[Libwebsockets] Mbedtls handshake fails often (on windows)

Andy Green andy at warmcat.com
Wed Feb 6 10:09:57 CET 2019



On 06/02/2019 15:40, Lasa Martxel wrote:
> Morning,
> 
> I’m having an issue with libwebsockets.
> 
> I have built libwebsockets with mbedtls support on windows. I have 
> created a simple example that responds GET requests, both http and https.
> 
> With HTTP requests, I don’t have issues so far. When I use HTTPS however 
> I get an error in the TLS negotiation every 4-5 requests.
> 
> If I wait a few seconds between requests, I don’t get the error that often.
> 
> I have tried with the minimal tls example, and the same thing happens:

Thanks for checking like that.  And thanks for the log.

> [2019/02/06 07:36:47:7747] INFO: mbedtls_handshake: ssl ret -0 state 7
> 
> [2019/02/06 07:36:47:7747] INFO: mbedtls_handshake: ssl ret -0 state 8
> 
> [2019/02/06 07:36:47:7747] INFO: mbedtls_handshake: ssl ret -6900 state 8

-0x6900 is mbedtls-speak for MBEDTLS_ERR_SSL_WANT_READ... it's a 
nonfatal "I can't do the next step until I get some data from the remote 
peer".  Your "sometimes" behaviour is likely just racing whether the 
data came before we looked (happy), or we had to wait (error).

> [2019/02/06 07:36:47:7747] DEBUG: lws_tls_server_accept: 0302E900: 
> accept SSL_get_error 5 errno 0

This is after the openssl adaptation api has seen the above... it's 
translating the mbedtls condition to openssl error semantics... 5 is 
SSL_ERROR_SYSCALL and the matching errno is 0.

SYSCALL means that some posix api said something other than "perfect" 
and you have to check errno to find out the situation.

Errno is 0 so in other words there's no error.

> [2019/02/06 07:36:47:7747] INFO: SSL_accept says -1

...but it treats it like a fatal error and you're dead.

> [2019/02/06 07:36:47:7747] INFO: SSL_accept failed socket 824: -1
> 
> [2019/02/06 07:36:47:7747] INFO: lws_adopt_descriptor_vhost: fail ssl 
> negotiation
...
> 
> When I build and run it on linux, there are no problems.
> 
> Any clues?

What happens if you try this kind of thing?

diff --git a/lib/tls/mbedtls/mbedtls-server.c 
b/lib/tls/mbedtls/mbedtls-server.c
index d75500d77..943533d79 100644
--- a/lib/tls/mbedtls/mbedtls-server.c
+++ b/lib/tls/mbedtls/mbedtls-server.c
@@ -319,6 +319,11 @@ lws_tls_server_accept(struct lws *wsi)
         if (m == SSL_ERROR_SYSCALL && errno == 11)
                 return LWS_SSL_CAPABLE_MORE_SERVICE_READ;

+#if defined(WIN32)
+       if (m == SSL_ERROR_SYSCALL && errno == 0)
+               return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
+#endif
+
         if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL)
                 return LWS_SSL_CAPABLE_ERROR;


-Andy
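Added example, not libwebsockets code: a small C model of the accept decision discussed above, with the mbedtls and OpenSSL constants redefined locally (values as in those libraries) so it builds without either. It replays the log's case, a -0x6900 WANT_READ reported as SSL_ERROR_SYSCALL with errno 0, and shows why deciding on SSL_get_error plus errno turns it into a fatal error while checking the mbedtls return first does not, regardless of how the platform treats errno.

```c
#include <stdio.h>

/* Local copies of the library values so this compiles stand-alone. */
#define MBEDTLS_ERR_SSL_WANT_READ  (-0x6900)
#define MBEDTLS_ERR_SSL_WANT_WRITE (-0x6880)
#define SSL_ERROR_SSL              1
#define SSL_ERROR_SYSCALL          5
#define EAGAIN_LINUX               11   /* literal used by the lws code */

enum accept_result { ACCEPT_DONE, ACCEPT_MORE_READ, ACCEPT_ERROR };

/* Decision as seen in the log: only SSL_get_error() and errno are consulted. */
enum accept_result accept_by_errno(int ssl_get_error, int err)
{
	if (ssl_get_error == 0)
		return ACCEPT_DONE;
	if (ssl_get_error == SSL_ERROR_SYSCALL && err == EAGAIN_LINUX)
		return ACCEPT_MORE_READ;
	if (ssl_get_error == SSL_ERROR_SYSCALL || ssl_get_error == SSL_ERROR_SSL)
		return ACCEPT_ERROR;   /* WANT_READ with errno 0 ends up here */
	return ACCEPT_MORE_READ;
}

/* Alternative: inspect the mbedtls handshake return first, so a non-fatal
 * WANT_READ / WANT_WRITE is never mistaken for a failure, whatever errno
 * the platform left behind. Real errors still fall through to the shim. */
enum accept_result accept_by_mbedtls_ret(int mbedtls_ret, int ssl_get_error,
					 int err)
{
	if (mbedtls_ret == MBEDTLS_ERR_SSL_WANT_READ ||
	    mbedtls_ret == MBEDTLS_ERR_SSL_WANT_WRITE)
		return ACCEPT_MORE_READ;
	return accept_by_errno(ssl_get_error, err);
}

int main(void)
{
	/* Replay of the logged handshake step: ret -0x6900, SSL_get_error 5, errno 0. */
	int ret = MBEDTLS_ERR_SSL_WANT_READ, m = SSL_ERROR_SYSCALL, err = 0;

	printf("errno-based decision      : %d (2 = ERROR)\n",
	       accept_by_errno(m, err));
	printf("mbedtls-return decision   : %d (1 = MORE_READ)\n",
	       accept_by_mbedtls_ret(ret, m, err));
	return 0;
}
```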