FYI, I have seldom done low-level OpenSSL programming, but have implemented many server-based programs. The server application that does an 'accept' on a socket is responsible for the communications on the socket, including any timeouts or recognition of stale communication. Therefore the socket can be gracefully destroyed instead of just abandoned. My server programs make judicious use of select or poll calls with timeout recognition.
After performing initial startup validation by the server, the connection socket can be transferred to the actual program that performs the actual work of message conversation.

- Steve

> Hi Jason,
>
> I am afraid you will have to deal with the TCP timeout on your own.
>
> Here is a quick and short answer:
> http://stackoverflow.com/questions/11835203/openssl-ssl-connect-blocks-forever-how-to-set-timeout
>
> Most important: http://www.openssl.org/docs/ssl/SSL_get_error.html
>
> I am sure your question was often discussed in the past on this list.
> Search about the OpenSSL 'internal state machine'.
>
> Michel
>
> On 11/09/2013 16:39, Jason Schultz wrote:
>> I have a server that implements secure communication using OpenSSL.
>> The server does a listen() on a port and keeps track of which listens
>> are secure/SSL listens. When a peer opens to that IP addr/port, the
>> server sees that it's for a secure connection and then makes the calls
>> to set up SSL information for the socket:
>>
>> // error checking and extraneous code removed
>> sock = accept(listen_sock, (struct sockaddr*)&sa_cli, &client_len);
>> SSL_bio = BIO_new(BIO_s_socket());
>> SSL_obj = SSL_new(SSL_ctx);
>> BIO_set_fd(SSL_bio, sock, BIO_NOCLOSE);
>> SSL_set_bio(SSL_obj, SSL_bio, SSL_bio);
>> SSL_set_verify(SSL_obj, SSL_VERIFY_NONE, verify_callback);
>> SSL_set_accept_state(SSL_obj);
>>
>> At that point, the server should be waiting for the ClientHello, and
>> will use SSL_read/write to perform the handshake.
>>
>> Let's say the client/peer never sends in the ClientHello. In other
>> words, the client probably called connect() but not SSL_connect() or
>> some similar scenario.
>>
>> Does OpenSSL eventually time out this connection and abort it
>> somehow? Are there OpenSSL API calls the server should be using to
>> ensure it does get timed out? Or is this something the server
>> application should keep track of and handle on its own?
>>
>> Thanks in advance.
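The application-level handshake timeout both replies describe, as an added example that is not part of this thread: it uses Python's standard ssl module (a wrapper over OpenSSL) instead of the C API, so SSLWantReadError and SSLWantWriteError play the role of SSL_get_error() returning SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE, and a select() call with a deadline supplies the timeout that OpenSSL itself does not. The demo() scenario with a silent client and a plaintext-sending client is constructed for this example.

```python
import select
import socket
import ssl
import time

def accept_with_handshake_deadline(listen_sock, ctx, timeout):
    """Accept one connection and drive the TLS handshake with a deadline.
    Returns (tls_sock, "ok"), (None, "timeout") if the peer goes silent for
    `timeout` seconds at any step, or (None, "error") if OpenSSL rejects
    what it sent (e.g. plaintext instead of a ClientHello)."""
    sock, _peer = listen_sock.accept()
    sock.setblocking(False)
    # SSL_new + SSL_set_bio + SSL_set_accept_state: attach the state machine only.
    tls = ctx.wrap_socket(sock, server_side=True, do_handshake_on_connect=False)
    deadline = time.monotonic() + timeout
    while True:
        try:
            tls.do_handshake()            # SSL_accept()
            return tls, "ok"
        except ssl.SSLWantReadError:      # SSL_ERROR_WANT_READ
            rlist, wlist = [tls], []
        except ssl.SSLWantWriteError:     # SSL_ERROR_WANT_WRITE
            rlist, wlist = [], [tls]
        except (ssl.SSLError, OSError):   # SSL_ERROR_SSL / SSL_ERROR_SYSCALL
            tls.close()                   # close it, do not abandon it
            return None, "error"
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            tls.close()
            return None, "timeout"
        readable, writable, _ = select.select(rlist, wlist, [], remaining)
        if not readable and not writable:  # select() timed out: stale peer
            tls.close()
            return None, "timeout"

def demo(timeout=0.3):
    """Constructed local scenario: a client that connects but never sends a
    ClientHello, then one that sends plaintext. Expected ("timeout", "error")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no cert needed before ClientHello
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    port = listener.getsockname()[1]
    quiet = socket.create_connection(("127.0.0.1", port))
    _, quiet_result = accept_with_handshake_deadline(listener, ctx, timeout)
    noisy = socket.create_connection(("127.0.0.1", port))
    noisy.sendall(b"GET / HTTP/1.0\r\n\r\n")
    _, noisy_result = accept_with_handshake_deadline(listener, ctx, timeout)
    quiet.close(); noisy.close(); listener.close()
    return quiet_result, noisy_result
```

In a real server the deadline would normally be tracked per connection in the main poll loop rather than in a blocking helper, but the WANT_READ/WANT_WRITE handling is the same.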