httpd/server.c contains the following:
ret = tls_accept_socket(srv->srv_tls_ctx, &clt->clt_tls_ctx,
clt->clt_s);
[...]
} else if (ret != 0) {
log_warnx("%s: TLS accept failed - %s", __func__,
tls_error(srv->srv_tls_ctx));
return;
Here the return value of tls_error(srv->srv_tls_ctx) may be incorrect if
tls_accept_socket() records the error message on clt->clt_tls_ctx rather than on srv->srv_tls_ctx.
For instance, in my case, the above code snippet produces the following
log entries:
Mar 29 22:53:22 alpha httpd[6684]: server_accept_tls: TLS accept failed - (null)
Perhaps the following diff would be a good way to fix this.
Index: tls_server.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.5
diff -p -U5 -r1.5 tls_server.c
--- tls_server.c 7 Feb 2015 09:50:09 -0000 1.5
+++ tls_server.c 30 Mar 2015 17:28:33 -0000
@@ -133,10 +133,11 @@ tls_accept_socket(struct tls *ctx, struc
if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
err = tls_ssl_error(conn_ctx, ret, "accept");
if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
return (err);
}
+ tls_set_error(ctx, "%s", tls_error(conn_ctx));
goto err;
}
return (0);