[FWD] DNS Error while doing SSL handshake - bad gethostbyaddr - Openssl


  1. [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr

    Forwarded to openssl-users for public discussion.

    Best regards,
    Lutz
    ----- Forwarded message from "Joy, Byju (GE Healthcare, consultant)" -----

    Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
    Date: Fri, 10 Oct 2008 15:00:51 +0200
    Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
    thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
    From: "Joy, Byju (GE Healthcare, consultant)"
    To: rt@openssl.org

    Dear OpenSSL experts,

    I am trying to run OpenSSL version "OpenSSL 0.9.8i 15 Sep 2008" on
    Windows Server 2003 Standard Edition Version 5.2.3790. Could you please
    help me with "bad gethostbyaddr" error message while doing SSL
    handshake? Log is given below:


    D:\OpenSSL2\bin>openssl
    OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key
    D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
    verify depth is 2
    Enter pass phrase for D:\my_key.pem:
    Loading 'screen' into random state - done
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
    bad gethostbyaddr
    SSL_accept:before/accept initialization
    read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
    SSL_accept:failed in SSLv3 read client hello B
    ERROR
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
    bad gethostbyaddr
    SSL_accept:before/accept initialization
    read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
    SSL_accept:failed in SSLv3 read client hello B
    ERROR
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
    bad gethostbyaddr


    Thanks & Regards,
    Byju Joy
    +91-9902511344, +91-80-67245657, *7098068


    ----- End forwarded message -----
    --
    Lutz Jaenicke jaenicke@openssl.org
    OpenSSL Project http://www.openssl.org/~jaenicke/
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr

    > -----Original Message-----
    > From: owner-openssl-users@openssl.org On Behalf Of Lutz Jaenicke
    > Sent: Friday, 10 October, 2008 09:03
    > ----- Forwarded message from "Joy, Byju (GE Healthcare,
    > consultant)" -----
    >
    > Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
    > Date: Fri, 10 Oct 2008 15:00:51 +0200
    > Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
    > thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
    > From: "Joy, Byju (GE Healthcare, consultant)"
    > To: rt@openssl.org
    >
    > Dear OpenSSL experts,
    >
    > I am trying to run OpenSSL version "OpenSSL 0.9.8i 15 Sep 2008" on
    > Windows Server 2003 Standard Edition Version 5.2.3790. Could you please
    > help me with "bad gethostbyaddr" error message while doing SSL
    > handshake? Log is given below:
    >

    s_server calls do_server calls do_accept which, after the actual (TCP)
    accept, calls gethostbyaddr to try to get the client host's name. If your
    system/network doesn't have DNS set up to do reverse-mapping for that host,
    you get this printed.
    (That would include DNS not set up at all, but I don't think Svr03 can do
    that. It could include using a bad/wrong nameserver, or zone; or
    unreachable/down one; or using a good nameserver but the zone admin doesn't
    do reverse-mapping at all -- some don't; or didn't do it for that host --
    particularly if it's a dynamic host e.g. a(nother) PC many admins don't
    consider it worth the trouble.)

    But it causes no harm; it just passes back a nullptr for the hostname
    string, which the actual logic (sv_body or www_body) never uses. The
    connection can still be completed and used, at least through 0.9.8g and I
    doubt this would be changed.
    (If you actually want to fix the revlookup, you need to say more about the
    type and relative network location of the client machine, and if it's not
    something simple you'll probably need to go elsewhere to a network-mgt
    group/list/forum.)

    >
    > D:\OpenSSL2\bin>openssl
    > OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key
    > D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
    > verify depth is 2
    > Enter pass phrase for D:\my_key.pem:
    > Loading 'screen' into random state - done
    > Using default temp DH parameters
    > Using default temp ECDH parameters
    > ACCEPT
    > bad gethostbyaddr
    > SSL_accept:before/accept initialization
    > read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
    > SSL_accept:failed in SSLv3 read client hello B


    This is your actual problem: you are not receiving the client hello.
    You appear to be getting a normal TCP shutdown instead i.e. FIN not RST.
    This might mean the client deliberately closed; on some system types
    it also occurs if the client fails e.g. segfault; it might also occur
    if something between you in the network like a firewall dislikes you.

    > ERROR
    > shutting down SSL
    > CONNECTION CLOSED
    > ACCEPT



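The reading of the log given in the reply above, as an added example (not code from the thread or from OpenSSL): a small Python triage that splits s_server output per connection and keeps the harmless `bad gethostbyaddr` notice apart from the read that actually failed. The function names and verdict strings are assumptions made for this illustration; the sample input is the log quoted in the thread.

```python
import re

# Server output quoted in the thread (s_server run with -debug -state).
SAMPLE_LOG = """\
ACCEPT
bad gethostbyaddr
SSL_accept:before/accept initialization
read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
SSL_accept:failed in SSLv3 read client hello B
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
bad gethostbyaddr
"""

READ_RE = re.compile(r"read from \S+ \[\S+\] \((\d+) bytes => (-?\d+) ")
FAIL_RE = re.compile(r"SSL_accept:failed in (.+)")

def split_connections(log):
    """s_server prints ACCEPT each time it waits for a client, so the lines
    that follow an ACCEPT belong to the next connection."""
    conns = []
    for line in (l.strip() for l in log.splitlines()):
        if line == "ACCEPT":
            conns.append([])
        elif line and conns:
            conns[-1].append(line)
    return [c for c in conns if c]

def triage(lines):
    """Separate the reverse-DNS notice from the real handshake failure."""
    rdns_failed = "bad gethostbyaddr" in lines
    last_read = failed_state = None
    for line in lines:
        if m := READ_RE.match(line):
            last_read = (int(m.group(1)), int(m.group(2)))  # (wanted, got)
        elif m := FAIL_RE.match(line):
            failed_state = m.group(1)
    if failed_state is None:
        verdict = "no handshake failure logged"
    elif last_read and last_read[1] == 0:
        verdict = "peer closed cleanly (EOF) before sending data"
    elif last_read and last_read[1] < 0:
        verdict = "socket error on read"
    else:
        verdict = "failure after data was received"
    return {"reverse_dns_failed": rdns_failed, "failed_state": failed_state,
            "last_read": last_read, "verdict": verdict}

def triage_log(log):
    return [triage(c) for c in split_connections(log)]
```

A read of `5 bytes => 0` is the server asking for the 5-byte record header and getting end-of-file, which is why the verdict points at the peer or the path rather than at DNS.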


  3. RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr


    Thank you Dave and Lutz. Good to know that I can ignore the error message
    "bad gethostbyaddr". Real problem is that "Client hello B" is not coming
    through. Yes, there is a firewall in between client and server. Since the
    SSL client was able to send in a few bytes ("client hello A?") successfully,
    firewall connection in this direction looks ok. It might be that firewall
    doesn't allow communication in opposite direction (from server to client)
    and hence client not receiving "server hello"? I will look into the firewall
    side...

    Thanks,
    Byju Joy





