On 11/22/04 02:20 PM, Louis LeBlanc sat at the `puter and typed:
Hey everyone. Been a long time since I've been able to spend much time
on SSL code, but here I am again.
My app is a client side HTTP/HTTPS application, and the problem that
recently showed up (more likely it was just recently noticed) is a
problem of sorts with SSL_read(). But only with some servers.
Connections to other servers work just fine.
Here's a snippet of the code giving problems:
n = SSL_read(c-data, c-buf+c-bufend, len);
if (n = 0)
{ int sslerr = ERR_get_error();
errcode = SSL_get_error(c-data, n);
if (errno) eptr = strerror(errno);
if (sslerr)
{ (void *)ERR_error_string(sslerr, errbuf); errptr = errbuf; }
switch(errcode)
{
case SSL_ERROR_SYSCALL:
/* Some kind of I/O error; */
if (DebugSSL)
{
if (sslerr) /* SSL IO error? */
{ /* SSL_13013:I:Problem in SSL_read():%s: %s:%d */
if (errptr *errptr)
ERROR(errmsgs[SSL_13013], errptr, __FILE__, __LINE__);
else
ERROR(errmsgs[SSL_13013], SSL_ERROR_SYSCALL ,
__FILE__, __LINE__);
}
else if (eptr *eptr) /* Some system error - check errno */
ERROR(errmsgs[SSL_13013], eptr, __FILE__, __LINE__);
else if (n == 0)
ERROR(errmsgs[SSL_13013], SSL_ERROR_SYSCALL/EOF ,
__FILE__, __LINE__); // XXX
else
ERROR(errmsgs[SSL_13013], SSL_ERROR_SYSCALL/SOCKET ,
__FILE__, __LINE__);
}
sslsock_shutdown(c);
return -1;
break;
. . . // leaving out unrelated error handling
}
}
The error being logged is SSL_ERROR_SYSCALL/EOF - the section marked
with XXX. Far as I can tell, this really shouldn't happen. There
appear to be no problems in the SSL_connect phase. This code snippet is
from the first read after the connection is established - the first
attempt to read the headers.
My first assumption was that I must have mishandled the error condition
somehow. I reread the manpages for SSL_read() and SSL_get_error(), and
unless I'm interpreting these pages incorrectly, I have it right in the
code above.
Also, I should note that regular browsers have no problem conecting to
the server, and my client app has no trouble connecting to other secure
servers. The problem has been occurring with my app linked to OpenSSL
0.9.7a, but is easily reproduced with 0.9.7e.
Here's the server string returned by the origin:
Server: IBM_HTTP_SERVER/1.3.19 Apache/1.3.20 (Unix)
Ok, I finally figured this one out.
It was the cipher list after all.
My initial configuration used the list [EMAIL PROTECTED], which was intended
to maximize the list of ciphers used while giving preference to weaker
ciphers - to minimize overhead. Problem is the server in question was
choking on one of them before it got the one it liked.
When I changed the cipher list to DEFAULT, it worked fine. Of course,
DEFAULT is normally defined as ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH. I
also tried a tweak to this list: ALL:RC4+RSA:+SSLv2:+ADH:@STRENGTH,
which also worked. So I'm speculating that there is some kind of hangup
with the ADH ciphers. I haven't kept up on them in the last several
years, but I seem to remember that they were nontrivial to generate
certs for and use.
So that's it. Configuration error, and nothing wrong with OpenSSL or my
code :)
Thanks Dr. Henson for providing feedback on this issue.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org ԿԬ
Live long and prosper.
-- Spock, Amok Time, stardate 3372.7
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
