> From: owner-openssl-us...@openssl.org On Behalf Of irivas > Sent: Monday, 04 October, 2010 16:36 (I changed the subject to be more descriptive.)
> I don't even know where those errors come from. As I said > before, the same code under Solaris runs alright. > > I'm only connecting to a regular webserver with ssl, nothing > more, nothing less. > > I'm not consciously using anything other than plain http-- > none of which is used up to that point. > > Calls made beforehand are: > > SSL_load_error_strings(); > ERR_load_BIO_strings(); Aside: this is redundant. SSL_load_error_strings includes ERR_load_crypto_strings which includes all active modules which includes BIO. But it does no harm. > OpenSSL_add_all_algorithms(); > ctx = SSL_CTX_new(SSLv23_client_method()); > SSL_CTX_load_verify_locations(ctx,NULL,"foldername);//ctx is > a SSL_CTX* I assume foldername (without the stray ") is a VMS directory, which to my recollection doesn't have folders. Does the rehash procedure or an equivalent work on VMS, and was it done here? If not, that will cause verification errors later (but at present you're not even getting to verification). > bio = BIO_new_ssl_connect(ctx);//bio is a BIO* > BIO_get_ssl(bio,&ssl); //ssl is a SSL* > SSL_set_mode(ssl,SSL_MODE_AUTO_RETRY); > BIO_set_conn_hostname(bio,buffer);//buffer is a string of the form > "host:portnumber" > > > Anything I should be doing? The error occurs immediately afterwards. Unless the webserver is selectively misencoding, which seems very unlikely, there may be a problem with ASN.1 decoding, or possibly TCP/IP (but I hope not). I should warn you there doesn't seem to be nearly as much usage of OpenSSL on VMS as on various Unices, Windows, and I think even Mac. It's possible bugs got into at least some version(s), although a problem in something as basic as this seems unlikely. I used VMS a little long ago, but not with OpenSSL or even TCP/IP. What version of OpenSSL are you using, and did you build it or who did and how? If you have the commandline aka monolith available (I hope you do), do "version -a". (On Unix you can give this on the command line like "/path/to/openssl version -a", but on VMS you may need to do it interactively, I'm not sure.) Also in commandline, try "s_client -connect server:port -msg" (and if it connects, immediately give it EOF or interrupt). This will confirm where the failed operation is occurring, and show the data it's using for manual inspection. Note this will probably produce many screenfuls of data; I vaguely recall there is a way to capture it with something like SET /LOG, or perhaps the terminal emulator you are using can log. You might also do "/path/openssl s_client -connect ..." from the good (Solaris) system for comparison. As an additional data point for ASN.1, if you have a known good certificate file -- and anything you put in your verify_location (trust) directory should have been known good -- do commandline "x509 -in certfile -noout" and check it doesn't give an error, and "x509 -in certfile -noout -text" displays lots of info. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
