Hello Dave,

Please find my reply inline

On Mon, Sep 10, 2012 at 1:52 PM, Dave Thompson <dthomp...@prinpay.com> wrote:

> >From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
> >Sent: Monday, 10 September, 2012 01:56
>
> Answering -users only, this isn't a -dev question.
>
> >I have a challenge before me where I have to debug an SSL handshake
> >failure. Client has OpenSSL libraries and Server is Microsoft
> >SQL Server. I can't sniff the packets using WireShark nor can I
> >enable server logs. All I can do is enable client logging. Any
> >suggestions how to enable OpenSSL logging?
>
> 1. Are you not permitted to use WireShark, or just having
> difficulty doing so? If the latter, maybe we can help.
> WireShark's decoding is much easier than doing it by hand.
>
Mithun>> Yes, I am not allowed to use WireShark.

> 2. If it's a handshake failure, can you use commandline
> s_client? That has logging builtin, use -msg and/or -debug .
>

Mithun>> Last time I used it I got the below:

soniclx24(misingh):  openssl s_client -connect NC-WIN2008X64:1433 -state
-debug -msg -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 08A018A8 [08A0B660] (100 bytes => 100 (0x64))
0000 - 16 03 00 00 5f 01 00 00-5b 03 00 50 3f fb 58 60   ...._...[..P?.X`
0010 - 71 d6 9f 3c a6 fb 60 79-8a 31 fe 39 68 46 0e a0   q..<..`y.1.9hF..
0020 - 3f 0d c8 08 d9 62 da c6-17 fc 8d 00 00 34 00 39   ?....b.......4.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 66 00 05 00 04 00 63-00 62 00 61 00 15 00 12   .f.....c.b.a....
0050 - 00 09 00 65 00 64 00 60-00 14 00 11 00 08 00 06   ...e.d.`........
0060 - 00 03 01                                          ...
0064 - <SPACES/NULS>
>>> SSL 3.0 Handshake [length 005f], ClientHello
    01 00 00 5b 03 00 50 3f fb 58 60 71 d6 9f 3c a6
    fb 60 79 8a 31 fe 39 68 46 0e a0 3f 0d c8 08 d9
    62 da c6 17 fc 8d 00 00 34 00 39 00 38 00 35 00
    16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00
    04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00
    64 00 60 00 14 00 11 00 08 00 06 00 03 01 00
SSL_connect:SSLv3 write client hello A
read from 08A018A8 [08A06E50] (5 bytes => 0 (0x0))
SSL_connect:failed in SSLv3 read server hello A
12542:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:529:

I see your reply:

*Read count 0 nominally means the server closed the TCP connection, neither
continuing the handshake (with ServerHello) nor cleanly aborting (with
alert). A compliant server shouldn't do this, but some do, especially if it
judges you shouldn't be allowed to connect e.g. blacklisted IP addr, too
many attempts too fast, etc. Ask the server operator(s) why it
didn't/doesn't like you.

Alternatively, there is a remote possibility some middlebox in your network
path such as a firewall is doing the close. However middleboxes usually do
this earlier: on the TCP connection (SYN) not during SSL handshake, which
is "just" data to the TCP/IP level.*

Any workaround that you suggest?

> 3. Look at the code for s_client (and s_cb.c) and do in your
> app what it does: write a message callback and attach it
> to SSL and/or a BIO callback and attach it to the line BIO.
> You can probably omit some of the decoding, but
> you still need probably 20-50 lines or so.
>
> >I have enabled API calls "err_error_string_n" and
> >"err_peek_error_line_data" to get the error information. Any suggestions?
>
> By "enabled" you mean you call them after an error occurs?
> These routines begin with ERR_ (case matters in C). Many
> errors have more than one entry in the error queue; to see
> all of them you need to use _get_ not _peek_.
>

Mithun>> I am using the API ERR_peek_error_line_data().

>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

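Dave's suggestions 1 and 3 above come down to decoding the handshake bytes that s_client -msg prints, either by hand or in a message callback of your own. As an added example, not code from the thread or from OpenSSL, the following stand-alone C program decodes the SSL 3.0 ClientHello record from Mithun's "write to" dump (the bytes are copied from that dump); parse_client_hello, ClientHello and parse_page_record are names chosen here. It reports what the client offered (version, cipher suites, extensions), which is what you compare against the server's configuration when the peer closes the connection without a ServerHello or alert.

```c
/* Added example, not code from the thread or from OpenSSL: decode the SSL 3.0 ClientHello
 * record that "s_client -msg" dumped above, as a message callback would. */
#include <stdint.h>
#include <stdio.h>

/* The 100-byte record from the "write to" dump above, copied byte for byte. */
static const uint8_t kRecord[] = {
    0x16,0x03,0x00,0x00,0x5f, 0x01,0x00,0x00,0x5b, 0x03,0x00,   /* record hdr, handshake hdr, version */
    0x50,0x3f,0xfb,0x58,0x60,0x71,0xd6,0x9f,0x3c,0xa6,0xfb,0x60,0x79,0x8a,0x31,0xfe,
    0x39,0x68,0x46,0x0e,0xa0,0x3f,0x0d,0xc8,0x08,0xd9,0x62,0xda,0xc6,0x17,0xfc,0x8d,
    0x00, 0x00,0x34,                                            /* session-id len 0, 52 suite bytes */
    0x00,0x39,0x00,0x38,0x00,0x35,0x00,0x16,0x00,0x13,0x00,0x0a,0x00,0x33,0x00,0x32,
    0x00,0x2f,0x00,0x66,0x00,0x05,0x00,0x04,0x00,0x63,0x00,0x62,0x00,0x61,0x00,0x15,
    0x00,0x12,0x00,0x09,0x00,0x65,0x00,0x64,0x00,0x60,0x00,0x14,0x00,0x11,0x00,0x08,
    0x00,0x06,0x00,0x03, 0x01,0x00 };                           /* one compression method: null */

typedef struct {
    int client_version;  uint32_t gmt_unix_time;                /* first 4 bytes of the 32-byte random */
    size_t session_id_len, cipher_count, compression_count, extension_bytes;
    uint16_t suites[64];
} ClientHello;

/* 0 on success, negative if not a well-formed ClientHello; every read is bounded by the lengths. */
int parse_client_hello(const uint8_t *p, size_t n, ClientHello *h) {
    size_t off = 9, rec_len, hs_len, cs_len;
    *h = (ClientHello){0};
    if (n < 9 || p[0] != 0x16 || p[5] != 0x01) return -1;       /* Handshake record, ClientHello */
    rec_len = (p[3] << 8) | p[4];  hs_len = ((size_t)p[6] << 16) | (p[7] << 8) | p[8];
    if (rec_len + 5 > n || hs_len + 4 > rec_len || hs_len < 35) return -2;  /* truncated/inconsistent */
    n = 9 + hs_len;                                             /* end of the handshake body */
    h->client_version = (p[off] << 8) | p[off + 1];
    h->gmt_unix_time = ((uint32_t)p[off+2] << 24) | (p[off+3] << 16) | (p[off+4] << 8) | p[off+5];
    off += 34;  h->session_id_len = p[off++];                   /* skip version + 32-byte random */
    if ((off += h->session_id_len) + 2 > n) return -3;
    cs_len = (p[off] << 8) | p[off + 1];  off += 2;
    if (cs_len % 2 || cs_len / 2 > 64 || off + cs_len + 1 > n) return -4;
    for (size_t i = 0; i < cs_len; i += 2)
        h->suites[h->cipher_count++] = (uint16_t)((p[off + i] << 8) | p[off + i + 1]);
    off += cs_len;  h->compression_count = p[off++];
    if (off + h->compression_count > n) return -5;
    h->extension_bytes = n - off - h->compression_count;        /* 0 here: SSL 3.0 hello, no extensions */
    return 0;
}

static ClientHello g_hello;                                     /* filled by parse_page_record() */
int parse_page_record(void) { return parse_client_hello(kRecord, sizeof kRecord, &g_hello); }
int main(void) {                                                /* stand-alone run: print the summary */
    if (parse_page_record() != 0) return 1;
    return printf("ClientHello v%d.%d, %zu cipher suites, %zu extension bytes\n", g_hello.client_version >> 8,
                  g_hello.client_version & 0xff, g_hello.cipher_count, g_hello.extension_bytes) < 0;
}
```

The same bounds-checked parse is what a SSL_CTX_set_msg_callback handler would run on the buffer it is handed for each handshake message, in place of the byte array embedded here.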