My advice: Try using Wireshark, tcpdump, or a similar tool to capture the problematic server_hello packet from the network while not single-stepping your code.
Then look at that packet (it is not encrypted) to find out which SSL or TLS version it offers the client, and then check whether you have enabled that protocol (the quoted sample restricts the client to SSLv3 via CURLOPT_SSLVERSION). If the server_hello message is fine, check whether something in your multi-threaded code is corrupting the packet or the OpenSSL state due to incorrect synchronization. If the server_hello message is indeed bad, look at the client_hello packet from the same capture and check whether it is also consistent with your expectations. If client_hello is good but server_hello is bad on the wire, the problem is on the server, not in your client code. If client_hello is bad, look for synchronization errors corrupting the packet or OpenSSL state before sending.
On 03-08-2010 07:41, Shalem Raju wrote:
Hi, We are using a multithreaded client with libcurl to connect to a Tomcat 5.5 web server. We are getting Error : SSL connect error, detailed error : Unknown SSL protocol error in connection to www.openssl.org:443 Further error details: err=-1, detail=5, errnomsg=Resource temporarily unavailable
I found that this error occurs while receiving the server hello. Surprisingly, if I debug the program with breakpoints at every step of the handshake, it works fine. When we use the same source without any threads (commenting out the pthread_create call and calling the function normally), it works fine. Please help me in resolving this issue. Thanks in advance.
*OS:* AIX *openssl version:* openssl-0.9.8o *openssl config details :* config threads no-shared -D_REENTRANT *libcurl version :* curl-7.15.0 libcurl configuration details : configure CC="xlC_r" --enable-static=yes --enable-shared=no --enable-thread --enable-verbose --enable-debug --enable-cookies --enable-nonblocking
In Tomcat, the configuration below was added to server.xml to enable HTTPS: <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
Sample threaded code used:
#include<stdio.h> #include<pthread.h> #include<curl.h> #define NUMT 1 /* we have this global to let the callback get easy access to it */ static pthread_mutex_t *lockarray; #include<openssl/crypto.h> static void lock_callback(int mode, int type, const char *file, int line) { (void)file; (void)line; if (mode& CRYPTO_LOCK) { pthread_mutex_lock(&(lockarray[type])); } else { pthread_mutex_unlock(&(lockarray[type])); } } static unsigned long thread_id(void) { unsigned long ret; ret=(unsigned long)pthread_self(); return(ret); } static void init_locks(void) { int i; lockarray=(pthread_mutex_t *)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); for (i=0; 
i<CRYPTO_num_locks(); i++) { pthread_mutex_init(&(lockarray[i]),NULL); } CRYPTO_set_id_callback((unsigned long (*)())thread_id); CRYPTO_set_locking_callback(lock_callback); } static void kill_locks(void) { int i; CRYPTO_set_locking_callback(NULL); for (i=0; i<CRYPTO_num_locks(); i++) pthread_mutex_destroy(&(lockarray[i])); OPENSSL_free(lockarray); } /* List of URLs to fetch.*/ const char * const urls[]= { "https://www.openssl.org/", "https://www.openssl.org/", "https://www.sf.net/", "https://www.sf.net/", }; char curlError [CURL_ERROR_SIZE]; static void *pull_one_url(void *url) { CURL *curl; CURLcode errornum; const char *p; curl = curl_easy_init(); curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curlError); curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3); curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1); curl_easy_setopt(curl, CURLOPT_URL, url); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER,0 ); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0); curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST,"ALL:!EXP"); errornum = curl_easy_perform(curl); p = curl_easy_strerror(errornum ); fprintf(stderr, "operation reult : %s\n", p); fprintf(stderr, "Detailed Error code: %s\n", curlError); curl_easy_cleanup(curl); return NULL; } int main(int argc, char **argv) { pthread_t tid[NUMT]; int i; int error; (void)argc; /* we don't use any arguments in this example */ (void)argv; /* Must initialize libcurl before any threads are started */ curl_global_init(CURL_GLOBAL_ALL); init_locks(); for(i=0; i< NUMT; i++) { error = pthread_create(&tid[i], NULL, /* default attributes please */ pull_one_url, (void *)urls[i]); if(0 != error) fprintf(stderr, "Couldn't run thread number %d, errno %d\n", i, error); else fprintf(stderr, "Thread %d, gets %s\n", i, urls[i]); } /* now wait for all threads to terminate */ for(i=0; i< NUMT; i++) { error = pthread_join(tid[i], NULL); fprintf(stderr, "Thread %d terminated\n", i); } 
kill_locks(); return 0; } Compiled using : xlC_r -D_REENTRANT -DPOSIX_THREADS threaded-ssl.c -I /XXX/libcurl/curl-7.15.9-ssl098/include/curl/ -I /XXX/libcurl/openssl-0.9.8o-install/include/ -lpthread -L /XXX/libcurl/curl-7.15.9-ssl098/lib -lcurl -L/XXX/libcurl/openssl-0.9.8o-install/lib -lssl -lcrypto -lz -g -o multithread Output Result : $: ./multithread Thread 0, gets https://www.openssl.org/ operation reult : SSL connect error Detailed Error code: Unknown SSL protocol error in connection to www.openssl.org:443 err=-1, detail=5, errdetail=0, errnomsg=Resource temporarily unavailable Thread 0 terminated