13

I am using openssl to establish the TLS connection with the remote server.

Here are the code snippets:

if ((ret = SSL_connect(c->ssl)) <= 0) {
    ret = SSL_get_error(c->ssl, ret);          /* classify the handshake failure */
    if ((err = ERR_get_error())) {             /* oldest error on this thread's queue */
        SSL_load_error_strings();              /* string tables are loaded only at this point */
        ERR_load_crypto_strings();
        CRERROR(LOGSSLUTILS, "SSL connect err code:[%lu](%s)\n", err, ERR_error_string(err, NULL));
        CRERROR(LOGSSLUTILS, "Error is %s \n", ERR_reason_error_string(err));
    }
}

For some unknown reason, SSL_connect failed, and I just want to identify the reason by using ERR_error_string. The outputs are:

SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))

Error: cmrSSLlInit:174 Error is (null) 

As you can see, I can only get the error code but cannot get the readable error string.

How can I get the readable error string?

jww
AllenHu

4 Answers

8

For some unknown reason, SSL_connect failed, and I just want to identify the reason by using ERR_error_string. The outputs are:

SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))
$ openssl errstr 0x14082174
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small

For DH key too small, check out SSL operation failed with code 1: dh key too small on Stack Overflow. The short of it is, earlier versions of OpenSSL used a 512-bit DH group. It's too small, and you need to use a 2048-bit group.


How can I get the readable error string?

To log a string like error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small, I believe you can call ERR_print_errors and ERR_print_errors_fp. The functions print the entire error stack. Also see the ERR_print_errors man pages.

jww
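The answer above shows the same error both as the packed code the question logged (lib(20):func(130):reason(372)) and as the readable string `openssl errstr` prints. The following is an added example, not code from the question or from OpenSSL: it decodes a 1.x-style packed error code the way ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON do, and renders it in both forms the way ERR_error_string_n does, so it builds without linking OpenSSL. The name table holds only the three names taken from the `openssl errstr 0x14082174` output on this page; the macro and function names are this example's own. OpenSSL 3.0 changed the packing and dropped the function field, so this decoder applies to the 1.0.x/1.1.x codes shown here.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x / 1.1.x pack one error into an unsigned long:
 *   bits 24..31 = library, bits 12..23 = function, bits 0..11 = reason.
 * These mirror ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON from
 * <openssl/err.h>; re-implemented here so the decoder builds without
 * OpenSSL. (Assumption: 1.x layout; OpenSSL 3.0 has no function field.) */
#define OSSL_GET_LIB(e)    ((int)(((e) >> 24) & 0xFFUL))
#define OSSL_GET_FUNC(e)   ((int)(((e) >> 12) & 0xFFFUL))
#define OSSL_GET_REASON(e) ((int)((e) & 0xFFFUL))

#define ARRAY_LEN(a) (sizeof (a) / sizeof *(a))

/* Constructed lookup: only the names that `openssl errstr 0x14082174` prints
 * for this one code. Real OpenSSL fills such tables in memory once
 * SSL_load_error_strings()/ERR_load_crypto_strings() have run, and leaves
 * them empty when built with no-err. */
struct name_entry { int id; const char *name; };
static const struct name_entry lib_names[]    = { { 20,  "SSL routines" } };
static const struct name_entry func_names[]   = { { 130, "ssl3_check_cert_and_algorithm" } };
static const struct name_entry reason_names[] = { { 372, "dh key too small" } };

static const char *lookup(const struct name_entry *t, size_t n, int id)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].id == id)
            return t[i].name;
    return NULL;   /* unknown id: ERR_*_error_string() returns NULL as well */
}

/* Render like ERR_error_string_n(). With tables == 0 (no string tables
 * loaded) this yields the "lib(20):func(130):reason(372)" form from the
 * question; with tables != 0 it yields the readable form, falling back
 * per field to the numeric form when a name is missing. */
void ossl_err_string_n(unsigned long e, int tables, char *buf, size_t len)
{
    char ls[32], fs[32], rs[32];
    const char *l = NULL, *f = NULL, *r = NULL;

    if (tables) {
        l = lookup(lib_names,    ARRAY_LEN(lib_names),    OSSL_GET_LIB(e));
        f = lookup(func_names,   ARRAY_LEN(func_names),   OSSL_GET_FUNC(e));
        r = lookup(reason_names, ARRAY_LEN(reason_names), OSSL_GET_REASON(e));
    }
    if (!l) { snprintf(ls, sizeof ls, "lib(%d)",    OSSL_GET_LIB(e));    l = ls; }
    if (!f) { snprintf(fs, sizeof fs, "func(%d)",   OSSL_GET_FUNC(e));   f = fs; }
    if (!r) { snprintf(rs, sizeof rs, "reason(%d)", OSSL_GET_REASON(e)); r = rs; }
    snprintf(buf, len, "error:%08lX:%s:%s:%s", e, l, f, r);
}

/* Same convenience as ERR_error_string(e, NULL): returns a static buffer,
 * so it is not thread-safe; prefer ossl_err_string_n() in real code. */
const char *ossl_err_string(unsigned long e, int tables)
{
    static char buf[256];
    ossl_err_string_n(e, tables, buf, sizeof buf);
    return buf;
}

int main(void)
{
    unsigned long e = 0x14082174UL;   /* 336077172 decimal, the code from the question */
    printf("%s\n", ossl_err_string(e, 0));   /* no tables: numeric fields */
    printf("%s\n", ossl_err_string(e, 1));   /* tables: readable fields */
    return 0;
}
```

The same split explains the "(null)" in the question's second log line: ERR_reason_error_string looks up reason 372 in a table, and with nothing loaded (or a no-err build) that lookup fails and returns NULL, while ERR_error_string still has the numbers to print.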
6

One way to get all queued thread-local errors is with the snippet below, as suggested here:

#include <string>
#include <openssl/bio.h>
#include <openssl/err.h>

std::string getOpenSSLError()
{
    BIO *bio = BIO_new(BIO_s_mem());          // in-memory sink for the error text
    ERR_print_errors(bio);                    // drains this thread's error queue into it
    char *buf = NULL;
    long len = BIO_get_mem_data(bio, &buf);   // borrowed pointer into the BIO's buffer
    std::string ret(buf, len > 0 ? (size_t)len : 0);   // copy before freeing the BIO
    BIO_free(bio);
    return ret;
}
ceztko
3

You are calling SSL_load_error_strings() and ERR_load_crypto_strings() too late in your sample code. They should be called right up front at the start of your program; you should then get readable error strings out of OpenSSL. @jww has it right about the DH group being too small. Ideally the server needs to be reconfigured with a larger group. If that is not possible then try connecting with a non-DHE ciphersuite (i.e. use an ECDHE-based one instead).

Matt Caswell
2

This is because I included the option "no-err" when compiling OpenSSL, so ERR_error_string returns NULL.

AllenHu