you

> // We call SSL_Connect from OpenSSL Client; in that case it works.
> What is similar to this in Java?
>
> My Java code:
>
> Socket sClientSock = new Socket();
> sClientSock.connect(socAddress,5000); // Connected with TCP
> SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
> SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(sClientSock,"localhost", 9999,true);

Note: no need to do these separately; the inherited-from-SocketFactory createSocket(hostname,port) or (hostaddr,port) will return in one step a Socket that is an SSLSocket (more precisely an implementation of SSLSocket, down under sun.net.something) connected to that host & port and ready to handshake. Unless you are (deliberately?) cheating on the servername to be verified.

Do you have an exception handler around this, and the handshake or first comms, that displays at least e.getMessage() (I prefer all of e.toString())? If so, what does it show? (If not, why not?)

My first guess would be verification. Your Java client uses the default trustmanager and truststore; do you have these configured and how, and does the result include the CA for your server's certificate (which if self-signed is the server cert itself)? Is your OpenSSL client set to verify the server? The default is no. AFAICS Java client SSLSocket verification can't be turned off directly, though you can enable (and then force selection of) anonymous-DH suites which have no cert to be verified.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
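An added example (not code from this thread) of the client-side setup the reply above describes: a one-step createSocket, an explicit truststore holding the OpenSSL server's CA, and an exception handler that prints e.toString(). The truststore path and password, the host and the port are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class OpenSslServerClient {
    // Build a socket factory whose trust manager holds only the CA for the OpenSSL
    // server (for a self-signed server that is the server cert itself), instead of
    // relying on whatever the JVM's default truststore happens to contain.
    static SSLSocketFactory factoryFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert, default PRNG
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumed): the OpenSSL server's host/port, and a truststore
        // built with "keytool -importcert" from the server's CA certificate.
        String host = "localhost"; int port = 9999;
        SSLSocketFactory factory = factoryFromTrustStore("client-truststore.jks", "changeit".toCharArray());
        // One call does the TCP connect plus the SSLSocket, as the reply above recommends.
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            // Also require that the certificate actually names the host we dialed.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake(); // surfaces handshake errors here, not on the first read/write
            System.out.println("Negotiated " + sock.getSession().getProtocol()
                + " with " + sock.getSession().getCipherSuite());
            System.out.println("Server cert subject: " + sock.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // e.toString() carries the reason, e.g. "unable to find valid certification path"
            System.err.println("Handshake failed: " + e);
        } catch (IOException e) {
            System.err.println("Connection failed: " + e);
        }
    }
}
```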