Re: TLS negotiation failure
On Thu, Sep 10, 2009 at 02:51:34PM +0000, Emmanuel Dreyfus wrote:
> I tried looping on SSL_accept() until it succeeds, in tlso_session_accept().
> It often has to try between 400 and 800 times before getting a
> success.
The statement above should be discarded, as I overlooked a few things.
Here is my latest analysis of the problem:
- here is the code path leading to the error:
ldap_pct_tls_accepts -> tlso_session_accept -> SSL_accept
- During SSL_accept(), the tlso_info_cb() callback is invoked only
once, as reported by LDAP_DEBUG_TRACE output:
TLS trace: SSL_accept:before/accept initialization
There is no "TLS trace: SSL_accept:SSLv3 read client hello A", as
we have in normal sessions.
- When SSL_accept() returns, it has:
SSL_accept return value = 0
SSL_get_error() returns SSL_ERROR_SYSCALL
ERR_get_error() returns 0
errno is set to 0.
- Reading SSL_get_error(3), I would be in the "EOF was observed that
violates the protocol" situation:
SSL_ERROR_SYSCALL
Some I/O error occurred. The OpenSSL error queue may contain more
information on the error. If the error queue is empty (i.e.
ERR_get_error() returns 0), ret can be used to find out more about
the error: If ret == 0, an EOF was observed that violates the protocol.
If ret == -1, the underlying BIO reported an I/O error (for
socket I/O on Unix systems, consult errno for details).
But I have trouble claiming the client is the culprit, since it
happens with a rich mixture of clients: NetBSD, Linux, MacOS X.
--
Emmanuel Dreyfus
manu@netbsd.org
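As an added example (not code from this message, from OpenLDAP or from OpenSSL), the decision tree that SSL_get_error(3) spells out for a failed SSL_accept() written out as a C function, so the four values reported above (return value 0, SSL_ERROR_SYSCALL, empty error queue, errno 0) can be fed in and classified. It deliberately does not link OpenSSL: the EX_SSL_ERROR_* constants are assumed to mirror the numeric values in <openssl/ssl.h>, and the function and enum names are this example's own. It also covers the retry question the thread started with: only WANT_READ/WANT_WRITE (and, for a blocking socket, EINTR) justify calling SSL_accept() again.

```c
/* Added example: classify a failed SSL_accept() the way SSL_get_error(3)
 * describes.  Runs without OpenSSL; the enum below is assumed to mirror the
 * SSL_ERROR_* values of <openssl/ssl.h>. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Assumed to match the SSL_ERROR_* constants in <openssl/ssl.h>. */
enum {
    EX_SSL_ERROR_NONE        = 0,
    EX_SSL_ERROR_SSL         = 1,
    EX_SSL_ERROR_WANT_READ   = 2,
    EX_SSL_ERROR_WANT_WRITE  = 3,
    EX_SSL_ERROR_SYSCALL     = 5,
    EX_SSL_ERROR_ZERO_RETURN = 6
};

/* What the caller should conclude, or do next. */
typedef enum {
    ACCEPT_OK,              /* handshake completed */
    ACCEPT_RETRY,           /* call SSL_accept() again (after select/poll if non-blocking) */
    ACCEPT_PEER_EOF,        /* peer closed the socket mid-handshake: ret == 0, empty queue */
    ACCEPT_IO_ERROR,        /* BIO/socket error: ret == -1, look at saved_errno */
    ACCEPT_PROTOCOL_ERROR,  /* TLS-level failure: OpenSSL error queue has the details */
    ACCEPT_CLEAN_SHUTDOWN   /* peer sent close_notify */
} accept_outcome;

/*
 * ret         : return value of SSL_accept()
 * ssl_err     : SSL_get_error(ssl, ret)
 * queue_err   : ERR_peek_error() taken right after SSL_get_error()
 * saved_errno : errno captured immediately after SSL_accept() returned,
 *               before any other call could overwrite it
 */
accept_outcome classify_ssl_accept(int ret, int ssl_err,
                                   unsigned long queue_err, int saved_errno)
{
    if (ret == 1)
        return ACCEPT_OK;

    switch (ssl_err) {
    case EX_SSL_ERROR_WANT_READ:
    case EX_SSL_ERROR_WANT_WRITE:
        /* The handshake is simply not finished yet; retry is the right move. */
        return ACCEPT_RETRY;
    case EX_SSL_ERROR_ZERO_RETURN:
        return ACCEPT_CLEAN_SHUTDOWN;
    case EX_SSL_ERROR_SSL:
        return ACCEPT_PROTOCOL_ERROR;
    case EX_SSL_ERROR_SYSCALL:
        if (queue_err != 0)
            return ACCEPT_PROTOCOL_ERROR;   /* queue carries more detail */
        if (ret == 0)
            return ACCEPT_PEER_EOF;         /* EOF that violates the protocol */
        /* ret == -1: the BIO reported an I/O error; errno says which. */
        return saved_errno == EINTR ? ACCEPT_RETRY : ACCEPT_IO_ERROR;
    default:
        return ACCEPT_PROTOCOL_ERROR;
    }
}

const char *accept_outcome_str(accept_outcome o)
{
    switch (o) {
    case ACCEPT_OK:             return "handshake ok";
    case ACCEPT_RETRY:          return "retry SSL_accept()";
    case ACCEPT_PEER_EOF:       return "peer closed socket before/during handshake";
    case ACCEPT_IO_ERROR:       return "socket I/O error (see errno)";
    case ACCEPT_PROTOCOL_ERROR: return "TLS protocol error (see OpenSSL error queue)";
    case ACCEPT_CLEAN_SHUTDOWN: return "peer sent close_notify";
    }
    return "unknown";
}

int main(void)
{
    /* The values reported in the message: ret 0, SSL_ERROR_SYSCALL,
     * ERR_get_error() == 0, errno == 0. */
    accept_outcome o = classify_ssl_accept(0, EX_SSL_ERROR_SYSCALL, 0UL, 0);
    printf("diagnosis: %s\n", accept_outcome_str(o));

    /* A blocking socket interrupted by a signal: worth one more try. */
    o = classify_ssl_accept(-1, EX_SSL_ERROR_SYSCALL, 0UL, EINTR);
    printf("diagnosis: %s\n", accept_outcome_str(o));

    /* A genuine socket failure, where errno is the useful fact. */
    o = classify_ssl_accept(-1, EX_SSL_ERROR_SYSCALL, 0UL, ECONNRESET);
    printf("diagnosis: %s (%s)\n", accept_outcome_str(o), strerror(ECONNRESET));
    return 0;
}
```

The ordering of the inputs matters in real code: read errno and SSL_get_error() immediately after SSL_accept() returns, and keep the thread's error queue empty before the call, otherwise the SYSCALL/ret==0 case cannot be told apart from a stale entry left by an earlier operation.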