Debugging OpenSSL Error Codes Easily

Nov 9, 2015 How To

Introduction

I was recently working on a project which revolved around the OpenSSL library. For those of you who have played around with OpenSSL in the past, you know the error messages are not very helpful.

For example:

8#0: *3 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 192.168.99.1, server: 0.0.0.0:443

I get it, a bad certificate is bad, but what the hell is alert number 42?

Cracking the code

Just like everything when it comes to development, always go back to the source. This tactic has proved extremely successful for me.

Using the header file from the OpenSSL project, like the one at the GitHub link below, you can treat it as a Rosetta stone that gives the numbers in the errors some context.

https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h

If you search for the constant value from the OpenSSL error, you can find the name of the constant, in this instance X509_V_ERR_INVALID_POLICY_EXTENSION.

# define         X509_V_ERR_INVALID_POLICY_EXTENSION             42

The next steps would be to look at your implementation and correct any invalid policy extensions.
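The lookup described above, scripted as an added example (not code from the original post or from the OpenSSL project): it splits the error string into its fields, unpacks the hex code using the OpenSSL 1.x layout, and searches header text for macros defined with a given number. HEADER_SAMPLE is a constructed excerpt standing in for the real header, and the function names are hypothetical.

```python
import re

# Log line quoted in the article.
LOG_LINE = (
    "8#0: *3 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert bad certificate:SSL alert number 42)")

# Constructed excerpt in the style of x509_vfy.h; pass the text of the real
# header to find_constants() when using this for real.
HEADER_SAMPLE = """\
# define         X509_V_OK                                       0
# define         X509_V_ERR_INVALID_EXTENSION                    41
# define         X509_V_ERR_INVALID_POLICY_EXTENSION             42
# define         X509_V_ERR_NO_EXPLICIT_POLICY                   43
"""

ERROR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^:)]+)(?::SSL alert number (?P<alert>\d+))?")
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)\s+(\d+)\b", re.MULTILINE)


def parse_error(line):
    """Split an OpenSSL error string into its named fields, or return None."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    if fields["alert"] is not None:
        fields["alert"] = int(fields["alert"])
    return fields


def unpack_code(hex_code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    e = int(hex_code, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def find_constants(header_text, value):
    """Return every macro in header_text defined as the given decimal value."""
    return [name for name, num in DEFINE_RE.findall(header_text)
            if int(num) == value]


if __name__ == "__main__":
    err = parse_error(LOG_LINE)
    print(err, unpack_code(err["code"]))
    print(find_constants(HEADER_SAMPLE, err["alert"]))
```

find_constants returns every match rather than the first, so it can be run over each header under include/openssl; the same number can be defined in more than one of them.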

