[ https://issues.apache.org/jira/browse/TS-3667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14634606#comment-14634606 ]
Oknet Xu commented on TS-3667:
------------------------------

I have a plugin that hooks on SNI_HOOK/CERT_HOOK and looks up a cert from a MySQL database by SNI.

The SSL handshake is pending in CERT_REQUEST status and will not be reenabled by SSLAccept() because of the {{this->read_raw_data()==-EAGAIN}} and {{return SSL_HANDSHAKE_WANT_READ}}.

The {{this->read_raw_data()==0}} means the client side closed the connection (EOF); we can drop the SSL session before SSLAccept().

The {{this->read_raw_data()<0}} means some other error. I think SSLAccept() will find the other error cases and return a proper error value.

The new patch below handles only the EOF; other error cases are not included.

{code}
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index e06f749..89e3f4e 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc 
@@ -1073,18 +1073,11 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) if (BIO_eof(SSL_get_rbio(this->ssl))) { // No more data in the buffer // Read from socket to fill in the BIO buffer with the // raw handshake data before calling the ssl accept calls. - int retval = this->read_raw_data(); - if (retval < 0) { - if (retval == -EAGAIN) { - // No data at the moment, hang tight - SSLDebugVC(this, "SSL handshake: EAGAIN"); - return SSL_HANDSHAKE_WANT_READ; - } else { - // An error, make us go away - SSLDebugVC(this, "SSL handshake error: read_retval=%d", retval); - return EVENT_ERROR; - } - } else if (retval == 0) { + retval = this->read_raw_data(); + + // TS-3667: handle EOS after SSLAccept() + // This is working with CERT_HOOK + if (retval == 0) { // EOF, go away, we stopped in the handshake SSLDebugVC(this, "SSL handshake error: EOF"); return EVENT_ERROR;
{code}

> SSL Handshake read does not correctly handle EOF and error cases
> ----------------------------------------------------------------
>
> Key: TS-3667
> URL: https://issues.apache.org/jira/browse/TS-3667
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Affects Versions: 5.2.0, 5.3.0
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
> Fix For: 5.3.1, 6.0.0
>
> Attachments: ts-3667.diff
>
>
> Reported by [~esproul] and postwait.
> The return value of SSLNetVConnection::read_raw_data() is being ignored. So
> EOF and errors are not terminated, but rather spin until the inactivity
> timeout is reached. EAGAIN is not being descheduled until more data is
> available.
> This results in higher CPU utilization and hitting the SSL_error() function
> much more than it needs to be hit.
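Review bot: Removing the whole `retval < 0` branch at the top of the sslServerHandShakeEvent hunk means a read error other than -EAGAIN no longer returns EVENT_ERROR at this point and is left for the later accept call to notice, which is the ignored-return-value condition the issue description links to spinning until the inactivity timeout. If the aim is only to let the handshake continue on -EAGAIN while a CERT_HOOK plugin is pending, consider keeping the error return and relaxing just the EAGAIN case, for example `if (retval < 0 && retval != -EAGAIN) return EVENT_ERROR;`. Two smaller points in the same hunk: the new line `retval = this->read_raw_data();` drops the `int` declaration, so `retval` must be declared somewhere outside the visible context, and the added comment says EOS is handled "after SSLAccept()" although the check sits before the accept call according to the surrounding context comment.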