
WolfSSL fails on MacOS

Open scaprile opened this issue 1 year ago • 4 comments

5.7.0_1, about to get a file from ourselves (locally signed CA)

961c1  3 net.c:199:mg_listen            1 3 https://localhost:12347
961c1  3 net.c:174:mg_connect           2 -1 https://localhost:12347
961c1  3 sock.c:391:mg_connect_resolved 2 4 -> 127.0.0.1:12347 pend
961c1  3 tls_openssl.c:137:mg_tls_init  2 Setting TLS
961c2  3 tls_openssl.c:232:mg_tls_init  2 SSL client OK
961c3  3 sock.c:446:accept_conn         3 5 accepted 127.0.0.1:49197 -> 127.0.0.1:12347
961c3  3 tls_openssl.c:137:mg_tls_init  3 Setting TLS
**961c3  1 event.c:31:mg_error            3 5 SSL_new**
961c5  3 net.c:148:mg_close_conn        3 5 closed
961c5  3 sock.c:301:read_conn           2 4 21:0:0 -2 err 0
961c5  3 sock.c:301:read_conn           2 4 21:0:0 -2 err 0
961c5  3 net.c:148:mg_close_conn        2 4 closed
FAILURE unit_test.c:1278: fetch(&mgr, buf, url, "GET /a.txt HTTP/1.0\n\n") == 200

but it is SSL_new() that fails on the server side https://github.com/cesanta/mongoose/blob/a9902b55d82fe68c36f8f4ffcde4a8c99239c716/src/tls_openssl.c#L136-L145

adding

```c
/* Tried in mg_tls_init(), before SSL_new(): disable peer verification
 * when no CA is given (or the CA is "*"), only for the wolfSSL build. */
#if MG_TLS == MG_TLS_WOLFSSL && !defined(OPENSSL_COMPATIBLE_DEFAULTS)
  if (opts->ca.len == 0 || mg_strcmp(opts->ca, mg_str("*")) == 0) {
    SSL_CTX_set_verify(tls->ctx, SSL_VERIFY_NONE, NULL);
  }
#endif
```

before calling SSL_new() does not help.

scaprile avatar Jul 08 '24 19:07 scaprile

I have also seen this error with WolfSSL 5.6.3 but on Linux. I have not tested on macOS. The workaround was to ensure a cert and key were set on the SSL context using `SSL_CTX_use_certificate(tls->ctx, cert)` and `SSL_CTX_use_PrivateKey(tls->ctx, key)` before calling `SSL_new()`.

gmholland avatar Sep 11 '24 21:09 gmholland

It fails on Windows too.

gvanem avatar Jun 25 '25 07:06 gvanem

@gvanem Hi, not on our setup (GitHub's), please report your setup and describe the failure mode you observe, add logs, etc. Thank you.

scaprile avatar Jun 25 '25 12:06 scaprile

@scaprile The log is similar to the above:

4d276b86 3 tls_openssl.c:138:mg_tls_ini 2 Setting TLS
4d276bd4 3 tls_openssl.c:236:mg_tls_ini 2 SSL client OK
4d276bd4 3 sock.c:477:accept_conn       3 604 accepted 127.0.0.1:49221 -> 127.0.0.1:12347
4d276bd4 3 tls_openssl.c:138:mg_tls_ini 3 Setting TLS
4d276bd4 1 event.c:30:mg_error          3 604 SSL_new
4d276be4 3 net.c:147:mg_close_conn      3 604 closed
4d276be4 3 sock.c:328:read_conn         2 620 21:0:0 -1 err 10054
4d276be4 3 net.c:147:mg_close_conn      2 620 closed

I built everything with `-DMG_ENABLE_POLL=1`, but the same timeout occurs without it.

gvanem avatar Jun 26 '25 06:06 gvanem