On Tuesday 31 March 2015, Tim van der Molen wrote:
> httpd/server.c contains the following:
>
> ret = tls_accept_socket(srv->srv_tls_ctx, &clt->clt_tls_ctx,
> clt->clt_s);
> [...]
> } else if (ret != 0) {
> log_warnx("%s: TLS accept failed - %s", __func__,
> tls_error(srv->srv_tls_ctx));
> return;
>
> Here the return value of tls_error(srv->srv_tls_ctx) may be incorrect if
> tls_accept_socket() sets the error message in clt->clt_tls_ctx.
>
> For instance, in my case, the above code snippet produces the following
> log entries:
>
> Mar 29 22:53:22 alpha httpd[6684]: server_accept_tls: TLS accept failed -
> (null)
Thanks for flagging this - the real issue is that the error was being assigned
to the connection context, rather than the server context. I've just
submitted a diff that changes this behaviour. This means we now get actual
errors:
server_accept_tls: TLS accept failed - accept failed: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request
> Perhaps the following diff would be a good way to fix this.
>
> Index: tls_server.c
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls_server.c,v
> retrieving revision 1.5
> diff -p -U5 -r1.5 tls_server.c
> --- tls_server.c 7 Feb 2015 09:50:09 -0000 1.5
> +++ tls_server.c 30 Mar 2015 17:28:33 -0000
> @@ -133,10 +133,11 @@ tls_accept_socket(struct tls *ctx, struc
> if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
> err = tls_ssl_error(conn_ctx, ret, "accept");
> if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) {
> return (err);
> }
> + tls_set_error(ctx, "%s", tls_error(conn_ctx));
> goto err;
> }
>
> return (0);
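Review bot: the added `tls_set_error(ctx, "%s", tls_error(conn_ctx));` copies the message across unconditionally, but `tls_error()` can return NULL when no message has been recorded on the connection context (the reporter's log line shows exactly that value reaching a `%s`), so a NULL from `conn_ctx` would still produce a "(null)" message on the server context and, on a libc that does not special-case NULL in `%s`, undefined behaviour. Guard it before copying, e.g. `const char *msg = tls_error(conn_ctx);` followed by `tls_set_error(ctx, "%s", msg != NULL ? msg : "accept failed");`, so the server context always carries a usable string on the `goto err` path.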
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
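The pitfall in this thread is that libtls keeps one error string per context, and tls_accept_socket() records the handshake error on the per-connection context while httpd queried the server context. The following is an added, self-contained C model of that behaviour, not libtls code and not the diff above: the names model_ctx, model_set_error, model_error, model_accept and caller_sees_error are assumptions made here, and the "constructed handshake error" text is a constructed stand-in for the OpenSSL error string. It shows the "(null)" result when the wrong context is queried, the copy from the connection context to the server context, and the NULL guard that copy needs.

```c
/*
 * Added example modelling libtls per-context error strings. This is NOT
 * libtls; every name below is an assumption made for the illustration.
 */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_ctx {
	char *errmsg;   /* last error recorded on this context, NULL if none */
	int   errnum;   /* errno captured when the message was set */
};

/* Record a formatted error on ctx (models tls_set_error()). */
static int
model_set_error(struct model_ctx *ctx, const char *fmt, ...)
{
	va_list ap;
	int n;

	ctx->errnum = errno;
	free(ctx->errmsg);
	ctx->errmsg = NULL;

	va_start(ap, fmt);
	n = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	if (n < 0)
		return -1;
	if ((ctx->errmsg = malloc((size_t)n + 1)) == NULL)
		return -1;
	va_start(ap, fmt);
	vsnprintf(ctx->errmsg, (size_t)n + 1, fmt, ap);
	va_end(ap);
	return 0;
}

/* Models tls_error(): the message, or NULL if none was recorded. */
static const char *
model_error(const struct model_ctx *ctx)
{
	return ctx->errmsg;
}

/*
 * Models tls_accept_socket(): a handshake failure is reported on the
 * connection context (what tls_ssl_error(conn_ctx, ...) does), not on the
 * server context the caller passed in. `fail` stands in for a failing
 * SSL_accept(); `propagate` enables copying the message to `srv`.
 */
static int
model_accept(struct model_ctx *srv, struct model_ctx *conn, int fail,
    int propagate)
{
	if (!fail)
		return 0;
	model_set_error(conn, "accept failed: %s",
	    "constructed handshake error");
	if (propagate) {
		const char *msg = model_error(conn);
		/* Guard: the source message may be NULL; "%s" on NULL is UB. */
		model_set_error(srv, "%s",
		    msg != NULL ? msg : "accept failed");
	}
	return -1;
}

/* Returns 1 when the server context, queried the way httpd did, carries a
 * usable (non-NULL) message after a failed accept, 0 otherwise. */
static int
caller_sees_error(int propagate)
{
	struct model_ctx srv = { NULL, 0 }, conn = { NULL, 0 };
	int usable;

	(void)model_accept(&srv, &conn, 1, propagate);
	usable = model_error(&srv) != NULL;
	printf("propagate=%d: TLS accept failed - %s\n", propagate,
	    usable ? model_error(&srv) : "(null)");
	free(srv.errmsg);
	free(conn.errmsg);
	return usable;
}

int
main(void)
{
	caller_sees_error(0);   /* reproduces the "(null)" log line */
	caller_sees_error(1);   /* message now reachable from the server ctx */
	return 0;
}
```

Without propagation the server context has nothing recorded, which is the "(null)" the reporter saw; with it the caller can keep logging from the context it already holds, and the guard keeps a NULL on the connection side from being formatted through "%s".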