From db5a95b3709ad5e744aa307e5f51b2443a7501b6 Mon Sep 17 00:00:00 2001 From: lchristina26 Date: Fri, 30 Jan 2015 08:41:34 -0700 Subject: [PATCH 1/5] add option for bidirectional shutdown --- examples/client/client.c | 35 ++++++++++++++++++++++++++++++----- examples/server/server.c | 16 ++++++++++++++-- src/internal.c | 9 ++++++--- src/ssl.c | 11 +++++++++++ 4 files changed, 61 insertions(+), 10 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 3e96ce539..5755e022d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -141,6 +141,7 @@ static void Usage(void) printf("-m Match domain name in cert\n"); printf("-N Use Non-blocking sockets\n"); printf("-r Resume session\n"); + printf("-w Wait for bidirectional shutdown\n"); #ifdef HAVE_SECURE_RENEGOTIATION printf("-R Allow Secure Renegotiation\n"); printf("-i Force client Initiated Secure Renegotiation\n"); @@ -207,6 +208,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) int doPeerCheck = 1; int nonBlocking = 0; int resumeSession = 0; + int shutdown = 0; int scr = 0; /* allow secure renegotiation */ int forceScr = 0; /* force client initiaed scr */ int trackMemory = 0; @@ -258,7 +260,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) StackTrap(); while ((ch = mygetopt(argc, argv, - "?gdDusmNrRitfxUPh:p:v:l:A:c:k:b:zS:L:ToO:a")) != -1) { + "?gdDusmNrwRitfxUPh:p:v:l:A:c:k:b:zS:L:ToO:a")) != -1) { switch (ch) { case '?' : Usage(); @@ -367,6 +369,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) resumeSession = 1; break; + case 'w' : + shutdown = 1; + break; + case 'R' : #ifdef HAVE_SECURE_RENEGOTIATION scr = 1; @@ -643,7 +649,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed"); - wolfSSL_shutdown(ssl); + if (shutdown) { /* bidirectional shutdown if true */ + if (!wolfSSL_shutdown(ssl)) + wolfSSL_shutdown(ssl); + } + else { + wolfSSL_shutdown(ssl); + } wolfSSL_free(ssl); CloseSocket(sockfd); } @@ -802,8 +814,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } #endif - if (doDTLS == 0) /* don't send alert after "break" command */ - wolfSSL_shutdown(ssl); /* echoserver will interpret as new conn */ + if (doDTLS == 0) { /* don't send alert after "break" command */ + if (shutdown) { /* bidirectional shutdown if true */ + if (!wolfSSL_shutdown(ssl)) /* echoserver interprets as new conn */ + wolfSSL_shutdown(ssl); + } + else { + wolfSSL_shutdown(ssl); + } + } #ifdef ATOMIC_USER if (atomicUser) FreeAtomicUser(ssl); @@ -879,7 +898,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) /* try to send session break */ wolfSSL_write(sslResume, msg, msgSz); - wolfSSL_shutdown(sslResume); + if (shutdown) { /* bidirectional shutdown if true */ + if (!wolfSSL_shutdown(sslResume)) + wolfSSL_shutdown(sslResume); + } + else { + wolfSSL_shutdown(sslResume); + } wolfSSL_free(sslResume); CloseSocket(sockfd); } diff --git a/examples/server/server.c b/examples/server/server.c index 8374d376d..a2c5d0176 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -135,6 +135,7 @@ static void Usage(void) printf("-r Create server ready file, for external monitor\n"); printf("-N Use Non-blocking sockets\n"); printf("-S Use Host Name Indication\n"); + printf("-w Wait for bidirectional shutdown\n"); #ifdef HAVE_OCSP printf("-o Perform OCSP lookup on peer certificate\n"); printf("-O Perform OCSP lookup using as responder\n"); @@ -173,6 +174,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int fewerPackets = 0; int pkCallbacks = 0; int serverReadyFile = 0; + int shutdown = 0; char* cipherList = NULL; const char* verifyCert = cliCert; const char* ourCert = svrCert; @@ -203,7 +205,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) fdOpenSession(Task_self()); #endif - while ((ch = mygetopt(argc, argv, "?dbstnNufraPp:v:l:A:c:k:S:oO:")) != -1) { + while ((ch = mygetopt(argc, argv, "?dbstnNufrawPp:v:l:A:c:k:S:oO:")) != -1) { switch (ch) { case '?' : Usage(); @@ -257,6 +259,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif break; + case 'w' : + shutdown = 1; + break; + case 'v' : version = atoi(myoptarg); if (version < 0 || version > 3) { @@ -560,7 +566,13 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) Task_yield(); #endif - SSL_shutdown(ssl); + if (shutdown) { /* bidirectional shutdown if true */ + if (!SSL_shutdown(ssl)) + SSL_shutdown(ssl); + } + else { + SSL_shutdown(ssl); + } SSL_free(ssl); SSL_CTX_free(ctx); diff --git a/src/internal.c b/src/internal.c index e43d35820..9833d7979 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6351,8 +6351,9 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type, WOLFSSL_MSG(" close notify"); ssl->options.closeNotify = 1; } - WOLFSSL_ERROR(*type); - + if (!ssl->options.sentNotify) { + WOLFSSL_ERROR(*type); + } if (ssl->keys.encryptionOn) { if (*inOutIdx + ssl->keys.padSz > totalSz) return BUFFER_E; @@ -7750,7 +7751,9 @@ startScr: while (ssl->buffers.clearOutputBuffer.length == 0) { if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); + if (!ssl->options.sentNotify) { + WOLFSSL_ERROR(ssl->error); + } if (ssl->error == ZERO_RETURN) { WOLFSSL_MSG("Zero return, no more data coming"); return 0; /* no more data coming */ diff --git a/src/ssl.c b/src/ssl.c index 8e0ae8a5e..5c61d6571 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -936,6 +936,17 @@ int wolfSSL_shutdown(WOLFSSL* ssl) return SSL_FATAL_ERROR; } ssl->options.sentNotify = 1; /* don't send close_notify twice */ + WOLFSSL_LEAVE("SSL_shutdown()", ssl->error); + return 0; + } + + /* call wolfSSL_shutdown again for bidirectional shudown */ + if (ssl->options.sentNotify && !ssl->options.closeNotify) { + ssl->error = ReceiveData(ssl, 0, 0, 0); + if (ssl->error < 0) { + WOLFSSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } } WOLFSSL_LEAVE("SSL_shutdown()", ssl->error); From ed80732957d4e17d18a43f9624d8477c9aba18c5 Mon Sep 17 00:00:00 2001 From: lchristina26 Date: Wed, 4 Feb 2015 11:52:37 -0700 Subject: [PATCH 2/5] add mymktemp function for random output file name in test.h --- testsuite/testsuite.c | 24 ++++++++++++++++++------ wolfssl/test.h | 41 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 58 insertions(+), 7 deletions(-) diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 1e426fbb3..2f1767cf8 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -47,12 +47,7 @@ enum { NUMARGS = 3 }; -#ifndef USE_WINDOWS_API - static const char outputName[] = "/tmp/output"; -#else - static const char outputName[] = "output"; -#endif - +static const char *outputName; int myoptind = 0; char* myoptarg = NULL; @@ -77,6 +72,16 @@ int testsuite_test(int argc, char** argv) tcp_ready ready; THREAD_TYPE serverThread; +#ifndef USE_WINDOWS_API + char tempName[] = "/tmp/output-XXXXXX"; + int len = 18; + int num = 6; +#else + char tempName[] = "fnXXXXXX"; + int len = 8; + int num = 6; +#endif + #ifdef HAVE_CAVIUM int ret = OpenNitroxDevice(CAVIUM_DIRECT, CAVIUM_DEV_ID); if (ret != 0) @@ -136,6 +141,13 @@ int testsuite_test(int argc, char** argv) echo_args.argc = 3; echo_args.argv = myArgv; + /* Create unique file name */ + outputName = mymktemp(tempName, len, num); + if (outputName == NULL) { + printf("Could not create unique file name"); + return EXIT_FAILURE; + } + strcpy(echo_args.argv[0], "echoclient"); strcpy(echo_args.argv[1], "input"); strcpy(echo_args.argv[2], outputName); diff --git a/wolfssl/test.h b/wolfssl/test.h index 11989cd4b..b500832eb 