openssl SSL_connect with err 2
I am a new member of this forum.
Issue:
I have to integrate OpenSSL in my project. The project is implemented with gSOAP.
In "r = SSL_connect(soap->ssl)) <= 0)" the SSL_connect call is unable to make a connection to the server. Both server and client are on localhost.
I see the server is ready to accept connections, as I see the connection established below with the netstat command:
TCP cspxppgudepu:15000 cspxppgudepu.com:0 LISTENING
TCP cspxppgudepu:15000 localhost:2864 ESTABLISHED
Above, port 15000 is the server's.
Below is the client connection:
TCP cspxppgudepu:16000 cspxppgudepu.com:0 LISTENING
But SSL_connect is unable to connect. It always fails with return code -1 and err 2.
Without SSL, with a simple TCP connection, both ends are able to connect and communicate. Below are the network configuration settings for without SSL.
My network configuration settings with OpenSSL:
<NetworkConfig>
<Server Location="https://127.0.0.1:15000" />
<Client Location="https://127.0.0.1:16000" />
I have set both client and server authentication to false.
Thanks in advance. Pradeep Reddy.
An update,
SSL_connect is failing with SSL_ERROR_WANT_READ. I understand that the client is waiting on the server to write some data. But I don't understand what code to change on the server side.
Please let me know how to proceed from here.
SSL communication is working fine now if I give the root certificate cacert.pem on both server and client and authentication is set to true. Instead of giving the same root certificate cacert.pem, I have given clientcert.pem and servercert.pem in the soap_ssl_client_context() and soap_ssl_server_context() calls respectively. This time the handshake failed with the error below at the client side: "error:14090086:lib(20):func(144):reason(134)" and at the server side: "error:14094418:lib(20):func(148):reason(1048)"
But both the client certificate and the server certificate are generated from the root certificate "cacert.pem" with the commands below.
Command: openssl x509 -req -in clientreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem -days 1095
Command: openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem -days 1095
The error I understood as "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca". But both certificates are from the same root CA cacert.pem. Please provide a fix if you have one. I could not edit the post, so I am posting this as an answer. Thanks, Pradeep.
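The two error strings in the update are packed OpenSSL error codes, and the "lib(20):func(144):reason(134)" rendering gSOAP prints is just the three bit fields of that code. The decoder below is an added example (not code from the post or from gSOAP) that splits the code the way OpenSSL 1.0.x/1.1.x packs it (lib<<24 | func<<12 | reason) and names the handful of components that occur in this thread, taken from the OpenSSL 1.0.x headers; the same split is what `openssl errstr <hex>` performs. Read together, the two codes say the client rejected the server's certificate ("certificate verify failed" while fetching it) and the server then received the client's "unknown CA" alert, which points at the trust store the client verifies against rather than at the certificate generation commands.

```python
"""Decode the packed hex codes OpenSSL prints as 'error:XXXXXXXX:...'.
In OpenSSL 1.0.x/1.1.x the 32-bit code is lib<<24 | func<<12 | reason.
OpenSSL 3.x no longer encodes the function, so its func field is 0."""

ERR_LIB_SSL = 20   # ERR_LIB_SSL, printed as 'SSL routines'

# Names for the values that appear in this thread (OpenSSL 1.0.x header constants).
# The table is intentionally small; anything else is reported numerically.
SSL_FUNC_NAMES = {
    144: "SSL3_GET_SERVER_CERTIFICATE",   # SSL_F_SSL3_GET_SERVER_CERTIFICATE
    148: "SSL3_READ_BYTES",               # SSL_F_SSL3_READ_BYTES
}
SSL_REASON_NAMES = {
    134: "certificate verify failed",     # SSL_R_CERTIFICATE_VERIFY_FAILED
    1048: "tlsv1 alert unknown ca",       # SSL_R_TLSV1_ALERT_UNKNOWN_CA
}


def decode_openssl_error(code):
    """Accept an int, a bare hex string ('14090086') or a whole 'error:14090086:...'
    line and return the lib/func/reason fields plus names where the table knows them."""
    if isinstance(code, str):
        parts = code.strip().split(":")
        hex_part = parts[1] if parts[0] == "error" and len(parts) > 1 else parts[0]
        code = int(hex_part, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    func_names, reason_names = (SSL_FUNC_NAMES, SSL_REASON_NAMES) if lib == ERR_LIB_SSL else ({}, {})
    return {
        "lib": lib,
        "func": func,
        "reason": reason,
        "lib_name": "SSL routines" if lib == ERR_LIB_SSL else None,
        "func_name": func_names.get(func),
        "reason_name": reason_names.get(reason),
    }


def explain(code):
    """One-line reading of an error code, suitable for a log message."""
    d = decode_openssl_error(code)
    fields = []
    for key in ("lib", "func", "reason"):
        text = f"{key} {d[key]}"
        if d[key + "_name"]:
            text += f" ({d[key + '_name']})"
        fields.append(text)
    return "; ".join(fields)


if __name__ == "__main__":
    # The two codes from the question: client side, then server side.
    for line in ("error:14090086:lib(20):func(144):reason(134)",
                 "error:14094418:lib(20):func(148):reason(1048)"):
        print(line, "->", explain(line))
```

Running the module prints the client code as "lib 20 (SSL routines); func 144 (SSL3_GET_SERVER_CERTIFICATE); reason 134 (certificate verify failed)" and the server code as the "tlsv1 alert unknown ca" line the update already quotes.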
Firstly, you must establish the TCP connection before you call SSL_connect(). SSL_connect() just sets up the SSL session, and it expects that the file descriptor you set with SSL_set_fd() is already connected to the other side.
Secondly, you must call SSL_accept() on the server side (again, after the underlying TCP connection has already been set up).
Did you set the CA as trusted in your client code with:
SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath)
You can find documentation about how to use that method on the OpenSSL site - it's pretty straightforward:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
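The two answers together describe the client-side order of operations: connect the TCP socket first, tell the context which CA to trust, then run the handshake, and treat SSL_ERROR_WANT_READ as "wait for the peer and call again" rather than as a failure. The following is an added example (not from either answer, and not gSOAP code) written against Python's standard ssl module, which is a thin wrapper over the same OpenSSL calls: `load_verify_locations()` is SSL_CTX_load_verify_locations(), `wrap_socket()` plays the role of SSL_set_fd(), `do_handshake()` is SSL_connect(), and `SSLWantReadError`/`SSLWantWriteError` are SSL_ERROR_WANT_READ/WRITE. The host, port, CA path and the `demo_retry_loop` stub are constructed for illustration; the stub lets the retry loop be exercised without a server.

```python
"""Client TLS setup in the order the answers give: TCP connect, load the CA,
then drive the handshake, retrying on WANT_READ/WANT_WRITE instead of failing."""
import select
import socket
import ssl
import time


def make_client_context(cafile, certfile=None, keyfile=None):
    """Verifying client context. load_verify_locations() is Python's name for
    SSL_CTX_load_verify_locations(); certfile/keyfile are only needed when the
    server requests a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname
    ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def finish_handshake(tls_obj, fd, timeout):
    """Repeat do_handshake() until it completes. SSLWantReadError/SSLWantWriteError
    (SSL_ERROR_WANT_READ/WRITE on a non-blocking socket) mean 'the peer has not
    answered yet, wait and call again', not 'the connection failed'.
    Returns True when the handshake completes, False if it times out."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            tls_obj.do_handshake()
            return True
        except ssl.SSLWantReadError:
            readers, writers = [fd], []
        except ssl.SSLWantWriteError:
            readers, writers = [], [fd]
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        r, w, _ = select.select(readers, writers, [], remaining)
        if not (r or w):
            return False          # select() timed out: the peer never answered


def tls_connect(host, port, cafile, timeout=10.0, server_hostname=None):
    """1) TCP connect, 2) wrap the connected socket, 3) handshake. The server must
    have accept()ed the connection and be in SSL_accept() on its side, or step 3
    only ever sees WANT_READ and eventually times out."""
    sock = socket.create_connection((host, port), timeout=timeout)   # TCP first
    sock.setblocking(False)                                           # lets WANT_READ surface
    ctx = make_client_context(cafile)
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname or host,
                          do_handshake_on_connect=False)
    if not finish_handshake(tls, tls.fileno(), timeout):
        tls.close()
        raise TimeoutError("TLS handshake did not complete; is the server in SSL_accept()?")
    return tls


def demo_retry_loop(pending_want_reads=2, peer_answers=True, timeout=2.0):
    """Constructed, network-free exercise of finish_handshake(): a stub stands in
    for the SSL object and reports WANT_READ `pending_want_reads` times before
    succeeding. With peer_answers=True a byte is queued so the socket is readable;
    with False the loop must time out. Returns (completed, do_handshake_calls)."""
    a, b = socket.socketpair()
    calls = [0]

    class Stub:
        def do_handshake(self):
            calls[0] += 1
            if calls[0] <= pending_want_reads:
                raise ssl.SSLWantReadError()

    try:
        if peer_answers:
            b.sendall(b"x")      # left unread, so each select() returns readable at once
        ok = finish_handshake(Stub(), a.fileno(), timeout)
        return ok, calls[0]
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print(demo_retry_loop())                                  # (True, 3)
    print(demo_retry_loop(peer_answers=False, timeout=0.2))   # (False, 1)
    # Real use, assuming a server on 127.0.0.1:15000 whose certificate chains to ca.pem
    # and carries 127.0.0.1 as a subjectAltName:
    # conn = tls_connect("127.0.0.1", 15000, "ca.pem")
```

The design point is the retry loop: on a blocking socket SSL_connect() blocks until the server's SSL_accept() answers, while on a non-blocking socket the same wait shows up as SSL_ERROR_WANT_READ and the caller has to wait on the descriptor and call again. A server that accepted the TCP connection but never entered SSL_accept() produces exactly the symptom in the question: the client sits in WANT_READ until its timeout.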