Reputation: 601
I am using openssl to establish the TLS connection with the remote server.
Here are the code snippets:
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    /* c->ssl is the SSL object for this connection; CRERROR is our logging macro */
    if ((ret = SSL_connect(c->ssl)) <= 0) {
        ret = SSL_get_error(c->ssl, ret);          /* SSL_ERROR_* classification of the failure */
        if ((err = ERR_get_error())) {             /* oldest queued error on this thread, if any */
            SSL_load_error_strings();              /* string tables are loaded here, after the error */
            ERR_load_crypto_strings();
            CRERROR(LOGSSLUTILS, "SSL connect err code:[%lu](%s)\n", err, ERR_error_string(err, NULL));
            CRERROR(LOGSSLUTILS, "Error is %s \n", ERR_reason_error_string(err));
        }
    }
For some unknown reason, SSL_connect failed and I just want to identify the reason by using ERR_error_string. The outputs are:
SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))
Error: cmrSSLlInit:174 Error is (null)
As you can see, I can only get the error code but cannot get the readable error string.
How can I get the readable error string?
Upvotes: 16
Views: 32187
Reputation: 15237
One way to get all queued thread-local errors is with the snippet below, as suggested here:
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <string>

    // Drain the calling thread's OpenSSL error queue into a std::string.
    std::string getOpenSSLError()
    {
        BIO *bio = BIO_new(BIO_s_mem());      // in-memory sink for the error text
        ERR_print_errors(bio);                // writes, and clears, every queued error
        char *buf;
        size_t len = BIO_get_mem_data(bio, &buf);
        std::string ret(buf, len);
        BIO_free(bio);
        return ret;
    }
Upvotes: 11
Reputation: 102406
For some unknown reason, SSL_connect failed and I just want to identify the reason by using ERR_error_string. The outputs are:
SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))
$ openssl errstr 0x14082174
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small
For DH key too small, check out SSL operation failed with code 1: dh key too small on Stack Overflow. The short of it is, earlier versions of OpenSSL used a 512-bit DH group. It's too small, and you need to use a 2048-bit group.
How can I get the readable error string?
To log a string like error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small, I believe you can call ERR_print_errors and ERR_print_errors_fp. The functions print the entire error stack. Also see the ERR_print_errors man pages.
Upvotes: 10
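As an added illustration (not code from any of the posts above), this decodes the packed code 336077172 / 0x14082174 that the question logs and renders it both ways: the numeric lib(n):func(n):reason(n) text that ERR_error_string falls back to when no string tables are available, and the named form from the openssl errstr output above. It assumes the OpenSSL 1.0.x/1.1.x code layout (8-bit library, 12-bit function, 12-bit reason; OpenSSL 3.0 repacked codes and dropped the function field), and its name table is a constructed stand-in for libcrypto's own, holding only the entries shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Field extraction assuming the OpenSSL 1.0.x/1.1.x packing of an error code
 * (what the ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros of those releases
 * compute). Assumption: OpenSSL 3.0 repacked codes and dropped the function field. */
int err_lib(unsigned long e)    { return (int)((e >> 24) & 0xffUL);  }
int err_func(unsigned long e)   { return (int)((e >> 12) & 0xfffUL); }
int err_reason(unsigned long e) { return (int)(e & 0xfffUL);         }

/* Stand-in for libcrypto's string tables (constructed): only the names that the
 * `openssl errstr 0x14082174` output above shows; lib 20 is ERR_LIB_SSL. */
static const char *lib_name(int lib) { return lib == 20 ? "SSL routines" : NULL; }
static const char *func_name(int lib, int f) { return (lib == 20 && f == 130) ? "ssl3_check_cert_and_algorithm" : NULL; }
static const char *reason_name(int lib, int r) { return (lib == 20 && r == 372) ? "dh key too small" : NULL; }

/* Render a code the way ERR_error_string_n() does: symbolic names when string
 * tables are available, otherwise the numeric lib(n):func(n):reason(n) form that
 * a "no-err" build, or a program that has not loaded the tables yet, produces.
 * have_strings simulates whether the tables are present. */
size_t format_ssl_error(unsigned long e, int have_strings, char *buf, size_t len)
{
    int lib = err_lib(e), func = err_func(e), reason = err_reason(e);
    const char *ls = have_strings ? lib_name(lib) : NULL;
    const char *fs = have_strings ? func_name(lib, func) : NULL;
    const char *rs = have_strings ? reason_name(lib, reason) : NULL;
    char lb[24], fb[24], rb[24];
    if (!ls) { snprintf(lb, sizeof lb, "lib(%d)", lib); ls = lb; }
    if (!fs) { snprintf(fb, sizeof fb, "func(%d)", func); fs = fb; }
    if (!rs) { snprintf(rb, sizeof rb, "reason(%d)", reason); rs = rb; }
    return (size_t)snprintf(buf, len, "error:%08lX:%s:%s:%s", e, ls, fs, rs);
}

/* Same contract as ERR_error_string(e, NULL): formats into a static buffer. */
const char *describe_ssl_error(unsigned long e, int have_strings)
{
    static char line[128];
    format_ssl_error(e, have_strings, line, sizeof line);
    return line;
}

int main(void)
{
    /* 336077172 is the decimal value the question logged with %lu; %08lX shows it as 14082174. */
    puts(describe_ssl_error(336077172UL, 0)); /* error:14082174:lib(20):func(130):reason(372) */
    puts(describe_ssl_error(336077172UL, 1)); /* error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small */
    return 0;
}
```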
Reputation: 71
I use this to print the latest error:
    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    ctx = SSL_CTX_new(method);
    if (ctx == NULL)
    {
        /* ERR_get_error() pops one queued error; a NULL buffer makes ERR_error_string use its static one */
        printf("%s", ERR_error_string(ERR_get_error(), NULL));
    }
Upvotes: 7
Reputation: 601
This is because I included the option "no-err" when compiling OpenSSL, so ERR_error_string returns NULL.
Upvotes: 2
Reputation: 9502
You are calling SSL_load_error_strings() and ERR_load_crypto_strings() too late in your sample code. They should be called right up front at the start of your program - you should then get readable error strings out of OpenSSL. @jww has it right about the DH group being too small. Ideally the server needs to be reconfigured with a larger group. If that is not possible then try connecting with a non-DHE ciphersuite (i.e. use an ECDHE based one instead).
Upvotes: 3