SSL CONNECT产生-1错误 [英] SSL CONNECT produces -1 ERROR
本文介绍了SSL CONNECT产生-1错误的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我无法与SSL服务器连接,并且无法查找错误。
错误code期间返回所以SSL_connect()为-1(SSL_SOCKET:无法建立SSL会话:2)
我看了一些论坛,这表明,以执行 SELECT 困惑的实现部分。
发布我下面的客户端code。请求指针故障排除:
INT setupSSL(int服务器)
{
INT retVal的= 0;
如果(InitCTX()!= 0)
返回-1;
SSL = SSL_new(CTX); / *创建新的SSL连接状态* /
如果(SSL == NULL)
{
sprintf的(debugBuf,SYSTEM:%s_SOCKET:SSL:无法创建SSL_new环境\\ n,海峡[服务器]);
debug_log(debugBuf,DEBUG_LOG);
返回-1;
} retVal的= SSL_set_fd(SSL,服务器); / *连接套接字描述符* /
如果(retVal的!= 1){/ *执行连接* /
sprintf的(debugBuf,SYSTEM:%s_SOCKET:无法设置SSL FD数:%d%S \\ n,海峡[服务器],retVal的,字符串错误(retVal的));
debug_log(debugBuf,DEBUG_LOG);
返回-1;
}做
{
retVal的=所以SSL_connect(SSL);
ErrorStatus中= SSL_get_error(SSL,retVal的);
开关(ErrorStatus中)
{
案例SSL_ERROR_NONE:
打破;
案例SSL_ERROR_WANT_READ:
案例SSL_ERROR_WANT_WRITE:
打破;
默认:
sprintf的(debugBuf,SYSTEM:SSL_SOCKET:无法建立SSL会话数:%d%S \\ n,ErrorStatus中,字符串错误(retVal的));
debug_log(debugBuf,DEBUG_LOG);
返回-1;
打破;
}sprintf的(debugBuf,SYSTEM:SSL_SOCKET:无法建立SSL会话数:%d%S \\ n,ErrorStatus中,字符串错误(retVal的));
debug_log(debugBuf,DEBUG_LOG);
retryMaxCount--;
如果(retryMaxCount&下; = 0)
打破;
}而(SSL和放大器;&安培;!ErrorStatus中= SSL_ERROR_NONE);
证书= SSL_get_peer_certificate(SSL);
如果(CERT == NULL){ sprintf的(debugBuf,SYSTEM:%s_SOCKET:SSL:无法以检索服务器证书\\ n,海峡[服务器]);
debug_log(debugBuf,DEBUG_LOG);
} 如果(SSL_get_verify_result(SSL)!= X509_V_OK){ sprintf的(debugBuf,SYSTEM:%s_SOCKET:SSL:证书不验证\\ n,海峡[服务器]);
debug_log(debugBuf,DEBUG_LOG);
返回-1;
} X509_NAME_get_text_by_NID(X509_get_subject_name(CERT),NID_commonName,peer_CN,256);
如果(strcasecmp(peer_CN,cnName)){
sprintf的(debugBuf,SYSTEM:%s_SOCKET:SSL:通用名称不匹配的主机名\\ n,海峡[服务器]);
debug_log(debugBuf,DEBUG_LOG);
返回-1;
} 返回0;
}INT InitCTX(无效)
{
OpenSSL_add_all_algorithms(); / *负载cryptos,等人* /
SSL_load_error_strings(); / *带和注册错误信息* /
如果(SSL_library_init()℃,){
debug_log(SYSTEM:SSL_SOCKET:无法初始化OpenSSL库\\ n,TRACE_LOG);
返回-1;
} 方法= SSLv3_client_method(); / *创建新的客户方法实例* /
CTX = SSL_CTX_new(法); / *创建新的上下文* /
如果(CTX == NULL){
debug_log(SYSTEM:SSL_SOCKET:无法创建一个新的SSL上下文结构\\ n,TRACE_LOG);
返回-1;
} 的SSL_CTX_set_options(CTX,SSL_OP_NO_SSLv2);
如果(SSL_CTX_use_certificate_file(CTX,CERTFILE,SSL_FILETYPE_PEM)下; = 0){
debug_log(SYSTEM:SSL_SOCKET:错误设置的证书文件\\ n,TRACE_LOG);
返回-1;
} / *设置提供基于文件和/或目录的可信CA的列表* /
如果(SSL_CTX_load_verify_locations(CTX,CERTFILE,NULL)&所述; 1){
debug_log(SYSTEM:SSL_SOCKET:错误设置验证位置\\ n,TRACE_LOG);
返回-1;
} SSL_CTX_set_verify(CTX,SSL_VERIFY_PEER,NULL);
SSL_CTX_set_timeout(CTX,60); 返回0;
}
解决方案
请阅读SSL_的文档*功能:你不应该使用字符串错误,但 SSL_get_error(retVal的)获得SSL错误code的所以SSL_connect。根据错误code,你需要使用ERR_get_error访问错误队列,你会得到使用ERR_error_string得到字符串重新错误presentation。
I am unable to connect with the SSL server, and not able to locate the error.
