Error 00000006 lib 0 func 0 evp lib

Error connecting with ssl error 00000006 lib 0 func 0 evp lib

Опытный

Профиль
Группа: Участник
Сообщений: 734
Регистрация: 11.11.2003

Репутация: нет
Всего: -1

Всем привет. Нужно провести авторизацию на сайте по https, после поисков в сети нашел что это можно сделать с помощью Indy., код:

chiffa	Дата 16.12.2010, 18:25 (ссылка) | (нет голосов) Загрузка .

data:=tstringlist.create;
data.Add(‘login=chiffa’);
data.Add(‘pass=12’);
error:=false;
try
PageProfile:=IdHTTP1.Post(‘https://mysait.ru’, data);
except
error:=true;
end;

Data.Free;
end;

на форму просил IdSSLIOHandlerSocketOpenSSL1, связал с IdHTTP1 при конекте выдает ошибку:

Error connect whith SSL. error: 14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Прошу Вашей помощи! На Делфи пишу совсем ничего, поэтому если решение элементарное просьба сильно не пинать

Профиль
Группа: Участник
Сообщений: 7
Регистрация: 15.12.2010

Репутация: нет
Всего: нет

Ryhor	Дата 17.12.2010, 11:00 (ссылка) | (нет голосов) Загрузка .

Опытный

Профиль
Группа: Участник
Сообщений: 734
Регистрация: 11.11.2003

Репутация: нет
Всего: -1

Ryhor, а каким он должен быть? Какое значение?

Поставил — sslvSSLv2, стало выдавать: Error connection with SSL. error:00000006:lib(0):func(0):EVP lib

chiffa	Дата 17.12.2010, 13:16 (ссылка) | (нет голосов) Загрузка .

Профиль
Группа: Участник
Сообщений: 21
Регистрация: 27.2.2008

Репутация: нет
Всего: нет

Igor22	Дата 18.12.2010, 14:37 (ссылка) | (нет голосов) Загрузка .

begin
s_post:= TStringStream.create;

html := Form_main.IdHTTP.post(‘http://vkontakte.ru/mail.php’, s_post);

Профиль
Группа: Участник
Сообщений: 7
Регистрация: 31.1.2011

Репутация: нет
Всего: нет

У меня при подключении к GMAIL вылазит ошибка:

First chance exception at $7C812AEB. Exception class EIdOSSLConnectError with message
‘Error connecting with SSL.
error:00000006:lib(0):func(0):EVP lib’.

ssleay32 : 0.9.8r
libeay32 : 0.9.8r

IndyVersion: Builder XE версия Инди 10.5.7

Использую метод sslvSSLv3, хотя не работает с любыми методами

Sharkfire88	Дата 28.4.2011, 17:08 (ссылка) | (нет голосов) Загрузка .

Snowy

Дата 29.4.2011, 10:30 (ссылка) | (нет голосов) Загрузка .

Эксперт Профиль Группа: Модератор Сообщений: 11363 Регистрация: 13.10.2004 Где: Питер Репутация: 53 Всего: 484 1. Публиковать ссылки на вскрытые компоненты 2. Обсуждать взлом компонентов и делится вскрытыми компонентами Литературу по Дельфи обсуждаем здесь Действия модераторов можно обсудить здесь С просьбами о написании курсовой, реферата и т.п. обращаться сюда Вопросы по реализации алгоритмов рассматриваются здесь 90% ответов на свои вопросы можно найти в DRKB (Delphi Russian Knowledge Base) — крупнейшем в рунете сборнике материалов по Дельфи Если Вам помогли и атмосфера форума Вам понравилась, то заходите к нам чаще! С уважением, Snowy, Poseidon, MetalFan. 0 Пользователей читают эту тему (0 Гостей и 0 Скрытых Пользователей) 0 Пользователей: « Предыдущая тема | Delphi: Сети | Следующая тема » [ Время генерации скрипта: 0.1014 ] [ Использовано запросов: 21 ] [ GZIP включён ] Источник Читайте также:  Blackview x300 dual прошивка Adblock detector

Here the patch for master Libwebsockets version: 2.1.0 bzuber@iotalive1-v2.0.0-287-g2e1dcc5.
It took more time as expected. The whole SSL_shutdown process w/ non-blocking can be quite tricky, especially having SSL_ERROR_WANT_WRITE as result of SSL_shutdown. But you will see ;-). But it’s solved.
Now SSL_read (and SSL_write) properly handle the outcome n==0 and don’t write any DH lib or EVP lib errors anymore.
I introduced a new function lws_ssl_shutdown in place of SSL_shutdown. As said, a SSL_shutdown can get a SSL_ERROR_WANT_WRITE with errno=Resource temporarily unavailable (11). Sometimes this happened 20% of the time in my tests (test-client/test-server). I solved it with a while retry 5 times w/ a sleep of a second. In my tests when a SSL_ERROR_WANT_WRITE occured, after 2 seconds the SSL_shutdown was successful. Without the while, it would go in a TIMEDOUT WAITING, which can take ~20 seconds. Because I don’t know how to handle the SSL_ERROR_WANT_WRITE and prevent the following TIMEDOUT WAITING, I used the while which seems to me an acceptable solution for this case. But maybe you have a better solution.

