Thank you Dave, this is a really very informative answer.
Now the communication is working. The following changes were made in the gsoap
stdsoap.cpp file before the SSL_accept() call.
//Code-start:
u_long blocking = 0;                 /* 0 = put the socket back into blocking mode */
ioctlsocket(fd, FIONBIO, &blocking); /* Winsock equivalent of clearing O_NONBLOCK */
//code-ends.
This communication happened with CLIENT_AUTHENTICATION set to "true" and
SERVER_AUTHENTICATION set to "false".
I observed SSL_Connect is failing with Error "SSL certificate host name
mismatch in tcp_connect()" with SERVER_AUTHENTICATION set to "true" case.
I verified that host name and common name mismatch is the culprit.
But can you please clarify the basic fundamentals for me: in the soap_ssl_client_context
call, do we provide the server certificate or the client certificate? Sorry, I think
I can debug this with further study through the code.
Below are commands I used to generate cacert.pem file;
openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
--------
openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey
rootkey.pem -out cacert.pem -days 1095
For testing purposes I used this same certificate file in both the
soap_ssl_client_context() and soap_ssl_server_context() calls.
Do I need to change any options in the above commands to generate the server-side
certificate?
Thanks,
Pradeep reddy.
Dave Thompson-5 wrote:
>
>> From: [email protected] On Behalf Of pradeepreddy
>> Sent: Wednesday, 15 September, 2010 08:12
>
>> After some fight, I am able to make the connection.I have
>> taken both server
>> and client authentication as false
>> SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION &
>> SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION to false. But
>> SSL_Connect & SSL_accept
>> are failing with errors "***
>> error:00002733:lib(0):func(2):reason(1843)" &
>
> I bet this end (at least) is on Windows. Winsock errors don't
> fit in 12 bits so OpenSSL breaks them up inappropriately.
> 0x2733 = 10035 = WSAEWOULDBLOCK. This seems consistent with
> some problem with nonblocking sockets, but OpenSSL shouldn't
> be returning it as an ERR_ error, it should map it into
> SSL_get_error WANT_READ or WANT_WRITE as appropriate.
> Possibly your code (or gsoap) is incorrectly calling
> ERR_error_string* on errno/[WSA]GetLastError() .
>
>> "*** SSL_ERROR_SSL
>> *** SSL_ERROR_SSL
>> error:1408A0C1:lib(20):func(138):reason(193)
>> Error 30 fault: SOAP-ENV:Server [no subcode]
>> "Error observed by underlying BIO: No such file or directory"
>
> You can use commandline openssl errstr to find out 1408A0C1 is
> SSL3_GET_CLIENT_HELLO:no shared cipher. It's unclear what file
> got the "No such file" error, but generally the only files a
> server needs are its private key(s)+cert(s), DH/ECDH params
> if explicit, and maybe random seeding. I don't know if
> REQUIRE_SERVER_AUTH false in your software means it's not
> demanded by the client, or not supported by the server.
> All the ciphersuites enabled by default in OpenSSL do have
> server authentication; to use the "anonymous" suites you
> must explicitly enable them. If you run a server with no
> privkey+cert(s), it can't negotiate any suite allowed by a
> client using the default list, causing "no shared cipher".
>
>> Detail: SSL_accept() failed in soap_ssl_accept()"
>> respectively. I provided
>> client.pem keyfile, though it is not required as
>> authentication is set to
>> false. Please let me know your thoughts.
>>
>> pradeepreddy wrote:
>> >
>> > Hi,
>> >
>> > An update,
>> >
>> > SSL_connect is failing with SSL_ERROR_WANT_READ. I
>> understand that client
>> > is waiting on server to write some data. But I don't
>> understand what to
>> > change code in server side.
>> >
> Nothing. WANT_READ, and WANT_WRITE, require *local*
> handling of nonblocking sockets. If you (or gsoap)
> does want nonblocking sockets, see the man pages
> for SSL_read, SSL_write, and/or SSL_get_error.
> Except if you're on Windows, you probably don't
> have man pages. If you don't want nonblocking
> sockets, you apparently did something wrong
> and got them, so fix that.
>
> <snip some earlier>
>
>> >> I see server is ready to accept the connections, as I see below
>> >> connection established with netstat command:
>> >>
>> >> TCP cspxppgudepu:15000 cspxppgudepu.com:0 LISTENING
>> >> TCP cspxppgudepu:15000 localhost:2864 ESTABLISHED
>> >>
>> >> Above 15000 port is for server.
>> >>
>> >> Below is client connection:
>> >> TCP cspxppgudepu:16000 cspxppgudepu.com:0 LISTENING
>> >>
> That's not a connection, only an apparently listening socket.
> Generally a client shouldn't (also) be listening, but IME
> at least some versions of Winsock spuriously show LISTENING
> when you merely have the socket open (and maybe bound?).
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]
--
View this message in context:
http://old.nabble.com/OPENSSL-SSL_Connect-blocking-tp29708086p29739388.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
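As an added illustration of Dave's point about the Winsock error code (this is not code from the thread, from gSOAP or from OpenSSL), the small C program below unpacks error codes the way OpenSSL 1.0.x's ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON did (lib in bits 24-31, func in bits 12-23, reason in bits 0-11) and reproduces both strings from the thread. It also shows why 10035 (WSAEWOULDBLOCK) does not fit: the reason field holds 12 bits, so the value spills into func and lib reads 0, which no OpenSSL library uses; that is the tell-tale sign that a raw errno/WSAGetLastError() value was handed to ERR_error_string instead of going through SSL_get_error. The function names are my own.

```c
/* Added example: decode OpenSSL 1.0-era packed error codes without linking
 * OpenSSL.  The field layout mirrors the ERR_PACK macro of that era:
 * (lib << 24) | (func << 12) | reason. */
#include <stdio.h>
#include <string.h>

#define WSAEWOULDBLOCK 10035UL  /* Winsock "operation would block" */

struct err_parts { unsigned lib, func, reason; };

/* Split a packed code the way ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON do. */
struct err_parts err_unpack(unsigned long code)
{
    struct err_parts p;
    p.lib    = (unsigned)((code >> 24) & 0xffUL);
    p.func   = (unsigned)((code >> 12) & 0xfffUL);
    p.reason = (unsigned)(code & 0xfffUL);
    return p;
}

/* Render the code in the "error:XXXXXXXX:lib(n):func(n):reason(n)" form
 * that ERR_error_string prints when no error strings are loaded. */
void err_format(unsigned long code, char *buf, size_t len)
{
    struct err_parts p = err_unpack(code);
    snprintf(buf, len, "error:%08lX:lib(%u):func(%u):reason(%u)",
             code, p.lib, p.func, p.reason);
}

/* Heuristic from the thread: lib 0 is not assigned to any OpenSSL library,
 * so a code with lib 0 was most likely a raw OS error passed through
 * unpacked.  Return that original OS value, or 0 if the code looks like a
 * genuine packed OpenSSL error. */
unsigned long raw_os_error(unsigned long code)
{
    return err_unpack(code).lib == 0 ? code : 0UL;
}

int main(void)
{
    const unsigned long thread_codes[] = { 0x2733UL, 0x1408A0C1UL }; /* from the thread */
    char buf[64];
    for (size_t i = 0; i < sizeof thread_codes / sizeof thread_codes[0]; i++) {
        err_format(thread_codes[i], buf, sizeof buf);
        unsigned long os = raw_os_error(thread_codes[i]);
        printf("%s%s\n", buf, os == WSAEWOULDBLOCK ? "  <- raw WSAEWOULDBLOCK" : "");
    }
    return 0;
}
```

Running it prints the two strings exactly as they appeared in the original mail, with the first flagged as the Winsock 10035 value.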