On Tue, Mar 06, 2001 at 11:57:01AM -0800, Dan Kegel wrote: > Here's a lengthy description of a situation where > a better error message would be nice. See below. > I have a program that was working fine with OpenSSL 0.9.4 > on both Linux and Solaris. I updated to OpenSSL 0.9.6 > and it still works fine on Linux, but failed on Solaris. > The program uses nonblocking I/O. The problem happened on the client side, > while trying to establish the connection. > > The symptom was, SSL_write returned -1. SSL_get_error returned 1 (SSL_ERROR_SSL). > ERR_error_string returned "error:FFFFFFFF:lib(255):func(4095):reason(4095)". Hmm.... > Tracing through using printf, I saw the error seemed to come from > the following code in ssl3_connect: > > case SSL3_ST_CW_KEY_EXCH_A: > case SSL3_ST_CW_KEY_EXCH_B: > ret=ssl3_send_client_key_exchange(s); > if (ret <= 0) goto end; > > Tracing back further in ssl3_send_client_key_exchange(), > tmp_buf[0]=s->client_version>>8; > tmp_buf[1]=s->client_version&0xff; > if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0) > goto err; > > Turns out this is covered by the FAQ, > http://www.openssl.org/support/faq.html#USER1 > > So it looks like it's caused by my Solaris environment not setting up > the random number generator. Cool, the new checking in 0.9.6 found a bug > in my app! I 'fixed' it by using RAND_add to jam in a little entropy, > and checking RAND_status explicitly. > > Hey, it'd be great if ERR_error_string said something like > "error:you need to seed your random number generator, you fool!" Hmm, my version of RAND_bytes (actually ssleay_rand_bytes) does contain: crypto/rand/md_rand.c:474 RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED); ERR_add_error_data(1, "You need to read the OpenSSL FAQ, " "http://www.openssl.org/support/faq.html"); You do perform a SSL_load_error_strings(), do you? Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