Here the 4 patch files:

diff --git a/lib/context.c b/lib/context.c
index d35b469..9518a80 100644
--- a/lib/context.c
+++ b/lib/context.c
@@ -924,7 +924,19 @@
 
 	while (m--) {
 		pt = &context->pt[m];
+#ifdef LWS_OPENSSL_SUPPORT
+		/* first send 'close notify' alert to all open wsi */
+		for (n = 0; (unsigned int)n < context->pt[m].fds_count; n++) {
+			struct lws *wsi = wsi_from_fd(context, pt->fds[n].fd);
+			if (!wsi)
+				continue;
 
+			if (lws_is_ssl(wsi) && wsi->ssl) {
+				lws_ssl_shutdown(wsi);
+			}
+		}
+#endif
+		/* proper close of wsi */
 		for (n = 0; (unsigned int)n < context->pt[m].fds_count; n++) {
 			struct lws *wsi = wsi_from_fd(context, pt->fds[n].fd);
 			if (!wsi)

###########################################################

diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 7300e90..fca826b 100755
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -436,22 +436,17 @@
 	    reason != LWS_CLOSE_STATUS_NOSTATUS_CONTEXT_DESTROY &&
 	    !wsi->socket_is_permanently_unusable) {
 #ifdef LWS_OPENSSL_SUPPORT
-		if (lws_is_ssl(wsi) && wsi->ssl)
-               {
-                       lwsl_info("%s: shutting down SSL connection: %p (ssl %p, sock %d, state %d)n", __func__, wsi, wsi->ssl, (int)(long)wsi->sock, wsi->state);
-			n = SSL_shutdown(wsi->ssl);
-                       if (n == 0) /* Complete bidirectional SSL shutdown */
-                               n = SSL_shutdown(wsi->ssl);
-                       n = shutdown(wsi->sock, SHUT_WR);
-               }
+		if (lws_is_ssl(wsi) && wsi->ssl) {
+			lws_ssl_shutdown(wsi);
+		}
 		else
 #endif
 		{
 			lwsl_info("%s: shutting down connection: %p (sock %d, state %d)n", __func__, wsi, (int)(long)wsi->sock, wsi->state);
 			n = shutdown(wsi->sock, SHUT_WR);
+			if (n)
+				lwsl_debug("closing: shutdown (state %d) ret %dn", wsi->state, LWS_ERRNO);
 		}
-		if (n)
-			lwsl_debug("closing: shutdown (state %d) ret %dn", wsi->state, LWS_ERRNO);
 
 // This causes problems with disconnection when the events are half closing connection
 // FD_READ | FD_CLOSE (33)

###############################################

diff --git a/lib/ssl.c b/lib/ssl.c
index 8c0d92b..ec009fc 100644
--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -86,6 +86,58 @@
 	}
 }
 
+#ifdef LWS_OPENSSL_SUPPORT
+
+#ifdef _DEBUG
+#if defined(LWS_WITH_NO_LOGS)
+#define print_ssl_shutdown_state1(a,b,c)
+#define print_ssl_shutdown_state2(a,b)
+#define print_ssl_shutdown_outcome(a,b,c,d)
+#else
+#define print_ssl_shutdown_state1(a,b,c) _print_ssl_shutdown_state1(a,b,c)
+#define print_ssl_shutdown_state2(a,b) _print_ssl_shutdown_state2(a,b)
+#define print_ssl_shutdown_outcome(a,b,c,d) _print_ssl_shutdown_outcome(a,b,c,d)
+#endif
+#endif
+
+#ifdef _DEBUG
+
+void _print_ssl_shutdown_state1(int shutdown_state, const struct lws *wsi, const char funcName[]) {
+	if (shutdown_state & SSL_RECEIVED_SHUTDOWN) {
+		if(shutdown_state & SSL_SENT_SHUTDOWN) {
+			lwsl_info("%s SSL_get_shutdown (%d): SSL_RECEIVED_SHUTDOWN & SSL_SENT_SHUTDOWN (wsi=%p)n",funcName, shutdown_state, wsi);
+		}
+		else lwsl_info("%s SSL_get_shutdown (%d): SSL_RECEIVED_SHUTDOWN (wsi=%p)n",funcName, shutdown_state, wsi);
+	} else if(shutdown_state == 0) {
+		lwsl_info("%s SSL_get_shutdown (%d): No shutdown setting, yet. (wsi=%p)n",funcName, shutdown_state, wsi);
+	} else if(shutdown_state  & SSL_SENT_SHUTDOWN) {
+		lwsl_info("%s SSL_get_shutdown (%d): SSL_SENT_SHUTDOWN (wsi=%p)n",funcName, shutdown_state, wsi);
+	}
+}
+
+void _print_ssl_shutdown_state2(const struct lws *wsi, const char funcName[]) {
+	int shutdown_state = SSL_get_shutdown(wsi->ssl);
+	_print_ssl_shutdown_state1(shutdown_state, wsi, funcName);
+}
+
+void _print_ssl_shutdown_outcome(int outcome, int shutdown_errno, const struct lws *wsi, const char funcName[]) {
+	if (outcome == 0) lwsl_info("%s: SSL_shutdown (%d) notify alert sent successfully, awaiting response from peer (wsi=%p)n",funcName, outcome, wsi);
+	if (outcome == 1) lwsl_info("%s: 2nd SSL_shutdown (%d) notify alert sent successfully, after receiving notify alert response from peer (wsi=%p)n",funcName, outcome, wsi);
+	if (outcome < 0) {
+		lwsl_info("%s: SSL_shutdown=%d error (wsi=%p)n",funcName, outcome, wsi);
+		int sslErr = SSL_get_error(wsi->ssl, outcome);
+		if (sslErr > SSL_ERROR_NONE && sslErr < SSL_ERROR_WANT_ACCEPT) {
+			char *sslErrStr[] = {"SSL_ERROR_NONE","SSL_ERROR_SSL","SSL_ERROR_WANT_READ","SSL_ERROR_WANT_WRITE","SSL_ERROR_WANT_X509_LOOKUP","SSL_ERROR_SYSCALL","SSL_ERROR_ZERO_RETURN","SSL_ERROR_WANT_CONNECT","SSL_ERROR_WANT_ACCEPT"};
+			lwsl_info("%s: SSL_shutdown: %s (%d); errno=%s (%d) (wsi=%p)n",funcName, sslErrStr[sslErr], sslErr, strerror(shutdown_errno), shutdown_errno, wsi);
+		} else {
+			lwsl_err("%s failed: %sn",funcName,	ERR_error_string(sslErr, NULL));
+			lws_decode_ssl_error();
+		}
+	}
+}
+#endif
+#endif
+
 static int
 lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userdata)
 {
@@ -237,12 +289,34 @@
 	n = SSL_read(wsi->ssl, buf, len);
 