Error code returned during SSL_CONNECT() is -1 (SSL_SOCKET:Could not build SSL session: 2)
I have read some of forums which suggest to perform SELECT confused on the implementation part.
Posted my client code below. Request pointers for trouble shooting:
int setupSSL(int server)
{
int retVal=0;
if(InitCTX() != 0)
return -1;
ssl = SSL_new(ctx); /* create new SSL connection state */
if(ssl == NULL)
{
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Unable to create SSL_new context\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
retVal=SSL_set_fd(ssl, server); /* attach the socket descriptor */
if ( retVal != 1 ){ /* perform the connection */
sprintf(debugBuf,"SYSTEM:%s_SOCKET:Could not set ssl FD: %d %s\n",str[server],retVal,strerror(retVal));
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
do
{
retVal = SSL_connect(ssl);
errorStatus=SSL_get_error (ssl, retVal) ;
switch (errorStatus)
{
case SSL_ERROR_NONE:
break;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
break;
default:
sprintf(debugBuf,"SYSTEM:SSL_SOCKET:Could not build SSL session: %d %s\n",errorStatus,strerror(retVal));
debug_log(debugBuf,DEBUG_LOG);
return -1;
break;
}
sprintf(debugBuf,"SYSTEM:SSL_SOCKET:Could not build SSL session: %d %s\n",errorStatus,strerror(retVal));
debug_log(debugBuf,DEBUG_LOG);
retryMaxCount--;
if (retryMaxCount <= 0 )
break;
}while ( ssl && errorStatus != SSL_ERROR_NONE );
cert = SSL_get_peer_certificate(ssl);
if(cert == NULL){
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Unable to retrive server certificate\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
}
if(SSL_get_verify_result(ssl)!=X509_V_OK){
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Certificate doesn't verify\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
X509_NAME_get_text_by_NID (X509_get_subject_name (cert), NID_commonName, peer_CN, 256);
if(strcasecmp(peer_CN, cnName)){
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Common name doesn't match host name\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
return 0;
}
int InitCTX(void)
{
OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
SSL_load_error_strings(); /* Bring in and register error messages */
if(SSL_library_init() < 0){
debug_log("SYSTEM:SSL_SOCKET:Could not initialize the OpenSSL library\n",TRACE_LOG);
return -1;
}
method = SSLv3_client_method(); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
if ( ctx == NULL){
debug_log("SYSTEM:SSL_SOCKET:Unable to create a new SSL context structure\n",TRACE_LOG);
return -1;
}
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
if (SSL_CTX_use_certificate_file(ctx,CertFile, SSL_FILETYPE_PEM) <= 0) {
debug_log("SYSTEM:SSL_SOCKET:Error setting the certificate file.\n",TRACE_LOG);
return -1;
}
/* Set the list of trusted CAs based on the file and/or directory provided*/
if(SSL_CTX_load_verify_locations(ctx,CertFile,NULL)<1) {
debug_log("SYSTEM:SSL_SOCKET:Error setting verify location.\n",TRACE_LOG);
return -1;
}
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
SSL_CTX_set_timeout (ctx, 60);
return 0;
}
解决方案
Please read the documentation of the SSL_* functions: You should not use strerror, but SSL_get_error(retVal) to get the SSL error code for SSL_connect. Depending on the error code you need to use ERR_get_error to access the error queue and you get use ERR_error_string to get the string representation of errors.
这篇关于SSL CONNECT产生-1错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
