Bill Klein <[EMAIL PROTECTED]> writes:
> Just as a follow-up to my own post. Here's some of the strange
> behaviour I'm seeing:
> 
>  - I call SSL_read() which returns -1
> 
>  - I call SSL_get_error() which returns SSL_ERROR_WANT_READ
> 
>  - I call select() to wait for readability with a timeout of
>    30 seconds. It returns quickly indicating readability.
> 
>  - I call SSL_read() which returns -1
> 
>  - I call SSL_get_error() which again returns SSL_ERROR_WANT_READ.
> 
> Shouldn't the return from select() have guaranteed that I
> won't get another SSL_ERROR_WANT_READ spit back at me?
No. SSL is a record-oriented protocol. This means that in order to
read even a single byte from the SSL connection OpenSSL must read an
entire record. However, a record might be spread over multiple TCP
segments.

select() only detects when any data may be read from the underlying
socket. So, if the record arrives in two pieces then select() would
return ready to read but SSL_read() might return SSL_ERROR_WANT_READ.

select() is quite tricky to use with SSL. The flip side of this
failure case is what happens if your SSL_read() doesn't read all
the data in a given record. In that case, select() won't
think there's any data on the socket but there's still data in
the SSL pipe.
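To make both failure modes concrete, here is an added, constructed C model of a record layer; it is not OpenSSL and not the sample code referenced in this thread. The names sock_readable, ssl_read_model and ssl_pending_model are invented stand-ins for select(), SSL_read() and OpenSSL's SSL_pending(), and the record format is the real TLS one (5-byte header, 2-byte body length).

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL: a record layer over a byte stream. A TLS record
 * is a 5-byte header (type, version, 2-byte body length) plus body, and no
 * plaintext can be handed out until the whole record has arrived. */
#define WANT_READ (-1)

typedef struct {
    unsigned char sock[512]; size_t sock_len; /* bytes the kernel still holds */
    unsigned char rec[512];  size_t rec_len;  /* bytes pulled into the record layer */
    size_t body_off;                          /* plaintext of the head record already returned */
} conn;

/* A TCP segment lands in the kernel socket buffer. */
static void sock_deliver(conn *c, const unsigned char *p, size_t n) {
    memcpy(c->sock + c->sock_len, p, n); c->sock_len += n;
}
/* select() model: readable only while the kernel holds bytes not yet pulled in. */
static int sock_readable(const conn *c) { return c->sock_len > 0; }

/* Is a complete record at the head of the buffer? If so, report its body length. */
static int have_record(const conn *c, size_t *body) {
    if (c->rec_len < 5) return 0;
    *body = ((size_t)c->rec[3] << 8) | c->rec[4];
    return c->rec_len >= 5 + *body;
}
/* SSL_read() model: drain the socket, then return plaintext only from a complete record. */
static int ssl_read_model(conn *c, unsigned char *out, size_t want) {
    memcpy(c->rec + c->rec_len, c->sock, c->sock_len);
    c->rec_len += c->sock_len; c->sock_len = 0;
    size_t body;
    if (!have_record(c, &body)) return WANT_READ; /* readable socket, but still a partial record */
    size_t n = body - c->body_off; if (want < n) n = want;
    memcpy(out, c->rec + 5 + c->body_off, n); c->body_off += n;
    if (c->body_off == body) {                  /* record fully consumed: drop it */
        memmove(c->rec, c->rec + 5 + body, c->rec_len - 5 - body);
        c->rec_len -= 5 + body; c->body_off = 0;
    }
    return (int)n;
}
/* SSL_pending() model: decoded plaintext not yet handed out; select() cannot see it. */
static int ssl_pending_model(const conn *c) {
    size_t body; return have_record(c, &body) ? (int)(body - c->body_off) : 0;
}
```

Delivering a record in two segments shows the first case (readable socket, WANT_READ); reading fewer bytes than the record body shows the second (empty socket, pending plaintext), which is why a loop should check the pending count before blocking in select().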

I believe s_client/s_server handle this case correctly. There's
also some somewhat more minimal sample code on my web site at
http://www.rtfm.com/sslbook/examples
The relevant file is 'sclient.c'.

-Ekr

[Eric Rescorla                                   [EMAIL PROTECTED]]
author of "SSL and TLS: Designing and Building Secure Systems"
Addison-Wesley 2000                 http://www.rtfm.com/sslbook
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]