openssl: SSL_accept SSL_ERROR_WANT_READ

Windows. Non-blocking sockets, Select() method. OpenSSL 1.1.1d.

Server: The server code only. The server is at https://127.0.0.1:8887/
Client: There is no client code, I access the server using the Chrome browser.

The program works normally on the laptop in Chrome. But on the PC, the very first call to SSL_accept() results in an infinite loop of SSL_ERROR_WANT_READ messages.

Then I try to call SSL_read() to eliminate the SSL_ERROR_WANT_READ error, but it returns the “-1 bytes” value, i.e. the call to SSL_read() does not succeed either.

Can it be due to local proxy setup etc?

Question: could you write me the steps to go through to debug this issue?

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 34 (17 by maintainers)

Most upvoted comments

Hmm. I’m having a very similar issue with DTLS. I’m just beginning to learn OpenSSL. I’m basing my code off of https://github.com/nplab/DTLS-Examples/blob/master/src/dtls_udp_echo.c

My code (sorry if it’s bad): https://github.com/RotartsiORG/StoneMason/blob/master/src/stms/net/dtls.cpp https://github.com/RotartsiORG/StoneMason/blob/master/include/stms/net/dtls.hpp

I would create a new DTLSServer, call start(), and then call tick() in a loop. I would then try to connect with openssl s_client -comp -dtls1_2 -timeout -async -nbio -debug -msg -verify 5 -connect *myip*:3000 -CAfile ca-pub-cert.pem -cert cli-pub-cert.pem -key cli-priv-key.pem, but in the server I would see:

[17:00:06.143] [  info  ] [10427|10427] [DTLSServer|dtls.cpp:192]: Creating new DTLS server to be hosted on *myip*:3000
[17:00:06.144] [  info  ] [10427|10427] [tryAddr|dtls.cpp:438]: Candidate 0: IPv4 *myip*:3000
[17:00:06.144] [  info  ] [10427|10427] [tryAddr|dtls.cpp:480]: Candidate 0 is viable and active. However, it is not necessarily preferred.
[17:00:06.144] [  info  ] [10427|10427] [start|dtls.cpp:225]: Using Candidate 0 because it is IPv4
[17:00:07.028] [  info  ] [10427|10427] [tick|dtls.cpp:307]: New client at *myip*:38690 is trying to connect.
[17:00:07.029] [warning ] [10427|10427] [tick|dtls.cpp:360]: Fatal DTLS Handshake error! Refusing to connect.
[17:00:07.029] [warning ] [10427|10427] [handleSslGetErr|dtls.cpp:524]: Unable to complete OpenSSL call: Want Read. Please retry. (Auto Retry is on!)

SSL_accept is returning SSL_ERROR_WANT_READ. At this point, I drop the connection because the docs say that this is a fatal error. Hope this helps.
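The retry handling that both the question above and this DTLS comment revolve around, as an added example written here for this page, not code from either poster or from OpenSSL itself. It uses Python's standard ssl module, which wraps the same OpenSSL state machine: ssl.SSLWantReadError and ssl.SSLWantWriteError are how SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE surface, and do_handshake() plays the role of SSL_accept() on a non-blocking socket. The function names handshake_step, accept_nonblocking, client_hello_via_memory_bio and demo_with_socketpair, and the _StallingPeer stand-in, are all assumptions of this example. The memory-BIO part needs no network and shows that the first handshake step reports want_read while still having produced bytes that must be sent to the peer, and that repeating the step without new input is harmless; the select() loop is the shape a non-blocking accept needs.

```python
import select
import socket
import ssl


def handshake_step(tls):
    """One SSL_do_handshake()/SSL_accept() step on a non-blocking TLS object.

    Returns "done", "want_read" or "want_write". Any other SSLError propagates,
    because only the two WANT_* results mean "retry once the socket is ready".
    """
    try:
        tls.do_handshake()
        return "done"
    except ssl.SSLWantReadError:
        return "want_read"
    except ssl.SSLWantWriteError:
        return "want_write"


def accept_nonblocking(tls, sock, timeout=5.0, max_rounds=64):
    """Drive a server-side handshake with select(): after want_read wait until
    the socket is readable, after want_write until it is writable, then call
    the handshake again. max_rounds bounds the loop so that a peer which never
    sends a complete flight cannot keep the server spinning."""
    for _ in range(max_rounds):
        state = handshake_step(tls)
        if state == "done":
            return True
        if state == "want_read":
            ready, _, _ = select.select([sock], [], [], timeout)
        else:
            _, ready, _ = select.select([], [sock], [], timeout)
        if not ready:
            raise TimeoutError("peer sent nothing for %.1fs during handshake" % timeout)
    raise ssl.SSLError("handshake did not finish after %d rounds" % max_rounds)


def client_hello_via_memory_bio():
    """Show, with no network at all, what want_read means on the first step.

    A client SSLObject over memory BIOs writes its ClientHello into `outgoing`
    and then reports want_read because the peer's reply is not there yet.
    Calling the step again with no new input reports want_read again and emits
    nothing further: the result is a wait condition, not a failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # there is no real server in this offline demo
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    first = handshake_step(tls)
    hello = outgoing.read()             # the bytes that must now be sent to the peer
    second = handshake_step(tls)
    resent = outgoing.read()            # nothing: the ClientHello is not repeated
    return first, hello, second, resent


class _StallingPeer:
    """Constructed stand-in for an SSL object whose peer is slow: it reports
    want_read `stalls` times and then completes. Used only by the demo below."""

    def __init__(self, stalls):
        self.calls = 0
        self.stalls = stalls

    def do_handshake(self):
        self.calls += 1
        if self.calls <= self.stalls:
            raise ssl.SSLWantReadError()


def demo_with_socketpair(stalls=3):
    """Run accept_nonblocking against the stand-in over a local socketpair whose
    other end has already written a byte, so select() reports readable at once.
    Returns how many handshake calls were needed, which is stalls + 1."""
    server_end, client_end = socket.socketpair()
    try:
        client_end.sendall(b"x")        # constructed: pretend a ClientHello arrived
        peer = _StallingPeer(stalls)
        accept_nonblocking(peer, server_end, timeout=1.0)
        return peer.calls
    finally:
        server_end.close()
        client_end.close()


if __name__ == "__main__":
    first, hello, second, resent = client_hello_via_memory_bio()
    print(first, second, hello[:1], len(resent))   # want_read want_read b'\x16' 0
    print(demo_with_socketpair())                  # 4
```

The first byte of the ClientHello record is 0x16 (TLS handshake content type), which is also what a packet capture of the stuck handshake in the question should show arriving at the server; if the server keeps getting want_read and nothing is ever readable on the socket, the bytes are not reaching it, and if they are readable but the step never completes, the handshake is stalling inside OpenSSL, which is where the debugger route described in the replies comes in.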

Hmm. That’s very strange. I can’t think of a reason at the moment why it would do that. Are you able to run this in a debugger? You will need to compile openssl with debugging symbols available (--debug option to Configure). In the call to accept which results in the move to the “SSL negotiation finished successfully” line, I expect to end up in the “tls_finish_handshake” function in ssl/statem/statem_lib.c. Set a breakpoint in there and make sure the function completes successfully. From there it should be a more-or-less straight line return up the call stack back to the SSL_accept() call in your application - which is supposed to result in a 1 return. We’re trying to figure out at what point it deviates from that straight line return and you get something other than 1.