
Re: TLS negotiation failure



On Thu, Sep 10, 2009 at 02:51:34PM +0000, Emmanuel Dreyfus wrote:
> I tried looping on SSL_accept() until it succeeds, in tlso_session_accept().
> It often has to try between 400 and 800 times before getting a 
> success.

The statement above should be discarded, as I overlooked a few things. 
Here is my latest analysis of the problem:

- here is the code path leading to the error:
     ldap_pct_tls_accepts -> tlso_session_accept -> SSL_accept


- During SSL_accept(), the tlso_info_cb() callback is invoked only
once, as reported by LDAP_DEBUG_TRACE output:
     TLS trace: SSL_accept:before/accept initialization
There is no "TLS trace: SSL_accept:SSLv3 read client hello A", as 
we have in normal sessions.


- When SSL_accept() returns, it has:
     SSL_accept return value = 0
     SSL_get_error() returns SSL_ERROR_SYSCALL
     ERR_get_error() returns 0
     errno is set to 0.



- Reading SSL_get_error(3), I would be in the "EOF was observed that 
violates the protocol" situation:
    SSL_ERROR_SYSCALL
        Some I/O error occurred.  The OpenSSL error queue may contain more
        information on the error.  If the error queue is empty (i.e.
        ERR_get_error() returns 0), ret can be used to find out more about
        the error: If ret == 0, an EOF was observed that violates the
        protocol.  If ret == -1, the underlying BIO reported an I/O error (for
        socket I/O on Unix systems, consult errno for details).


But I have trouble claiming the client is the culprit, since it 
happens with a rich mixture of clients: NetBSD, Linux, MacOS X.

-- 
Emmanuel Dreyfus
manu@netbsd.org
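Added example, not code from this thread or from OpenLDAP's tls_o.c: a small C helper that encodes the SSL_get_error(3) rules quoted above, so a server can tell the "EOF that violates the protocol" case (the exact combination of values the post reports) apart from a real socket error, a library error with a non-empty error queue, or a retryable non-blocking result. The MY_SSL_ERROR_* constants, the outcome enum and both function names are constructed for this block; the numeric values match OpenSSL's ssl.h so it compiles and runs without linking libssl.

```c
#include <errno.h>
#include <string.h>

/* SSL_get_error() codes, copied so the block builds without libssl.
 * Values are the ones in <openssl/ssl.h>. */
enum {
    MY_SSL_ERROR_NONE = 0, MY_SSL_ERROR_SSL = 1, MY_SSL_ERROR_WANT_READ = 2,
    MY_SSL_ERROR_WANT_WRITE = 3, MY_SSL_ERROR_SYSCALL = 5, MY_SSL_ERROR_ZERO_RETURN = 6
};

typedef enum {
    ACCEPT_OK,         /* handshake finished, ret == 1 */
    ACCEPT_RETRY,      /* non-blocking BIO needs more I/O: call SSL_accept() again */
    ACCEPT_PEER_EOF,   /* peer hung up mid-handshake: ret == 0, SYSCALL, empty queue */
    ACCEPT_IO_ERROR,   /* ret == -1, SYSCALL, empty queue: errno says why */
    ACCEPT_TLS_ERROR,  /* library/protocol error: drain ERR_get_error() for details */
    ACCEPT_CLOSED      /* peer sent close_notify */
} accept_outcome;

/* Classify one SSL_accept() call from the four values the post lists:
 * its return value, SSL_get_error(), the first ERR_get_error() value
 * and errno saved immediately after the call. Mirrors SSL_get_error(3). */
accept_outcome classify_ssl_accept(int ret, int ssl_err,
                                   unsigned long queue_err, int saved_errno)
{
    if (ret == 1) return ACCEPT_OK;
    switch (ssl_err) {
    case MY_SSL_ERROR_WANT_READ:
    case MY_SSL_ERROR_WANT_WRITE:
        return ACCEPT_RETRY;
    case MY_SSL_ERROR_ZERO_RETURN:
        return ACCEPT_CLOSED;
    case MY_SSL_ERROR_SYSCALL:
        if (queue_err != 0) return ACCEPT_TLS_ERROR;   /* queue has the real cause */
        if (ret == 0) return ACCEPT_PEER_EOF;          /* EOF violating the protocol */
        /* ret == -1 with an empty queue: the BIO failed, errno explains it
         * (errno == 0 here means the caller did not save it in time). */
        return saved_errno == 0 ? ACCEPT_IO_ERROR : ACCEPT_IO_ERROR;
    default:
        return ACCEPT_TLS_ERROR;
    }
}

/* Short operator-facing text for a log line. */
const char *accept_outcome_str(accept_outcome o)
{
    static const char *names[] = {
        "handshake complete", "retry SSL_accept", 
        "peer closed the connection before the handshake finished",
        "socket I/O error", "TLS library error", "peer sent close_notify" };
    return names[o];
}
```

Note that this reflects the SSL_get_error(3) text the post quotes; OpenSSL 3.0 reports an unexpected EOF during a read as SSL_ERROR_SSL with an error in the queue instead, unless SSL_OP_IGNORE_UNEXPECTED_EOF is set.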