 	/* manpage: returning 0 means connection shut down */
-	if (!n) {
-		lwsl_err("%s failed: %sn",__func__,
-			 ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
-		lws_decode_ssl_error();
-
+	if (n == 0) {
+#ifndef _DEBUG
+		int err = SSL_get_error(wsi->ssl, n);
+		if (err > SSL_ERROR_NONE && err < SSL_ERROR_WANT_ACCEPT) {
+			return LWS_SSL_CAPABLE_ERROR;
+		} else {
+			lwsl_err("%s failed: %sn",__func__,
+					ERR_error_string(err, NULL));
+			lws_decode_ssl_error();
+		}
 		return LWS_SSL_CAPABLE_ERROR;
+#else
+		int errno_ssl_read = errno;
+		int err = SSL_get_error(wsi->ssl, n);
+		if (err == SSL_ERROR_ZERO_RETURN) {
+			print_ssl_shutdown_state2(wsi, __func__);
+			lwsl_info("%s: SSL_read: SSL_ERROR_ZERO_RETURN (%d); (wsi=%p)n",__func__, SSL_ERROR_ZERO_RETURN, wsi);
+			return LWS_SSL_CAPABLE_ERROR;
+		} else if (err > SSL_ERROR_NONE && err < SSL_ERROR_WANT_ACCEPT) {
+			char *sslErrStr[] = {"SSL_ERROR_NONE","SSL_ERROR_SSL","SSL_ERROR_WANT_READ","SSL_ERROR_WANT_WRITE","SSL_ERROR_WANT_X509_LOOKUP","SSL_ERROR_SYSCALL","SSL_ERROR_ZERO_RETURN","SSL_ERROR_WANT_CONNECT","SSL_ERROR_WANT_ACCEPT"};
+			lwsl_info("%s: SSL_read: %s (%d); errno=%s (%d) (wsi=%p)n",__func__, sslErrStr[err], err, strerror(errno_ssl_read), errno_ssl_read, wsi);
+		} else {
+			lwsl_err("%s failed1: %sn",__func__,
+					ERR_error_string(err, NULL));
+			lws_decode_ssl_error();
+		}
+		return LWS_SSL_CAPABLE_ERROR;
+#endif
 	}
 
