Re: SSL_read returns SSL_ERROR_WANT_READ

2011-07-12 Thread Wim Lewis

On 11 Jul 2011, at 3:18 PM, Carla Strembicke wrote:
> The server receives the encrypted data and sends to the lower level and
> where it is pumped into the SSL structure (which is using these memory
> buffers) using the BIO_write call (I actually see that bytes are written
> into it) and the buffer looks good. I then go and do an SSL_read() and I get
> nothing except SSL_ERROR_WANT_READ. I do see that a session has been
> established and that the packet member actually contains the data I want
> access to but the member state=8576 and rstate=240.
>
> What am I missing?
> Is it something to do with the handshake that I am missing or the reading of
> the data?

During the initial handshake (and a few other times) the two ends of the 
connection will need to send several messages back and forth before any 
cleartext data appears. Is it possible that the client or server has written a 
message to the buffer, and is returning SSL_WANT_READ because it is waiting for 
a response from the other side? Are you checking for data written to your _out 
BIO and copying it to the socket even when you are reading? See:
   http://www.openssl.org/support/faq.html#PROG10

If you look in ssl.h/ssl2.h/ssl3.h you can decode the state values (or use 
SSL_state_string_long()) to describe the connection's current state:
   8576 = 0x2180 = SSL_ST_ACCEPT|SSL3_ST_SR_CERT_A

which is part of the connection setup still, I think.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


SSL_read returns SSL_ERROR_WANT_READ

2011-07-11 Thread Carla Strembicke
Hi,
I need help deciphering why I am getting this error.
Below is the scenario, which is not a common implementation (well, not that I
have been able to find on the net).

What I am doing is using BIO memory buffers (BIO_s_mem()) at an embedded
level away from the connection (currently tcpip).
So there are no sockets tied to the ssl.

As well, I am only utilizing encryption with only providing the client side
with CA certificate and the server has a server certificate.
On load everything appears to load correctly (certificates).

As well, I have set the verify context to SSL_VERIFY_NONE.

The server starts and loads its server certificate and private key
successfully.
The client starts and loads the CA certificate successfully.

The following code illustrates the ssl setup:

setup_function(connection self, context *c)
{
 SSL_load_error_strings();
 SSL_library_init();

 _ssl = SSL_new(c->_impl->_ctx);
 if( _ssl==0 )
  throw logic_error("unable to create osa::ssl::connection");

 //our io mechanism is through memory buffers
 //_in is the read BIO (bytes from the peer), _out is the write BIO (bytes to the peer)
 _in  = BIO_new(BIO_s_mem());
 _out = BIO_new(BIO_s_mem());

 SSL_set_bio(_ssl, _in, _out);

 //TODO: this is either accept or connect based upon the role
 //from the context

 if(c->get_role() == ssl::role_server)
 {
  SSL_set_accept_state(_ssl);
 }
 else
 {
  SSL_set_connect_state(_ssl);
 }
}


The next thing that I do is start sending data from client. First a
connection has been established at the tcpip but ssl is unaware of this
connection because this layer again is embedded. On the client side raw
data is written to the ssl structure using SSL_write(). Of course I receive
an SSL_ERROR_WANT_READ, but that is because I have to read it out of memory
using BIO_read() and this reads the data into buffer that is sent on the
tcpip communication line.

This actually seems to work, and the data is encrypted and looks ok (I
think).

The server is where I have problems.

The server receives the encrypted data and sends to the lower level and
where it is pumped into the SSL structure (which is using these memory
buffers) using the BIO_write call (I actually see that bytes are written
into it) and the buffer looks good. I then go and do an SSL_read() and I
get nothing except SSL_ERROR_WANT_READ. I do see that a session has been
established and that the packet member actually contains the data I want
access to but the member state=8576 and rstate=240.

What am I missing?
Is it something to do with the handshake that I am missing or the reading of
the data?

I have been working on this for a while and am at a stalemate... please
help!!!


Re: SSL_read returns SSL_ERROR_WANT_READ

2011-07-11 Thread David Schwartz

On 7/11/2011 3:18 PM, Carla Strembicke wrote:


> The server receives the encrypted data and sends to the lower level
> and where it is pumped into the SSL structure (which is using these
> memory buffers) using the BIO_write call (I actually see that bytes are
> written into it) and the buffer looks good. I then go and do an
> SSL_read() and I get nothing except SSL_ERROR_WANT_READ. I do see that a
> session has been established and that the packet member actually
> contains the data I want access to but the member state=8576 and
> rstate=240.
> What am I missing?


Nothing that seems normal.


> Is it something to do with the handshake that I am missing or the reading
> of the data?
> I have been working on this for a while and am at a stalemate... please
> help!!!


What's the problem exactly? If you get SSL_ERROR_WANT_READ it means that 
there is no application data yet. The data you passed was likely 
negotiation data.


DS
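
Added example, not part of the original thread and not OpenSSL code: when SSL_read() returns SSL_ERROR_WANT_READ after bytes were fed in with BIO_write(), one quick check is to read the TLS record headers of those bytes and see whether they were handshake records, application data, or only part of a record. The name summarize_records and the sample bytes are constructed for illustration, and the record type values assume SSLv3 through TLS 1.2 framing.

```c
#include <stddef.h>
#include <stdio.h>
/* TLS record content types (first byte of every record header). */
enum { REC_CCS = 20, REC_ALERT = 21, REC_HANDSHAKE = 22, REC_APPDATA = 23 };

struct rec_summary {
    int handshake, appdata, other; /* complete records seen, by type */
    size_t partial;                /* trailing bytes of an incomplete record */
    int malformed;                 /* 1 if a header did not look like TLS */
};

/* Walk a buffer of raw bytes received from the peer (what would be passed
 * to BIO_write) and count the TLS records in it. Header layout:
 * type(1) | version(2) | length(2), followed by `length` bytes. */
static struct rec_summary summarize_records(const unsigned char *buf, size_t len)
{
    struct rec_summary s = {0, 0, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        if (len - off < 5) { s.partial = len - off; break; }
        unsigned type = buf[off];
        size_t body = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (type < REC_CCS || type > REC_APPDATA || buf[off + 1] != 3) {
            s.malformed = 1;
            break;
        }
        if (len - off - 5 < body) { s.partial = len - off; break; }
        if (type == REC_HANDSHAKE) s.handshake++;
        else if (type == REC_APPDATA) s.appdata++;
        else s.other++;
        off += 5 + body;
    }
    return s;
}

int main(void)
{
    /* Constructed sample: one 4-byte handshake record, then an application
     * data record that claims 16 bytes but has only 2 so far. */
    static const unsigned char sample[] = {
        22, 3, 1, 0, 4, 1, 0, 0, 0,
        23, 3, 3, 0, 16, 0xaa, 0xbb
    };
    struct rec_summary s = summarize_records(sample, sizeof sample);
    printf("handshake=%d appdata=%d partial=%zu malformed=%d\n",
           s.handshake, s.appdata, s.partial, s.malformed);
    return 0;
}
```

A buffer that holds only handshake records, or that ends in a partial record, gives SSL_read() no application data to return yet.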



SSL_read returns SSL_ERROR_WANT_READ

2006-08-25 Thread Martin Barsk

Hi all!

I’m having a problem with SSL_read. When SSL_read fails and returns 
SSL_ERROR_WANT_READ I do select checking for readability but I never get a 
hit and if I try SSL_read again I get the same error. Does anyone know what 
to do?


I’m using different threads for receiving and sending. Isn’t that the thing 
to do, to check for readability with select when I get SSL_ERROR_WANT_READ and 
then when hit try SSL_read again?


Regards
Martin




RE: SSL_read returns SSL_ERROR_WANT_READ

2006-08-25 Thread David Schwartz

> I’m having a problem with SSL_read. When SSL_read fails and returns
> SSL_ERROR_WANT_READ I do select checking for readability but I never get a
> hit and if I try SSL_read again I get the same error. Does anyone know what
> to do?

That sounds like there is just nothing to read.

> I’m using different threads for receiving and sending. Isn’t that the thing
> to do, to check for readability with select when I get SSL_ERROR_WANT_READ and
> then when hit try SSL_read again?

Yes, that is correct. Make sure that you protect the SSL session with a
mutex. You are not allowed to call SSL_read and SSL_write at the same time
on the same session from different threads.

DS




Re: SSL_read returns SSL_ERROR_WANT_READ

2006-08-25 Thread Joe Flowers

David Schwartz wrote:

> Make sure that you protect the SSL session with a
> mutex. You are not allowed to call SSL_read and SSL_write at the same time
> on the same session from different threads.
>
> DS


David,

Does same session mean, same instance of an ssl object, or same 
instance of a ctx object?


Thanks!

Joe



RE: SSL_read returns SSL_ERROR_WANT_READ

2006-08-25 Thread David Schwartz

> David,
>
> Does same session mean, same instance of an ssl object, or same
> instance of a ctx object?

You are permitted concurrent access to different SSL sessions based on the
same context. You just cannot read and write to the same session at the same
time. (You also can't read a session in one thread and close it in another
or anything like that.)

This is a semantic difference between SSL sessions and regular TCP sockets.
The usual solution is to associate in your application a mutex with each SSL
session. Hold the mutex while you call an SSL_* function for that session.

Another thing to watch out for, breaking the rules that do exist for
regular TCP connections is generally non-disastrous whereas breaking them
with SSL connections generally is disastrous. For example, it's not legal
with a TCP connection to call 'close' in one connection while you might be
calling 'read' in another, but it usually won't cause a disaster.

DS

