I am using openssl to establish the TLS connection with the remote server.
Here are the code snippets:
```c
/* ret, err and c->ssl are declared earlier in the function. */
if ((ret = SSL_connect(c->ssl)) <= 0) {
    ret = SSL_get_error(c->ssl, ret);      /* SSL_ERROR_* classification of the failure (currently unused) */
    if ((err = ERR_get_error())) {         /* oldest entry in this thread's error queue */
        SSL_load_error_strings();          /* loads the SSL and crypto string tables */
        ERR_load_crypto_strings();
        /* ERR_error_string(err, NULL) writes into a static buffer and is not thread-safe;
           ERR_error_string_n() with a caller-supplied buffer avoids that. */
        CRERROR(LOGSSLUTILS, "SSL connect err code:[%lu](%s)\n", err, ERR_error_string(err, NULL));
        CRERROR(LOGSSLUTILS, "Error is %s \n", ERR_reason_error_string(err));
    }
}
```
For some unknown reason, SSL_connect failed and I just want to identify the reason by using ERR_error_string. The outputs are:

```
SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))
Error: cmrSSLlInit:174 Error is (null)
```

As you can see, I can only get the error code but cannot get the readable error string.
How can I get the readable error string?
DESCRIPTION. When a call to the OpenSSL library fails, this is usually signalled by the return value, and an error code is stored in an error queue associated with the current thread. The err library provides functions to obtain these error codes and textual error messages.
SSL_ERROR_ZERO_RETURN. The TLS/SSL peer has closed the connection for writing by sending the close_notify alert. No more data can be read. Note that SSL_ERROR_ZERO_RETURN does not necessarily indicate that the underlying transport has been closed.
One way to get all queued thread-local errors is with the snippet below, as suggested here:

```cpp
#include <string>
#include <openssl/bio.h>
#include <openssl/err.h>

// Drains this thread's OpenSSL error queue into a std::string.
// ERR_print_errors() clears the queue as it prints, so call it once.
std::string getOpenSSLError()
{
    BIO *bio = BIO_new(BIO_s_mem());
    ERR_print_errors(bio);
    char *buf;
    long len = BIO_get_mem_data(bio, &buf);   // returns the length; buf points into the BIO
    std::string ret(buf, len > 0 ? static_cast<size_t>(len) : 0);
    BIO_free(bio);
    return ret;
}
```
For some unknown reason, SSL_connect failed and I just want to identify the reason by using ERR_error_string. The outputs are:

```
SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))
```

```sh
$ openssl errstr 0x14082174
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
```
For DH key too small, check out SSL operation failed with code 1: dh key too small on Stack Overflow. The short of it is, earlier versions of OpenSSL used a 512-bit DH group. It's too small, and you need to use a 2048-bit group.
How can I get the readable error string?
To log a string like error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small, I believe you can call ERR_print_errors and ERR_print_errors_fp. The functions print the entire error stack. Also see the ERR_print_errors man pages.
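The "lib(20):func(130):reason(372)" text in the question is what ERR_error_string prints when the string tables are not loaded: the 32-bit code packs an 8-bit library id, a 12-bit function id and a 12-bit reason (the OpenSSL 1.0.x/1.1.x layout). The following is an added example, not code from the question or the answer; it decodes the code the same way without linking OpenSSL, using only the three strings this page confirms (lib 20, func 130, reason 372) as its lookup table.

```c
/* Added example: decode a packed OpenSSL 1.0.x/1.1.x error code the way
 * ERR_error_string() formats it. Layout: 8-bit lib | 12-bit func | 12-bit reason. */
#include <stdio.h>
#include <string.h>

/* Equivalent to ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON of those versions. */
static unsigned long err_lib(unsigned long e)    { return (e >> 24) & 0xffUL; }
static unsigned long err_func(unsigned long e)   { return (e >> 12) & 0xfffUL; }
static unsigned long err_reason(unsigned long e) { return e & 0xfffUL; }

/* Minimal string tables holding only the entries confirmed on this page
 * (the `openssl errstr 0x14082174` output). Everything else is "unknown". */
static const char *lib_string(unsigned long lib) {
    return lib == 20 ? "SSL routines" : NULL;
}
static const char *func_string(unsigned long lib, unsigned long func) {
    return (lib == 20 && func == 130) ? "ssl3_check_cert_and_algorithm" : NULL;
}
static const char *reason_string(unsigned long lib, unsigned long reason) {
    return (lib == 20 && reason == 372) ? "dh key too small" : NULL;
}

/* Formats like ERR_error_string_n(). with_strings == 0 mimics a process that
 * never loaded the string tables: every field falls back to its numeric form. */
void decode_openssl_error(unsigned long e, int with_strings, char *buf, size_t len) {
    char ls[32], fs[64], rs[64];
    const char *l = with_strings ? lib_string(err_lib(e)) : NULL;
    const char *f = with_strings ? func_string(err_lib(e), err_func(e)) : NULL;
    const char *r = with_strings ? reason_string(err_lib(e), err_reason(e)) : NULL;
    if (!l) { snprintf(ls, sizeof ls, "lib(%lu)", err_lib(e)); l = ls; }
    if (!f) { snprintf(fs, sizeof fs, "func(%lu)", err_func(e)); f = fs; }
    if (!r) { snprintf(rs, sizeof rs, "reason(%lu)", err_reason(e)); r = rs; }
    snprintf(buf, len, "error:%08lX:%s:%s:%s", e, l, f, r);
}

int main(void) {
    char out[256];
    unsigned long code = 336077172UL;   /* the decimal value logged in the question */
    decode_openssl_error(code, 0, out, sizeof out);
    printf("%s\n", out);   /* error:14082174:lib(20):func(130):reason(372) */
    decode_openssl_error(code, 1, out, sizeof out);
    printf("%s\n", out);   /* error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small */
    return 0;
}
```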