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -10,6 +10,7 @@ #include /* portability layer */ #include #include +#include #ifdef ATOMIC_USER #include @@ -17,7 +18,6 @@ #include #endif #ifdef HAVE_PK_CALLBACKS - #include #include #ifdef HAVE_ECC #include @@ -1791,5 +1791,44 @@ static INLINE char* strsep(char **stringp, const char *delim) #endif /* __hpux__ */ +/* Create unique filename, len is length of tempfn name, assuming + len does not include null terminating character, + num is number of characters in tempfn name to randomize */ +static INLINE const char* mymktemp(char *tempfn, int len, int num) +{ + int x, size; + static const char alphanum[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz"; + RNG rng; + int out; + + if (tempfn == NULL || len < 1 || num < 1 || len <= num) { + printf("Bad input\n"); + return NULL; + } + + size = len - 1; + + if (wc_InitRng(&rng) != 0) { + printf("InitRng failed\n"); + return NULL; + } + + for (x = size; x > size - num; x--) { + if (wc_RNG_GenerateBlock(&rng,(byte*)&out, sizeof(out)) != 0) { + printf("RNG_GenerateBlock failed\n"); + return NULL; + } + tempfn[x] = alphanum[out % (sizeof(alphanum) - 1)]; + } + tempfn[len] = '\0'; + +#if defined(HAVE_HASHDRBG) + wc_FreeRng(&rng); +#endif + + return tempfn; +} + #endif /* wolfSSL_TEST_H */ From 1ef9d7852c06fa2003480f6aaa4de58160999a59 Mon Sep 17 00:00:00 2001 From: lchristina26 Date: Fri, 6 Feb 2015 08:42:37 -0700 Subject: [PATCH 3/5] fixes from scan-build output in test.c --- wolfcrypt/test/test.c | 57 +++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 18 deletions(-) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 7b3e2c5a2..38ce86188 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -3179,30 +3179,49 @@ int rsa_test(void) wc_RsaInitCavium(&key, CAVIUM_DEV_ID); #endif ret = wc_InitRsaKey(&key, 0); - if (ret != 0) return -39; + if (ret != 0) { + free(tmp); + return -39; + } ret = wc_RsaPrivateKeyDecode(tmp, &idx, &key, (word32)bytes); - if (ret != 0) return -41; - + if (ret != 0) { + free(tmp); + return -41; + } ret = wc_InitRng(&rng); - if (ret != 0) return -42; - + if (ret != 0) { + free(tmp); + return -42; + } ret = wc_RsaPublicEncrypt(in, inLen, out, sizeof(out), &key, &rng); - if (ret < 0) return -43; - + if (ret < 0) { + free(tmp); + return -43; + } ret = wc_RsaPrivateDecrypt(out, ret, plain, sizeof(plain), &key); - if (ret < 0) return -44; - - if (memcmp(plain, in, inLen)) return -45; - + if (ret < 0) { + free(tmp); + return -44; + } + if (memcmp(plain, in, inLen)) { + free(tmp); + return -45; + } ret = wc_RsaSSL_Sign(in, inLen, out, sizeof(out), &key, &rng); - if (ret < 0) return -46; - + if (ret < 0) { + free(tmp); + return -46; + } memset(plain, 0, sizeof(plain)); ret = wc_RsaSSL_Verify(out, ret, plain, sizeof(plain), &key); - if (ret < 0) return -47; - - if (memcmp(plain, in, ret)) return -48; - + if (ret < 0) { + free(tmp); + return -47; + } + if (memcmp(plain, in, ret)) { + free(tmp); + return -48; + } #if defined(WOLFSSL_MDK_ARM) #define sizeof(s) strlen((char *)(s)) #endif @@ -3215,8 +3234,10 @@ int rsa_test(void) bytes = sizeof_client_cert_der_2048; #else file2 = fopen(clientCert, "rb"); - if (!file2) + if (!file2) { + free(tmp); return -49; + } bytes = fread(tmp, 1, FOURK_BUF, file2); fclose(file2); From 4c7b076cea27f0178ead0310aec8fa2a76b46c0c Mon Sep 17 00:00:00 2001 From: lchristina26 Date: Wed, 11 Feb 2015 09:37:54 -0700 Subject: [PATCH 4/5] updates to shutdown and mymktemp --- src/internal.c | 8 ++------ src/ssl.c | 20 ++++++++++++-------- wolfssl/test.h | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/internal.c b/src/internal.c index 