 	if (n < 0) {
@@ -326,12 +400,153 @@
 			lws_set_blocking_send(wsi);
 		return LWS_SSL_CAPABLE_MORE_SERVICE;
 	}
+	if (n > SSL_ERROR_NONE && n < SSL_ERROR_WANT_ACCEPT) {
+		return LWS_SSL_CAPABLE_ERROR;
+	} else {
 		lwsl_err("%s failed: %sn",__func__,
-				 ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
-			lws_decode_ssl_error();
-
-
+				ERR_error_string(n, NULL));
+		lws_decode_ssl_error();
+	}
 	return LWS_SSL_CAPABLE_ERROR;
+}
+
+/*
+// precond: lws_is_ssl(wsi) > 0
+// return 1: success
+// retrun 0: failure, try again
+// return -1: failure, wsi == 0 || wsi->ssl == 0
+*/
+LWS_VISIBLE int
+lws_ssl_shutdown(struct lws *wsi)
+{
+#ifndef LWS_OPENSSL_SUPPORT
+	return 1;
+#endif
+
+	if (wsi == NULL || wsi->ssl == NULL) return -1;
+
+#ifndef _DEBUG
+	lws_rx_flow_control(wsi, 0);	/* stop rx inflow */
+	int shutdown_state = SSL_get_shutdown(wsi->ssl);
+
+	if (shutdown_state == 0) {	/* no shutdown sent or received yet; as initiator send a shutdown */
+		int ret = SSL_shutdown(wsi->ssl);	/* first shutdown, if successful it will return 0, in case of error -1 */
+		if (ret == 0) {
+			lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+			return 1;
+		}
+		SSL_set_shutdown(wsi->ssl, 0); 	/* reset state; note: even a failed SSL_shutdown (== -1) sets state to SSL_SENT_SHUTDOWN */
+		// if SSL_ERROR_WANT_WRITE: retry 5 times every second again to sent
+		int repeat = 5;
+		int sslErr = SSL_get_error(wsi->ssl, ret);
+		while (ret != 0 && sslErr == SSL_ERROR_WANT_WRITE && repeat--) {
+			sleep(1);
+			errno_shutdown = 0;
+			ret = SSL_shutdown(wsi->ssl);
+			errno_shutdown = errno;
+			sslErr = SSL_get_error(wsi->ssl, ret);
+		}
+		lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+		if (ret != 0) {
+			return 0;
+		} else {	// success
+			return 1;
+		}
+	} else if ((shutdown_state & SSL_RECEIVED_SHUTDOWN) && !(shutdown_state & SSL_SENT_SHUTDOWN)) {	/* just received (in SSL_read) a 'close notifiy' alert (=SSL_RECEIVED_SHUTDOWN) from our peer, but havent't sent yet a 'close notifiy' alert reply back (SSL_SENT_SHUTDOWN) */
+		int ret = SSL_shutdown(wsi->ssl);	/* success: 1; failure: -1; ignore outcome, peer could already teared down the socket; note: SSL_RECEIVED_SHUTDOWN already fulfills SSL/TLS protocol specification, 2nd step is optional (only mandatory if same ssl-socket-fd will be reused, what libwebsocket is not doing) */
+		errno_shutdown = errno;
+		if (ret == 1) {
+			lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+			return 1;
+		}
+		SSL_set_shutdown(wsi->ssl, SSL_RECEIVED_SHUTDOWN); 	/* set state back to SSL_RECEIVED_SHUTDOWN; note: even a failed SSL_shutdown (== -1) sets state SSL_SENT_SHUTDOWN */
+		/* if SSL_ERROR_WANT_WRITE: retry 5 times every second again to sent */
+		int repeat = 5;
+		int sslErr = SSL_get_error(wsi->ssl, ret);
+		while (ret != 1 && sslErr == SSL_ERROR_WANT_WRITE && repeat--) {
+			sleep(1);
+			errno_shutdown = 0;
+			ret = SSL_shutdown(wsi->ssl);
+			errno_shutdown = errno;
+			sslErr = SSL_get_error(wsi->ssl, ret);
+		}
+		/* don't checking ret means the chance to silently accept a failed SSL_shutdonw here
+		 * but even with error: received 'close notifiy' alert from peer already fulfills SSL/TLS specification */
+	}
+	lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+	return 1;
+#else
+
+	lws_rx_flow_control(wsi, 0);	/* stop rx inflow */
+	int shutdown_state = SSL_get_shutdown(wsi->ssl);
+
+	int errno_shutdown = 0;
+	if (shutdown_state == 0) {	/* no shutdown sent or received yet; as initiator send a shutdown */
+		int ret = SSL_shutdown(wsi->ssl);	/* first shutdown, if successful it will return 0, in case of error -1 */
+		errno_shutdown = errno;
+		if (ret == 0) {
+			lwsl_info("%s: successfully sent initiating 'close notifiy' alert to peer (wsi=%p)n",__func__, wsi);
+			lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+			return 1;
+		}
+		SSL_set_shutdown(wsi->ssl, 0); 	/* reset state; note: even a failed SSL_shutdown (== -1) sets state to SSL_SENT_SHUTDOWN */
+		print_ssl_shutdown_outcome(ret, errno_shutdown, wsi,__func__);
+		/* if SSL_ERROR_WANT_WRITE: retry 5 times every second again to sent */
+		int repeat = 5;
+		int sslErr = SSL_get_error(wsi->ssl, ret);
+		while (ret != 0 && sslErr == SSL_ERROR_WANT_WRITE && repeat--) {
+			sleep(1);
+			errno_shutdown = 0;
+			ret = SSL_shutdown(wsi->ssl);
+			errno_shutdown = errno;
+			sslErr = SSL_get_error(wsi->ssl, ret);
+			print_ssl_shutdown_outcome(ret, errno_shutdown, wsi,__func__);
+		}
+		lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+		if (ret != 0) {
+			lwsl_info("%s: failed to send initiating 'close notifiy' alert to peer (wsi=%p)n",__func__, wsi);
+			return 0;
+		} else {
+			lwsl_info("%s: successfully sent initiating 'close notifiy' alert to peer (wsi=%p)n",__func__, wsi);
+			return 1;
+		}
+	} else if ((shutdown_state & SSL_RECEIVED_SHUTDOWN) && !(shutdown_state & SSL_SENT_SHUTDOWN)) {	/* just received (in SSL_read) a 'close notifiy' alert (=SSL_RECEIVED_SHUTDOWN) from our peer, but havent't sent yet a 'close notifiy' alert reply back (SSL_SENT_SHUTDOWN) */
+		lwsl_info("%s: (shutdown_state & SSL_RECEIVED_SHUTDOWN) && !(shutdown_state & SSL_SENT_SHUTDOWN) (wsi=%p)n",__func__, wsi);
+		int ret = SSL_shutdown(wsi->ssl);	/* success: 1; failure: -1; ignore outcome, peer could already teared down the socket; note: SSL_RECEIVED_SHUTDOWN already fulfills SSL/TLS protocol specification, 2nd step is optional (only mandatory if same ssl-socket-fd will be reused, what libwebsocket is not doing) */
+		errno_shutdown = errno;
+		if (ret == 1) {
+			lwsl_info("%s: shutdown process successfully finished (wsi=%p)n",__func__, wsi);
+			lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+			return 1;
+		}
+		SSL_set_shutdown(wsi->ssl, SSL_RECEIVED_SHUTDOWN); 	/* set state back to SSL_RECEIVED_SHUTDOWN; note: even a failed SSL_shutdown (== -1) sets state SSL_SENT_SHUTDOWN */
+		print_ssl_shutdown_outcome(ret, errno_shutdown, wsi,__func__);
+		/* if SSL_ERROR_WANT_WRITE: retry 5 times every second again to sent */
+		int repeat = 5;
+		int sslErr = SSL_get_error(wsi->ssl, ret);
+		while (ret != 1 && sslErr == SSL_ERROR_WANT_WRITE && repeat--) {
+			sleep(1);
+			errno_shutdown = 0;
+			ret = SSL_shutdown(wsi->ssl);
+			errno_shutdown = errno;
+			sslErr = SSL_get_error(wsi->ssl, ret);
+			print_ssl_shutdown_outcome(ret, errno_shutdown, wsi,__func__);
+		}
+		if (ret == 1)
+			lwsl_info("%s: shutdown process successfully finished (wsi=%p)n",__func__, wsi);
+		else
+			lwsl_info("%s: shutdown process successfully finished (even with error: received 'close notifiy' alert from peer already fulfills SSL/TLS specification) (wsi=%p)n",__func__, wsi);
+	} else {
+		print_ssl_shutdown_state1(shutdown_state, wsi, __func__);
+		if ((shutdown_state & SSL_RECEIVED_SHUTDOWN) && (shutdown_state & SSL_SENT_SHUTDOWN))
+			lwsl_info("%s: nothing to do; shutdown process successfuly finished (wsi=%p)n",__func__, wsi);
+		else if (!(shutdown_state & SSL_RECEIVED_SHUTDOWN) && (shutdown_state & SSL_SENT_SHUTDOWN))
+			lwsl_info("%s: no 'close notifiy' alert from peer yet; shutdown process still ongoing (note: successfully sent'close notifiy' alert to peer already fulfills SSL/TLS specification) (wsi=%p)n",__func__, wsi);
+	}
+	lws_rx_flow_control(wsi, 1);	/* enable rx inflow */
+	return 1;
+
+#endif
 }
 
