15

Is this the correct way to do error handling in OpenSSL? And what is the difference between SSL_get_error and ERR_get_error? The docs are quite vague in this regard.

int ssl_shutdown(SSL *ssl_connection)
{
    int rv, err;
    ERR_clear_error();
    rv = SSL_shutdown(ssl_connection);

    if (rv == 0)
        SSL_shutdown(ssl_connection);

    if (rv < 0)
    {
        err = SSL_get_error(ssl_connection, rv);

        if (err == SSL_ERROR_SSL)
            fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));

        fprintf(stderr, "%s\n", SSL_state_string(ssl_connection));

        return 1;
    }

    SSL_free(ssl_connection);
    return 0;
}
Improve this question

2 Answers 2

Reset to default
11

SSL_get_error:

SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), SSL_read(), SSL_peek(), or SSL_write() on ssl. The value returned by that TLS/SSL I/O function must be passed to SSL_get_error() in parameter ret.

ERR_get_error:

ERR_get_error() returns the earliest error code from the thread's error queue and removes the entry. This function can be called repeatedly until there are no more error codes to return.

So the latter is for more general use and those shouldn't be used together, because:

The current thread's error queue must be empty before the TLS/SSL I/O operation is attempted, or SSL_get_error() will not work reliably.

So you have to read all of the errors using ERR_get_error and handle them (or ignore them by removal as you did in your code sample with ERR_clear_error) and then perform the IO operation. Your approach seems to be correct, although I can't check all aspects of it by myself at the moment.

Refer to this answer and this post for more information.

EDIT: according to this tutorial, BIO_ routines may generate an error and affect error queue:

The third field is the name of the package that generated the error, such as "BIO routines" or "bignum routines".

Improve this answer
1
  • 1
    It seems like it @Red. I edited my answer. Refer to this website for more info.
    – Jezor
    Commented Jun 23, 2016 at 13:03
10

And what is the difference between SSL_get_error and ERR_get_error?

There are two logical parts to OpenSSL. First is the SSL library, libssl.a (and libssl.so), and it includes the communication related stuff. Second is the cryptography library, libcrypto.a (and libcrypto.so), and it includes big numbers, configuration, input/output, etc.

libssl.a depends upon libcrypto.a, and its why the link command is ordered as -lssl -lcrypto.

You use SSL_get_error to retrieve most errors from the SSL portion library, and you use ERR_get_error to retrieve errors not in the SSL portion of the library.

Is this the correct way to do error handling in OpenSSL?

The code you showed is closer to "how do you shutdown a SSL socket". Ultimately, the gyrations control two cases. First is a half open connection, when the client shutdowns without sending the close notify message. The second is your program's behavior when sending the close notify message.

Its hard to answer "is it correct" because we don't know the behavior you want. If you don't care if the close notify is sent, then I believe you only need to call SSL_shutdown once, regardless of what the client does.

Improve this answer
1
  • 1
    My intended behavior is to wait for close notify. Is my usage of SSL_get_error and ERR_get_error correct? I did not encounter an SSL_* equivalent of ERR_error_string, so I assumed SSL_state_string would yield the same functionality, but I'm not sure.
    – Red
    Commented Jun 23, 2016 at 8:33

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.