9833d7979..e3bfa615a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6351,9 +6351,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type, WOLFSSL_MSG(" close notify"); ssl->options.closeNotify = 1; } - if (!ssl->options.sentNotify) { - WOLFSSL_ERROR(*type); - } + WOLFSSL_ERROR(*type); if (ssl->keys.encryptionOn) { if (*inOutIdx + ssl->keys.padSz > totalSz) return BUFFER_E; @@ -7751,9 +7749,7 @@ startScr: while (ssl->buffers.clearOutputBuffer.length == 0) { if ( (ssl->error = ProcessReply(ssl)) < 0) { - if (!ssl->options.sentNotify) { - WOLFSSL_ERROR(ssl->error); - } + WOLFSSL_ERROR(ssl->error); if (ssl->error == ZERO_RETURN) { WOLFSSL_MSG("Zero return, no more data coming"); return 0; /* no more data coming */ diff --git a/src/ssl.c b/src/ssl.c index 5c61d6571..5025eab84 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -917,6 +917,7 @@ int wolfSSL_recv(WOLFSSL* ssl, void* data, int sz, int flags) /* SSL_SUCCESS on ok */ int wolfSSL_shutdown(WOLFSSL* ssl) { + byte tmp; WOLFSSL_ENTER("SSL_shutdown()"); if (ssl == NULL) @@ -937,23 +938,26 @@ int wolfSSL_shutdown(WOLFSSL* ssl) } ssl->options.sentNotify = 1; /* don't send close_notify twice */ WOLFSSL_LEAVE("SSL_shutdown()", ssl->error); - return 0; + + if (ssl->options.closeNotify) + return 1; + else + return 0; } /* call wolfSSL_shutdown again for bidirectional shudown */ if (ssl->options.sentNotify && !ssl->options.closeNotify) { - ssl->error = ReceiveData(ssl, 0, 0, 0); + ssl->error = wolfSSL_read(ssl, &tmp, 0); if (ssl->error < 0) { WOLFSSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } + WOLFSSL_LEAVE("SSL_shutdown()", ssl->error); + ssl->error = SSL_ERROR_SYSCALL; /* simulate OpenSSL behavior */ + if(ssl->options.closeNotify) + return SSL_SUCCESS; } - - WOLFSSL_LEAVE("SSL_shutdown()", ssl->error); - - ssl->error = SSL_ERROR_SYSCALL; /* simulate OpenSSL behavior */ - - return SSL_SUCCESS; + return SSL_FATAL_ERROR; } diff --git a/wolfssl/test.h b/wolfssl/test.h index b500832eb..8720ff516 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1800,7 +1800,7 @@ static INLINE const char* mymktemp(char *tempfn, int len, int num) static const char alphanum[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz"; RNG rng; - int out; + byte out; if (tempfn == NULL || len < 1 || num < 1 || len <= num) { printf("Bad input\n"); From 5f3b1d90b64367d6fe2506f5db58fe6c11045e91 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 16 Feb 2015 14:23:33 -0800 Subject: [PATCH 5/5] fix shutdown returns --- examples/client/client.c | 30 +++++++++--------------------- examples/server/server.c | 13 +++++-------- src/ssl.c | 28 ++++++++++++++++------------ wolfssl/ssl.h | 1 + 4 files changed, 31 insertions(+), 41 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 5755e022d..66db505a8 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -209,6 +209,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) int nonBlocking = 0; int resumeSession = 0; int shutdown = 0; + int ret; int scr = 0; /* allow secure renegotiation */ int forceScr = 0; /* force client initiaed scr */ int trackMemory = 0; @@ -649,13 +650,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed"); - if (shutdown) { /* bidirectional shutdown if true */ - if (!wolfSSL_shutdown(ssl)) - wolfSSL_shutdown(ssl); - } - else { - wolfSSL_shutdown(ssl); - } + wolfSSL_shutdown(ssl); wolfSSL_free(ssl); CloseSocket(sockfd); } @@ -815,13 +810,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif if (doDTLS == 0) { /* don't send alert after "break" command */ - if (shutdown) { /* bidirectional shutdown if true */ - if (!wolfSSL_shutdown(ssl)) /* echoserver interprets as new conn */ - wolfSSL_shutdown(ssl); - } - else { - wolfSSL_shutdown(ssl); - } + ret = wolfSSL_shutdown(ssl); + if (shutdown && ret == SSL_SHUTDOWN_NOT_DONE) + wolfSSL_shutdown(ssl); /* bidirectional shutdown */ } #ifdef ATOMIC_USER if (atomicUser) @@ -898,13 +889,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) /* try to send session break */ wolfSSL_write(sslResume, msg, msgSz); - if (shutdown) { /* bidirectional shutdown if true */ - if (!wolfSSL_shutdown(sslResume)) - wolfSSL_shutdown(sslResume); - } - else { - wolfSSL_shutdown(sslResume); - } + ret = wolfSSL_shutdown(sslResume); + if (shutdown && ret == SSL_SHUTDOWN_NOT_DONE) + wolfSSL_shutdown(sslResume); /* bidirectional shutdown */ + wolfSSL_free(sslResume); CloseSocket(sockfd); } diff --git a/examples/server/server.c b/examples/server/server.c index a2c5d0176..64a989d65 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -135,7 +135,7 @@ static void Usage(void) printf("-r Create server ready file, for external monitor\n"); printf("-N Use Non-blocking sockets\n"); printf("-S Use Host Name Indication\n"); - printf("-w Wait for bidirectional shutdown\n"); + printf("-w Wait for bidirectional shutdown\n"); #ifdef HAVE_OCSP printf("-o Perform OCSP lookup on peer certificate\n"); printf("-O Perform OCSP lookup using as responder\n"); @@ -175,6 +175,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int pkCallbacks = 0; int serverReadyFile = 0; int shutdown = 0; + int ret; char* cipherList = NULL; const char* verifyCert = cliCert; const char* ourCert = svrCert; @@ -566,13 +567,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) Task_yield(); #endif - if (shutdown) { /* bidirectional shutdown if true */ - if (!SSL_shutdown(ssl)) - SSL_shutdown(ssl); - } - else { - SSL_shutdown(ssl); - } + ret = SSL_shutdown(ssl); + if (shutdown && ret == SSL_SHUTDOWN_NOT_DONE) + SSL_shutdown(ssl); /* bidirectional shutdown */ SSL_free(ssl); SSL_CTX_free(ctx); diff --git a/src/ssl.c b/src/ssl.c index 5025eab84..5ef43fc8f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -917,6 +917,7 @@ int wolfSSL_recv(WOLFSSL* ssl, void* data, int sz, int flags) /* SSL_SUCCESS on ok */ int wolfSSL_shutdown(WOLFSSL* ssl) { + int ret = SSL_FATAL_ERROR; byte tmp; WOLFSSL_ENTER("SSL_shutdown()"); @@ -937,27 +938,30 @@ int wolfSSL_shutdown(WOLFSSL* ssl) return SSL_FATAL_ERROR; } ssl->options.sentNotify = 1; /* don't send close_notify twice */ - WOLFSSL_LEAVE("SSL_shutdown()", ssl->error); - if (ssl->options.closeNotify) - return 1; + ret = SSL_SUCCESS; else - return 0; + ret = SSL_SHUTDOWN_NOT_DONE; + + WOLFSSL_LEAVE("SSL_shutdown()", ret); + return ret; } /* call wolfSSL_shutdown again for bidirectional shudown */ if (ssl->options.sentNotify && !ssl->options.closeNotify) { - ssl->error = wolfSSL_read(ssl, &tmp, 0); - if (ssl->error < 0) { + ret = wolfSSL_read(ssl, &tmp, 0); + if (ret < 0) { WOLFSSL_ERROR(ssl->error); - return SSL_FATAL_ERROR; + ret = SSL_FATAL_ERROR; + } else if (ssl->options.closeNotify) { + ssl->error = SSL_ERROR_SYSCALL; /* simulate OpenSSL behavior */ + ret = SSL_SUCCESS; } - WOLFSSL_LEAVE("SSL_shutdown()", ssl->error); - ssl->error = SSL_ERROR_SYSCALL; /* simulate OpenSSL behavior */ - if(ssl->options.closeNotify) - return SSL_SUCCESS; } - return SSL_FATAL_ERROR; + + WOLFSSL_LEAVE("SSL_shutdown()", ret); + + return ret; } diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 4385a15a0..721d33272 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -644,6 +644,7 @@ enum { /* ssl Constants */ SSL_ERROR_NONE = 0, /* for most functions */ SSL_FAILURE = 0, /* for some functions */ SSL_SUCCESS = 1, + SSL_SHUTDOWN_NOT_DONE = 2, /* call wolfSSL_shutdown again to complete */ SSL_BAD_CERTTYPE = -8, SSL_BAD_STAT = -7,