[ https://issues.apache.org/jira/browse/AXIS2C-728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
tsunoda norihiko closed AXIS2C-728.
-----------------------------------
Resolution: Fixed
Fix Version/s: (was: 1.1.0)
Thank you for your cooperation.
The reason why SSL_ERROR_WANT_READ was returned by SSL_get_error() is that
re-negotiation occurred at the client certification.
Re-negotiation occurred because the SSLVerifyClient type was stronger in
per-directory than per-server.
--ex: httpd.conf--
SSLVerifyClient none
<Location "/test">
SSLVerifyClient require
</Location>
> SSL client authenticate failed
> ------------------------------
>
> Key: AXIS2C-728
> URL: https://issues.apache.org/jira/browse/AXIS2C-728
> Project: Axis2-C
> Issue Type: Bug
> Components: core/transport
> Affects Versions: 1.1.0
> Environment: OS: RedHat Linux v5
> Reporter: tsunoda norihiko
> Attachments: diff.txt
>
>
> I made a client program to perform SSL client authentication/server
> authentication using Axis2/C.
> In the environment only for the server authentication, the program worked
> normally.
> But I cannot receive the response message in the client authentication
> environment and detected error code 82 - "Input stream is NULL in msg_ctx".
> When I checked the server side, the SSL handshake and message transmission
> to the client worked normally.
> I found that an error occurred in axis2_ssl_stream_read() when I debugged a
> client program.
> ${axis2c_src}/src/core/transport/http/sender/ssl/ssl_stream.c
> >>>
> 146 int AXIS2_CALL
> 147 axis2_ssl_stream_read(
> 148 axutil_stream_t *stream,
> 149 const axutil_env_t *env,
> 150 void *buffer,
> 151 size_t count
> 152 )
> 153 {
> 154 ssl_stream_impl_t *stream_impl = NULL;
> 155 int read = -1;
> 156 int len = -1;
> 157
> 158 AXIS2_ENV_CHECK(env, AXIS2_CRITICAL_FAILURE);
> 159
> 160 stream_impl = AXIS2_INTF_TO_IMPL(stream);
> 161
> 162 read = SSL_read(stream_impl->ssl , buffer, count);
> 163 switch (SSL_get_error(stream_impl->ssl , read))
> 164 {
> 165 case SSL_ERROR_NONE:
> 166 len = read;
> 167 break;
> 168 case SSL_ERROR_ZERO_RETURN:
> 169 len = -1;
> 170 break;
> 171 case SSL_ERROR_SYSCALL:
> 172 AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
> 173 "SSL Error: Premature close");
> 174 len = -1;
> 175 break;
> 176 default:
> 177 len = -1;
> 178 break;
> 179 }
> 180 return len;
> 181 }
> <<<
> At the default case in the switch on line 176, the value of len should not be
> "-1".
> SSL_get_error() returns SSL_ERROR_WANT_READ.
> The specifications of SSL_read() seem to be as follows.
> >>>
> In this case a call to SSL_get_error(3) with the return value of SSL_read()
> will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
> As at any time a re-negotiation is possible, a call to SSL_read() can also
> cause write operations!
> The calling process then must repeat the call after taking appropriate action
> to satisfy the needs of SSL_read().
> <<<
> (http://www.openssl.org/docs/ssl/SSL_read.html#NOTES)
> I could get a response message when I debugged as follows.
> ${axis2c_src}/src/core/transport/http/sender/http_client.c
> >>>
> 413 /* read the status line */
> 414 do
> 415 {
> 416 memset(str_status_line, 0, 512);
> 417 while ((read = axutil_stream_read(client->data_stream, env,
> tmp_buf,
> 418 1)) > 0)
> 419 {
> 420 tmp_buf[read] = '\0';
> 421 strcat(str_status_line, tmp_buf);
> 422 if (0 != strstr(str_status_line, AXIS2_HTTP_CRLF))
> 423 {
> 424 end_of_line = AXIS2_TRUE;
> 425 break;
> 426 }
> 427 }
> + 428 /* debug */
> + 429 #if 0
> 430 if (read < 0)
> 431 {
> 432 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[axis2c] http
> client , response timed out" );
> 433 AXIS2_ERROR_SET(env->error,
> 434 AXIS2_ERROR_RESPONSE_TIMED_OUT,
> 435 AXIS2_FAILURE);
> 436 return -1;
> 437 }
> 438 else if (read == 0)
> + 439 #endif
> + 440 if(read == 0)
> 441 {
> 442 AXIS2_ERROR_SET(env->error,
> 443 AXIS2_ERROR_RESPONSE_SERVER_SHUTDOWN,
> 444 AXIS2_FAILURE);
> 445 AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "Response error,
> Server Shutdown");
> 446 return 0;
> 447 }
> <<<
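Review bot: The `#if 0` added at line 429 compiles out the whole `read < 0` branch (lines 430-438), so every -1 from axutil_stream_read() is now ignored, including the SSL_ERROR_SYSCALL and SSL_ERROR_ZERO_RETURN cases that axis2_ssl_stream_read() also reports as -1, and AXIS2_ERROR_RESPONSE_TIMED_OUT is never set. Suggest keeping the `read < 0` check here and instead handling SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE inside axis2_ssl_stream_read() by repeating the SSL_read() call, as the quoted SSL_read() notes require, so that only retryable results are retried and real failures still surface.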
> However, this is my temporary modification.
> What kind of method will be appropriate?
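The retry behaviour that the quoted SSL_read() notes call for, as an added example that is not part of the issue, its attachment or the Axis2/C source. To build without libssl it uses hypothetical stand-ins: the `tls_err` enum mirrors OpenSSL's SSL_ERROR_* results, the `tls_io_t` hooks play the roles of SSL_read(), SSL_get_error() and a socket wait, and the scripted peer is constructed sample input.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for OpenSSL's SSL_ERROR_* results so this builds without libssl
 * (hypothetical names; real code switches on SSL_get_error()'s values). */
enum tls_err { TLS_NONE, TLS_ZERO_RETURN, TLS_WANT_READ, TLS_WANT_WRITE, TLS_SYSCALL };

/* Hypothetical I/O hooks: read_fn plays SSL_read(), err_fn plays SSL_get_error(),
 * wait_fn blocks until the socket is ready again (0 = ready, -1 = timed out). */
typedef struct {
    int (*read_fn)(void *ctx, void *buf, size_t n);
    enum tls_err (*err_fn)(void *ctx, int ret);
    int (*wait_fn)(void *ctx, enum tls_err why);
    void *ctx;
} tls_io_t;

/* Returns bytes read, or -1 on close, fatal error, timeout or retry budget spent.
 * Only WANT_READ / WANT_WRITE are retried; every other error still fails. */
int tls_read_retry(tls_io_t *io, void *buf, size_t n, int max_retries)
{
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        int ret = io->read_fn(io->ctx, buf, n);
        enum tls_err e = io->err_fn(io->ctx, ret);
        if (e == TLS_NONE) return ret;
        if (e != TLS_WANT_READ && e != TLS_WANT_WRITE) return -1; /* closed or fatal */
        if (io->wait_fn(io->ctx, e) != 0) return -1;              /* wait timed out */
    }
    return -1; /* bounded: a peer cannot keep the caller retrying forever */
}

/* Constructed sample peer: renegotiation makes the first want_reads reads fail. */
typedef struct { int calls; int want_reads; const char *data; } script_t;

static int s_read(void *c, void *buf, size_t n) {
    script_t *s = c;
    if (s->calls++ < s->want_reads) return -1;
    size_t len = strlen(s->data);
    if (len > n) len = n;
    memcpy(buf, s->data, len);
    return (int)len;
}
static enum tls_err s_err(void *c, int ret) { (void)c; return ret > 0 ? TLS_NONE : TLS_WANT_READ; }
static int s_wait(void *c, enum tls_err why) { (void)c; (void)why; return 0; }

int demo_read(int want_reads, int max_retries, char *out, size_t n) {
    script_t s = { 0, want_reads, "HTTP/1.1 200 OK\r\n" };
    tls_io_t io = { s_read, s_err, s_wait, &s };
    return tls_read_retry(&io, out, n, max_retries);
}
```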