Hello there,
It has been understood that the concurrent use of SSL_write and SSL_read is
dangerous.
However, is it correct to assume that the only crossing between these two
APIs happen at the handshake stage only ?
In other terms, once the SSL handshake stage has been completed, is it safe
to use these two APIs concurrently ?
In our server application, we integrated OpenSSL and so far could not see
any issue related to the concurrent use of these two APIs.
We even setup a test in which we send/receive many messages that we "sort
of sign" by means of hashing, then we ensured that the data we get
in other end is correct.
We are afraid that this is just luck. And we appreciate a lot if some
expert can validate or not our above claim, since the examination of the
source
code of OpenSSL has been very difficult.
Below is the details of how we are doing things:
1. First of all we are doing our own socket IO, so we are using two BIOs.
2. Once we have new incoming data, we write that into the input BIO then
call SSL_read to get the decryption result
3. Once we are ready to send some outgoing data, we call SSL_write, then
read the encryption result from the output BIO before sending it to the
network.
4. 2. and 3. can happen simultaneously leading to the concurrent call to
SSL_write/SSL_read
5. 4. is only true once the connection has finished the handshake stage.
6. If the connection is still at handshake stage, what we only do is react
to incoming data: if some data comes, we do like in 2. but then expect
the output BIO to have been filled with some outgoing data which we
send to client. This continues till the handshake has finished.
Thank you for any possible advise and help.
