i’m trying to write simple C openssl client and server. Here is client’s code:
int main() {
int err;
SSL_CTX * ctx = init_ctx("client-cert.pem", "client-private.pem", "certs/cacert.pem", "clientpass");
if (!ctx) {
fprintf(stderr, "couldn't init ctx\n");
exit(1);
}
int sock = tcp_connect("localhost", 4443);
/* Connect the SSL socket */
SSL * ssl = SSL_new(ctx);
BIO * sbio = BIO_new_socket(sock,BIO_NOCLOSE);
SSL_set_bio(ssl,sbio,sbio);
if((err = SSL_connect(ssl)) != 1) {
switch(SSL_get_error(ssl, err)) {
case SSL_ERROR_NONE:
fprintf(stderr, "error SSL_ERROR_NONE\n");
break;
case SSL_ERROR_ZERO_RETURN:
fprintf(stderr, "errorSSL_ERROR_ZERO_RETURN \n");
break;
case SSL_ERROR_WANT_READ:
fprintf(stderr, "error SSL_ERROR_WANT_READ\n");
break;
case SSL_ERROR_WANT_WRITE:
fprintf(stderr, "error SSL_ERROR_WANT_WRITE\n");
break;
case SSL_ERROR_WANT_CONNECT:
fprintf(stderr, "error SSL_ERROR_WANT_CONNECT\n");
break;
case SSL_ERROR_WANT_X509_LOOKUP:
fprintf(stderr, "error SSL_ERROR_WANT_X509_LOOKUP\n");
break;
case SSL_ERROR_SYSCALL:
fprintf(stderr, "error SSL_ERROR_SYSCALL\n");
break;
case SSL_ERROR_SSL:
fprintf(stderr, "error SSL_ERROR_SSL\n");
break;
default:
fprintf(stderr, "error f****** s***!!!\n");
break;
}
fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
ERR_print_errors_fp(stderr);
//exit(1);
}
check_cert(ssl, "host.com");
fprintf(stderr, "%d bytes sent\n", send_request(ssl, "come with me, we'll go dreaming"));
/* shutdown ssl connection */
err = SSL_shutdown(ssl);
if (err < 0) {
ERR_print_errors_fp(stderr);
exit(1);
}
close(sock);
SSL_free(ssl);
SSL_CTX_free(ctx);
return 0;
}
ssize_t send_request(SSL * ssl, const char * req) {
fprintf(stderr, "sending request...\n");
ssize_t size = SSL_write(ssl, req, strlen(req));
if (size < 0) {
ERR_print_errors_fp(stderr);
}
return size;
}
SSL_get_error(ssl, err) returns SSL_ERROR_SYSCALL and send_request returns following error: 5269:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:. Private keys secured with passwords, i’m setting pem_password_cb callback:
SSL_CTX_set_default_passwd_cb(ctx, passwd_func);
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)password);
. Using v23 methods… and i don’t know the reason of this handshake fail…
I’ve tried to debug such way: openssl s_client -connect localhost:4443 -cert sberbank-cert.pem -key sberbank-private.pem -verify 1 -CAfile cacert.pem -prexit -msg and i have following result:
milo@milonote:~/src/tests/ssl$ openssl s_client -connect localhost:4443 -cert sberbank-cert.pem -key sberbank-private.pem -verify 1 -CAfile cacert.pem -prexit -msg
verify depth is 1
CONNECTED(00000003)
>>> TLS 1.0 Handshake [length 005a], ClientHello
01 00 00 56 03 01 4d ed fc 5e a7 d7 56 6a 70 40
0c a6 19 d0 06 23 08 28 65 07 53 46 d1 87 c0 c2
a2 27 d8 5b ad ac 00 00 28 00 39 00 38 00 35 00
16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00
15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00
ff 02 01 00 00 04 00 23 00 00
5825:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 95 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
here is the source of tcp_connect. i’m sure that it not fails because it returns fd (not -1):
int tcp_connect(const char *host, int port) {
struct hostent *hp;
struct sockaddr_in addr;
int sock;
if(!(hp=gethostbyname(host)))
return -1;
memset(&addr,0,sizeof(addr));
addr.sin_addr=*(struct in_addr*)
hp->h_addr_list[0];
addr.sin_family=AF_INET;
addr.sin_port=htons(port);
if((sock=socket(AF_INET,SOCK_STREAM, IPPROTO_TCP))<0)
return -1;
if(connect(sock,(struct sockaddr *)&addr, sizeof(addr))<0)
return -1;
return sock;
}
i’ve solved my problem! it wasn’t the client side, but server side! server shutdown tcp connection while getting SSL_WANT_READ error insted of repeating to SSL_accept. Thanks for participating!