Hello,

> The application I am writing has a requirement that after a request is
> sent to the server, it should hear from the server in xyz seconds.
>
> With a normal tcp socket, I can achieve this through the select() function.
> But how do I achieve this for SSL_read?
> As I understand from the last few threads on this group, a select() will
> just tell the application that some bytes are available in the tcp
> buffer for the layer above to read. But select does not distinguish
> between application data and control data (renegotiation data).
>
> So will select() really be able to tell me that the next SSL_read()
> will succeed immediately and fill the application buffer with the server's
> response?
In general - no.
> What if my server and client are not going to renegotiate ever? In
> that case would a hit from select() indicate availability of
> application data only?
In OpenSSL - no.

There is another mechanism which may give you a hit from select() but not
application data - empty fragments. This is protection against the CBC timing
attack: before sending an SSL record with real application data, the peer sends
an empty SSL record (encrypted MAC only), which is discarded by the SSL layer
but is detected in select().

So, for example, if you get a readable hit from select() then:
- for a blocking socket - the empty fragment is read and ignored, and the next
  record is read (and this may block if there is no SSL record ready in the
  tcp buffers from the peer)
- for a non-blocking socket - the empty fragment is read and ignored, and the
  next record is read (and here you may get WANT_READ if there is no SSL
  record ready in the tcp buffers from the peer)

Sending of empty fragments is controlled by the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag.

But this mechanism may be treated like peer activity, and if a timeout occurs
in select() - you may drop the connection. But on the other hand, using this
mechanism, a peer may send you empty fragments to artificially keep the
connection alive without sending real data :-)

But I think - this mostly happens in theory :-)

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
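The read loop Marek describes for the non-blocking case, as an added example that is not part of the original thread: SSL_read() is called first (OpenSSL may already hold decrypted bytes that select() will never report), and whenever it comes back with WANT_READ after consuming a record that carried no application data (an empty fragment, a handshake message), the loop goes back to select() with the time that is *left* on the application's deadline rather than dropping the connection or restarting the timer. It is written against Python's standard `ssl` module, which is a thin wrapper over OpenSSL: `ssl.SSLWantReadError` is SSL_ERROR_WANT_READ and `ssl.SSLWantWriteError` is SSL_ERROR_WANT_WRITE, so `ssl_read_with_deadline` works unchanged on a real non-blocking `ssl.SSLSocket`. Because a real TLS session needs certificates, the demo drives the same loop through `FakeRecordLayer`, a constructed stand-in that reads length-prefixed records from a socketpair and, like OpenSSL, swallows an "empty" record and reports WANT_READ. `FakeRecordLayer`, `send_record`, the `E`/`A` record types and `demo` are assumptions of this example, not OpenSSL or Python API.

```python
"""Reading application data from a non-blocking TLS socket with a deadline.

Added example (not from the mailing-list post).  Python's ssl module maps
SSL_ERROR_WANT_READ to ssl.SSLWantReadError and SSL_ERROR_WANT_WRITE to
ssl.SSLWantWriteError, so ssl_read_with_deadline() is the Python form of the
SSL_read()/SSL_get_error()/select() loop discussed in the thread.
"""
import select
import socket
import ssl
import threading
import time


def _wait(tls, want_write, deadline):
    """select() on the TLS socket's descriptor until it is ready or the
    absolute deadline (a time.monotonic() value) passes.  Returns False on
    timeout.  Only the *remaining* time is waited, so repeated empty
    fragments cannot extend the application's deadline."""
    remaining = deadline - time.monotonic()
    if remaining <= 0:
        return False
    if want_write:
        _, ready, _ = select.select([], [tls], [], remaining)
    else:
        ready, _, _ = select.select([tls], [], [], remaining)
    return bool(ready)


def ssl_read_with_deadline(tls, nbytes, deadline):
    """Return up to nbytes of application data from the non-blocking TLS
    socket `tls`, b"" if the peer closed, or None if `deadline` passes first.

    recv() is tried before select(): OpenSSL may already hold decrypted bytes
    (SSL_pending() > 0) that select() never reports.  After every WANT_READ
    recv() is tried again: select() only says that TLS records arrived, and
    the record just consumed may have been an empty fragment or handshake
    data carrying nothing for the application."""
    while True:
        try:
            return tls.recv(nbytes)
        except ssl.SSLWantReadError:
            want_write = False
        except ssl.SSLWantWriteError:
            want_write = True        # renegotiation: must send before reading
        except ssl.SSLZeroReturnError:
            return b""               # close_notify: orderly TLS shutdown
        if not _wait(tls, want_write, deadline):
            return None              # application deadline expired; caller decides


class FakeRecordLayer:
    """Constructed stand-in for ssl.SSLSocket (assumption of this example).
    Records are: 1 byte type (b"E" empty fragment, b"A" application data),
    1 byte length, payload.  Like OpenSSL it consumes an empty fragment and
    then reports WANT_READ; with no complete record buffered it also reports
    WANT_READ."""

    def __init__(self, sock):
        sock.setblocking(False)
        self._sock = sock

    def fileno(self):
        return self._sock.fileno()   # lets select() watch the underlying TCP fd

    def recv(self, nbytes):
        try:
            header = self._sock.recv(2)
        except BlockingIOError:
            raise ssl.SSLWantReadError() from None
        if not header:
            return b""               # peer closed the transport
        rtype, length = header[0:1], header[1]
        payload = self._sock.recv(length) if length else b""
        if rtype == b"E":
            raise ssl.SSLWantReadError()   # record consumed, nothing for the app
        return payload[:nbytes]


def send_record(sock, rtype, payload=b""):
    """Constructed peer side: write one record (see FakeRecordLayer)."""
    sock.sendall(rtype + bytes([len(payload)]) + payload)


def demo():
    """Four reads over a socketpair; returns their results as a tuple."""
    a, b = socket.socketpair()
    tls = FakeRecordLayer(a)

    # 1. select() fires for the empty fragment; the loop waits again, gets data.
    send_record(b, b"E")
    send_record(b, b"A", b"hello")
    first = ssl_read_with_deadline(tls, 4096, time.monotonic() + 1.0)

    # 2. Only an empty fragment arrives: peer activity, but not a response,
    #    so the application deadline (0.2 s) expires and None is returned.
    send_record(b, b"E")
    second = ssl_read_with_deadline(tls, 4096, time.monotonic() + 0.2)

    # 3. The connection was not dropped: data sent 0.1 s later is still read.
    threading.Timer(0.1, send_record, args=(b, b"A", b"world")).start()
    third = ssl_read_with_deadline(tls, 4096, time.monotonic() + 1.0)

    # 4. Peer closes the transport: b"" signals end of stream.
    b.close()
    fourth = ssl_read_with_deadline(tls, 4096, time.monotonic() + 1.0)
    a.close()
    return first, second, third, fourth


if __name__ == "__main__":
    print(demo())
```

Whether a timeout with nothing but empty fragments received should drop the connection is an application policy question, which is why the function only returns None and does not close the socket itself; the same loop, with the deadline tracked the same way, is what a C client would write around SSL_read(), SSL_get_error() and select().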