我无法连接SSL服务器,也无法找到错误。
SSL_CONNECT()期间返回的错误代码为-1(SSL_SOCKET:无法构建SSL会话:2)
我已经阅读了一些建议在实施部分上混淆SELECT的论坛。
在下面发布我的客户端代码。请求解决问题的指针:
int setupSSL(int server)
{
int retVal=0;
if(InitCTX() != 0)
return -1;
ssl = SSL_new(ctx); /* create new SSL connection state */
if(ssl == NULL)
{
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Unable to create SSL_new context\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
retVal=SSL_set_fd(ssl, server); /* attach the socket descriptor */
if ( retVal != 1 ){ /* perform the connection */
sprintf(debugBuf,"SYSTEM:%s_SOCKET:Could not set ssl FD: %d %s\n",str[server],retVal,strerror(retVal));
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
do
{
retVal = SSL_connect(ssl);
errorStatus=SSL_get_error (ssl, retVal) ;
switch (errorStatus)
{
case SSL_ERROR_NONE:
break;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
break;
default:
sprintf(debugBuf,"SYSTEM:SSL_SOCKET:Could not build SSL session: %d %s\n",errorStatus,strerror(retVal));
debug_log(debugBuf,DEBUG_LOG);
return -1;
break;
}
sprintf(debugBuf,"SYSTEM:SSL_SOCKET:Could not build SSL session: %d %s\n",errorStatus,strerror(retVal));
debug_log(debugBuf,DEBUG_LOG);
retryMaxCount--;
if (retryMaxCount <= 0 )
break;
}while ( ssl && errorStatus != SSL_ERROR_NONE );
cert = SSL_get_peer_certificate(ssl);
if(cert == NULL){
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Unable to retrive server certificate\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
}
if(SSL_get_verify_result(ssl)!=X509_V_OK){
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Certificate doesn't verify\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
X509_NAME_get_text_by_NID (X509_get_subject_name (cert), NID_commonName, peer_CN, 256);
if(strcasecmp(peer_CN, cnName)){
sprintf(debugBuf,"SYSTEM:%s_SOCKET:SSL:Common name doesn't match host name\n",str[server]);
debug_log(debugBuf,DEBUG_LOG);
return -1;
}
return 0;
}
int InitCTX(void)
{
OpenSSL_add_all_algorithms(); /* Load cryptos, et.al. */
SSL_load_error_strings(); /* Bring in and register error messages */
if(SSL_library_init() < 0){
debug_log("SYSTEM:SSL_SOCKET:Could not initialize the OpenSSL library\n",TRACE_LOG);
return -1;
}
method = SSLv3_client_method(); /* Create new client-method instance */
ctx = SSL_CTX_new(method); /* Create new context */
if ( ctx == NULL){
debug_log("SYSTEM:SSL_SOCKET:Unable to create a new SSL context structure\n",TRACE_LOG);
return -1;
}
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
if (SSL_CTX_use_certificate_file(ctx,CertFile, SSL_FILETYPE_PEM) <= 0) {
debug_log("SYSTEM:SSL_SOCKET:Error setting the certificate file.\n",TRACE_LOG);
return -1;
}
/* Set the list of trusted CAs based on the file and/or directory provided*/
if(SSL_CTX_load_verify_locations(ctx,CertFile,NULL)<1) {
debug_log("SYSTEM:SSL_SOCKET:Error setting verify location.\n",TRACE_LOG);
return -1;
}
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
SSL_CTX_set_timeout (ctx, 60);
return 0;
}
答案 0 :(得分:1)
请阅读SSL_ *函数的文档:您不应使用strerror,而应使用SSL_get_error(retVal)来获取SSL_connect的SSL错误代码。根据错误代码,您需要使用ERR_get_error来访问错误队列,并使用ERR_error_string来获取错误的字符串表示。