 LWS_VISIBLE int
@@ -342,8 +557,8 @@
 	if (!wsi->ssl)
 		return 0; /* not handled */
 
+	lws_ssl_shutdown(wsi);
 	n = SSL_get_fd(wsi->ssl);
-	SSL_shutdown(wsi->ssl);
 	compatible_close(n);
 	SSL_free(wsi->ssl);
 	wsi->ssl = NULL;
@@ -466,7 +681,7 @@
 				*/
 				wsi->use_ssl = 0;
 
-				SSL_shutdown(wsi->ssl);
+				lws_ssl_shutdown(wsi);
 				SSL_free(wsi->ssl);
 				wsi->ssl = NULL;
 				if (lws_check_opt(context->options,

#######################################################

diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h
index 640e56a..0f30f43 100644
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -1755,6 +1755,7 @@
 #define lws_ssl_capable_write lws_ssl_capable_write_no_ssl
 #define lws_ssl_pending lws_ssl_pending_no_ssl
 #define lws_server_socket_service_ssl(_b, _c) (0)
+#define lws_ssl_shutdown(_a) (0)
 #define lws_ssl_close(_a) (0)
 #define lws_ssl_context_destroy(_a)
 #define lws_ssl_SSL_CTX_destroy(_a)
@@ -1773,6 +1774,8 @@
 lws_context_init_ssl_library(struct lws_context_creation_info *info);
 LWS_EXTERN int LWS_WARN_UNUSED_RESULT
 lws_server_socket_service_ssl(struct lws *new_wsi, lws_sockfd_type accept_fd);
+LWS_VISIBLE int
+lws_ssl_shutdown(struct lws *wsi);
 LWS_EXTERN int
 lws_ssl_close(struct lws *wsi);
 LWS_EXTERN void

Как правильно настроить сертификат для работы Asterisk на CentOS?

Пытаюсь построить связь WebRTC с сервером Asterisk.
Имею Asterisk 13.19 на CentOS который нормально функционирует через SIP клиенты. Произвел настройку по мануалу:
wiki.asterisk.org
В результате при попытках подключиться получаю ошибку:

Смотрю на баги подключения:

получаю следующий вывод:

и там дальше сертификат и тд
Судя по первой ошибке я так решил что соединение не может пройти из-за баженного сертификата.
Вопрос заключается вот в чем:
1) Как можно решить эту проблему самоподписанным сертификатом? потому что назначение проекта в личных целях, а не для публичного доступа
2) Решит ли данную проблему платный сертификат?

• Вопрос задан более трёх лет назад
• 3349 просмотров

Тут как раз недавно обсуждали такую проблему. Самоподписанный сертификат, который не проходит валидацию. Для прохождения валидации нужно одно из двух:
— поместить сертификат в хранилище (обычно /etc/ssl/certs, но например в центосе в /etc/pki/tls/certs) и создать на него линк специального вида:

— получить сертификат от мирового СA (за деньги, но можно попробовать LE)

попробовал первый вариант, результат остался тем же, релоаднул астериск, даже ребутнул vds, не помогло к тому же пути в настройках астериска переписал на новое место. Все то же самое.

Получил сертификат через sslforfree
но еще не устанавливал на сервер потому что домен на который получил сертификат не используется еще на сервере да и борьба с сертификатами на таком уровне для меня новинка, при настройке nginx подобных проблем не встречал

Источник

SSL_Read failed with SSL_ERROR_SYSCALL when read timeout #12416

Comments

zaher commented Jul 10, 2020

I use OpenSSL 1.1.1g connected to my socket client on Windows 8.1, I set read timeout (1 second) using

SSL_read when timeout, return with -1 SSL_get_error return SSL_ERROR_SYSCALL , return message is

How do I know it is a timeout not a real error? read timout allow me to make ping and ping or checking thread etc (just an example) then back to read again, it is not error to close the socket and end it.

