Tuts 4 You

OpenSSL problem


LCF-AT


Hi guys,

a while ago I installed OpenSSL (Win32OpenSSL-1_1_0g.exe). I haven't used the command-line tool for a while, and now that I wanted to use it again I see some problems I could not fix yet (I also forgot some stuff already). The problem is I get an error using OpenSSL with some sites like...

openssl s_client -connect forum.tuts4you.com:443

...and get an error called "Verify return code: 20 (unable to get local issuer certificate)"

After trying to find a solution for that problem I found sites like this...

https://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/

...showing how to create a self certificate. I tried this and got an error using the command...

req -new -key ia.key -out ia.csr

OpenSSL> req -new -key ia.key -out ia.csr
problem creating object tsa_policy1=1.2.3.4.1
3752:error:08064066:object identifier routines:OBJ_create:oid exists:crypto\objects\obj_dat.c:690:
error in req

Then I read the comments below and there was a link to a small GUI app that can create certificate file/s.

https://blog.didierstevens.com/2016/08/08/howto-createcertgui-create-your-own-certificate-on-windows-openssl-library/

I tried this and got some success and some files out. I tried to install the certificate I got (not sure whether I did it right, so this part isn't shown in the video) and tried to use the OpenSSL command-line tool again with the command above for tuts4you / others I tried too, and I get the same error again about local issuer certificate etc.

Just wanna ask whether any OpenSSL user could show me some working steps to get it to work without failing. I am using Windows 7 x86. In the Windows variables I also have the path to C:\OpenSSL-Win32\bin\openssl.cfg.

PS: I also tried to use the command -CAfile xy.crt but it also didn't work = I get the same error again.

Thank you

Link to comment

Hi again,

so I am just trying to get the response header / status etc. but I don't get anything like this... below the last data...

    Start Time: 1535566219
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
read:errno=0

C:\OpenSSL-Win32\bin>

or for this site... openssl s_client -connect forum.tuts4you.com:443

    Start Time: 1535566589
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
closed

C:\OpenSSL-Win32\bin>

I uninstalled OpenSSL and installed the latest Win32OpenSSL-1_1_0i.exe but I still get the same problem. Does anyone have a clue why I don't get any status for the sites like HTTP/1.1 200 OK... etc.?

greetz

Link to comment

That's not possible, there has to be a mishandling somewhere ... make sure the paths are alright (cacert.pem in same dir as openssl.exe) and you grabbed the right/latest pem file (https://curl.haxx.se/ca/cacert.pem).

What OS version are you on? Also show the entire output of the command with the -CAfile switch.

 

More generally I am not sure this is the right way to accomplish .. whatever you want to accomplish. :)

  • Like 1
Link to comment

Hi,

OK, I don't get the error code "Verify return code: 20 (unable to get local issuer certificate)" anymore, so there I get an OK now using the pem file, "Verify return code: 0 (ok)", but after that I still get only a closed message and no status / header response / source etc. to see. So if this works with the file, why don't I get any status afterwards etc.? I am using Windows 7 x86. Below is what I got.

C:\OpenSSL-Win32\bin>openssl.exe s_client -connect forum.tuts4you.com:443 -CAfile cacert.pem
CONNECTED(000000D8)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = tuts4you.com
verify return:1
---
Certificate chain
 0 s:/CN=tuts4you.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF+zCCBOOgAwIBAgIRAPMngmDTaQ8tiDoBPmvg1kYwDQYJKoZIhvcNAQELBQAw
cjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMRAwDgYDVQQHEwdIb3VzdG9uMRUw
....etc
-----END CERTIFICATE-----
subject=/CN=tuts4you.com
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5184 bytes and written 334 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: .....etc
    Session-ID-ctx:
    Master-Key: .....etc
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1535574350
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed

C:\OpenSSL-Win32\bin>

 

One more question about OpenSSL functions: I am looking for the function SSL_set_tlsext_host_name but it's not there in my libssl.lib. There are only...

SSL_CTX_set_tlsext_max_fragment_length

SSL_CTX_set_tlsext_use_srtp

SSL_set_tlsext_max_fragment_length

SSL_set_tlsext_use_srtp

...functions to find with tlsext inside. Does anyone know how to set the server name (SNI) without the function SSL_set_tlsext_host_name?

greetz

Link to comment

Really you should be using curl or wget from the command line as is the normal practice as long as those tools have openssl built for use with them.  You should be piping in some type of request.  So put the GET or HEAD e.g. "GET / HTTP/1.1\r\n\r\n" into a file called maybe input.txt.  Then run the command with "< input.txt".

On the client side, you use SSL_set_tlsext_host_name(ssl, servername) before initiating the SSL connection. The s_client.c file in the apps/ directory of the OpenSSL source distribution implements this functionality, so it is a good resource to see how it should be done.

  • Like 1
Link to comment

Hi again,

I don't have that OpenSSL / libssl-1_1.dll function "SSL_set_tlsext_host_name" so I can't use it. In the s_client.c of OpenSSL this function is also not to be found.

https://github.com/openssl/openssl/blob/master/apps/s_client.c

So in my code I am trying to get a successful return after calling the SSL_get_peer_certificate function. For some sites I get a failure back and I need to abort in this case. My code looks like this...

invoke OPENSSL_init_ssl, OPENSSL_INIT_LOAD_SSL_STRINGS, NULL
invoke OPENSSL_init_crypto,OPENSSL_INIT_LOAD_SSL_STRINGS,NULL

invoke TLS_client_method
mov method, eax
invoke SSL_CTX_new,method
mov ctx,eax

// added new
invoke SSL_CTX_set_verify,ctx,0,0
invoke SSL_CTX_get_cert_store,ctx
invoke SSL_CTX_callback_ctrl,ctx,35h,0
//

....
invoke connect, s, addr peer, sizeof peer

invoke SSL_new,ctx
mov ssl,eax
invoke SSL_set_fd,ssl,s
invoke SSL_connect,ssl
// added new
invoke SSL_get_peer_cert_chain,ssl
//
invoke SSL_get_peer_certificate,ssl
= failed for some sites

...some functions between // added new I added for testing, trying to get a successful return from the SSL_get_peer_certificate function, but it still failed for some sites.

EDIT: OK, I got this working now using the SSL_ctrl function.....

invoke OPENSSL_init_ssl, OPENSSL_INIT_LOAD_SSL_STRINGS, NULL
invoke OPENSSL_init_crypto,OPENSSL_INIT_LOAD_SSL_STRINGS,NULL

invoke TLS_client_method
mov method, eax
invoke SSL_CTX_new,method
mov ctx,eax

// added new
invoke SSL_CTX_set_verify,ctx,0,0
invoke SSL_CTX_get_cert_store,ctx
invoke SSL_CTX_callback_ctrl,ctx,35h,0
//

....
invoke connect, s, addr peer, sizeof peer

invoke SSL_new,ctx
mov ssl,eax
// added new
invoke SSL_ctrl,ssl,37h,0,addr HOSTNAME  // www.1234.com
//
invoke SSL_set_fd,ssl,s
invoke SSL_connect,ssl
// added new
invoke SSL_get_peer_cert_chain,ssl
//
invoke SSL_get_peer_certificate,ssl

Just add this SSL_ctrl function and now I get a successful return from the SSL_get_peer_certificate function.

In the ssl.h file I can find the define of SSL_CTRL_SET_TLSEXT_HOSTNAME = 55 or 37h. No wonder that I didn't find the function before if it's now used as a macro inside.

PS: Do you mean that I don't get any header / resource response back with the OpenSSL command-line tool I have installed?

greetz

Link to comment

pem doesn't have COMODO root or cPanel issuer signed by that root is what it looks like. I remember having the same issue when messing around with x509 stuff even with the Mozilla pem which isn't as reliable as people love to claim..

I don't think cURL or openssl can be made to use Windows CSP like EDGE and Chrome do.. A script to sync a pem with Windows CSP is needed(powershell has native calls).

I'm actually surprised you haven't come across static openssl stuff before. I remember using it to sniff decrypted buffers for an online game that used embedded-encrypted keys years ago and couldn't find anything and had to basically analyse cipher usage and backtrace..

  • Like 1
Link to comment

It is on line 1980 of the file you referenced.  I think you are mistyping something or forgetting an underscore or what have you.  The function really should be there...

Yes I mean the command line tool must have the HTTP request portion piped in if you expect to get any output.  It uses stdin/stdout for communication which is rather inconvenient compared to other command line tools.

  • Like 1
Link to comment

Hi guys,

so I installed OpenSSL in the past already, and I think it was on XP, and I also needed to do some cmd commands and key stuff to get it to work with SSL sites and get response headers / resources back in the cmd window. The problem is I don't remember anymore what I did, and now I am using Windows 7 x86. I still don't know why I don't get any response status back etc. I don't know how to fix this now to get some status etc.

I have been using basic OpenSSL functions with my client code for a long while and everything was working so far, until I found other sites where my code / function failed. That's the reason why I searched for a solution to fix that issue and found that SNI thing (-servername *). You are right Progman, the function really is in the client code I posted above at this line, but I didn't find it because of a copy / paste problem (Teddy, could you please check this copy / paste thing on this forum? Mostly it doesn't work correctly and I get some strange ? or space characters if I paste something into Notepad etc.). I see the function is there in the client code but not in the dll itself. Below is a link to an include file with all functions...

https://github.com/mrfearless/libraries/blob/master/OpenSSL/OpenSSL x86/libssl.inc

If I load the OpenSSL dlls in Olly then this function isn't to be found. It seems that they removed it in newer versions.

tls1.h
# define TLSEXT_NAMETYPE_host_name 0
# define SSL_set_tlsext_host_name(s,name) \
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)

ssl.h
# define SSL_CTRL_SET_TLSEXT_HOSTNAME            55

=
SSL_ctrl,s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,char * name

I need to use that SSL_ctrl function.

About the OpenSSL command-line tool again. Now it works using an input file with the request data. :) Thanks again for that info. Do you know the parameter for manually entering the request data directly in the CMD window? Like this... openssl s_client -connect forum.tuts4you.com:443 HEAD / HTTP/1.1 ...etc. I don't wanna use an external file each time for tiny requests.

greetz

Link to comment
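
To see what that SSL_ctrl call changes on the wire, here is an added example (Python, not code from the thread) that builds a ClientHello in memory with and without a server name and pulls out the server_name extension, name type 0 being TLSEXT_NAMETYPE_host_name. Python's ssl module drives the same OpenSSL library; the host name www.example.test and the function names are constructed for the demonstration.

```python
import ssl
import struct


def client_hello_bytes(server_name=None):
    """Run the first handshake step into memory BIOs and return the bytes
    that would have been sent to the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_name is None:
        # Only relaxed so that a name-less ClientHello can be built for comparison.
        ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, the client now waits for the server
    return outgoing.read()


def handshake_payload(records):
    """Concatenate the payloads of all handshake (type 22) TLS records."""
    out, pos = b"", 0
    while pos + 5 <= len(records):
        rtype, _version, length = struct.unpack_from("!BHH", records, pos)
        if rtype == 22:
            out += records[pos + 5:pos + 5 + length]
        pos += 5 + length
    return out


def sni_from_client_hello(records):
    """Return the host name from the server_name extension, or None if absent."""
    hs = handshake_payload(records)
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # client_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions at all
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(data) >= 5:                # server_name extension
            # u16 list length, then u8 name_type, u16 name length, name bytes
            name_len = int.from_bytes(data[3:5], "big")
            if data[2] == 0:                                # TLSEXT_NAMETYPE_host_name
                return data[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    print("with name   :", sni_from_client_hello(client_hello_bytes("www.example.test")))
    print("without name:", sni_from_client_hello(client_hello_bytes()))
```

A server that hosts several sites on one address picks its certificate from this extension, which is why the handshake against some hosts only succeeds once the name is set before SSL_connect.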

Hi again,

so I have one more question about using a pem file or not. Just wanna know whether it's important to use a pem file like that cacert.pem, like deepzero said before, or not. I see that if I don't use a pem file then I always get some error codes back from the SSL_get_verify_result function which are not X509_V_OK. Mostly I get error code 19 or 20

# define         X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN            19
# define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY    20

but reading the page source works, and getting status 200 OK too, even with those error results. If I use that pem file with the function SSL_CTX_load_verify_locations then I get X509_V_OK = no error.

Just wanna know whether it's so important or not to use a file for simple TLS client requests.

greetz

Link to comment

Have you checked that the function is not a macro, or inlined in some way?  If invoking from assembly then remember that C library interfaces are not always the same as actual link library exported interfaces.  Sometimes you will have to track down exactly what the compiler will find.  In this case, you should probably search that function out everywhere to see exactly how it is defined.

I do not know of a way to do it without piping - a script could be made to do what you described but it's generally why wget and curl exist to wrap the details of openssl.  Of course using the command line tool as an empirical method of software development is not such a bad idea and a great way to learn the details here.

That is the point of the library - it is totally up to you whether or not you kill the SSL connection and throw a certificate validation error or simply ignore it.  This would be considered a major security vulnerability in some software if those 2 return values are not specifically handled.  This is why the command line tool does not continue with them unless some option allows to ignore the certificate check.

This thread should probably be moved to the Programming and Coding section as it's not really general discussion.

  • Like 1
Link to comment

Hi,

so I think using that function like this..

invoke SSL_ctrl,ssl,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,addr Servername

...is OK so far. I also use a lib file, not a dll from outside, which can be different.

Good, OK, so I don't need to use the command-line tool often, so in this case it's OK to enter the request parameters into an external file like you showed before.

About the SSL_CTX_set_verify function. I have tested the ssllabs.com site a little, checking my code with different bad hosts having an F or T rating. I checked different client parameters for that function, like SSL_VERIFY_NONE & SSL_VERIFY_PEER, to bypass verification or not and to get a successful return or not after calling the SSL_get_peer_certificate function (if it fails I have to abort).

About the 2 possible errors 19 & 20 etc.: I only get them without using the pem file (SSL_CTX_load_verify_locations), no matter whether I use SSL_VERIFY_NONE or SSL_VERIFY_PEER. I see I can ignore those errors, but with a pem file I don't get them. Just wanna know when it makes sense to use a pem file. I think it doesn't make sense to use a pem file if I use the SSL_VERIFY_NONE parameter, right? On the other hand, if I use only SSL_VERIFY_PEER without a pem file then I can't access sites which use an untrusted certificate and the SSL_get_peer_certificate function fails, but also if I use a pem file. The only thing I know so far is that I can choose between these 2 parameters to access all sites or just trusted sites. It's a little difficult for me to understand the whole procedure.

https://wiki.openssl.org/index.php/SSL/TLS_Client

In the example client above it checks for X509_V_OK and aborts if not OK. But the status X509_V_OK I only get using a pem file.

greetz

Link to comment

As far as I know, for caution on the side of more security, it functions exactly as:

SSL_VERIFY_PEER + no pem file = always fail with errors 19 & 20

SSL_VERIFY_PEER + pem file = success

SSL_VERIFY_NONE + pem file = success

SSL_VERIFY_NONE + no pem file = always fail with errors 19 & 20, but error can be ignored and continue processing

  • Like 1
Link to comment

Hi again,

OK. I have another question about sites that don't have "Secure Renegotiation IS NOT supported". I have tested some other sites and found one that only uses the TLSv1 protocol. I got no success if I check this one site using the OpenSSL command-line tool first. I tried to set the -tls1 parameter but it also doesn't work. In the browser I can access the site via https. Below is the site I mean...

https://www.ssllabs.com/ssltest/analyze.html?d=start.calfee.com

Protocols
TLS 1.3 	No
TLS 1.2 	No
TLS 1.1 	No
TLS 1.0 	Yes
SSL 3 	No
SSL 2 	No

Secure Renegotiation 	Supported <--- this is also to be seen

My question is how to call this site with OpenSSL commands?

openssl.exe s_client -connect start.calfee.com:443 -servername start.calfee.com -CAfile cacert.pem -tls1 < input.txt
C:\OpenSSL-Win32\bin>openssl.exe s_client -connect start.calfee.com:443 -servername start.calfee.com -CAfile cacert.pem -tls1 < input.txt
CONNECTED(000000DC)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 127 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1536000250
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

C:\OpenSSL-Win32\bin>

How to get it work in this case?

My code also fails at the SSL_get_peer_certificate function. I think I need to check beforehand whether renegotiation is supported or not and set the protocol if renegotiation is not supported, but for testing using the OpenSSL command-line tool, setting the protocol with -tls1 doesn't work so far.

greetz

Link to comment
  • 1 year later...

Hi guys,

I have a new / old question about OpenSSL functions and am getting some problems using them on Windows 10 now. The problem now using my app is that it randomly hangs for a long time in the SSL_connect function. If I call the same page several times in a row then it works a few times, like 5, and then on the next call it gets stuck inside this function for roughly 10 seconds before it returns. On the return of SSL_connect I have the value -1 in eax and in the lasterror register I have this error..

WSAETIMEDOUT (0000274C)

OpenSSL says this...

https://www.openssl.org/docs/man1.1.1/man3/SSL_connect.html


0

    The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value ret to find out the reason.
1

    The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been established.
<0

    The TLS/SSL handshake was not successful, because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was not clean. It can also occur of action is need to continue the operation for non-blocking BIOs. Call SSL_get_error() with the return value ret to find out the reason.

...so in this case it's <0 because of a fatal error and I should call the SSL_get_error function, which I did, and as the return of this function I get the value 5, which means this....

https://www.openssl.org/docs/man1.0.2/man3/SSL_get_error.html

SSL_ERROR_SYSCALL

Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may contain more information on the error. For socket I/O on Unix systems, consult errno for details. If this error occurs then no further I/O operations should be performed on the connection and SSL_shutdown() must not be called.

....OK, some fatal error, and I don't know the reason why it happens, and only randomly, you know. Maybe the problem is the page I call or something, because this problem doesn't happen if I call other pages, and SSL_connect always returns successfully.

Now I am trying to find a workable solution to handle this problem when it happens. In my code I always set a timeout of a few seconds, like 3-6, to abort the request when it takes too long. For this I am using the ioctlsocket / select functions method. The problem now is that this timeout method doesn't work when it enters the SSL_connect function and gets stuck inside, and it returns a long while later. My question is whether OpenSSL has any function to set a timeout for this SSL_connect function, which I could set beforehand to set the time limit and prevent hanging a long time in this function?

greetz

EDIT: Some info. It also happens when just using WinSock without SSL. In this case it hangs in the recv function (also for a longer time X / not the timeout I set before) and returns SOCKET_ERROR and lasterror = Error: 10060 | 0000274C Hex = WSAETIMEDOUT. So it's the same problem as I described above. But here too I set a timeout of 2 seconds using the select function method, but this doesn't work in that case. Is there really no way to prevent this and set a timeout X somehow to force an abort of the request?

Edited by LCF-AT
Added another info
Link to comment

Connection timeouts for OpenSSL are based on the underlying socket being used. If you are using a blocking socket, it will block until something happens. If you wish to monitor for timeouts, then you need to use a non-blocking socket. As their docs state:

Quote

If the underlying BIO is blocking, SSL_connect() will only return once the handshake has been finished or an error occurred.

If the underlying BIO is non-blocking, SSL_connect() will also return when the underlying BIO could not satisfy the needs of SSL_connect() to continue the handshake, indicating the problem by the return value -1.

You need to set up a new socket with the proper "BIO" flags to be nonblocking and then loop the connection call and monitor the returned error/value to see if the connection was successful. Then you can create any kind of timeout you wish to use.

  • Like 1
Link to comment
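
The loop described in the reply above, sketched in Python as an added example (not code from the thread): on a non-blocking socket do_handshake() raises SSLWantReadError / SSLWantWriteError where SSL_connect() would return -1 with SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE, and select() with the time left enforces one overall deadline. The stalled listener, the name stalled.example.test and the function names are constructed for the demonstration.

```python
import errno
import os
import select
import socket
import ssl
import time


def stalled_listener():
    """Constructed stand-in for a hanging peer: the kernel completes the TCP
    connect from the listen backlog, but nothing ever reads or answers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def wait_io(sock, want_write, deadline):
    """select() on one socket for the time that is left; False means timed out."""
    remaining = deadline - time.monotonic()
    if remaining <= 0:
        return False
    rlist, wlist = ([], [sock]) if want_write else ([sock], [])
    # The exception set is included because Windows reports a failed connect there.
    return any(select.select(rlist, wlist, [sock], remaining))


def tls_connect(host, port, server_name, ctx, timeout):
    """TCP connect plus TLS handshake under ONE overall deadline."""
    deadline = time.monotonic() + timeout
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)                  # FIONBIO = 1, and it stays non-blocking
    try:
        err = sock.connect_ex((host, port))
        if err not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
            raise OSError(err, os.strerror(err))
        if not wait_io(sock, True, deadline):
            raise TimeoutError("TCP connect timed out")
        err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if err:
            raise OSError(err, os.strerror(err))
        tls = ctx.wrap_socket(sock, server_hostname=server_name,
                              do_handshake_on_connect=False)
    except BaseException:
        sock.close()
        raise
    while True:
        try:
            tls.do_handshake()               # the SSL_connect() step
            return tls
        except ssl.SSLWantReadError:         # SSL_ERROR_WANT_READ
            want_write = False
        except ssl.SSLWantWriteError:        # SSL_ERROR_WANT_WRITE
            want_write = True
        except BaseException:
            tls.close()
            raise
        if not wait_io(tls, want_write, deadline):
            tls.close()
            raise TimeoutError("TLS handshake timed out")


def demo(timeout=1.0):
    """Handshake against the stalled listener; returns (outcome, seconds taken)."""
    srv = stalled_listener()
    ctx = ssl.create_default_context()       # certificate verification stays on
    port = srv.getsockname()[1]
    start = time.monotonic()
    try:
        tls_connect("127.0.0.1", port, "stalled.example.test", ctx, timeout).close()
        outcome = "connected"
    except TimeoutError as exc:
        outcome = str(exc)
    finally:
        srv.close()
    return outcome, time.monotonic() - start


if __name__ == "__main__":
    print(demo())
```

The same deadline can be carried into the later read loop, so a peer that completes the handshake and then goes silent is cut off by the same budget.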

Hi again,

thanks for your answer, but I'm still not sure about that and how to write the code for this method. Besides, I said that I also have the same problem without using OpenSSL and just using Windows Socket functions.

Let's say I wanna create such a non-blocking socket. As I see it, I also need to use the ioctlsocket function for Windows..

// Set the socket I/O mode: In this case FIONBIO
// enables or disables the blocking mode for the 
// socket based on the numerical value of iMode.
// If iMode = 0, blocking is enabled; 
// If iMode != 0, non-blocking mode is enabled.

iResult = ioctlsocket(m_socket, FIONBIO, &iMode);
if (iResult != NO_ERROR)
  printf("ioctlsocket failed with error: %ld\n", iResult);

...using a value != 0, like 1, to enable this non-blocking mode. When I do this I also just get a failure calling the connect function, which returns SOCKET_ERROR in eax & WSAEWOULDBLOCK as lasterror. In this error case I need to set the mode back to blocking enabled, but this I also do already when I set the timeout.

invoke socket, AF_INET, SOCK_STREAM,IPPROTO_TCP
invoke ioctlsocket,s,FIONBIO, addr sockopt1     // enable non-blocking
invoke connect, s, addr peer, sizeof peer
       .if SOCKET_ERROR && WSAEWOULDBLOCK
           invoke ioctlsocket,s,FIONBIO, addr sockopt0  // disable non-blocking
           invoke select,0,NULL,addr Write,NULL,addr tv // timeout set
       .endif
...normal go on

I use the same method as above for SSL too. The only difference is that I get stuck in the SSL_connect function or, for non-SSL, I get stuck in the recv function. Both return the same lasterror of 10060 | 0000274C Hex = WSAETIMEDOUT, but it's not the timeout I set. In my tests I only set a low timeout of 2 seconds, and when it hangs it comes back after roughly 10 s.

So do you have any tiny example code of the combination of functions I should use to get it to work as you said (with or without SSL)? I just want to find a working method to prevent this hanging in any function.

PS: I found out something which is strange. When I use the code above and set the second ioctlsocket call also to non-blocking then I get an error at the recv function, Error: 10035 | 00002733 Hex (non-blocking socket could not execute straight away etc.). But when I now add a Sleep call of 100 or 200 before the recv function loop then I get A) this error or B) it works. No clue what it has to do with the Sleep function. Like this..

invoke socket, AF_INET, SOCK_STREAM,IPPROTO_TCP
invoke ioctlsocket,s,FIONBIO, addr sockopt1     // enable non-blocking
invoke connect, s, addr peer, sizeof peer
       .if SOCKET_ERROR && WSAEWOULDBLOCK
           invoke ioctlsocket,s,FIONBIO, addr sockopt1  // enable non-blocking
           invoke select,0,NULL,addr Write,NULL,addr tv // timeout set
       .endif
...normal go on

invoke Sleep,100
@@: // recv loop
invoke  recv, s,  eax, RecvSpaceLeft, 0

...but like this it also isn't really nice.

greetz

Link to comment

Hi again,

OK, I think I got it now, how to set both timeouts in the case of SSL and non-SSL, just by setting the SO_RCVTIMEO flag using the setsockopt function and time X. This is the timeout for the recv function. When I set this too, then the non-SSL case will return at the recv function after the time I set with setsockopt, and when using SSL functions it will return at the SSL_connect function with the time I set. Coolio! The only small issue is that this is only supported from Win 8 and higher. My example would look like this now..

invoke socket, AF_INET, SOCK_STREAM,IPPROTO_TCP
//------ optional set recv timeout >= Win8
mov opt_data.tv_sec,2000  // 2 second timeout for recv or SSL_connect
mov opt_data.tv_usec,0
invoke setsockopt,s,SOL_SOCKET,SO_RCVTIMEO,addr opt_data,sizeof opt_data
//------
invoke ioctlsocket,s,FIONBIO, addr sockopt1     // enable non-blocking
invoke connect, s, addr peer, sizeof peer
       .if SOCKET_ERROR && WSAEWOULDBLOCK
           invoke ioctlsocket,s,FIONBIO, addr sockopt0  // disable non-blocking
           mov tv.tv_sec, 5  // 5 seconds timeout
           mov tv.tv_usec,0
           invoke select,0,NULL,addr Write,NULL,addr tv // timeout set
       .endif
...normal go on

All the same as before, just adding one setsockopt call. :)

greetz

Link to comment
