Thanks a lot for the help.

Dave Thompson-5 wrote:
>
> Openssl can record multiple error 'items' so you should loop:
>   while( (err = ERR_get_error()) != 0 )
>     ERR_error_string(err, buf), puts (buf); // or similar
> or just call ERR_print_errors[_fp] which does the loop for you
> as long as you want the output to a BIO or FILE*.
>

Thanks, good info to know.

Dave Thompson-5 wrote:
>
>
> Which end of the connection are you, what ciphersuite(s)
> are you selecting, are you using client-auth, what is at
> the other end, and which openssl version are you using?
>
> Can you try commandline openssl s_client to or s_server
> from the same peer(s?), with (at least) -msg, and see whether
> it gets the same error, and exactly where in the sequence?
>

There is no client auth on this. Actually this is the second SSL connection to the server. The first connection is ok. (s_client works here).

After I added more logging for the SSL handshake through the openssl callback by using the following 2 calls:

    // register tls_trace as the protocol message callback on the context
    if(!SSL_CTX_callback_ctrl(m_ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))tls_trace))
    {
        return false;
    }
    // pass this object to the callback as its user argument
    else if(!SSL_CTX_ctrl(m_ctx, SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, this))
    {
        return false;
    }

I was able to figure out that it is a bug in the XMPP SDK we are using (the SDK is using openssl): it would initiate the SSL handshake twice, which seems to confuse the server.

Here is the handshake sequence for the first successful connection ("O>>>>" means the message is sent out by the client, "I<<<<" means the message is received by the client):

    O>>>>SSLv2, Client hello (1):
    I<<<<SSLv3, TLS handshake, Server hello (2):
    I<<<<SSLv3, TLS handshake, CERT (11):
    I<<<<SSLv3, TLS handshake, Server key exchange (12):
    I<<<<SSLv3, TLS handshake, Server finished (14):
    O>>>>SSLv3, TLS handshake, Client key exchange (16):
    O>>>>SSLv3, TLS change cipher, Client hello (1):
    O>>>>SSLv3, TLS handshake, Finished (20):
    I<<<<SSLv3, TLS change cipher, Client hello (1):
    I<<<<SSLv3, TLS handshake, Finished (20):

Here is the second, failed TLS handshake sequence:

    O>>>>SSLv2, Client hello (1):
    O>>>>SSLv2, Client hello (1):
    I<<<<SSLv3, TLS handshake, Server hello (2):
    I<<<<SSLv3, TLS handshake, CERT (11):
    I<<<<SSLv3, TLS handshake, Server key exchange (12):
    O>>>>SSLv3, TLS alert, Server hello (2):
    O>>>>SSLv2, Client hello (1):
    O>>>>SSLv2, Client hello (1):
    O>>>>SSLv2, Client hello (1):

Note that there are 2 "client hello" messages in the beginning, and the client is waiting for the following message from the server, which the client never gets before it bails out:

    I<<<<SSLv3, TLS handshake, Server finished (14):
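
The duplicate "Client hello" seen in the failed trace can be flagged from inside the message callback itself. The following is an added example, not code from the original post or from the SDK: `hs_watch_msg` and `first_duplicate` are hypothetical helpers, meant to be called from a callback such as `tls_trace` with the `write_p`, `version`, `content_type`, `buf` and `len` arguments OpenSSL passes to it, and the two sample traces are constructed from the sequences quoted above (the 0x0300 version value is an assumption).

```c
#include <stddef.h>

/* Wire values as they reach an OpenSSL message callback. */
enum { VER_SSL2 = 0x0002, VER_SSL3 = 0x0300, CT_HANDSHAKE = 22,
       HS_CLIENT_HELLO = 1, HS_FINISHED = 20 };

struct hs_watch { int hellos_out; };  /* hypothetical state, one per connection */

/* Feed every message the callback sees. Returns 1 when a ClientHello is sent
 * again before the handshake in progress has completed, otherwise 0. */
int hs_watch_msg(struct hs_watch *w, int write_p, int version,
                 int content_type, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    /* SSLv2-format messages are reported with content_type 0, so accept them by version. */
    if (len == 0 || (content_type != CT_HANDSHAKE && version != VER_SSL2))
        return 0;                     /* alerts, change cipher spec, empty input */
    if (write_p && p[0] == HS_CLIENT_HELLO)
        return ++w->hellos_out > 1;
    if (!write_p && version != VER_SSL2 && p[0] == HS_FINISHED)
        w->hellos_out = 0;            /* handshake done; a later hello is a renegotiation */
    return 0;
}

/* Constructed sample input: the two sequences from the post, reduced to
 * direction, version, content type and first message byte. */
struct msg { int write_p, version, content_type; unsigned char type; };
static const struct msg good_trace[] = {
    {1, VER_SSL2, 0, 1},   {0, VER_SSL3, 22, 2},  {0, VER_SSL3, 22, 11},
    {0, VER_SSL3, 22, 12}, {0, VER_SSL3, 22, 14}, {1, VER_SSL3, 22, 16},
    {1, VER_SSL3, 20, 1},  {1, VER_SSL3, 22, 20}, {0, VER_SSL3, 20, 1},
    {0, VER_SSL3, 22, 20},
};
static const struct msg bad_trace[] = {
    {1, VER_SSL2, 0, 1}, {1, VER_SSL2, 0, 1}, {0, VER_SSL3, 22, 2},
};

/* Returns the index of the first repeated ClientHello, or -1 if there is none. */
int first_duplicate(const struct msg *m, size_t n)
{
    struct hs_watch w = {0};
    for (size_t i = 0; i < n; i++)
        if (hs_watch_msg(&w, m[i].write_p, m[i].version,
                         m[i].content_type, &m[i].type, 1))
            return (int)i;
    return -1;
}

int main(void) { return first_duplicate(bad_trace, 3) == 1 ? 0 : 1; }
```
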