How to get the error string in openssl?

I am using OpenSSL to establish a TLS connection to a remote server.

Here are the code snippets:

if ((ret = SSL_connect(c->ssl)) <= 0) {
    ret = SSL_get_error(c->ssl, ret);          /* SSL-level error class for the failed call */
    if ((err = ERR_get_error())) {             /* oldest entry in the thread's error queue, if any */
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        CRERROR(LOGSSLUTILS, "SSL connect err code:[%lu](%s)\n", err, ERR_error_string(err, NULL));
        CRERROR(LOGSSLUTILS, "Error is %s \n", ERR_reason_error_string(err));
    }
}

For some unknown reason, SSL_connect failed, and I just want to identify the reason by using ERR_error_string. The outputs are:

SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))

Error: cmrSSLlInit:174 Error is (null) 

As you can see, I can only get the error code but cannot get the readable error string.

How can I get the readable error string?

Fetishist answered 8/2, 2017 at 6:40

For some unknown reason, SSL_connect failed, and I just want to identify the reason by using ERR_error_string. The outputs are:

SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))
$ openssl errstr 0x14082174
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small

For DH key too small, check out SSL operation failed with code 1: dh key too small on Stack Overflow. The short of it is, earlier versions of OpenSSL used a 512-bit DH group. It's too small, and you need to use a 2048-bit group.

How can I get the readable error string?

To log a string like error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small, I believe you can call ERR_print_errors and ERR_print_errors_fp. The functions print the entire error stack. Also see the ERR_print_errors man pages.

Interchange answered 8/2, 2017 at 13:57

One way to get all queued thread local errors is with the snippet below as suggested here:

#include <string>
#include <openssl/bio.h>
#include <openssl/err.h>

std::string getOpenSSLError()
{
    BIO *bio = BIO_new(BIO_s_mem());
    ERR_print_errors(bio);                  // drains the calling thread's error queue into the BIO
    char *buf = nullptr;
    long len = BIO_get_mem_data(bio, &buf); // buffer is not NUL-terminated: always use len
    std::string ret(buf ? buf : "", len > 0 ? static_cast<size_t>(len) : 0);
    BIO_free(bio);
    return ret;
}
Invar answered 25/6, 2019 at 11:15 (5 comments)
Thanks! Exactly what I was looking for. (Fayefayette)
I tried it and the returned string contains extra garbage chars like "ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍýýýý". Do you know how to trim the extra chars? (Rosanne)
@Rosanne the code is clearly handling the right size of the buffer in the returned std::string, and it already works for several people. Try it verbatim, or run it in a small demo program to confirm it working with smaller code. (Invar)
@Invar Sorry, my fault. I was able to see the garbage chars when I checked the returned buf. It works well when I 'truncated' the buf by the len; the garbage chars are trimmed. (Rosanne)
@Rosanne get used to non-null-terminated strings, as they are trending ;) (Invar)

I use this to print the latest error:

SSL_CTX *ctx = SSL_CTX_new(method);    /* method: e.g. TLS_client_method() */
if (ctx == NULL)
{
    /* ERR_get_error() pops the oldest queued error; a NULL buf makes ERR_error_string use its static buffer */
    printf("%s", ERR_error_string(ERR_get_error(), NULL));
}
Paschall answered 27/7, 2021 at 8:45

You are calling SSL_load_error_strings() and ERR_load_crypto_strings() too late in your sample code. They should be called right up front at the start of your program; you should then get readable error strings out of OpenSSL. @jww has it right about the DH group being too small. Ideally the server needs to be reconfigured with a larger group. If that is not possible, then try connecting with a non-DHE ciphersuite (i.e. use an ECDHE-based one instead).

Bandwidth answered 8/2, 2017 at 23:51

This is because I included the option "no-err" when compiling OpenSSL, so ERR_error_string returns NULL.

Fetishist answered 9/2, 2017 at 6:40
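The "lib(20):func(130):reason(372)" string in the question is what ERR_error_string emits when no string table is available (a "no-err" build, or tables not yet loaded on older OpenSSL): it is just the packed code split into three bit fields. As an added example, not code from the question or any answer, here is a stand-alone C decoder that reproduces that fallback and pulls the code back out of a log line; it assumes the OpenSSL 1.0/1.1 layout (library in bits 24-31, function in bits 12-23, reason in bits 0-11), which OpenSSL 3.x no longer uses. With tables present, lib 20 resolves to "SSL routines" and reason 372 to "dh key too small", as jww's openssl errstr output shows.

```c
/* Added example: decode an OpenSSL 1.x packed error code without OpenSSL.
 * Layout assumed: lib = bits 24-31, func = bits 12-23, reason = bits 0-11. */
#include <stdio.h>
#include <string.h>

struct ssl_err_parts { unsigned lib, func, reason; };

/* Equivalent of ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON for 1.1.x codes. */
struct ssl_err_parts decode_ssl_error(unsigned long code)
{
    struct ssl_err_parts p;
    p.lib    = (unsigned)((code >> 24) & 0xffUL);
    p.func   = (unsigned)((code >> 12) & 0xfffUL);
    p.reason = (unsigned)(code & 0xfffUL);
    return p;
}

/* Same text as ERR_error_string(e, NULL) produces without string tables.
 * Like the real function it hands back a static buffer, so it is not thread safe. */
const char *ssl_error_fallback(unsigned long code)
{
    static char buf[64];
    struct ssl_err_parts p = decode_ssl_error(code);
    snprintf(buf, sizeof buf, "error:%08lX:lib(%u):func(%u):reason(%u)",
             code, p.lib, p.func, p.reason);
    return buf;
}

/* Recover the hex code from a log line such as
 * "SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))".
 * Returns 0 when no "error:XXXXXXXX:" field is present. */
unsigned long error_code_from_log(const char *line)
{
    const char *p = strstr(line, "error:");
    unsigned long code = 0;
    if (p == NULL || sscanf(p, "error:%lx:", &code) != 1)
        return 0;
    return code;
}

int main(void)
{
    /* Constructed input: the log line quoted in the question. */
    const char *line = "SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))";
    unsigned long code = error_code_from_log(line);
    printf("%lu -> %s\n", code, ssl_error_fallback(code)); /* 336077172 -> error:14082174:lib(20):func(130):reason(372) */
    return 0;
}
```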

© 2022 - 2024 — McMap. All rights reserved.