SteveT

Reputation: 21

OpenSSL BIO_do_handshake does not put any errors on the stack

I'm trying to debug a TLS handshake problem from the server side. The client sends something the server doesn't like in the Client Hello packet, and I'm trying to figure out what it is.

After setting up a context, setting options, loading the server certificate, etc., the code creates a BIO object from the context. After that, it calls BIO_do_handshake to perform the handshake. BIO_do_handshake returns -1, indicating an error. But when I call ERR_get_error immediately after that, it returns 0, meaning that there are no error codes on the stack.

Here's the code. (It currently uses the OpenSSL 1.0.2 API.)

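#include <syslog.h>
#include <openssl/bio.h>
#include <openssl/err.h>

long
perform_handshake(BIO *bio)
{
    long rc;

    do {
        rc = BIO_do_handshake(bio);
        if (rc <= 0) {
            unsigned long errcode;
            char *errstr;

            /* rc is a long, so the format needs %ld */
            syslog(LOG_ERR, "BIO_do_handshake returned %ld\n", rc);

            /* Drain the error queue; ERR_get_error returns 0 once it is empty */
            while ((errcode = ERR_get_error()) != 0) {
                errstr = ERR_error_string(errcode, NULL);
                syslog(LOG_ERR, "%s\n", errstr);
            }
        }
    /* Loop again only while the BIO reports a retryable condition */
    } while (rc <= 0 && BIO_should_retry(bio));

    return rc;
}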

I get the message "BIO_do_handshake returned -1" in my syslog output, but no error strings.

Are my expectations about BIO_do_handshake wrong? Does it not put errors on the stack? If not, how am I supposed to get detailed information about the handshake problem?

(Note: all of the code works fine if the handshake doesn't fail.)

Upvotes: 1

Views: 88

Answers (1)

SteveT

Reputation: 21

The problem is that OpenSSL 1.0.2 doesn't appear to properly put error events on the stack during BIO_do_handshake. The same code with OpenSSL 1.1.1 gets a non-zero error stack and correctly logs the errors.

Upvotes: 1
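Added example, not part of the question or the answer: when the error queue is empty, the result of SSL_get_error() still narrows down why the handshake call failed. The classifier below follows the SSL_get_error() documentation for OpenSSL 1.0.2 and assumes the BIO is an SSL BIO, so that BIO_get_ssl() yields the SSL object; the hs_verdict enum and the function name are hypothetical.

```c
/* Numeric values of the SSL_ERROR_* macros from <openssl/ssl.h>, repeated so
 * this sketch builds without OpenSSL; real code includes the header instead. */
#ifndef SSL_ERROR_SSL
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6
#endif

enum hs_verdict {        /* hypothetical names, not OpenSSL's */
    HS_RETRY,            /* non-blocking I/O not finished: call again */
    HS_TLS_ERROR,        /* library or protocol error: drain ERR_get_error() */
    HS_CLOSE_NOTIFY,     /* peer shut the TLS connection down */
    HS_IO_QUEUED,        /* I/O error, details are on the error queue */
    HS_EOF,              /* nothing queued, rc == 0: peer dropped the connection */
    HS_IO_ERRNO,         /* nothing queued, rc == -1: inspect the saved errno */
    HS_UNKNOWN
};

/* Inputs are gathered right after the failing call, before any logging
 * (syslog can overwrite errno):
 *   rc      = BIO_do_handshake(bio);   saved_errno = errno;
 *   BIO_get_ssl(bio, &ssl);            ssl_err = SSL_get_error(ssl, (int)rc);
 *   queued  = ERR_peek_error();        (0 means the queue is empty)
 */
enum hs_verdict
classify_handshake_failure(long rc, int ssl_err, unsigned long queued)
{
    switch (ssl_err) {
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        return HS_RETRY;
    case SSL_ERROR_SSL:
        return HS_TLS_ERROR;
    case SSL_ERROR_ZERO_RETURN:
        return HS_CLOSE_NOTIFY;
    case SSL_ERROR_SYSCALL:
        if (queued != 0)
            return HS_IO_QUEUED;
        return rc == 0 ? HS_EOF : HS_IO_ERRNO;
    default:
        return HS_UNKNOWN;
    }
}
```

A return of -1 with an empty queue, as in the question, lands on HS_IO_ERRNO when SSL_get_error() reports SSL_ERROR_SYSCALL, which points at the socket rather than at the TLS messages.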
