Bug #2269

(connections.c.271) SSL: -1 5 0 Undefined error: 0

Added by brad@comstyle.com over 3 years ago. Updated almost 3 years ago.

Status: Fixed
Start date: 2010-10-25
Priority: High
Due date:
Assignee: -
% Done: 100%
Category: core
Target version: 1.4.29
Missing in 1.5.x: No

Description

The OS's base OpenSSL was updated from 0.9.8k to OpenSSL 1.0.0a and now all SSL connection attempts result in the error message "(connections.c.271) SSL: -1 5 0 Undefined error: 0" in the error log.

ssl-encoding-algorithms.diff (357 Bytes) brad@comstyle.com, 2010-11-06 21:52


Related issues

Duplicated by Bug #2306: SSL regression following r2780 Duplicate 2011-03-28

Associated revisions

Revision 2788
Added by stbuehler almost 3 years ago

[ssl/md5] prefix our own md5 implementation with li_ so it doesn't conflict with the openssl one (fixes #2269)

Revision 2790
Added by stbuehler almost 3 years ago

[md5] fix md5 includes if openssl is not available (#2269)

Revision 2791
Added by stbuehler almost 3 years ago

[ssl/md5] prefix our own md5 implementation with li_ so it doesn't conflict with the openssl one (fixes #2269)

History

#1 Updated by stbuehler over 3 years ago

  • Priority changed from High to Low
  • Target version changed from 1.4.29 to 1.4.x

I just checked the code, and I don't think we do anything wrong there.
ssl returned SSL_ERROR_SYSCALL, but errno was 0 after SSL_read.

#2 Updated by Olaf-van-der-Spek over 3 years ago

SSL_ERROR_SYSCALL:
Some I/O error occurred. The OpenSSL error queue may contain more information on the error. If the error queue is empty (i.e. ERR_get_error() returns 0), ret can be used to find out more about the error: If ret == 0, an EOF was observed that violates the protocol. If ret == -1, the underlying BIO reported an I/O error (for socket I/O on Unix systems, consult errno for details).

http://www.openssl.org/docs/ssl/SSL_get_error.html
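
The decision order quoted in comment #2, applied to the logged numbers, as an added example that is not lighttpd's or OpenSSL's code. It assumes the three numbers in the log line are the SSL_read return value, the SSL_get_error() result and errno (per comment #1); the `cause` enum and both functions are hypothetical names, and the error-queue value is passed in as a parameter instead of calling ERR_get_error().

```c
#include <stdio.h>
#include <string.h>

/* Numeric value of SSL_ERROR_SYSCALL in <openssl/ssl.h>, defined locally so
 * the example builds without OpenSSL. Helper names below are hypothetical. */
#define EX_SSL_ERROR_SYSCALL 5

enum cause {
    CAUSE_PARSE_ERROR,   /* line does not contain "SSL: <ret> <err> <errno>" */
    CAUSE_NOT_SYSCALL,   /* SSL_get_error() returned something else */
    CAUSE_ERROR_QUEUE,   /* ERR_get_error() != 0: the queue has the reason */
    CAUSE_PROTOCOL_EOF,  /* ret == 0: EOF that violates the protocol */
    CAUSE_ERRNO,         /* ret == -1 and errno names the I/O error */
    CAUSE_UNEXPLAINED    /* ret == -1, empty queue, errno == 0 */
};

/* queue_err stands in for the value ERR_get_error() would return. */
enum cause classify(int ret, int ssl_err, unsigned long queue_err, int err_no)
{
    if (ssl_err != EX_SSL_ERROR_SYSCALL) return CAUSE_NOT_SYSCALL;
    if (queue_err != 0) return CAUSE_ERROR_QUEUE;
    if (ret == 0) return CAUSE_PROTOCOL_EOF;
    if (ret == -1 && err_no != 0) return CAUSE_ERRNO;
    return CAUSE_UNEXPLAINED;
}

/* Assumed field order (from comment #1): ret, SSL_get_error() result, errno.
 * The log line carries no error-queue value, so an empty queue is assumed. */
enum cause classify_log_line(const char *line)
{
    int ret, ssl_err, err_no;
    const char *p = strstr(line, "SSL: ");
    if (p == NULL || sscanf(p + 5, "%d %d %d", &ret, &ssl_err, &err_no) != 3)
        return CAUSE_PARSE_ERROR;
    return classify(ret, ssl_err, 0UL, err_no);
}

int main(void)
{
    /* The line reported in this ticket. */
    const char *line = "(connections.c.271) SSL: -1 5 0 Undefined error: 0";
    printf("cause=%d\n", (int)classify_log_line(line));
    return 0;
}
```

The reported line lands in `CAUSE_UNEXPLAINED`: SSL_ERROR_SYSCALL with ret -1 and errno 0, the combination the quoted documentation gives no further guidance for.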

#3 Updated by brad@comstyle.com over 3 years ago

Adding to this issue... I was seeing the error messages with each and every connection attempt and not being able to connect via HTTPS. I applied the attached patch and I am now seeing the error message only once upon the first HTTPS connection for each vhost and that connection as well as any other connections are now successful.

#4 Updated by stbuehler almost 3 years ago

  • Priority changed from Low to High
  • Target version changed from 1.4.x to 1.4.29
  • algorithms got added in @2780
  • I tried to debug the issue, and the problem is that lighty 1.4.x + openssl 1.0.0 fails with TLS clients. But if you compile lighttpd with -O0 instead of -O2 it works, so it looks like there is some memory corruption or whatever. valgrind didn't help though, and neither did clang.

#5 Updated by stbuehler almost 3 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2788.

#6 Updated by brad@comstyle.com almost 3 years ago

Yes, with the committed patch backported this fixes this symptom as well as the issues I was also experiencing along with sthen with ticket 2306, as I had asked him to report that. I could not connect with lynx, openssl s_client as well as some online SSL testers which are all working now.