ssl handshake failure.
vipin
vipin@REDACTED
Wed Dec 21 12:15:10 CET 2005
Hi folks,
I'm facing the following error when a C-client tries to connect an
Erlang server.
on Client Side :
*************************************************************
$ ./cclient 202.62.79.138 5000
SSL connection using DES-CBC3-MD5
Details of Server certificate:
subject: /CN=server/OU=Erlang OTP/O=Ericsson
AB/C=SE/L=Stockholm/emailAddress=peter@REDACTED
issuer: /CN=otpCA/OU=Erlang OTP/O=Ericsson
AB/C=SE/L=Stockholm/emailAddress=peter@REDACTED
Status of the cert = 0
1962:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake
failure:s2_pkt.c:428:
*************************************************************
Where as server stucks on ssl:accept(LSock).
Here is the server code :
================
%%%%%%%%%%%%%%%%%%%%%%%%%%
start_server() ->
application:start(ssl),
ssl:seed("pouslkjdfskdnfsowewasd"),
Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]),
io:format("Dir : ~p~n",[Dir]),
Role="server",
io:format("Before ssl:listen~n"),
case ssl:listen(?server_port, [binary, {packet, 0},{active, false},
{verify, 2}, {depth, 2},
{cacertfile, filename:join([Dir, Role, "cacerts.pem"])},
{certfile, filename:join([Dir, Role, "cert.pem"])},
{keyfile, filename:join([Dir, Role, "key.pem"])}]) of
{ok, ListenSock} ->
spawn(tcpserver, listen_request, [ListenSock]);
Other ->
io:format("Can't listen to socket ~p~n", [Other])
end.
listen_request(LSock)->
io:format("in listen request , LSock : ~p~n",[LSock]),
case ssl:accept(LSock) of
{ok, Socket} ->
Pid= spawn(tcpserver, logon_client,[Socket]),
listen_request(LSock);
{error, Reason} ->
io:format("Error : Reason - ~p~n",[Reason]),
listen_request(LSock)
end.
%%%%%%%%%%%%%%%%%%%%%%%%%%
And Client code
===========
///////////////////////////////////////////////////////////////////////////////
#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr);
exit(2); }
void init_ssl (void){
SSLeay_add_ssl_algorithms ();
meth = SSLv2_client_method ();
SSL_load_error_strings ();
ctx = SSL_CTX_new (meth);
CHK_NULL (ctx);
}
int open_conxn_to_serv (void){
int sock = socket (AF_INET, SOCK_STREAM, 0);
struct sockaddr_in serv_addr;
int ret_conn = 0;
X509* server_cert;
char* str;
if (sock < 0){
printf("sock < 0\n");
return (sock);
}
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = inet_addr (serv_ip);
serv_addr.sin_port = htons (serv_port);
ret_conn = connect (sock, (struct sockaddr *) &serv_addr, sizeof
(serv_addr));
if (ret_conn < 0){
printf("ret_conn < 0\n");
perror ("open_conxn_to_server:Failed to connect :...");
close (sock);
return (-1);
}
serv_ssl = SSL_new (ctx);
CHK_NULL (serv_ssl);
SSL_set_fd (serv_ssl, sock);
SSL_connect (serv_ssl);
CHK_SSL(ret_conn);
server_cert = SSL_get_peer_certificate (serv_ssl);
CHK_NULL(server_cert);
printf ("Details of Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name(server_cert),0,0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
free (str);
str = X509_NAME_oneline (X509_get_issuer_name(server_cert),0,0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
free (str);
X509_STORE_CTX ctx;
int i;
X509_STORE_CTX_init(&ctx,serv_ssl->ctx->cert_store, server_cert, NULL);
if (SSL_get_verify_depth(serv_ssl) >= 0)
X509_STORE_CTX_set_depth(&ctx,
SSL_get_verify_depth(serv_ssl));
X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),serv_ssl);
if(serv_ssl->server)
i = X509_PURPOSE_SSL_CLIENT;
else
i = X509_PURPOSE_SSL_SERVER;
i=X509_verify_cert(&ctx);
printf("Status of the cert = %d \n", i);
X509_free (server_cert);
return (sock);
}
///////////////////////////////////////////////////////////////////////////////
Is it a right approach to get a SSL connection ? Or do i making any
mistake ?
Suggestions and comments would be welcome.
Cheers,
Vipin
More information about the erlang-questions
mailing list