Requested privately, but since I can't do much 
I'm throwing out what I can for anyone else to add to.

> -----Original Message-----
> From: Yan, Bob 
> Sent: Wednesday, October 24, 2012 1:48 PM
> To: openssl-users@openssl.org
> Subject: RE: SSL_do_handshake() failed on openssl version 1.0.1c
> 
> Dear Sir/Madam,
> 
> I have used the SSL_negotiate() and SSL_do_handshake() functions 
> to move the SSL connection into renegotiate state in my 
> server side code. It works fine in the openssl 1.0.0a release. 
> But after I upgraded the openssl library from version 1.0.0a 
> to 1.0.1c, this code does not work. Basically the second call 
> to the SSL_do_handshake() function failed with the error: 
> error:00000001:lib(0):func(0):reason(1). Following is my sample code:
> 
There is no SSL_negotiate in 1.0.1c, or any other version I have.
There is SSL_renegotiate (and SSL_renegotiate_abbreviated, 
and SSL_renegotiate_pending) but not documented and I haven't 
used them and I don't have time to go through the code.

I do see s_server.c has two cases of SSL_renegotiate 
followed by SSL_do_handshake, one followed by SSL_write (which 
I'd guess forces any needed handshake as it does for initial) 
and one not obviously followed by anything.
All in parts of the program where there is a connection, see below.

> SSL *ssl_con = SSL_new(ssl_context);
> SSL_negotiate(ssl_con);
> SSL_do_handshake(ssl_con);
> ssl_con->state = SSL_ST_ACCEPT;
> SSL_do_handshake(ssl_con);    ---- Failed: 
> error:00000001:lib(0):func(0):reason(1).
> 
If that's actually SSL_renegotiate, it makes no sense. 
Renegotiation can only occur after an SSL connection exists, 
with a socket and an initial handshake.

Directly changing things in an SSL object is almost always wrong.
If there isn't an API that makes the change(s) you want, 
it probably is impossible, disallowed, unsupported or broken.

That "error" doesn't look like an openssl error. It looks like 
a return code, or conceivably an OS/file error. 

> Could somebody please show me how to resolve this issue?
> 
If it were me I'd look at -- and maybe debug -- s_server, 
which presumably works, to see what it does and how it works.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org