I expected SSL_Read return somthing like SSL_ERROR_WANT_READ to allow me to recall SSL_Read
also there is kind of bug in SSL_get_error it reset error to 0 for WSAGetLastError

The text was updated successfully, but these errors were encountered:

mattcaswell commented Jul 20, 2020

This doesn’t look like a real error — rather it looks like an attempt the error value 5 (which is the value of SSL_ERROR_SYSCALL).

If you’re getting 0 from WSAGetLastError, then this is most likely due to an unexpected EOF occurring on the socket, i.e. the client has gracefully closed the connection without sending a close_notify alert.

zaher commented Jul 20, 2020

I tested it with my client socket, i sat 10 seconds for reading timeout, then i wait 10 second, SSL_Read return with SSL_ERROR_SYSCALL = 5
and WSAGetLastError return zero, i tested same my framwork but wihtou openssl, WSAGetLastError return the right error TIMEOUT.

now, If SSL_Read failed to read cause of timeout, what error we have, how can i detect it, because if it TIMEOUT i will reread again.

zaher commented Jul 21, 2020

not direct, i used SSL_CTX_new(); on TLS method then SSL_new(CTX)
then SSL_set_fd(ssl, socket_handle);

zaher commented Sep 7, 2020 •

Let us considerate it is not a «question», it is Feature Request
Feature Request: add new result like SSL_ERROR_TIMEOUT = 6

or it is kind of bug it is the clear state of WSAGetLastError , i want this value after SSL_read and other functions.

jveazey commented Sep 17, 2020 •

I’ve seen SSL_ERROR_SYSCALL , especially with setsockopt and have special handling for it. I don’t know if this is the proper way to handle it, but it’s worked well for me.

First thing. If at all possible, switch to select instead of setsockopt . It’ll give you much more graceful timeout handling, before OpenSSL gets involved. If you do use select make sure to call SSL_pending before SSL_read . If SSL_pending returns >0 skip select and just assume SSL_read is ready to go.

Even with select , I occasionally (rarely) see SSL_ERROR_SYSCALL . So, I perform several checks.

1. Check WSAGetLastError .
2. If that returns a success, try pulling the error from getsockopt . According to Microsoft, WSAGetLastError is based on the thread, while getsockopt is on the socket. So, if there are multiple sockets in a thread, WSAGetLastError may not be giving the correct value.
3. Finally, if the previous two return a success, check ERR_get_error .

If everything passes, I treat it as SSL_ERROR_NONE and just keep going. If something really did go wrong, either one of those checks will start to fail or I’ll see SSL_ERROR_SSL or SSL_ERROR_ZERO_RETURN , which is where my code gives up and shuts down the connection.

zaher commented Sep 18, 2020

First thing. If at all possible, switch to select instead of setsockopt . It’ll give you much more graceful timeout handling, before OpenSSL gets involved. If you do use select make sure to call SSL_pending before SSL_read . If SSL_pending returns >0 skip select and just assume SSL_read is ready to go.

Yes that what I did, using select and pending insead of setting socket option for reading.
I have only one socket in each thread.
I will try to check error from getsockopt

zaher commented Sep 21, 2020

no, even getsockopt(socket, . SO_ERROR retrieve 0
It also reseted by SSL_READ

jveazey commented Sep 21, 2020

Check errno , as well. I have seen errno==ENOENT even when I don’t see errors elsewhere. Although, the only time I’ve seen that is from a handshake failure.

A few more questions for you.

How big is the payload you are reading? Have you tried increasing the timeout to 5 or 10 or 30 seconds, just to see if it works? If you are using select with a 1 second timeout, how often are you seeing it time out there? Any chance you can post the select code you are using?

zaher commented Sep 22, 2020

I don’t use select before read, I set SO_RCVTIMEO timeout to the socket options.
in normal socket, (no ssl) recv return after 1000ms with timeout , when i wrap it with SSL, SSL_Read also return but with SSL_ERROR_SYSCALL.

I used for example 1000ms as timeout and 1500 or 5000ms for sleeping respond from server to test it.
https://github.com/parmaja/minilib/blob/master/lib/demos/streams/TestStream.lpr#L105

jveazey commented Sep 23, 2020 •

Looking at, I do see mnOpenSSL.pas where a socket is passed in, but you don’t do anything with it outside of SSL_set_fd and GetSocketError .

You need to use SSL_has_pending and select before calling SSL_read . Here’s a C++ example for using select to check for a read timeout. I’m not familiar enough to translate it to Delphi.

zaher commented Sep 23, 2020

Yes I added option int my lib to wait before read (using select)

and that changed my scenario to use it

In my old scenario I use socket read timeout itself without select before reading.

BTW thank you for your time for writing your example 🙂

jveazey commented Sep 24, 2020 •

I guess my question is more along the lines about how mnSockets.pas ties together with mnOpenSSL.pas .

In mnOpenSSL.pas , I see a method called TBIOStream.Read , but the only thing in it is SSL_read and I in mnSockets.pas I see a method called TmnSocketStream.WaitToRead . Where in the code can I see these two interact?

Edit2: I see where select is called, but there are problems with the code.

Do not set both TimeVal.tv_sec and TimeVal.tv_usec . Use one or the other.

The code for determining a timeout does not match the C++ code I provided.

