Here's a lengthy description of a situation where
a better error message would be nice.

I have a program that was working fine with OpenSSL 0.9.4
on both Linux and Solaris.  I updated to OpenSSL 0.9.6
and it still works fine on Linux, but failed on Solaris.
The program uses nonblocking I/O.  The problem happened on the client side, 
while trying to establish the connection.  

The symptom was, SSL_write returned -1.  SSL_get_error returned 1 (SSL_ERROR_SSL).
ERR_error_string returned "error:FFFFFFFF:lib(255):func(4095):reason(4095)".

Tracing through using printf, I saw the error seemed to come from
the following code in ssl3_connect:

        case SSL3_ST_CW_KEY_EXCH_A:
        case SSL3_ST_CW_KEY_EXCH_B:
            ret=ssl3_send_client_key_exchange(s);
            if (ret <= 0) goto end;        

Tracing back further in ssl3_send_client_key_exchange(),

            tmp_buf[0]=s->client_version>>8;
            tmp_buf[1]=s->client_version&0xff;
            if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0) 
                    goto err;

Turns out this is covered by the FAQ,
http://www.openssl.org/support/faq.html#USER1

So it looks like it's caused by my Solaris environment not setting up
the random number generator.  Cool, the new checking in 0.9.6 found a bug
in my app!  I 'fixed' it by using RAND_add to jam in a little entropy,
and checking RAND_status explicitly.

Hey, it'd be great if ERR_error_string said something like
  "error:you need to seed your random number generator, you fool!"

Thanks,
Dan
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
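
The error string quoted in the message can be taken apart field by field. As an added example (not part of the original message and not OpenSSL code), this parser splits an ERR_error_string line using the packed error code layout of OpenSSL 0.9.x through 1.1.1 and flags two signs that the line carries no usable diagnosis: an all-ones code and numeric lib(N):func(N):reason(N) placeholders. The names parse_err_string and struct err_fields are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Packed error code layout in OpenSSL 0.9.x through 1.1.1:
 * library = bits 24-31, function = bits 12-23, reason = bits 0-11. */
struct err_fields {             /* hypothetical name, not an OpenSSL type */
    unsigned long code;
    int lib, func, reason;
    int all_ones;    /* code is 0xFFFFFFFF: every field is at its maximum */
    int unresolved;  /* names are numeric lib(N):func(N):reason(N) placeholders */
};

/* Parse "error:XXXXXXXX:<lib>:<func>:<reason>".
 * Returns 0 on success, -1 if the line is not in that format. */
int parse_err_string(const char *s, struct err_fields *out)
{
    int i, l, f, r;

    if (strncmp(s, "error:", 6) != 0)
        return -1;
    for (i = 6; i < 14; i++)            /* exactly eight hex digits */
        if (!isxdigit((unsigned char)s[i]))
            return -1;
    if (s[14] != ':')
        return -1;
    out->code = strtoul(s + 6, NULL, 16);
    out->lib = (int)((out->code >> 24) & 0xff);
    out->func = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    out->all_ones = (out->code == 0xFFFFFFFFUL);
    /* Placeholders are printed when no text is registered for a field. */
    out->unresolved =
        sscanf(s + 14, ":lib(%d):func(%d):reason(%d)", &l, &f, &r) == 3 &&
        l == out->lib && f == out->func && r == out->reason;
    return 0;
}

int main(void)
{
    struct err_fields e;
    /* The string quoted in the message above. */
    if (parse_err_string("error:FFFFFFFF:lib(255):func(4095):reason(4095)", &e) == 0)
        printf("%08lX lib=%d func=%d reason=%d all_ones=%d unresolved=%d\n",
               e.code, e.lib, e.func, e.reason, e.all_ones, e.unresolved);
    return 0;
}
```

When a line is flagged this way, the entries on the error queue (read with ERR_get_error) and the result of RAND_status are the places to look next.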