On Tuesday 31 March 2015, Tim van der Molen wrote:
> httpd/server.c contains the following:
>
>     ret = tls_accept_socket(srv->srv_tls_ctx, &clt->clt_tls_ctx,
>         clt->clt_s);
>     [...]
>     } else if (ret != 0) {
>         log_warnx("%s: TLS accept failed - %s", __func__,
>             tls_error(srv->srv_tls_ctx));
>         return;
>
> Here the return value of tls_error(srv->srv_tls_ctx) may be incorrect if
> tls_accept_socket() sets the error message in clt->clt_tls_ctx.
>
> For instance, in my case, the above code snippet produces the following
> log entries:
>
> Mar 29 22:53:22 alpha httpd[6684]: server_accept_tls: TLS accept failed -
> (null)
Thanks for flagging this - the real issue is that the error was being
assigned to the connection context, rather than the server context. I've
just submitted a diff that changes this behaviour. This means we now get
actual errors:

    server_accept_tls: TLS accept failed - accept failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

> Perhaps the following diff would be a good way to fix this.
>
> Index: tls_server.c
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls_server.c,v
> retrieving revision 1.5
> diff -p -U5 -r1.5 tls_server.c
> --- tls_server.c 7 Feb 2015 09:50:09 -0000 1.5
> +++ tls_server.c 30 Mar 2015 17:28:33 -0000
> @@ -133,10 +133,11 @@ tls_accept_socket(struct tls *ctx, struc
> if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
> err = tls_ssl_error(conn_ctx, ret, "accept");
> if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
> return (err);
> }
> + tls_set_error(ctx, "%s", tls_error(conn_ctx));
> goto err;
> }
>
> return (0);

--
"Action without study is fatal. Study without action is futile."
    -- Mary Ritter Beard
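Review bot: the added `tls_set_error(ctx, "%s", tls_error(conn_ctx));` before `goto err` passes whatever tls_error(conn_ctx) returns straight into a "%s" conversion, and tls_error() returns NULL when no message has been recorded (the quoted httpd log shows that value being printed as "(null)"); nothing in the hunk shows that tls_ssl_error() records a message for every non-retry return, and NULL with "%s" is undefined behaviour in C, so either guard the copy with a NULL check or, as the reply above describes for the committed change, have the accept path record the message on `ctx` in the first place so it is never stored on one context and read from the other. The early return for TLS_READ_AGAIN/TLS_WRITE_AGAIN correctly skips the copy, since those are not errors.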
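As an added example (not libtls or httpd code, and not part of this thread), the following C model shows why the caller in httpd logged "(null)" and how the two proposed fixes differ: a server `struct tls` is used to accept connections, a per-connection `struct tls` is created during accept, and the failure message is recorded on one or the other. `tls_set_error()` and `tls_error()` are reimplemented here with an assumed layout; `model_accept()`, `error_for_log()`, `accept_and_report()` and the `errmode` values are hypothetical names, and the handshake failure text is constructed.

```c
/*
 * Added example, not libtls/httpd code. Models where an accept failure
 * message is recorded (connection vs. server context) and what a caller
 * reading the server context then sees. All names are hypothetical.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct tls {
	int	errset;		/* 1 once a message has been recorded */
	char	errmsg[256];
};

enum errmode {
	ERR_ON_CONN,	/* behaviour Tim observed: message lands on conn */
	ERR_COPY,	/* Tim's diff: record on conn, then copy to srv */
	ERR_ON_SERVER	/* the reply's approach: record on srv directly */
};

/* Record a formatted message on ctx, replacing any earlier one. */
static void
tls_set_error(struct tls *ctx, const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vsnprintf(ctx->errmsg, sizeof(ctx->errmsg), fmt, ap);
	va_end(ap);
	ctx->errset = 1;
}

/* Last message recorded on ctx, or NULL if none (as libtls does). */
static const char *
tls_error(struct tls *ctx)
{
	return (ctx->errset ? ctx->errmsg : NULL);
}

/*
 * Model of tls_accept_socket(): `fail` simulates SSL_accept() != 1 and
 * `mode` selects where the failure message is recorded.
 */
static int
model_accept(struct tls *srv, struct tls **cctx, int fail, enum errmode mode)
{
	struct tls *conn;
	const char *why = "simulated handshake error";	/* constructed */

	if ((conn = calloc(1, sizeof(*conn))) == NULL) {
		tls_set_error(srv, "out of memory");
		return (-1);
	}
	*cctx = conn;
	if (!fail)
		return (0);
	switch (mode) {
	case ERR_ON_CONN:
		tls_set_error(conn, "accept failed: %s", why);
		break;
	case ERR_COPY:
		tls_set_error(conn, "accept failed: %s", why);
		tls_set_error(srv, "%s", tls_error(conn));
		break;
	case ERR_ON_SERVER:
		tls_set_error(srv, "accept failed: %s", why);
		break;
	}
	return (-1);
}

/*
 * Safe form of httpd's log_warnx("... - %s", tls_error(ctx)): passing
 * NULL to %s is undefined behaviour in C (glibc and OpenBSD happen to
 * print "(null)"), so substitute a fixed string instead.
 */
static const char *
error_for_log(struct tls *ctx)
{
	const char *e = tls_error(ctx);

	return (e != NULL ? e : "(no error message recorded)");
}

/* Run one failing accept and return what a server-context caller logs. */
static const char *
accept_and_report(enum errmode mode)
{
	static char out[256];
	struct tls srv = { 0 };
	struct tls *conn = NULL;

	if (model_accept(&srv, &conn, 1, mode) != 0)
		snprintf(out, sizeof(out), "%s", error_for_log(&srv));
	else
		snprintf(out, sizeof(out), "ok");
	free(conn);
	return (out);
}

int
main(void)
{
	printf("ERR_ON_CONN:   %s\n", accept_and_report(ERR_ON_CONN));
	printf("ERR_COPY:      %s\n", accept_and_report(ERR_COPY));
	printf("ERR_ON_SERVER: %s\n", accept_and_report(ERR_ON_SERVER));
	return (0);
}
```

In ERR_ON_CONN mode the server context never receives a message, which is the case httpd hit; ERR_COPY and ERR_ON_SERVER both make it visible to the caller, the difference being that ERR_COPY stores the same string twice and depends on the connection context having a message to copy, while ERR_ON_SERVER records it once on the context the caller actually reads.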