1. The call to select passes an fd_set into PSetRead and PsWrite . You need to pass in nil instead of PSetWrite . We aren’t testing whether you can write to the socket.
2. The 4th parameter, you pass in nil , instead of an fd_set . You need to pass something in here, since this parameter is how we can determine whether an error of some kind actually occurred (I’ll assume it is called PSetError ).
3. Once select finishes, you need to call FD_ISSET for PSetRead and PSetError .
4. If FD_ISSET(socket, &read) returns true, there is no timeout.
5. if FD_ISSET(socket, &error) returns true, use getsockopt and/or WSAGetLastError and/or errno . If none of these returns useful information, assume WSAECONNRESET .
6. If select returns zero, FD_ISSET(socket, &read) returns false, and FD_ISSET(socket, &error) returns false, assume WSAETIMEDOUT

Источник

strange errors: lws_ssl_capable_read failed w/ DH lib and w/ EVP lib #802

Comments

namowen commented Feb 18, 2017

I just cloned master and run test-server and test-client.

1. error, alway repeating:
   lwsts[125413]: lws_ssl_capable_read failed: error:00000005:lib(0):func(0):DH lib
   2 error in server log when client exits (sometimes shows once, sometimes twice):
   lwsts[125413]: lws_ssl_capable_read failed: error:00000006:lib(0):func(0):EVP lib

Client started w/: libwebsockets-test-client —ssl localhost
Here the log of the server, started w/ libwebsockets-test-server —ssl

lwsts[125413]: libwebsockets test server — license LGPL2.1+SLE
lwsts[125413]: (C) Copyright 2010-2016 Andy Green andy@warmcat.com
Using resource path «/usr/local/share/libwebsockets-test-server»
lwsts[125413]: Initial logging level 7
lwsts[125413]: Libwebsockets version: 2.1.0 bzuber@iotalive1-v2.0.0-270-gc7c4ae0
lwsts[125413]: IPV6 compiled in and enabled
lwsts[125413]: libev support not compiled in
lwsts[125413]: libuv support not compiled in
lwsts[125413]: Threads: 1 each 1024 fds
lwsts[125413]: mem: platform fd map: 8192 bytes
lwsts[125413]: Compiled with OpenSSL support
lwsts[125413]: Doing SSL library init
lwsts[125413]: Creating Vhost ‘default’ port 7681, 5 protocols, IPv6 on
lwsts[125413]: SSL ciphers: ‘ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!HMAC_SHA1:!SHA1:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA256:!AES128-GCM-SHA25
lwsts[125413]: Using SSL mode
lwsts[125413]: SSL ECDH curve ‘prime256v1’
lwsts[125413]: Listening on port 7681
lwsts[125413]: mem: per-conn: 568 bytes + protocol rx buf
lwsts[125413]: canonical_hostname = iotalive1
lwsts[125413]: SNI: Unknown ServerName: localhost
lwsts[125413]: SNI: Unknown ServerName: localhost
get = /
host: = localhost
connection: = Upgrade
upgrade: = websocket
origin: = http://localhost
sec-websocket-extensions: = permessage-deflate; client_max_window_bits
sec-websocket-protocol: = dumb-increment-protocol
http/1.1 = HTTP/1.1
pragma: = no-cache
cache-control: = no-cache
sec-websocket-key: = ro/P7p8IWFRb+VbL27QUqw==
sec-websocket-version: = 13
lwsts[125413]: permessage-deflate requires the protocol (dumb-increment-protocol) to have an RX buffer >= 128
lwsts[125413]: ext permessage-deflate failed construction
get = /
host: = localhost
connection: = Upgrade
upgrade: = websocket
origin: = http://localhost
sec-websocket-extensions: = permessage-deflate; client_max_window_bits
sec-websocket-protocol: = lws-mirror-protocol
http/1.1 = HTTP/1.1
pragma: = no-cache
cache-control: = no-cache
sec-websocket-key: = vm3UvsBNiKWUCTux/AUe3Q==
sec-websocket-version: = 13
lwsts[125413]: Capping pmd rx to 128
lwsts[125413]: lws_ssl_capable_read failed: error:00000005:lib(0):func(0):DH lib
lwsts[125413]: SNI: Unknown ServerName: localhost
get = /
host: = localhost
connection: = Upgrade
upgrade: = websocket
origin: = http://localhost
sec-websocket-extensions: = permessage-deflate; client_max_window_bits
sec-websocket-protocol: = lws-mirror-protocol
http/1.1 = HTTP/1.1
pragma: = no-cache
cache-control: = no-cache
sec-websocket-key: = 2G+G6NTEBH7QVPS4D3U2UA==
sec-websocket-version: = 13
lwsts[125413]: Capping pmd rx to 128
lwsts[125413]: lws_ssl_capable_read failed: error:00000005:lib(0):func(0):DH lib
lwsts[125413]: SNI: Unknown ServerName: localhost
get = /
host: = localhost
connection: = Upgrade
upgrade: = websocket
origin: = http://localhost
sec-websocket-extensions: = permessage-deflate; client_max_window_bits
sec-websocket-protocol: = lws-mirror-protocol
http/1.1 = HTTP/1.1
pragma: = no-cache
cache-control: = no-cache
sec-websocket-key: = tXna55Bgr42O/NSjK6CqXA==
sec-websocket-version: = 13
lwsts[125413]: Capping pmd rx to 128
lwsts[125413]: lws_ssl_capable_read failed: error:00000006:lib(0):func(0):EVP lib
lwsts[125413]: lws_ssl_capable_read failed: error:00000006:lib(0):func(0):EVP lib
^Clwsts[125413]: lws_context_destroy: ctx 0x6c5010
lwsts[125413]: callback_lws_mirror: mirror protocol cleaning up
lwsts[125413]: lws_context_destroy2: ctx 0x6c5010
lwsts[125413]: libwebsockets-test-server exited cleanly

