If ns_httpsget generated the error, then $response never got set. I suspect your connection is failing in the SSL handshake portion. Check obvious things like are you connecting to the correct IP and Port, is that port running SSL, etc. You didn't specify what version of nsopenssl you're running.
freebsd 4.9-stable aolserver3.4.2 (version correction) nsopenssl 2.1a openacs4.6.3
history:
the server crashed a day ago, with the following error in the last line of error.log (after a series of intermittent, but increasing openssl unknown errors): assertion "md_c[1] == md_count[1]" failed: file "/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rand/md_rand.c", line 312
I found this url:
http://lists.freebsd.org/pipermail/freebsd-bugs/2003-April/000362.html
..rebuilt with a slightly different set of CFLAGS, since -DOPENSSL_THREADS appears to have been replaced by -DOPENSSL_THREAD_DEFINES
Here's an abbreviated test response to the connecting IP/PORT:
openssl s_client -connect secure.ezic.com:1402
CONNECTED(00000006)
depth=0 /C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network
Operations/CN=secure.ezic.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network
Operations/CN=secure.ezic.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network
Operations/CN=secure.ezic.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network
Operations/CN=secure.ezic.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Server CA/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
.....4P2Xrup9LRhyR50+ciOBA0s6v4GHJmHdrCs+RwT0Jwcsq1Qo6a/nbcJHtBzJG+Y=
-----END CERTIFICATE-----
subject=/C=US/ST=Illinois/L=Vernon Hills/O=Ezic, Inc./OU=Network
Operations/CN=secure.ezic.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Server CA/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 959 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 40157CFCFBCF833C44F89265105436E14AB0A3CAFD0D774E9C7A9F3D1EE206D3
Session-ID-ctx:
Master-Key: .......
Key-Arg : None
Start Time: 1075150076
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0

Thanks for your assistance. Any other suggestions appreciated.
Torben
On Jan 26, 2004, at 7:39 AM, Torben Brosten wrote:
This is essentially cross posted at: http://openacs.org/forums/message-view?message_id=158383
What is the meaning of this "Unknown error"[1] from using ns_httpsget with openssl (running openacs 4.6.3)?
What is the nature of it? How is it resolved?
Here's how I'm using it (on freebsd stable, aolserver3.4.2oacs1):
from authorize-gateway/tcl/authorize-gateway-procs.tcl:
if {[catch {set response [ns_httpsget $full_url 30 0 $header]} error_message]} {
Related observation. I get a request error: can't read "response" : no such variable..
when I place this following line directly after the above line:
ns_log Notice "The response is: [value_if_exists $response]"
I have read the thread at: http://www.mail-archive.com/[EMAIL PROTECTED]/msg06033.html but do not see how it was resolved --if it was.
If not, is it possible to bypass using ns_httpsget with openssl?
Some example variations of the error message:
error reading "openssl253": Unknown error: 175547536
error reading "openssl233": Unknown error: 175550432
error reading "openssl221": Unknown error: 182587232
error reading "openssl206": Unknown error: 175170816
error reading "openssl83": Unknown error: 167534432
error reading "openssl55": Unknown error: 187695504
error reading "openssl101": Unknown error: 177231376
Thanks in advance,
Torben
-- AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
