1

We have put our gSOAP C++ stubs into a custom dynamic library, linked and built it against our main program.

When I use an HTTPS call I get ERROR_SYSCALL from OpenSSL and see that it fails in `SSL_connect`.

The exact error is:

```
sk_sort:0xb6cc1680
SOAP 1.2 fault SOAP-ENV:Receiver [no subcode]
"SSL_ERROR_SYSCALL
Error observed by underlying SSL/TLS BIO: Connection reset by peer"
Detail: SSL_connect error in tcp_connect()
```

If I use the same code directly in our main program it works without any problem...

What am I missing? Our custom library is dynamic and also links OpenSSL dynamically...

With kind regards

jww
Lonko
  • Strange, looks like it is a gSOAP problem. The old version works, the new one does not. Same proxy definition, just an upgraded version... What could be wrong? – Lonko Sep 30 '16 at 19:40
  • It is true that we added the second web service and the error is similar to this thread: http://openssl.6102.n7.nabble.com/SSL-read-returns-SSL-ERROR-SYSCALL-td24361.html – Lonko Sep 30 '16 at 19:45
  • Need lots more information, like client info, server info, client's secure transport (I think it's OpenSSL), server secure transport, firewall configs, OpenSSL version. – jww Oct 01 '16 at 07:46
  • Don't know what it could be, but I used our older stub with gSOAP 2.8.17r and it works! If I use gSOAP 2.8.33 or 2.8.36 I always get error syscall?! – Lonko Oct 03 '16 at 06:42
  • Oh, the 2.8.17r version prints: "SSL verify error or warning with certificate at depth 2: unable to get local issuer certificate". BUT IT WORKS without a problem... – Lonko Oct 03 '16 at 06:42
  • Solved it! The problem is in gSOAP using by default `SSL_set_tlsext_host_name(soap->ssl, host)`, which causes ERROR SYSCALL because we are using an IP and not a host name. The server drops the link as the hostname is an IP and not a valid name. As we need to use an IP instead of a hostname and gSOAP does not have any flag for this, we commented out that part in stdsoap2.cpp. – Lonko Oct 03 '16 at 10:29
  • Stack Overflow works differently than message board sites. Please add your answer in an answer block, and then accept your own answer. Also see [How does accepting an answer work?](http://meta.stackexchange.com/q/5234) on Meta Stack Exchange. – jww Oct 03 '16 at 17:46
  • You can use an IP address, but it must be in the server certificate's *Subject Alternate Name (SAN)*. Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) It provides a lot of background information on X.509 server certificates, how to present names, and where the various rules come from. – jww Oct 03 '16 at 17:47
  • @jww IIS does not allow an IP to be entered into SNI. The host name is invalid if you use numbers... – Lonko Oct 10 '16 at 07:57

1 Answer

1

Not exactly a problem with the custom library but with the latest gSOAP. gSOAP added `SSL_set_tlsext_host_name` to use SNI with TLS. If you are using an IP-based server with the default SSL certificate, e.g. no SNI, then all calls will fail with ERROR_SYSCALL.

So we solved it like this for now:
`SSL_set_tlsext_host_name(soap->ssl, host)` causes ERROR SYSCALL because we are using an IP and not a host name. The server drops the link as the hostname is an IP and not a valid name. As we need to use an IP instead of a hostname and gSOAP does not have any flag for this, we commented out that part in stdsoap2.cpp.

We just searched for `SSL_set_tlsext_host_name` in stdsoap2.cpp and commented it out.

Probably gSOAP should have a flag for this?

Lonko
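
As an added example (not code from gSOAP or from the answer above), one way to keep SNI for host names while skipping it only for IP literals, rather than commenting the call out for every connection. The helper names and the `WITH_OPENSSL_EXAMPLE` build flag are hypothetical, the sample hosts are constructed, and the OpenSSL part is compiled only when that flag is defined.

```c
/* Added example: decide whether a host string may be sent as TLS SNI. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* RFC 6066 forbids literal IPv4/IPv6 addresses in the SNI HostName.
 * Returns 1 if host is an IP literal (optionally in [brackets]), else 0. */
int host_is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    char tmp[INET6_ADDRSTRLEN + 2];
    size_t len;
    if (host == NULL || *host == '\0') return 0;
    len = strlen(host);
    if (host[0] == '[' && host[len - 1] == ']') {   /* URL form, e.g. [::1] */
        if (len - 2 >= sizeof(tmp)) return 0;       /* too long for an address */
        memcpy(tmp, host + 1, len - 2);
        tmp[len - 2] = '\0';
        host = tmp;
    }
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Returns the name to send as SNI, or NULL when SNI must be omitted. */
const char *sni_name_for(const char *host)
{
    if (host == NULL || *host == '\0' || host_is_ip_literal(host))
        return NULL;
    return host;
}

#ifdef WITH_OPENSSL_EXAMPLE   /* hypothetical build flag for this example */
#include <openssl/ssl.h>
/* Returns 1 if SNI was set or deliberately skipped, 0 on OpenSSL failure. */
int set_sni_if_hostname(SSL *ssl, const char *host)
{
    const char *name = sni_name_for(host);
    return name == NULL ? 1 : (int)SSL_set_tlsext_host_name(ssl, name);
}
#endif

int main(void)
{
    const char *hosts[] = { "192.0.2.10", "[2001:db8::1]", "ws.example.test" };
    for (size_t i = 0; i < 3; i++)   /* constructed sample hosts */
        printf("%-16s -> %s\n", hosts[i], sni_name_for(hosts[i]) ? "send SNI" : "omit SNI");
    return 0;
}
```

Omitting SNI does not change certificate name checking: when connecting by IP, the address still has to match the server certificate, as noted in the comments on the question.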