Discussion:
handshake failure in SSL_read occasionally
Ming Zeng
2002-06-21 00:36:55 UTC
Hi,

I have a multithreaded application which uses OpenSSL to get contents from
HTTPS server (here an IIS server). The HTTPS server requires client side
certificate.

My program uses:
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
so I do not need to handle SSL_ERROR_WANT_WRITE, SSL_ERROR_WANT_READ (even
though my code covers these logics).

My program calls SSL_set_connect_state(...) to tell it's an SSL client, and it
uses SSL_connect(...) to connect to the HTTPS server.

Most of the time, my program works without any problem. But every couple of
hours (sometimes 2 hours, sometimes 3 or more), SSL_read gives me back
SSL_ERROR_SYSCALL error and the detail is:
error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

I have no clue on how to avoid this error, as I see no reasons that
handshake could fail after the success of SSL_connect(...).

Could any of you guys there shed some light on how to solve this problem?
We checked the HTTPS server (IIS) settings, and no clue there also.

Thanks in advance!

Mike



______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Lutz Jaenicke
2002-06-21 08:02:47 UTC
Post by Ming Zeng
> I have a multithreaded application which uses OpenSSL to get contents from
> HTTPS server (here an IIS server). The HTTPS server requires client side
> certificate.
> SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
> so I do not need to handle SSL_ERROR_WANT_WRITE, SSL_ERROR_WANT_READ (even
> though my code covers these logics).
> My program calls SSL_set_connect_state(...) to tell it's an SSL client, and
> it uses SSL_connect(...) to connect to the HTTPS server.
> Most of the time, my program works without any problem. But every couple of
> hours (sometimes 2 hours, sometimes 3 or more), SSL_read gives me back
> error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

And you don't get any more error entry than this single one?

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke-XTec+feGiB/2g9D+***@public.gmane.org
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Lutz Jaenicke
2002-06-21 14:51:14 UTC
Post by Zeng, Ming
> Maybe I am too stupid to figure out how to reply to your question from your
> message directly, so I choose to do it my way.
> Yes. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure is
> the only error my program keeps logging every couple of hours. I have all
> the error handling code in place, and this error only happens in the
> SSL_read.

I did have a look into the ssl/* code. SSL_HANDSHAKE_FAILURE in ssl3_read_bytes
is only flagged, if the s->handshake function returns 0.
This means, that a handshake took place. If the connection was already open,
this means that a renegotiation took place (or at least was attempted).
If I didn't misunderstand ssl3_connect (which is the handshake function
for SSLv3), a return value of 0 should only appear, if 0 bytes were read
from the server: the server did simply close the connection.
(From the source it also seems to be consistent, that there is no error
logged, as I did not see any entry added to the error queue in this case
when looking over the code.)

I don't have an idea however, on what you could do against the problem...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke-XTec+feGiB/2g9D+***@public.gmane.org
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
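
Added example (not from the thread or from OpenSSL): the logged code 140940E5 split into its library, function and reason fields using the pre-3.0 OpenSSL packing, plus a hypothetical policy for reacting to a failed SSL_read that follows the reading given in the reply above. The X_ constants are local copies of OpenSSL header values; `decode_err`, `classify_read_failure` and the action names are assumptions made for illustration.

```c
#include <stdio.h>

/* Values mirrored from OpenSSL's ssl.h and err.h so this builds without
 * the library; the X_ prefix marks them as local copies. */
enum { X_SSL_ERROR_SSL = 1, X_SSL_ERROR_WANT_READ = 2, X_SSL_ERROR_WANT_WRITE = 3,
       X_SSL_ERROR_SYSCALL = 5, X_SSL_ERROR_ZERO_RETURN = 6,
       X_ERR_LIB_SSL = 20, X_SSL_R_SSL_HANDSHAKE_FAILURE = 229 };

struct err_parts { int lib, func, reason; };

/* Same bit split as ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON before 3.0. */
struct err_parts decode_err(unsigned long e)
{
    struct err_parts p;
    p.lib = (int)((e >> 24) & 0xff);
    p.func = (int)((e >> 12) & 0xfff);
    p.reason = (int)(e & 0xfff);
    return p;
}

/* Hypothetical client policy, not an OpenSSL type. */
enum action { RETRY_IO, CLEAN_CLOSE, RECONNECT, REPORT };

/* ssl_err: SSL_get_error() result; ret: SSL_read() return value;
 * queued: first ERR_get_error() value, 0 if the queue was empty. */
enum action classify_read_failure(int ssl_err, int ret, unsigned long queued)
{
    struct err_parts p = decode_err(queued);

    if (ssl_err == X_SSL_ERROR_WANT_READ || ssl_err == X_SSL_ERROR_WANT_WRITE)
        return RETRY_IO;      /* not a failure: call SSL_read again */
    if (ssl_err == X_SSL_ERROR_ZERO_RETURN)
        return CLEAN_CLOSE;   /* peer sent close_notify */
    if (queued != 0 && p.lib == X_ERR_LIB_SSL &&
        p.reason == X_SSL_R_SSL_HANDSHAKE_FAILURE)
        return RECONNECT;     /* thread's case: peer closed during a handshake */
    if (ssl_err == X_SSL_ERROR_SYSCALL && queued == 0 && ret == 0)
        return RECONNECT;     /* EOF without close_notify */
    return REPORT;            /* log errno and every queue entry */
}

int main(void)
{
    struct err_parts p = decode_err(0x140940E5UL);  /* code from the thread */
    printf("lib=%d func=%d reason=%d action=%d\n", p.lib, p.func, p.reason,
           classify_read_failure(X_SSL_ERROR_SYSCALL, -1, 0x140940E5UL));
    return 0;
}
```

A RECONNECT result should be bounded by a retry limit and applied only to requests that are safe to repeat on a fresh connection.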
Zeng, Ming
2002-06-21 14:18:51 UTC
Hi Lutz

Thanks a lot for taking time reading my post and helping me figure out the
problem.

Maybe I am too stupid to figure out how to reply to your question from your
message directly, so I choose to do it my way.

Yes. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure is
the only error my program keeps logging every couple of hours. I have all
the error handling code in place, and this error only happens in the
SSL_read.

Thanks

Mike

Ming Zeng
2002-06-21 18:12:22 UTC
Thanks Lutz for the helpful information.

Could this be an IIS configuration issue?


Mike

Subject: Re: handshake failure in SSL_read occasionally
Date: Fri, 21 Jun 2002 16:51:14 +0200
>> Maybe I am too stupid to figure out how to reply to your question from
>> your message directly, so I choose to do it my way.
>> Yes. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> is the only error my program keeps logging every couple of hours. I have
>> all the error handling code in place, and this error only happens in the
>> SSL_read.
> I did have a look into the ssl/* code. SSL_HANDSHAKE_FAILURE in
> ssl3_read_bytes is only flagged, if the s->handshake function returns 0.
> This means, that a handshake took place. If the connection was already
> open, this means that a renegotiation took place (or at least was attempted).
> If I didn't misunderstand ssl3_connect (which is the handshake function
> for SSLv3), a return value of 0 should only appear, if 0 bytes were read
> from the server: the server did simply close the connection.
> (From the source it also seems to be consistent, that there is no error
> logged, as I did not see any entry added to the error queue in this case
> when looking over the code.)
> I don't have an idea however, on what you could do against the problem...
> Best regards,
> Lutz
> --
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus
Jay States
2002-06-21 19:19:33 UTC
I've just compiled openssl-0.9.7-beta2 and now I'm getting an error in
SSH saying:

EVP_CipherInit: set key failed for none

I've searched the web but found nothing... any ideas?

Thanks

Ken Hoo
2002-06-21 22:01:16 UTC
I'm running Linux on a PC. Can anyone give me some help on how to
generate OpenSSL data (including handshaking) using this SW? Which
functions/library to use? What compile options to use for gcc? I
appreciate any help.

Lutz Jaenicke
2002-06-23 16:39:41 UTC
Post by Jay States
> I've just compiled openssl-0.9.7-beta2 and now I'm getting an error in
> EVP_CipherInit: set key failed for none
> I've searched the web but found nothing... any ideas?

The EVP interface was adjusted between OpenSSL 0.9.6 and 0.9.7.
Please check out a recent version of OpenSSH.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke-XTec+feGiB/2g9D+***@public.gmane.org
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Lutz Jaenicke
2002-06-23 16:41:18 UTC
Post by Ming Zeng
> Could this be an IIS configuration issue?

I don't have any IIS around and no experience in operating it, so the
only answer I have for you is: "may be".
It may also be a bug in IIS. Or something completely different...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke-XTec+feGiB/2g9D+***@public.gmane.org
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus