Hi,

I have written a C++ xpcom component that makes SSL connections with a
given host-port combination using a specific SSL cipher. The purpose of
the component is to test whether the host supports SSL with the
supplied cipher, and this is determined by checking whether the SSL
handshake succeeds.

I have come across a strange problem - the SSL connections seem to
succeed with a given host if the ciphers are supported on that host,
however, if I test a different host with the same XPCOM component, the
SSL connections fail, even though the host does support the cipher that
is used for the connection. Now if I restart the client application, I
can successfully test the host which I could not test before, however I
cannot test any other hosts because the SSL connections fail again.
Thus, it seems that the SSL connections succeed only with the first
host that is tested after the application is restarted, and the
connections fail for other hosts. (The SSL_ForceHandshake() call
returns error code -12268.)

This could be a problem due to the way SSL is configured in my code,
and I was wondering if anyone has any opinions about the cause of this
problem. I have used mostly code from sslstrength.c in
mozilla\security\nss\cmd\sslstrength, and have included the code below
that attempts to make an SSL connection.

Please do let me know if you have any comments.

Thanks,
Abhijit

**************CODE starts here:************

  if (!certdir) {
    rv = NSS_NoDB_Init(NULL);
    if (rv != SECSuccess) {
      PRErrorCode retError = PR_GetError();
      return retError;
    }
  }

  /* Lookup host */
  r = PR_GetHostByName(hostname, netdbbuf, PR_NETDB_BUF_SIZE, &hp);
  if (r) {
    //PrintErrString(progname,"Host Name lookup failed");
    return 1;
  }

  /* should the third field really be 0? */
  PR_EnumerateHostEnt(0, &hp, 0, &na);
  /* PR_IpAddrNull leaves the address alone and only fills in the port */
  PR_InitializeNetAddr(PR_IpAddrNull, portnum, &na);

  /* Create socket */
  fd = PR_NewTCPSocket();
  if (fd == NULL) {
    //PrintErrString(progname, "error creating socket");
    return -1;
  }

  /* Layer SSL on top of the plain TCP socket */
  s = SSL_ImportFD(NULL, fd);
  if (s == NULL) {
    //PrintErrString(progname, "error importing socket into SSL");
    return -1;
  }

  /* Check the result of each SSL_OptionSet() call on its own; a single
     check after two calls only ever sees the second call's status. */
  rv = SSL_OptionSet(s, SSL_SECURITY, PR_TRUE);
  if (rv != SECSuccess) {
    //PrintErrString(progname, "error enabling SSL_SECURITY on socket");
    return -1000001;
  }
  rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
  if (rv != SECSuccess) {
    //PrintErrString(progname, "error enabling client handshake");
    return -1000001;
  }

  whichCiphers = NSS_SetDomesticPolicy();
  if (whichCiphers != SECSuccess) {
    //ciphers not set
    return -1;
  }

  // SSLChecks: important - clear cache in order to change cipher settings
  SSL_ClearSessionCache();

  if (policy) {
    SetPolicy(currentCipher, policy);
  }

  //OutputDebugString("sslpolicy: Test message from SSL Checks component");
  if (SSL_AuthCertificateHook(s, MyAuthCertificateHook, (void *)handle) != SECSuccess) {
    PRErrorCode retError = PR_GetError();
    sprintf(errorBuff, "sslpolicy:AuthCertificateHook problem.. %d", retError);
    OutputDebugString(errorBuff);
    OutputDebugString("sslpolicy: auth cert hook() issues");
  }

  if (SSL_BadCertHook(s, MyBadCertHandler, NULL) != SECSuccess) {
    PRErrorCode retError = PR_GetError();
    sprintf(errorBuff, "sslpolicy:BadCertHandler problem.. %d", retError);
    OutputDebugString(errorBuff);
    OutputDebugString("sslpolicy: bad cert hook() issues");
  }

  /* TCP connect with a 100 second timeout */
  r = PR_Connect(s, &na, PR_TicksPerSecond() * 100);
  if (r < 0) {
    //PrintErrString(progname, "unable to connect");
    return -1;
  }

  rv = SSL_ForceHandshake(s);
  /* Abhijit: This is where the connection fails and the error code
     returned by PR_GetError() is -12268
     (-12268 is SSL_ERROR_SSL_DISABLED in NSS's sslerr.h) */

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
