Re: ssl client write / server accept seems broken

2021-03-24 Thread Embedded Devel



On 3/24/21 9:53 PM, Embedded Devel wrote:


On 3/23/21 11:06 PM, Matt Caswell wrote:



On 23/03/2021 15:47, Embedded Devel wrote:
Do you know if your application is statically linked or dynamically 
linked to OpenSSL?

I've attached the code in question if it helps



and nope still have the errors




original code was deprecated, and changed from

/*  if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) { */

    if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {

which also got added to the client side yet should have been

client should be

if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {

not

if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {




Looks like the original developer already tried to print the contents 
of the OpenSSL error stack:


    case SSL_ERROR_SSL:
        LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
        break;
}

ERR_print_errors_fp(stderr); fflush(stderr);

The errors seem to be going to "stderr" rather than via your "LOG" 
function. You don't show what "LOG" does but if it goes somewhere 
other than stderr then the errors are going somewhere different to 
your log file. Are you able to show us the stderr output from running 
your application?



just compiled with gcc, I see no -lstatic in the makefile ... I've 
attached the ssl .c and .h files in question if you want to see them


What does "ldd" show you for the application binary? i.e.

ldd name-of-your-binary-here


Matt


Re: ssl client write / server accept seems broken

2021-03-24 Thread JONATHAN PELAEZ
On Wed, Mar 24, 2021, 10:54 PM Embedded Devel  wrote:

>
> On 3/23/21 11:06 PM, Matt Caswell wrote:
> >
> >
> > On 23/03/2021 15:47, Embedded Devel wrote:
> >>> Do you know if your application is statically linked or dynamically
> >>> linked to OpenSSL?
> >> I've attached the code in question if it helps
>
> original code was deprecated, and changed from
>
> /*  if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) { */
>  if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
>
> which also got added to the client side yet should have been
>
> client should be
>
> if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
>
> not
>
> if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
>
>
> >
> > Looks like the original developer already tried to print the contents
> > of the OpenSSL error stack:
> >
> > case SSL_ERROR_SSL:
> > LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
> > break;
> > }
> >
> > ERR_print_errors_fp(stderr);fflush(stderr);
> >
> > The errors seem to be going to "stderr" rather than via your "LOG"
> > function. You don't show what "LOG" does but if it goes somewhere
> > other than stderr then the errors are going somewhere different to
> > your log file. Are you able to show us the stderr output from running
> > your application?
> >
> >
> >> just compiled with gcc, I see no -lstatic in the makefile ... I've
> >> attached the ssl .c and .h files in question if you want to see them
> >
> > What does "ldd" show you for the application binary? i.e.
> >
> > ldd name-of-your-binary-here
> >
> >
> > Matt
>


Re: ssl client write / server accept seems broken

2021-03-24 Thread Embedded Devel



On 3/23/21 11:06 PM, Matt Caswell wrote:



On 23/03/2021 15:47, Embedded Devel wrote:
Do you know if your application is statically linked or dynamically 
linked to OpenSSL?

I've attached the code in question if it helps


original code was deprecated, and changed from

/*  if ((ssl_con->ctx = SSL_CTX_new(TLSv1_server_method())) == NULL) { */

    if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {

which also got added to the client side yet should have been

client should be

if ((ssl_con->ctx = SSL_CTX_new(TLS_client_method())) == NULL) {

not

if ((ssl_con->ctx = SSL_CTX_new(TLS_server_method())) == NULL) {




Looks like the original developer already tried to print the contents 
of the OpenSSL error stack:


    case SSL_ERROR_SSL:
        LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
        break;
}

ERR_print_errors_fp(stderr); fflush(stderr);

The errors seem to be going to "stderr" rather than via your "LOG" 
function. You don't show what "LOG" does but if it goes somewhere 
other than stderr then the errors are going somewhere different to 
your log file. Are you able to show us the stderr output from running 
your application?



just compiled with gcc, I see no -lstatic in the makefile ... I've 
attached the ssl .c and .h files in question if you want to see them


What does "ldd" show you for the application binary? i.e.

ldd name-of-your-binary-here


Matt


Re: ssl client write / server accept seems broken

2021-03-23 Thread Embedded Devel



On 3/23/21 11:06 PM, Matt Caswell wrote:



On 23/03/2021 15:47, Embedded Devel wrote:
Do you know if your application is statically linked or dynamically 
linked to OpenSSL?

I've attached the code in question if it helps




Looks like the original developer already tried to print the contents 
of the OpenSSL error stack:


    case SSL_ERROR_SSL:
        LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
        break;
}

ERR_print_errors_fp(stderr); fflush(stderr);

The errors seem to be going to "stderr" rather than via your "LOG" 
function. You don't show what "LOG" does but if it goes somewhere 
other than stderr then the errors are going somewhere different to 
your log file. Are you able to show us the stderr output from running 
your application?


logread

Tue Mar 23 16:09:43 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 16:09:44 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:46 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 16:09:46 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:49 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 16:09:49 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:54 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 16:09:54 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:09:59 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 16:09:59 2021 user.info : ac_send_init(): Error
Tue Mar 23 16:10:05 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 16:10:05 2021 user.info : ac_send_init(): Error

client side console

2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:
2011704912:error:140C5042:SSL routines:ssl_undefined_function:called a 
function you should not call:ssl/ssl_lib.c:3690:


nothing on console / server side /var/log/message


Mar 23 17:09:54 optim04 ac_server[617182]: ac_ssl_server_accept(): Error 
SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
Mar 23 17:09:54 optim04 ac_server[617182]: ac_ssl_server_accept(): Error 
code: -3
Mar 23 17:09:59 optim04 ac_server[617182]: ac_ssl_server_accept(): Error 
SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
Mar 23 17:09:59 optim04 ac_server[617182]: ac_ssl_server_accept(): Error 
code: -3


Mar 23 17:10:05 optim04 ac_server[617182]: ac_ssl_server_accept(): Error 
SSL_ERROR_SYSCALL - return code: -1. SSL_accept()
Mar 23 17:10:05 optim04 ac_server[617182]: ac_ssl_server_accept(): Error 
code: -3

[root@optim04 ~]#

just compiled with gcc, I see no -lstatic in the makefile ... I've 
attached the ssl .c and .h files in question if you want to see them


What does "ldd" show you for the application binary? i.e.

ldd name-of-your-binary-here


client

root@OpenWrt:~# ldd /usr/sbin/ac_client
    /lib/ld-musl-mips-sf.so.1 (0x77e2)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x77da)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x77bc6000)
    libaxl.so.0 => /usr/lib/libaxl.so.0 (0x77b6e000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77b4a000)
    libc.so => /lib/ld-musl-mips-sf.so.1 (0x77e2)

server

ldd /usr/bin/ac_server
    linux-vdso.so.1 (0x7fff2bd99000)
    libmariadb.so.3 => /lib64/libmariadb.so.3 (0x7f9e81fbb000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x7f9e81d9b000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x7f9e81b07000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x7f9e81621000)
    libaxl.so.0 => /lib64/libaxl.so.0 (0x7f9e813ef000)
    libc.so.6 => 
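
Matt's point above, that the real error behind SSL_ERROR_SSL lives in the OpenSSL error queue and that here it surfaced on the client console rather than through LOG, also means those console lines are worth capturing into the log pipeline, where they can be decoded mechanically. Added example, not code from this thread or from OpenSSL: a parser for the ERR_print_errors_fp() line format that splits the packed OpenSSL 1.1.1 error code into its library, function and reason fields using a local re-implementation of the ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON bit layout (so it builds without libcrypto), plus a helper that collapses a repeated dump like the one above into its distinct codes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Packed OpenSSL 1.1.1 error-code layout, re-implemented here so this file
 * builds without libcrypto (OpenSSL's ERR_GET_LIB/FUNC/REASON macros do the
 * same): 8-bit library | 12-bit function | 12-bit reason. The thread's
 * 0x140C5042 is therefore lib 0x14 (20 = ERR_LIB_SSL), func 0x0C5, reason 0x042. */
#define OSSL_ERR_LIB(e)    (((e) >> 24) & 0xFFUL)
#define OSSL_ERR_FUNC(e)   (((e) >> 12) & 0xFFFUL)
#define OSSL_ERR_REASON(e) ((e) & 0xFFFUL)
#define OSSL_ERR_LIB_SSL   20UL

typedef struct {
    unsigned long code, lib, func, reason, line;
    char lib_name[48], func_name[64], reason_text[128], file[64];
} ossl_err_line_t;

/* Parse one line in the ERR_print_errors_fp() format:
 *   <pid>:error:<hexcode>:<lib>:<function>:<reason>:<file>:<line>:
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_ossl_err_line(const char *line, ossl_err_line_t *out)
{
    char buf[512], *fields[8], *p = buf, *colon;
    int i;

    snprintf(buf, sizeof buf, "%s", line);
    for (i = 0; i < 7; i++) {           /* split on the first seven colons */
        fields[i] = p;
        if ((colon = strchr(p, ':')) == NULL)
            return 0;                   /* too few fields: not an OpenSSL line */
        *colon = '\0';
        p = colon + 1;
    }
    fields[7] = p;                      /* "<line>:" keeps its trailing colon */
    if (strcmp(fields[1], "error") != 0)
        return 0;

    memset(out, 0, sizeof *out);
    out->code   = strtoul(fields[2], NULL, 16);
    out->lib    = OSSL_ERR_LIB(out->code);
    out->func   = OSSL_ERR_FUNC(out->code);
    out->reason = OSSL_ERR_REASON(out->code);
    snprintf(out->lib_name, sizeof out->lib_name, "%s", fields[3]);
    snprintf(out->func_name, sizeof out->func_name, "%s", fields[4]);
    snprintf(out->reason_text, sizeof out->reason_text, "%s", fields[5]);
    snprintf(out->file, sizeof out->file, "%s", fields[6]);
    out->line = strtoul(fields[7], NULL, 10);   /* stops at the trailing ':' */
    return 1;
}

/* Collapse a console dump (such as the twelve identical lines above) into its
 * distinct packed codes; returns how many distinct codes were found. */
int distinct_ossl_err_codes(const char *const *lines, int n,
                            unsigned long *codes, int cap)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        ossl_err_line_t e;
        int seen = 0;
        if (!parse_ossl_err_line(lines[i], &e))
            continue;                   /* skip syslog/other lines */
        for (int j = 0; j < found; j++)
            if (codes[j] == e.code) seen = 1;
        if (!seen && found < cap)
            codes[found++] = e.code;
    }
    return found;
}
```

Feeding the client console output through distinct_ossl_err_codes() reduces the twelve repeated lines to the single code 0x140C5042, which is the one error worth chasing.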

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell




On 23/03/2021 15:47, Embedded Devel wrote:
Do you know if your application is statically linked or dynamically 
linked to OpenSSL?

I've attached the code in question if it helps




Looks like the original developer already tried to print the contents of 
the OpenSSL error stack:


case SSL_ERROR_SSL:
	LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
	break;
}

ERR_print_errors_fp(stderr); fflush(stderr);

The errors seem to be going to "stderr" rather than via your "LOG" 
function. You don't show what "LOG" does but if it goes somewhere other 
than stderr then the errors are going somewhere different to your log 
file. Are you able to show us the stderr output from running your 
application?



just compiled with gcc, I see no -lstatic in the makefile ... I've 
attached the ssl .c and .h files in question if you want to see them


What does "ldd" show you for the application binary? i.e.

ldd name-of-your-binary-here


Matt


Re: ssl client write / server accept seems broken

2021-03-23 Thread Embedded Devel
I'm inclined to think the code for the certs is ok, but can't really say, 
and I'm not an OpenSSL programmer by any means... just need someone to 
put eyes on the code and fix it really.



The cert looks ok - at least nothing obviously wrong. 2048 bit RSA key.

yes freshly generated

when I run the client - I get an error on the client side

Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error SSL_ERROR_SSL - return code: -1.
Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error


It would be useful to see any errors on the OpenSSL error stack which 
might provide more details about specifically what has failed. For 
example you can call the `ERR_print_errors_fp` function to dump the 
error stack to a `FILE *`. Or alternatively use the `ERR_*` functions 
to examine the stack and print it to your log:


Yupp above my head :(


Ah. That's a shame - we could really use understanding the real error 
behind this. "SSL_ERROR_SSL" just means "libssl encountered an error". 
You have to modify your code to print more detailed error information.


There doesn't look to be anything obviously wrong from the snippets of 
code that you have shared. I suspect some kind of config issue - but 
without more detailed error information it's difficult to say for sure.


Would you be able to get a packet capture of a failing connection? 
That might give us some kind of clue.


Do you know if your application is statically linked or dynamically 
linked to OpenSSL?

I've attached the code in question if it helps

just compiled with gcc, I see no -lstatic in the makefile ... I've 
attached the ssl .c and .h files in question if you want to see them


as for a packet capture I can try, they are both remote systems






and lastly if it helps



Unfortunately, not really. This appears to show a working TLSv1.3 
connection.


Matt

#include 
#include 

/* Transforms the error code from SSL function to more meaningful message - check man SSL_get_error */
int ac_ssl_handle_err(ac_ssl_conn_t *ssl_con, int ret_val, const char* custom_prefix, const char* custom_msg)
{
	int err_code;

	if (!ret_val)
		return 0;

	err_code = SSL_get_error(ssl_con->ssl, ret_val);

	switch(err_code) {
		case SSL_ERROR_NONE:
			return 0;
		case SSL_ERROR_ZERO_RETURN:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_ZERO_RETURN - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
		case SSL_ERROR_WANT_READ:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_READ - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
		case SSL_ERROR_WANT_WRITE:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_WRITE - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
		case SSL_ERROR_WANT_CONNECT:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_CONNECT - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
		case SSL_ERROR_WANT_ACCEPT:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_ACCEPT - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
		case SSL_ERROR_WANT_X509_LOOKUP:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_WANT_X509_LOOKUP - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
		case SSL_ERROR_SYSCALL:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_SYSCALL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
		case SSL_ERROR_SSL:
			LOG(LOG_ERR, "%s: Error SSL_ERROR_SSL - return code: %d. %s\n", custom_prefix, ret_val, custom_msg);
			break;
	}

	/* Dump the OpenSSL error queue; note this goes to stderr, not through LOG */
	ERR_print_errors_fp(stderr);
	fflush(stderr);

	return 1;
}

#ifndef _AC_SSL_H_
#define _AC_SSL_H_

#include 

#include 
#include 

#include 
#include 
#include 

typedef struct _ssl_conn {
	int socket;
	SSL_CTX *ctx;
	SSL *ssl;
	char* server;
	int port;
	char* key_file;
	char* key_pass;
	char* cert_file;
	char* ca_file;
} ac_ssl_conn_t;


int ac_ssl_client_init(ac_ssl_conn_t *ssl_con);
int ac_ssl_client_connect(ac_ssl_conn_t *ssl_con);
int ac_ssl_client_read(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
int ac_ssl_client_write(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
int ac_ssl_client_close(ac_ssl_conn_t *ssl_con);

int ac_ssl_server_init(ac_ssl_conn_t *ssl_con);
int ac_ssl_server_accept(ac_ssl_conn_t *ssl_con);
int ac_ssl_server_peer_name(ac_ssl_conn_t *ssl_con, char *cname, int cname_len);
int ac_ssl_server_read(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
int ac_ssl_server_write(ac_ssl_conn_t *ssl_con, void *buf, int buf_len);
int ac_ssl_server_close(ac_ssl_conn_t *ssl_con);

/* This is a common function for both server and client, but it is defined in ac_client.c; for now it seems pointless to move it into its own source file */
int ac_ssl_handle_err(ac_ssl_conn_t *ssl_con, int ret_val, const char* custom_prefix, const char* custom_msg);

#endif

#include 
#include 
#include 
#include 
#include 

#include 
#include 
#include 

/* Initialize SSL Library */
int ac_ssl_client_init(ac_ssl_conn_t *ssl_con)
{
	SSL_library_init();

	return 0;
}

/* Create Client Socket */
int 

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell




On 23/03/2021 15:02, Embedded Devel wrote:




I'm inclined to think the code for the certs is ok, but can't really say, 
and I'm not an OpenSSL programmer by any means... just need someone to 
put eyes on the code and fix it really.


The cert looks ok - at least nothing obviously wrong. 2048 bit RSA key.







when I run the client - I get an error on the client side

Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error



It would be useful to see any errors on the OpenSSL error stack which 
might provide more details about specifically what has failed. For 
example you can call the `ERR_print_errors_fp` function to dump the 
error stack to a `FILE *`. Or alternatively use the `ERR_*` functions 
to examine the stack and print it to your log:


Yupp above my head :(


Ah. That's a shame - we could really use understanding the real error 
behind this. "SSL_ERROR_SSL" just means "libssl encountered an error". 
You have to modify your code to print more detailed error information.


There doesn't look to be anything obviously wrong from the snippets of 
code that you have shared. I suspect some kind of config issue - but 
without more detailed error information it's difficult to say for sure.


Would you be able to get a packet capture of a failing connection? That 
might give us some kind of clue.


Do you know if your application is statically linked or dynamically 
linked to OpenSSL?




and lastly if it helps



Unfortunately, not really. This appears to show a working TLSv1.3 
connection.


Matt



Re: ssl client write / server accept seems broken

2021-03-23 Thread Embedded Devel



On 3/23/21 9:31 PM, Matt Caswell wrote:



On 23/03/2021 02:37, Embedded Devel wrote:
I have an application previously written for us 10+ years ago that no 
longer seems to be happy


Has something happened that might have caused this? Did you upgrade 
OpenSSL, or do some other kind of update to your code?


Which version of OpenSSL are you using?


surely an openssl upgrade, this code is maybe 7-8 years old

OpenSSL 1.1.1g FIPS  21 Apr 2020 Centos 7







and the original dev is no longer available, so who can I pay to 
bang this out and make it happy, or who can guide me through getting 
it functional... basic info below.


I have a client process which is supposed to speak to a server via 
ssl, and then send data


I've created a "CA" and generated the CSR / and certs for both the 
client and the server.


What kind of certs did you generate? How big are the keys? Are you 
able to share the certs (not the keys)?


original expired certs

-rw-r--r-- 1 root root 1424 Mar 22 16:59 ac_ca_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_ca_key.pem
-rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_client_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_client_key.pem
-rw-r--r-- 1 root root 1168 Mar 22 16:59 ac_server_cert.pem
-rw-r--r-- 1 root root 1675 Mar 22 16:59 ac_server_key.pem
-rw--- 1 root root 1204 Mar 22 18:24 ca.crt
-rw--- 1 root root 1766 Mar 22 18:23 ca.key

new certs

-rw-r--r-- 1 root root 1529 Mar 22 17:45 myCA.pem
-rw-r--r-- 1 root root 1566 Mar 22 18:04 portaladmin.domain.com.crt
-rw-r--r-- 1 root root 1115 Mar 22 18:04 portaladmin.domain.com.csr
-rw-r--r-- 1 root root  216 Mar 22 18:04 portaladmin.domain.com.ext
-rw--- 1 root root 1675 Mar 22 18:04 portaladmin.domain.com.key

I can share the certs



I'm inclined to think the code for the certs is ok, but can't really say, 
and I'm not an OpenSSL programmer by any means... just need someone to 
put eyes on the code and fix it really.





when I run the client - I get an error on the client side

Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error



It would be useful to see any errors on the OpenSSL error stack which 
might provide more details about specifically what has failed. For 
example you can call the `ERR_print_errors_fp` function to dump the 
error stack to a `FILE *`. Or alternatively use the `ERR_*` functions 
to examine the stack and print it to your log:


Yupp above my head :(

and lastly if it helps

❯ openssl s_client -connect 46.23.86.244:3490
CONNECTED(0003)
Can't use SSL_get_servername
depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim 
Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
ad...@optimcloud.com

verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = NL, ST = S'Gravenhage, L = SGravenhage, O = Optim 
Enterprises BV, OU = Wireless, CN = ca.optimcloud.com, emailAddress = 
ad...@optimcloud.com

verify return:1
depth=0 C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim 
Enterprises BV, OU = Wireless, CN = portaladmin.optimcloud.com, 
emailAddress = ad...@optimcloud.com

verify return:1
---
Certificate chain
 0 s:C = NL, ST = S'Gravenhage, L = S'Gravenhage, O = Optim Enterprises 
BV, OU = Wireless, CN = portaladmin.optimcloud.com, emailAddress = 
ad...@optimcloud.com
   i:C = 

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell




On 23/03/2021 02:37, Embedded Devel wrote:
I have an application previously written for us 10+ years ago that no 
longer seems to be happy


Has something happened that might have caused this? Did you upgrade 
OpenSSL, or do some other kind of update to your code?


Which version of OpenSSL are you using?




and the original dev is no longer available, so who can I pay to bang 
this out and make it happy, or who can guide me through getting it 
functional... basic info below.


I have a client process which is supposed to speak to a server via ssl, 
and then send data


I've created a "CA" and generated the CSR / and certs for both the client 
and the server.


What kind of certs did you generate? How big are the keys? Are you able 
to share the certs (not the keys)?




when i run the client - i get an error on the client side

Tue Mar 23 02:13:58 2021 user.err : ac_ssl_client_write(): Error 
SSL_ERROR_SSL - return code: -1.

Tue Mar 23 02:13:58 2021 user.info : ac_send_init(): Error



It would be useful to see any errors on the OpenSSL error stack which 
might provide more details about specifically what has failed. For 
example you can call the `ERR_print_errors_fp` function to dump the 
error stack to a `FILE *`. Or alternatively use the `ERR_*` functions to 
examine the stack and print it to your log:


https://www.openssl.org/docs/man1.1.1/man3/

Matt