Let me just state this one more time one other way to help people wrap their brain around it. The OpenSSL library is a black box. You are not supposed to look inside the black box.
If you want to get decrypted plaintext from the black box, the black box may or may not need to read data from the socket to get it. You don't know, and you're not supposed to know.

When you want to read data, you're supposed to call SSL_read. Now one of the things that might happen when you call SSL_read is that the black box has no data for you. But you have no way to know this until you ask it. If it has no data for you, it will tell you why. Maybe it needs to read from the socket. Maybe it needs to write to the socket. But until it tells you, you have no idea.

Yes, you really do know that OpenSSL typically has to read encrypted data from the socket to give you unencrypted data. But this secret knowledge of the internals of SSL is not supposed to be in your code. Your code is supposed to be agnostic. All it knows is that OpenSSL gives it decrypted data. Your code should be just as prepared for SSL_read to return WANT_WRITE as WANT_READ. Why? Because OpenSSL is a black box that sometimes needs to read and sometimes needs to write.

You should not ever assume that waiting for data to read on the socket means plaintext will arrive. It might, but your knowledge that it will is knowledge of SSL internals that your code should *not* have.

So when you say:

>Consider that when running with the current non-blocking API, once OpenSSL
>takes the data out of the socket buffer, both library and application
>programmer are basically stuck. The socket will never come up selectable
>for read again, but there is no other way for the application to find out
>that there is further data pending internally in OpenSSL.

The answer is -- of course there is. The application simply asks OpenSSL if there is further data pending. If OpenSSL cannot make further forward progress without reading from the socket, it will tell the application.
DS
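The "ask first, then wait only for what the library asks for" loop described in the message above, sketched with Python's ssl module, which wraps OpenSSL and reports the WANT_READ and WANT_WRITE conditions as ssl.SSLWantReadError and ssl.SSLWantWriteError. This is an added example, not part of the original message; the names recv_plaintext and drain_ready are illustrative, and tls is assumed to be a connected ssl.SSLSocket in non-blocking mode.

```python
import select
import ssl


def recv_plaintext(tls, nbytes, timeout=5.0):
    """Return (data, waits): plaintext read from a non-blocking TLS socket,
    plus the socket directions the library asked the caller to wait for."""
    waits = []
    while True:
        try:
            # Always ask the library first; never select() on a guess
            # about what it needs internally.
            return tls.recv(nbytes), waits
        except ssl.SSLWantReadError:
            rlist, wlist, want = [tls], [], "read"
        except ssl.SSLWantWriteError:
            # A read can require a write, e.g. when a handshake message
            # has to go out before more application data can come in.
            rlist, wlist, want = [], [tls], "write"
        waits.append(want)
        readable, writable, _ = select.select(rlist, wlist, [], timeout)
        if not (readable or writable):
            raise TimeoutError(f"socket not ready for {want} within {timeout}s")


def drain_ready(tls, nbytes=4096):
    """Collect everything the library can hand over right now.

    The socket may never become readable again for data that is already
    buffered inside the library, so keep asking until the library itself
    reports that it needs socket I/O (or the peer has closed)."""
    chunks = []
    while True:
        try:
            chunk = tls.recv(nbytes)
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            break
        if not chunk:
            break  # empty read: the peer closed the TLS session
        chunks.append(chunk)
    return b"".join(chunks)
```
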