I have a server application which uses OpenSSL (0.9.9-current as of about four months ago) in nonblocking mode.
As a test, I added an option to call SSL_renegotiate every 100 successful SSL_read or SSL_write calls. I am seeing very strange behavior and I wonder if SSL_renegotiate actually works in non-blocking mode.

My application normally uses SSL_MODE_ENABLE_PARTIAL_WRITE to avoid pointless trips around its select loop (the application can generate 32K of data at a time, so without PARTIAL_WRITE, I end up selecting twice and calling SSL_write twice for every write, since it always rejects a write of 32K the first time). If I turn it off, the problem described below goes away.

Essentially, I get SSL_ERROR_SSL back from an SSL_read() call which should have successfully finished the negotiation and returned 0 (because the client sends me one request and never generates more payload, while the server responds then closes the connection). The pattern is like this:

1) I have data to write, and the SSL session's descriptor selects as ready-to-write.
2) I call SSL_renegotiate. I do understand that in a server application this merely sends the client a request to do a new handshake, which the client can ignore.
3) I generate more data and several more SSL_write() calls complete normally.
4) Eventually the SSL session's file descriptor selects as ready-to-read.
5) I call SSL_read with a 4096-byte buffer. SSL_read returns -1 and the error is SSL_ERROR_WANT_READ.
6) I set a flag to ensure I do not call SSL_write() (it isn't clear to me this is necessary -- the documentation is vague) and select on the SSL session's descriptor for read.
7) The SSL session's file descriptor selects as ready for read, I call SSL_read with the same 4096-byte buffer at the same address, and SSL_read returns -1 and the error is SSL_ERROR_SSL.

I cannot understand why #7 occurs. Is SSL_MODE_ENABLE_PARTIAL_WRITE just incompatible with non-blocking mode and renegotiations?
Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
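The post above hinges on the retry discipline OpenSSL imposes in non-blocking mode: after SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE the application must select for the named direction and then repeat the same call (an SSL_write that returned WANT_READ during a handshake is retried as SSL_write, not SSL_read), and a retried SSL_write must be given the same buffer address and length unless SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is set. The following is an added example, not code from the original post or from the OpenSSL project: a small per-connection tracker that a select() loop can use to enforce those rules. It deliberately does not link against libssl, so the SSL_get_error() codes are copied into an `NB_`-prefixed enum (values as in <openssl/ssl.h>); the `nb_*` names and the `struct nb_conn` layout are this example's own invention.

```c
#include <stddef.h>
#include <string.h>

/* Copies of the SSL_get_error() return values from <openssl/ssl.h>, so the
 * example builds without libssl (hypothetical NB_ prefix, same numbers). */
enum {
    NB_ERROR_NONE        = 0,  /* SSL_ERROR_NONE: the call completed */
    NB_ERROR_SSL         = 1,  /* SSL_ERROR_SSL: protocol or library failure */
    NB_ERROR_WANT_READ   = 2,  /* SSL_ERROR_WANT_READ */
    NB_ERROR_WANT_WRITE  = 3,  /* SSL_ERROR_WANT_WRITE */
    NB_ERROR_SYSCALL     = 5,  /* SSL_ERROR_SYSCALL: transport-level failure */
    NB_ERROR_ZERO_RETURN = 6   /* SSL_ERROR_ZERO_RETURN: peer sent close_notify */
};

/* Which OpenSSL call is outstanding and must be repeated. */
typedef enum { NB_OP_NONE, NB_OP_READ, NB_OP_WRITE } nb_op;

/* What the select() loop should do next. */
typedef enum {
    NB_DONE,           /* call completed; nothing pending */
    NB_WAIT_READABLE,  /* select for read, then repeat the same call */
    NB_WAIT_WRITABLE,  /* select for write, then repeat the same call */
    NB_CLOSED,         /* clean shutdown by the peer */
    NB_FATAL           /* SSL_ERROR_SSL or SSL_ERROR_SYSCALL: tear down */
} nb_next;

struct nb_conn {
    nb_op       pending;    /* call that must be retried, if any */
    const void *wbuf;       /* arguments of the SSL_write being retried */
    size_t      wlen;
    int         moving_ok;  /* SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER in effect? */
};

void nb_init(struct nb_conn *c, int accept_moving_write_buffer)
{
    memset(c, 0, sizeof *c);
    c->moving_ok = accept_moving_write_buffer;
}

/* Which call the loop has to repeat once select() reports the fd ready. */
nb_op nb_pending_op(const struct nb_conn *c)
{
    return c->pending;
}

/* Check an intended SSL_write(ssl, buf, len) before issuing it.
 * Returns 0 if it may proceed, -1 if an earlier SSL_write is still pending
 * and the caller is offering different arguments, which OpenSSL rejects
 * unless SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is set. */
int nb_before_write(struct nb_conn *c, const void *buf, size_t len)
{
    if (c->pending == NB_OP_WRITE && !c->moving_ok &&
        (buf != c->wbuf || len != c->wlen))
        return -1;
    c->wbuf = buf;
    c->wlen = len;
    return 0;
}

/* Feed in the SSL_get_error() result of the SSL_read or SSL_write just made.
 * The op that produced WANT_READ/WANT_WRITE is recorded so that the retry
 * repeats that same op: a handshake driven from inside SSL_write can need
 * the socket readable, yet it is SSL_write that must be called again. */
nb_next nb_after(struct nb_conn *c, nb_op op, int ssl_error)
{
    switch (ssl_error) {
    case NB_ERROR_NONE:
        c->pending = NB_OP_NONE;
        return NB_DONE;
    case NB_ERROR_WANT_READ:
        c->pending = op;
        return NB_WAIT_READABLE;
    case NB_ERROR_WANT_WRITE:
        c->pending = op;
        return NB_WAIT_WRITABLE;
    case NB_ERROR_ZERO_RETURN:
        c->pending = NB_OP_NONE;
        return NB_CLOSED;
    default:  /* NB_ERROR_SSL, NB_ERROR_SYSCALL, anything unexpected */
        c->pending = NB_OP_NONE;
        return NB_FATAL;
    }
}

/* Advance an application write cursor after a successful SSL_write.  With
 * SSL_MODE_ENABLE_PARTIAL_WRITE a short count is a completed call, so the
 * next SSL_write is a fresh call with a new buffer and length; without it
 * SSL_write only reports success once the whole buffer went out. */
size_t nb_advance(struct nb_conn *c, size_t written, int partial_write_mode)
{
    c->pending = NB_OP_NONE;
    if (!partial_write_mode && written != c->wlen)
        return c->wlen;         /* cannot happen; treat as fully consumed */
    return written;
}
```

In the loop, call nb_before_write before every SSL_write, nb_after with the SSL_get_error() value after every SSL_read or SSL_write, and consult nb_pending_op when the descriptor becomes ready to decide which call to repeat; a -1 from nb_before_write is the bug to look for when a WANT_READ arrived on a write and the application then tried to send a different buffer.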