I have a server application which uses OpenSSL (0.9.9-current as of about
four months ago) in nonblocking mode.
As a test, I added an option to call SSL_renegotiate every 100 successful
SSL_read or SSL_write calls. I am seeing very strange behavior and I wonder
if SSL_renegotiate actually works in non-blocking mode.
My application normally uses SSL_MODE_ENABLE_PARTIAL_WRITE to avoid
pointless trips around its select loop (the application can generate 32K
of data at a time, so without PARTIAL_WRITE, I end up selecting twice and
calling SSL_write twice for every write, since it always rejects a write
of 32K the first time). If I turn it off, the problem described below goes
away.
Essentially, I get SSL_ERROR_SSL back from an SSL_read() call which should
have successfully finished the negotiation and returned 0 (because the
client sends me one request and never generates more payload, while
the server responds then closes the connection).
The pattern is like this:
1) I have data to write, and the SSL session's descriptor
selects as ready-to-write.
2) I call SSL_renegotiate. I do understand that in a server
application this merely sends the client a request to
do a new handshake, which the client can ignore.
3) I generate more data and several more SSL_writes() complete
normally.
4) Eventually the SSL session's file descriptor selects as
ready-to-read.
5) I call SSL_read with a 4096-byte buffer. SSL_read returns
-1 and error is SSL_ERROR_WANT_READ.
6) I set a flag to ensure I do not call SSL_write() (it isn't
clear to me this is necessary -- the documentation is vague)
and select on the SSL session's descriptor for read.
7) The SSL session's file descriptor selects as ready for read,
I call SSL_read with the same 4096-byte buffer at the same address,
and SSL_read returns -1 and error is SSL_ERROR_SSL.
I cannot understand why #7 occurs. Is SSL_MODE_ENABLE_PARTIAL_WRITE just
incompatible with non-blocking mode and renegotiations?
Thor
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]