David Schwartz wrote:
At that point we get stung because SSL_want_read() erroneously returned
'true' and we therefore registered the SSL-TCP file descriptor for
POLLIN, even though OpenSSL (and only OpenSSL) knows that the SSL-TCP
file descriptor has already returned read()==0.

This is insane. Imagine if SSL_want_read and SSL_want_write both returned
false. Then you wouldn't ever notice that the socket had been closed, you
could wait for new inbound data forever, and your proxy would stall.

That is not insane, it is completely sane, because it is *exactly* how things happen in a half-duplex TCP connection as well.

By analogy, the following is how a completely normal half-duplex-handling TCP proxy operates when the remote side completely closes its socket.

   * Remote side completely closes its socket.

   * Our TCP proxy gets read()==0 on the TCP socket.

   * In response, our proxy does shutdown(WR) on the local drain file
     descriptor (the other side of the proxy).
     This propagates the "read()==0" event to the local endpoint
     process that we're being a proxy for.

   * The proxy has nothing left to do, so it goes to sleep with poll().
     The TCP socket is not registered: neither POLLIN nor POLLOUT.  (!)
     The local source file descriptor is registered for POLLIN.

   * During the poll() sleep period, the TCP connection is already
     dead, but neither the proxy nor the local process can know this yet.

   * Sooner or later, the local endpoint process that we're being a
     proxy for will do a write() or close() towards us (usually in
     response to the shutdown(WR) that we did).

   * Our proxy is then woken up from poll().
     If the read() on the local source file descriptor ==0, we can quit
     right away.
     If the read() on the local source file descriptor did return data,
     our proxy calls write() on the TCP socket with the new data it
     got, and finally gets the waiting error on that TCP socket.
     At this point our proxy knows the game is well and truly up, and
     quits.


See? This is working nicely all over the Internet "as we speak" for TCP and Unix domain sockets.

I want to repeat: it's also OK by me if the documentation *explicitly* says somewhere

   "SSL can not operate half-duplex like TCP can. SSL_read()==0 means
   the connection is truly dead. You should not do SSL_write() anymore,
   and you can not use the results of SSL_want*() anymore for poll()."



   Nanno


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
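The half-duplex shutdown sequence Nanno lists above, as an added example that is not part of the original post. It runs all three parties (remote peer, proxy, local endpoint) in one process and uses two AF_UNIX socketpairs in place of the real TCP connection and the local drain/source descriptors; the assumption is that their read()==0 and EPIPE behaviour matches what the post describes for TCP. The struct field names and the "BYE" payload are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the simulated proxy observed at each step of the half-duplex shutdown. */
struct proxy_outcome {
    int tcp_eof_seen;     /* proxy got read()==0 on the "TCP" socket */
    int tcp_registered;   /* 1 if the TCP fd was in the poll() set while sleeping */
    int local_eof_seen;   /* local endpoint got read()==0 after our shutdown(WR) */
    int local_reply_len;  /* bytes the local endpoint sent back after seeing EOF */
    int write_errno;      /* errno from the proxy's final write to the dead TCP socket */
};

/* Run the whole scenario in one process.  Two AF_UNIX socketpairs stand in for
 * the real TCP connection and the local drain/source descriptors (assumption:
 * their EOF/EPIPE semantics match what the post describes for TCP). */
int run_half_duplex_proxy(struct proxy_outcome *out)
{
    int tcp[2], local[2];
    char buf[64];
    ssize_t n;

    memset(out, 0, sizeof *out);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, tcp) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, local) < 0) return -1;
    int remote_fd = tcp[0], proxy_tcp_fd = tcp[1];
    int proxy_local_fd = local[0], endpoint_fd = local[1];

    /* Step 1: the remote side completely closes its socket. */
    close(remote_fd);

    /* Step 2: the proxy gets read()==0 on the TCP socket. */
    n = read(proxy_tcp_fd, buf, sizeof buf);
    out->tcp_eof_seen = (n == 0);

    /* Step 3: propagate that EOF to the local endpoint with shutdown(WR);
     * the proxy must NOT close the fd, because the local side may still talk back. */
    shutdown(proxy_local_fd, SHUT_WR);

    /* Step 4: the proxy prepares to sleep.  Only the local source fd is registered
     * for POLLIN; the TCP socket is deliberately absent from the poll set. */
    struct pollfd pfd = { .fd = proxy_local_fd, .events = POLLIN, .revents = 0 };
    out->tcp_registered = 0;

    /* Step 5 (the local endpoint process, simulated inline): it sees read()==0,
     * which is our shutdown(WR) arriving, answers with its last bytes and closes. */
    n = read(endpoint_fd, buf, sizeof buf);
    out->local_eof_seen = (n == 0);
    static const char farewell[] = "BYE";   /* constructed sample payload */
    if (write(endpoint_fd, farewell, sizeof farewell - 1) < 0) return -1;
    close(endpoint_fd);

    /* Step 6: the proxy wakes from poll() because the local source fd is readable. */
    if (poll(&pfd, 1, 1000) <= 0 || !(pfd.revents & POLLIN)) return -1;
    n = read(proxy_local_fd, buf, sizeof buf);
    if (n < 0) return -1;
    out->local_reply_len = (int)n;

    /* Forward the data to the TCP socket.  This is where the proxy finally learns
     * the connection is dead: the write fails with EPIPE (MSG_NOSIGNAL turns the
     * SIGPIPE into a plain error return).  A read()==0 on the local fd would
     * instead have let us quit right away. */
    ssize_t w = send(proxy_tcp_fd, buf, (size_t)n, MSG_NOSIGNAL);
    out->write_errno = (w < 0) ? errno : 0;

    close(proxy_tcp_fd);
    close(proxy_local_fd);
    return 0;
}

int main(void)
{
    struct proxy_outcome o;
    if (run_half_duplex_proxy(&o) < 0) { perror("scenario"); return 1; }
    printf("tcp read()==0: %d, TCP fd polled: %d, local saw EOF: %d, "
           "local reply bytes: %d, final write errno: %d (%s)\n",
           o.tcp_eof_seen, o.tcp_registered, o.local_eof_seen,
           o.local_reply_len, o.write_errno, strerror(o.write_errno));
    return 0;
}
```

The point the run makes concrete: between steps 3 and 6 the proxy is asleep with the dead connection not registered for either POLLIN or POLLOUT, and nothing stalls, because the local endpoint's eventual write() or close() is what wakes it. The error from the final send() is the "waiting error" the post refers to; with real TCP it can also surface as ECONNRESET rather than EPIPE depending on whether a RST has already arrived.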