Read will fail if a write must be done.  Write will fail if a read must be
done.  The bug is that you're not checking for the SSL_ERROR_WANT_READ
or SSL_ERROR_WANT_WRITE required error statuses -- if you get either
of those, you just need to retry the operation (i.e., treat it just
like EAGAIN in POSIX).

Please see http://www.openssl.org/docs/ssl/SSL_read.html for more
information, specifically the part just above the huge WARNING
section.  (I don't know if 0.9.7 has SSL_get_mode/SSL_set_mode, or if
SSL_MODE_AUTO_RETRY is implemented, so I don't know if setting that
will work in your environment.)  It's important to note, though, that
the documentation there is very unclear.  (The reason for those codes
is so that a process can implement its own BIOs and fill the buffers
on its own.)

-Kyle H

On Nov 29, 2007 6:11 PM, k b <[EMAIL PROTECTED]> wrote:
>
> OK, so it's kind of working now.
>
> Kind of, because after a do_handshake, any read on the server returns -1,
> but if you ignore this one and continue, subsequent reads work.
> And data transfer works and is back to normal with the new session.
>
> Any reason why the read would fail?
> Are there any settings that I could use on the SSL_CTX that might be helpful?
> Or is there an alternative way to handle this:
> 1) the read would block till renegotiation successfully completes.
> 2) I don't know, maybe read returns zero.
>
> I don't have access to the server code so possibly can't change the way the
> read is performed.
>
> Again, any insights would be appreciated.
> Thanks
> Kunal
>
> ________________________________
> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: SSL_renegotiate and SSL_do_handshake
> Date: Thu, 29 Nov 2007 13:11:04 -0800
>
> Hi,
> I have a client that connects to a server for a long duration of time,
> and I'm trying to refresh the session keys.
>
> From what I have read, for OpenSSL 0.9.7 and up the steps to do this are
> pretty simple:
>
> SSL_renegotiate(SSL *)
> SSL_do_handshake(SSL *)
>
> and then, to confirm, call SSL_renegotiate_pending to check the status.
>
> The problem I'm seeing is that I don't see SSL_renegotiate_pending
> returning 0 to indicate that renegotiation completed.
> I'm using OpenSSL 0.9.7, and SSL_get_version returns TLSv1, which I think
> is fine.
>
> Q1) By the way, I'm making this call from the client. Should this matter?
> Q2) Is there anything else that I need to do, or am I missing something?
>
> Any insights would be appreciated.
>
> -Kunal
>
> Here is the client code snippet:
>
> void run() {
>     time_t lastRenewTime;
>     time_t currentTime;
>
>     time(&lastRenewTime);
>     static BIO *out = BIO_new_fp(stdout, BIO_NOCLOSE);
>
>     printf("SSL/TLS version : %s \n", SSL_get_version(mySSL));
>     SSL_SESSION *session = SSL_get_session(mySSL);
>
>     printf("session A\n");
>     SSL_SESSION_print(out, session);
>
>     while (1)
>     {
>         time(&currentTime);
>
>         if ((currentTime - lastRenewTime) > 10)
>         {
>             printf("renegotiating ...\n");
>             SSL_renegotiate(mySSL);
>             int pending = SSL_renegotiate_pending(mySSL);
>             int handShake = SSL_do_handshake(mySSL);
>             int timeout = 20000;
>
>             printf("do_handshake %d\n", handShake);
>             do {
>                 timeout--;
>                 // I think the actual renegotiate request would only go to the
>                 // server whenever data is sent. Right?
>                 SendDataToServer();
>                 SSL_do_handshake(mySSL);
>             } while (pending && SSL_renegotiate_pending(mySSL) && timeout > 0);
>
>             SSL_SESSION *newSession = SSL_get_session(mySSL);
>             printf("session compare %d\n", SSL_SESSION_cmp(session, newSession));
>             if (newSession) {
>                 printf("session B \n");
>                 SSL_SESSION_print(out, newSession);
>             }
>
>             printf("timeout %d\n", timeout);
>             if (timeout <= 0)
>             {
>                 printf("ERROR in refreshing keys\n");
>             }
>             // restart the 10 second interval, otherwise every later pass
>             // through the loop would renegotiate again
>             time(&lastRenewTime);
>         }
>         // read from and write to server.
>     }
> }
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
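The retry rule Kyle describes at the top of this message, shown as an added example that is not code from this thread and is not tied to the 0.9.7 build Kunal is on. It uses Python's ssl module, which is a binding over OpenSSL, so ssl.SSLWantReadError and ssl.SSLWantWriteError are what you see when SSL_get_error() would return SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. The engine is driven over memory BIOs rather than a socket so it runs offline with no server; the server name example.test is a hypothetical SNI value, and the fatal-alert record fed in at the end is a constructed byte string standing in for a peer that refuses the handshake.

```python
import ssl

# Hypothetical SNI name; no network connection is ever made.
SERVER_NAME = "example.test"

# Constructed input: a TLS record a peer might send back, a fatal
# handshake_failure alert (type 0x15, version 3.3, length 2, level 2, desc 40).
FATAL_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"


def make_client(server_name=SERVER_NAME):
    """Build a client-side TLS engine driven over memory BIOs.

    incoming: bytes read from the transport are written here
    outgoing: bytes the engine wants sent to the peer appear here
    """
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()
    outgoing = ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    return tls, incoming, outgoing


def attempt(op, incoming, outgoing, from_peer=b""):
    """One turn of the retry loop around a TLS operation.

    Feed whatever the transport delivered, call op() once and classify what
    happened. Returns (status, to_send, result):
      "done"       op completed; result is its return value
      "want_read"  engine needs more bytes from the peer: send to_send, read
                   from the transport, then call the SAME op again
      "want_write" engine could not flush: send to_send, then call op again
      "error"      a real failure (bad record, fatal alert, ...); do not retry
    The two want_* outcomes are the Python face of SSL_ERROR_WANT_READ and
    SSL_ERROR_WANT_WRITE and are not errors, much like EAGAIN on a socket.
    """
    if from_peer:
        incoming.write(from_peer)
    try:
        result = op()
        return "done", outgoing.read(), result
    except ssl.SSLWantReadError:
        return "want_read", outgoing.read(), None
    except ssl.SSLWantWriteError:
        return "want_write", outgoing.read(), None
    except ssl.SSLError as exc:  # SSLWant* are subclasses, already handled above
        return "error", outgoing.read(), exc


def handshake_trace(peer_replies):
    """Drive do_handshake() with a scripted sequence of peer replies.

    peer_replies is a list of byte strings the transport "receives", one per
    retry (b"" means the transport had nothing yet). Returns a list of
    (status, bytes_to_send) per attempt, stopping at "done" or "error".
    """
    tls, incoming, outgoing = make_client()
    trace = []
    replies = [b""] + list(peer_replies)  # first attempt: nothing received yet
    for chunk in replies:
        status, to_send, _ = attempt(tls.do_handshake, incoming, outgoing, chunk)
        trace.append((status, to_send))
        if status in ("done", "error"):
            break
    return trace


if __name__ == "__main__":
    # Attempt 1 emits the ClientHello and reports want_read; attempt 2, with
    # nothing received yet, reports want_read again and resends nothing.
    for status, to_send in handshake_trace([b""]):
        print(status, to_send[:5].hex())
    # A fatal alert from the peer is a real error, not a want_* retry.
    print(handshake_trace([FATAL_ALERT])[-1][0])
```

The point to take from the trace is the distinction the original code ignores: a want_read or want_write result after SSL_do_handshake (or SSL_read/SSL_write) leaves the connection healthy, so the caller moves bytes and calls the same function again, and retrying with nothing new does not resend anything; a genuine failure such as a fatal alert surfaces as a different outcome and must not be retried. SSL_MODE_AUTO_RETRY only hides the want_* results for blocking BIOs; with memory BIOs or a non-blocking socket they are still returned to the caller.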
