15

I am using OpenSSL to establish a TLS connection with a remote server.

Here are the code snippets:

int ret;
unsigned long err;

if ((ret = SSL_connect(c->ssl)) <= 0) {
    ret = SSL_get_error(c->ssl, ret);        /* SSL_ERROR_* classification of the failure */
    if ((err = ERR_get_error())) {           /* oldest entry on this thread's error queue */
        /* string tables are loaded only here, after the error was already queued */
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        CRERROR(LOGSSLUTILS, "SSL connect err code:[%lu](%s)\n", err, ERR_error_string(err, NULL));
        CRERROR(LOGSSLUTILS, "Error is %s \n", ERR_reason_error_string(err));
    }
}

For some unknown reason, SSL_connect failed and I just want to identify the reason by using ERR_error_string. The outputs are:

SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))

Error: cmrSSLlInit:174 Error is (null) 

As you can see, I can only get the error code but cannot get the readable error string.

How can I get the readable error string?

jww
AllenHu

5 Answers

10

For some unknown reason, SSL_connect failed and I just want to identify the reason by using ERR_error_string. The outputs are:

SSL connect err code:[336077172] (error:14082174:lib(20):func(130):reason(372))
$ openssl errstr 0x14082174
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small

For DH key too small, check out SSL operation failed with code 1: dh key too small on Stack Overflow. The short of it is, earlier versions of OpenSSL used a 512-bit DH group. It's too small, and you need to use a 2048-bit group.


How can I get the readable error string?

To log a string like error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small, I believe you can call ERR_print_errors and ERR_print_errors_fp. The functions print the entire error stack. Also see the ERR_print_errors man pages.

li ki
jww
8

One way to get all queued thread local errors is with the snippet below as suggested here:

#include <string>
#include <openssl/bio.h>
#include <openssl/err.h>

using std::string;

// Drains the calling thread's OpenSSL error queue into a std::string,
// one formatted "error:XXXXXXXX:lib:func:reason" line per queued entry.
string getOpenSSLError()
{
    BIO *bio = BIO_new(BIO_s_mem());
    if (bio == NULL)
        return string();
    ERR_print_errors(bio);                        // writes and clears the whole queue
    char *buf;
    size_t len = BIO_get_mem_data(bio, &buf);     // pointer into the BIO's buffer, valid until BIO_free
    string ret(buf, len);
    BIO_free(bio);
    return ret;
}
ceztko
4

I use this to print the latest error:

ctx = SSL_CTX_new(method);
if (ctx == NULL)
{
    /* ERR_get_error() pops the oldest queued error; with a NULL buffer,
       ERR_error_string formats it into a static (not thread-safe) buffer */
    printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
}
3

You are calling SSL_load_error_strings() and ERR_load_crypto_strings() too late in your sample code. They should be called right up front at the start of your program; you should then get readable error strings out of OpenSSL. @jww has it right about the DH group being too small. Ideally the server needs to be reconfigured with a larger group. If that is not possible then try connecting with a non-DHE ciphersuite (i.e., use an ECDHE based one instead).

Matt Caswell
2

This is because I included the option "no-err" when compiling OpenSSL, so ERR_error_string returns NULL.

AllenHu
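When the tables are absent (the no-err build above, or ERR_reason_error_string returning NULL for any other reason), the packed number is still informative. The following added C example, not from the question or any answer, splits an OpenSSL 1.0/1.1-style error code into its lib/func/reason fields and reproduces the numeric fallback line shown in the question. The bit layout and the library-name table are taken from OpenSSL 1.x err.h (the ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros and the ERR_LIB_* constants); OpenSSL 3.0 uses a different packing with no function field, which this decoder does not handle.

```c
/* Added example (not part of the question or any answer): split a packed
 * OpenSSL 1.0/1.1 error code into its library, function and reason fields,
 * so the number is still meaningful when the string tables are missing
 * (for instance in a build configured with no-err). Layout: bits 31..24 are
 * the library, 23..12 the function, 11..0 the reason, which is what the
 * ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros read in those releases.
 * Needs no OpenSSL headers or library to build. */
#include <stdio.h>
#include <string.h>

struct ossl_err_fields {
    int lib;
    int func;
    int reason;
};

/* Decode the three fields of a 1.x packed error code. */
struct ossl_err_fields ossl_err_decode(unsigned long code)
{
    struct ossl_err_fields f;
    f.lib    = (int)((code >> 24) & 0xffUL);
    f.func   = (int)((code >> 12) & 0xfffUL);
    f.reason = (int)(code & 0xfffUL);
    return f;
}

/* Library names for a few ERR_LIB_* values from OpenSSL 1.x err.h; anything
 * else is reported as unknown rather than guessed. */
const char *ossl_err_lib_name(int lib)
{
    switch (lib) {
    case 2:  return "system library";
    case 9:  return "PEM routines";
    case 11: return "x509 certificate routines";
    case 20: return "SSL routines";
    case 32: return "BIO routines";
    default: return "unknown library";
    }
}

/* Render the fallback form ERR_error_string uses when no table entry exists,
 * e.g. error:14082174:lib(20):func(130):reason(372). Returns buf. */
const char *ossl_err_format_numeric(unsigned long code, char *buf, size_t buflen)
{
    struct ossl_err_fields f = ossl_err_decode(code);
    snprintf(buf, buflen, "error:%08lX:lib(%d):func(%d):reason(%d)",
             code, f.lib, f.func, f.reason);
    return buf;
}

int main(void)
{
    /* The code from the question, as logged in decimal: 336077172 == 0x14082174 */
    unsigned long code = 336077172UL;
    struct ossl_err_fields f = ossl_err_decode(code);
    char line[64];

    printf("%s\n", ossl_err_format_numeric(code, line, sizeof line));
    printf("library %d is %s; reason %d is what `openssl errstr 0x%08lX` names\n",
           f.lib, ossl_err_lib_name(f.lib), f.reason, code);
    return 0;
}
```

The reason number is the part to look up: `openssl errstr` on a normally built OpenSSL of the same release resolves it, as jww's answer shows, even when the binary that logged the error was built without the strings.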