RE: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
> Since I wait until the SSL_connect() function succeeds I
> wanted to know if there is a better approach.

Yes, there is a better approach, for example the one mentioned in the manual:

* http://www.openssl.org/docs/ssl/SSL_connect.html

> If the underlying BIO is non-blocking, SSL_connect() will also return
> when the underlying BIO could not satisfy the needs of SSL_connect()
> to continue the handshake, indicating the problem by the return value
> -1. In this case a call to SSL_get_error() with the return value of
> SSL_connect() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
> The calling process then must repeat the call after taking appropriate
> action to satisfy the needs of SSL_connect(). The action depends on
> the underlying BIO. When using a non-blocking socket, nothing is to be
> done, but select() can be used to check for the required condition.
> When using a buffering BIO, like a BIO pair, data must be written into
> or retrieved out of the BIO before being able to continue.

So it tells you that you should call SSL_connect again. If you just call it again directly, you end up calling it a thousand times for nothing but wasting resources until data arrives on the socket. Thus you shall wait for data arriving on the socket and then call SSL_connect. To wait until data arrived, you may use select(). So you could:

    /* ssl, fd and tv are set up by the caller */
    int ret = SSL_connect(ssl);
    int err = SSL_get_error(ssl, ret);
    while (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) {
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(fd, &fds);
        if (err == SSL_ERROR_WANT_READ) {
            select(fd + 1, &fds, NULL, NULL, &tv);  /* wait until readable */
        } else {
            select(fd + 1, NULL, &fds, NULL, &tv);  /* wait until writable */
        }
        ret = SSL_connect(ssl);
        err = SSL_get_error(ssl, ret);
    }

Needed improvements include timeout management, handling select timeout and handling of errors.

oki,

Steffen

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
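
The select() wait described in the reply above, with the overall timeout and select() error handling it lists as still needed, as an added example that is not part of the original thread. So that it runs without OpenSSL, the handshake step is a callback: drive_handshake, hs_step_fn, the HS_* values and the socketpair demo are hypothetical names constructed for this sketch, and the comment at the top shows how SSL_connect() and SSL_get_error() would map onto them.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (not from the thread). hs_step_fn is a hypothetical callback;
 * with OpenSSL it would call SSL_connect(ssl) and map SSL_get_error():
 * NONE -> HS_DONE, WANT_READ/WANT_WRITE -> HS_WANT_*, else HS_FAILED. */
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum hs_result { HS_DONE, HS_WANT_READ, HS_WANT_WRITE, HS_FAILED, HS_TIMEOUT };
typedef enum hs_result (*hs_step_fn)(void *ctx);

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Call step() until it completes, fails, or timeout_ms has elapsed in total. */
enum hs_result drive_handshake(int fd, hs_step_fn step, void *ctx, long timeout_ms) {
    long deadline = now_ms() + timeout_ms;
    if (fd < 0 || fd >= FD_SETSIZE) return HS_FAILED;  /* select() cannot watch it */
    for (;;) {
        enum hs_result r = step(ctx);
        if (r != HS_WANT_READ && r != HS_WANT_WRITE) return r;  /* done or real error */
        long left = deadline - now_ms();
        if (left <= 0) return HS_TIMEOUT;
        fd_set fds;
        FD_ZERO(&fds); FD_SET(fd, &fds);
        struct timeval tv = { left / 1000, (left % 1000) * 1000 };  /* rebuilt each pass */
        int n = (r == HS_WANT_READ) ? select(fd + 1, &fds, NULL, NULL, &tv)
                                    : select(fd + 1, NULL, &fds, NULL, &tv);
        /* n == 0 or EINTR: retry; the deadline check bounds the total wait */
        if (n < 0 && errno != EINTR) return HS_FAILED;
    }
}

/* Constructed stand-in for a handshake: asks to write once, then needs one byte. */
struct fake_hs { int fd; int asked_write; };
static enum hs_result fake_step(void *ctx) {
    struct fake_hs *h = ctx;
    char b;
    if (!h->asked_write) { h->asked_write = 1; return HS_WANT_WRITE; }
    ssize_t n = read(h->fd, &b, 1);
    if (n == 1) return HS_DONE;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return HS_WANT_READ;
    return HS_FAILED;
}

/* Demo on a socketpair; peer_sends != 0 means the peer's byte arrives. */
enum hs_result demo(int peer_sends, long timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return HS_FAILED;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    struct fake_hs h = { sv[0], 0 };
    enum hs_result r = HS_FAILED;
    if (!peer_sends || write(sv[1], "x", 1) == 1)
        r = drive_handshake(sv[0], fake_step, &h, timeout_ms);
    close(sv[0]); close(sv[1]);
    return r;
}

int main(void) {
    return (demo(1, 1000) == HS_DONE && demo(0, 100) == HS_TIMEOUT) ? 0 : 1;
}
```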
Re: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
Ohh .. ok. But I just want the SSL_connect to succeed because I want to fetch the certificate of an HTTPS website. So after the success of SSL_connect() function, I would call SSL_get_peer_certificate().
Since I wait until the SSL_connect() function succeeds I wanted to know if there is a better approach.

Hope I am able to convey my understandings for these functions. If you feel that I don't, please help in understanding the same.

~Arjun

On Mon, Nov 21, 2011 at 8:10 PM, Michael S. Zick wrote:
> On Mon November 21 2011, Arjun SM wrote:
> > Well yes, these are not errors. My bad for naming the variable as 'error'.
> >
>
> Not my point -
>
> Your logic shows that you think the connection has failed when it has
> simply not yet finished with its protocol.
>
> Not finished because you didn't respond to the want-write and/or want-read.
> Something which your code must do when using non-blocking sockets.
>
> Mike
>
> > ~Arjun
Re: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
On Mon November 21 2011, Arjun SM wrote:
> Well yes, these are not errors. My bad for naming the variable as 'error'.
>

Not my point -

Your logic shows that you think the connection has failed when it has simply not yet finished with its protocol.

Not finished because you didn't respond to the want-write and/or want-read. Something which your code must do when using non-blocking sockets.

Mike

> ~Arjun
Re: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
Well yes, these are not errors. My bad for naming the variable as 'error'.

~Arjun

On Thu, Nov 17, 2011 at 11:50 PM, Michael S. Zick wrote:
> On Thu November 17 2011, Arjun SM wrote:
> > Hi,
> > Thanks for the reply.
> > I have called the ssl_connect() function again after checking for
> > SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. But I wanted to know if I
> > can optimize my code.
> > Below is my code
> >
> >     int counter = 6;
> >     while (status < 0 && --counter > 0)
> >     {
> >         if (status < 0)
> >         {
> >             error = SSL_get_error(ssl, status);
> >             if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE)
> >             {
> >                 MessageLog.Write("SSL 1st Connect error ", error);
> >
>
> But these two cases are __not__ errors,
> you just need to 'read' or 'write' as indicated so the protocol can
> advance.
>
> Mike
>
> >                 usleep(200);
> >                 status = SSL_connect(ssl);
> >                 error = SSL_get_error(ssl, status);
> >                 MessageLog.Write("SSL 2nd Connect error ", error);
> >             }
> >             else
> >             {
> >                 break;
> >             }
> >         }
> >     } // end of while
> >
> > I would try for some time and break out saying unable to connect. I am
> > sure I can optimize this code by using select() but I am unable to make
> > it work.
> > If there is a better approach please do share.
> >
> > ~Arjun
Re: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
On Thu November 17 2011, Arjun SM wrote:
> Hi,
> Thanks for the reply.
> I have called the ssl_connect() function again after checking for
> SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. But I wanted to know if I
> can optimize my code.
> Below is my code
>
>     int counter = 6;
>     while (status < 0 && --counter > 0)
>     {
>         if (status < 0)
>         {
>             error = SSL_get_error(ssl, status);
>             if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE)
>             {
>                 MessageLog.Write("SSL 1st Connect error ", error);
>

But these two cases are __not__ errors, you just need to 'read' or 'write' as indicated so the protocol can advance.

Mike

>                 usleep(200);
>                 status = SSL_connect(ssl);
>                 error = SSL_get_error(ssl, status);
>                 MessageLog.Write("SSL 2nd Connect error ", error);
>             }
>             else
>             {
>                 break;
>             }
>         }
>     } // end of while
>
> I would try for some time and break out saying unable to connect. I am sure
> I can optimize this code by using select() but I am unable to make it work.
> If there is a better approach please do share.
>
> ~Arjun
Re: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
Hi,

Thanks for the reply.
I have called the ssl_connect() function again after checking for SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. But I wanted to know if I can optimize my code.
Below is my code

    int counter = 6;
    while (status < 0 && --counter > 0)
    {
        if (status < 0)
        {
            error = SSL_get_error(ssl, status);
            if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE)
            {
                MessageLog.Write("SSL 1st Connect error ", error);
                usleep(200);
                status = SSL_connect(ssl);
                error = SSL_get_error(ssl, status);
                MessageLog.Write("SSL 2nd Connect error ", error);
            }
            else
            {
                break;
            }
        }
    } // end of while

I would try for some time and break out saying unable to connect. I am sure I can optimize this code by using select() but I am unable to make it work.
If there is a better approach please do share.

~Arjun

On Tue, Nov 15, 2011 at 9:04 PM, Huaqing Wang wrote:
> Hi, Arjun,
>
> For non-blocking case, you have to handle SSL_ERROR_WANT_READ and
> SSL_ERROR_WANT_WRITE
> In that case you need to redo *SSL_connect.*
>
> Huaqing
Re: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
Hi, Arjun,

For non-blocking case, you have to handle SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE.
In that case you need to redo *SSL_connect.*

Huaqing

On Tue, Nov 15, 2011 at 5:51 AM, Arjun SM wrote:
> Hi all,
> I am newbie to openssl any help is greatly appreciated.
>
> I have a requirement of fetching the Common name (domain name) from the
> certificate that I request from any HTTPS websites. I followed the regular
> method of
>
> 1. establish a connection with the ip address using *connect()* system
> call.
> 2. Use *SSL_connect()* system call to perform handshake.
> 3. Use *SSL_get_peer_certificate()* to get the certificate.
>
> The problem I faced was that, the connect() call would at times return an
> errno 4 (EINTR) error. So I changed code from blocking to non-blocking
> sockets and used select() call to have a valid connection and return an
> appropriate file descriptor.
> Now the ssl_connect() call returns SSL_ERROR_WANT_READ
> or SSL_ERROR_WANT_WRITE error. I am unable to make my code work by adding a
> select() even on ssl_connect() call.
>
> If anyone can please help as to how I need to use the ssl_connect() by
> polling that would be of great help. Preferred language would be C/C++
>
> thanks,
> ~Arjun

--
Thank you.
Best Regards,
Michael(Huaqing) Wang
SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
Hi all,

I am newbie to openssl any help is greatly appreciated.

I have a requirement of fetching the Common name (domain name) from the certificate that I request from any HTTPS websites. I followed the regular method of

1. establish a connection with the ip address using *connect()* system call.
2. Use *SSL_connect()* system call to perform handshake.
3. Use *SSL_get_peer_certificate()* to get the certificate.

The problem I faced was that, the connect() call would at times return an errno 4 (EINTR) error. So I changed code from blocking to non-blocking sockets and used select() call to have a valid connection and return an appropriate file descriptor.

Now the ssl_connect() call returns SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE error. I am unable to make my code work by adding a select() even on ssl_connect() call.

If anyone can please help as to how I need to use the ssl_connect() by polling that would be of great help. Preferred language would be C/C++

thanks,
~Arjun