Hi,
I am trying to nest two SSL streams (using BIO_SSL). The server is
some sort of TCP proxy server which gets connections from its clients
via SSL ("outer" connection). The second server also expects the
connection to be SSL encrypted ("inner" connection), making two
nested SSL streams visible to the client.
I keep getting the following error after the second (inner) handshake:
4962:error:1409F080:SSL routines:SSL3_WRITE_PENDING:bio not set:s3_pkt.c:751:
Interestingly, this error comes from the "outer" SSL object. It seems
like the second handshake has invalidated the first SSL object.
A debugging session showed that the cause lies somewhere in
ssl_free_wbio_buffer() (called from the "inner" SSL object). This
function calls BIO_pop() on the buffered BIO (BIO_f_buffer).
BIO_pop() performs this pop and additionally calls
BIO_ctrl(BIO_CTRL_POP) - the BIO_f_buffer instance does not evaluate
BIO_CTRL_POP and hands it off to the next BIO in the chain - which is
the "outer" SSL object in this case.
BIO_f_ssl has special handling for BIO_CTRL_POP: it sets ssl->wbio
and ssl->rbio to NULL. This is wrong here, since it's not the
BIO_f_ssl on which the BIO_pop() is performed. In the end, this
results in ssl->wbio being NULL and in SSL_R_BIO_NOT_SET.
I believe that BIO_f_buffer (and possibly other filters like
BIO_f_null) should never pass BIO_CTRL_POP and BIO_CTRL_PUSH down the
linked list, since other BIO objects like BIO_f_ssl might draw wrong
conclusions from that. They should simply ignore these two ctrls. I
tested that, and it works well.
My tests were performed with version 0.9.8c (Debian etch), and a quick
review of 0.9.8e showed that nothing has changed regarding this bug.
Max
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
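
Added example, not part of the original message and not OpenSSL code: a simplified C model of the chain described above (a buffer BIO sitting on top of the "outer" SSL filter). It shows how a forwarded POP ctrl clears the outer filter's write BIO, and how a buffer that ignores the ctrl leaves it intact. The struct, enum and function names are hypothetical stand-ins, not the OpenSSL API.

```c
#include <stdio.h>

/* Simplified model of a BIO filter chain; not OpenSSL source. */
enum { CTRL_POP = 1 };                 /* stands in for BIO_CTRL_POP */
enum kind { K_BUFFER, K_SSL, K_SOCKET };
typedef struct bio {
    enum kind kind;
    struct bio *next;                  /* next BIO down the chain */
    struct bio *wbio;                  /* models ssl->wbio (K_SSL only) */
} bio;
static int buffer_forwards = 1;        /* 1 = behaviour described in the post */

static void bio_ctrl(bio *b, int cmd)
{
    if (b == NULL) return;
    if (b->kind == K_BUFFER && buffer_forwards)
        bio_ctrl(b->next, cmd);        /* not handled here, handed down */
    else if (b->kind == K_SSL && cmd == CTRL_POP)
        b->wbio = NULL;                /* assumes it is the BIO being popped */
}

/* Models BIO_pop(): send the POP ctrl to b, then unlink it. */
static bio *bio_pop(bio *b)
{
    bio *rest = b->next;
    bio_ctrl(b, CTRL_POP);
    b->next = NULL;
    return rest;
}

/* Inner SSL object drops its handshake buffer, which sits on top of the
   outer SSL filter. Returns 1 if the outer filter keeps its write BIO. */
int outer_wbio_survives(int forward)
{
    bio sock  = { K_SOCKET, NULL, NULL };
    bio outer = { K_SSL, &sock, &sock };
    bio buf   = { K_BUFFER, &outer, NULL };
    buffer_forwards = forward;
    bio_pop(&buf);
    return outer.wbio != NULL;
}

int main(void)
{
    printf("buffer forwards POP: outer wbio %s\n",
           outer_wbio_survives(1) ? "intact" : "NULL");
    printf("buffer ignores POP:  outer wbio %s\n",
           outer_wbio_survives(0) ? "intact" : "NULL");
    return 0;
}
```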