
Re: SSL config info

Bryan Stansell bryan@conserver.com
Tue, 25 May 2004 13:23:30 -0700 (PDT)


On Tue, May 25, 2004 at 03:12:45PM -0400, Nikolaos Papavassiliou wrote:
> removed it it seemed to start the server with no errors. However, I fell
> into another problem... Now the client (console) refuses to connect to a
> console and fails with SSL connection negotiation errors.
> 
> =======
> % console nycilab12
> console: SSL negotiation failed
> %
> =======

are there any other things produced after the "SSL negotiation failed"
message?  there's a call to ERR_print_errors_fp() right after that in
the code that should dump the SSL layer error stack (though i can't
verify that).  if it's not printing anything, then i guess there are no
errors to report (which is weird...since it failed to connect properly).

> 
> Looking at the debug info from the serverlog I see the following:
> 
> =======
> DEBUG: [cutil.c:2019] FileSSLAccept(): about to SSL_accept() for fd 6
> DEBUG: [main.c:301] TmpDHCallback(): asked for a DH key length 1024
> ERROR: FileSSLAccept(): SSL error on fd 6
> =======
> 
> Any clues on this?

except for the last line, all looks normal.  all the real magic happens
inside the openssl package.  makes me wonder if your openssl library is
configured properly or if the host is missing something (like entropy).
but, it could be conserver as well.  i'm lacking on clues, however.

if things fail with 'ERROR: FileSSLAccept(): SSL error on...' every
time, i suggest adding a 'ERR_print_errors_fp(stderr);' to
conserver/cutil.c - right between lines 2032 and 2033 (which means,
right after the line of code that produces the error above).  that
should dump more openssl clues to stderr (or the logfile if it's been
redirected to a file).  *maybe* it'll tell us something useful.

i'm on a sun (ultra 2) running solaris 9 with openssl 0.9.7d, so, in
theory, we're pretty much the same.  it "just works" for me.  i'm using
gcc 3.3.3 compiling 32-bit binaries.  you doing the same?  if there's no
basic openssl setup problem, maybe it's a compilation thing.

those are my current thoughts...if anyone else has ideas, please yell!

Bryan
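
Added example, not part of the original message or of conserver: ERR_print_errors_fp() writes one colon-separated line per queued error, and this parser for that line format unpacks the hex code into its library, function and reason numbers. It assumes the pre-3.0 OpenSSL code packing (the thread is on 0.9.7d); the struct and function names and the sample line are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One error-queue entry as printed by ERR_print_errors_fp(). */
struct ossl_err {
    unsigned long code;                 /* packed error code */
    int lib, func, reason;              /* fields unpacked from code */
    char lib_name[64], func_name[64], reason_text[128];
};
/* Constructed sample line for illustration; not output from this thread. */
static const char SAMPLE[] =
    "1234:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:881:";

/* Copy the next ':'-terminated field of *p into dst and step past the ':'. */
static int next_field(const char **p, char *dst, size_t cap) {
    const char *end = strchr(*p, ':');
    size_t n = end ? (size_t)(end - *p) : cap;
    if (n >= cap) return -1;            /* no delimiter, or field too long */
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p = end + 1;
    return 0;
}

/* Parse "id:error:HEXCODE:library:function:reason:file:line:data"; 0 on success. */
int parse_ossl_err_line(const char *line, struct ossl_err *out) {
    char id[32], tag[16], hex[16], *stop;
    const char *p = line;
    if (next_field(&p, id, sizeof id) || next_field(&p, tag, sizeof tag) ||
        strcmp(tag, "error") != 0 || next_field(&p, hex, sizeof hex))
        return -1;
    out->code = strtoul(hex, &stop, 16);
    if (stop == hex || *stop != '\0') return -1;
    /* Assumed pre-3.0 packing: 8-bit library, 12-bit function, 12-bit reason. */
    out->lib    = (int)((out->code >> 24) & 0xff);
    out->func   = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    return (next_field(&p, out->lib_name, sizeof out->lib_name) ||
            next_field(&p, out->func_name, sizeof out->func_name) ||
            next_field(&p, out->reason_text, sizeof out->reason_text)) ? -1 : 0;
}

int main(void) {
    struct ossl_err e;
    if (parse_ossl_err_line(SAMPLE, &e) != 0) return 1;
    printf("lib=%d func=%d reason=%d (%s in %s)\n", e.lib, e.func, e.reason, e.reason_text, e.func_name);
    return 0;
}
```

The library number 20 is OpenSSL's SSL library; lines that are not error-queue output, such as the client's "console: SSL negotiation failed", are rejected.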