[2017/02/18 13:12:38:7130] NOTICE: libwebsockets test client — license LGPL2.1+SLE
[2017/02/18 13:12:38:7130] NOTICE: (C) Copyright 2010-2016 Andy Green andy@warmcat.com
[2017/02/18 13:12:38:7130] NOTICE: Using SSL
[2017/02/18 13:12:38:7130] NOTICE: Selfsigned certs allowed
[2017/02/18 13:12:38:7131] NOTICE: Skipping peer cert hostname check
[2017/02/18 13:12:38:7131] NOTICE: Initial logging level 7
[2017/02/18 13:12:38:7131] NOTICE: Libwebsockets version: 2.1.0 bzuber@iotalive1-v2.0.0-270-gc7c4ae0
[2017/02/18 13:12:38:7131] NOTICE: IPV6 compiled in and enabled
[2017/02/18 13:12:38:7131] NOTICE: libev support not compiled in
[2017/02/18 13:12:38:7131] NOTICE: libuv support not compiled in
[2017/02/18 13:12:38:7131] NOTICE: Threads: 1 each 1024 fds
[2017/02/18 13:12:38:7131] NOTICE: mem: platform fd map: 8192 bytes
[2017/02/18 13:12:38:7131] NOTICE: Compiled with OpenSSL support
[2017/02/18 13:12:38:7131] NOTICE: Doing SSL library init
[2017/02/18 13:12:38:7146] NOTICE: Creating Vhost ‘default’ port -1, 2 protocols, IPv6 on
[2017/02/18 13:12:38:7149] NOTICE: mem: per-conn: 568 bytes + protocol rx buf
[2017/02/18 13:12:38:7149] NOTICE: canonical_hostname = iotalive1
[2017/02/18 13:12:38:7149] NOTICE: using mode (ws)
[2017/02/18 13:12:38:7149] NOTICE: dumb: connecting
[2017/02/18 13:12:38:7149] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:38:7155] NOTICE: mirror: connecting
[2017/02/18 13:12:38:7156] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:38:7158] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:38:7170] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:38:7181] NOTICE: accepting self-signed certificate (verify_callback)
[2017/02/18 13:12:38:7190] NOTICE: lws_ssl_client_connect2: SSL_connect says -1
[2017/02/18 13:12:38:7192] NOTICE: accepting self-signed certificate (verify_callback)
[2017/02/18 13:12:38:7199] NOTICE: lws_ssl_client_connect2: SSL_connect says -1
[2017/02/18 13:12:38:7201] NOTICE: lws_ssl_client_connect2: SSL_connect says 1
[2017/02/18 13:12:38:7206] NOTICE: lws_ssl_client_connect2: SSL_connect says 1
[2017/02/18 13:12:38:7220] NOTICE: checking client ext permessage-deflate
[2017/02/18 13:12:38:7220] NOTICE: instantiating client ext permessage-deflate
[2017/02/18 13:12:38:7220] ERR: Capping pmd rx to 128
[2017/02/18 13:12:38:7220] NOTICE: mirror: LWS_CALLBACK_CLIENT_ESTABLISHED
[2017/02/18 13:12:41:5836] NOTICE: mirror: LWS_CALLBACK_CLOSED mirror_lifetime=0
[2017/02/18 13:12:41:5837] NOTICE: mirror: connecting
[2017/02/18 13:12:41:5837] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:41:5839] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:41:5849] NOTICE: accepting self-signed certificate (verify_callback)
[2017/02/18 13:12:41:5862] NOTICE: checking client ext permessage-deflate
[2017/02/18 13:12:41:5863] NOTICE: instantiating client ext permessage-deflate
[2017/02/18 13:12:41:5863] ERR: Capping pmd rx to 128
[2017/02/18 13:12:41:5863] NOTICE: mirror: LWS_CALLBACK_CLIENT_ESTABLISHED
[2017/02/18 13:12:45:1181] NOTICE: mirror: LWS_CALLBACK_CLOSED mirror_lifetime=0
[2017/02/18 13:12:45:1183] NOTICE: mirror: connecting
[2017/02/18 13:12:45:1183] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:45:1186] NOTICE: lws_client_connect_2: address localhost
[2017/02/18 13:12:45:1196] NOTICE: accepting self-signed certificate (verify_callback)
[2017/02/18 13:12:45:1201] NOTICE: lws_ssl_client_connect2: SSL_connect says -1
[2017/02/18 13:12:45:1205] NOTICE: lws_ssl_client_connect2: SSL_connect says 1
[2017/02/18 13:12:45:1221] NOTICE: checking client ext permessage-deflate
[2017/02/18 13:12:45:1221] NOTICE: instantiating client ext permessage-deflate
[2017/02/18 13:12:45:1221] ERR: Capping pmd rx to 128
[2017/02/18 13:12:45:1221] NOTICE: mirror: LWS_CALLBACK_CLIENT_ESTABLISHED
^C[2017/02/18 13:12:45:1360] ERR: Exiting
[2017/02/18 13:12:45:1360] NOTICE: lws_context_destroy: ctx 0x1e1f760
[2017/02/18 13:12:45:1360] NOTICE: dumb: LWS_CALLBACK_CLOSED
[2017/02/18 13:12:45:1361] NOTICE: mirror: LWS_CALLBACK_CLOSED mirror_lifetime=37266
[2017/02/18 13:12:45:1363] NOTICE: lws_context_destroy2: ctx 0x1e1f760

The text was updated successfully, but these errors were encountered:

Источник