RE: SSL_read() returning SSL_ERROR_SYSCALL with errno 11 EAGAIN

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Create a non-blocking TCP socket 
	socket() for a sock_stream.
	connect().
	SSL_new(), SSL_set_fd(), SSL_connect().

The application sends LDAP operations from many threads. We have just one thread that reads LDAP results. If an operation is outstanding then the result thread does (simplified):

SSL_read()
If > 0 return data.
Else if SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE then poll(); back to SSL_read() when data available.
Else return error and disconnect.

Don't know what protocol was negotiated or what the server does in terms of returned data. TCP/OpenSSL handle that.
Both ends OpenSSL 1.1.0h.
Problem seems to occur at random - only reproducable on customer site and after a long time running their soak test.

Regards,
John.

-----Original Message-----
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Viktor Dukhovni
Sent: 02 May 2019 07:25
To: openssl-users@xxxxxxxxxxx
Subject: Re: SSL_read() returning SSL_ERROR_SYSCALL with errno 11 EAGAIN

CAUTION: This email originated from outside of Synchronoss.


> On May 1, 2019, at 9:47 AM, John Unsworth <John.Unsworth@xxxxxxxxxxxxxxx> wrote:
>
> Create a non-blocking TCP socket.
> Call SSL_new(), SSL_set_fd(), SSL_connect() Thereafter call 
> SSL_read().
> Renegotiates handled by OpenSSL.

Can you be more specific about "Create a non-blocking TCP socket"?
That fully sets up the TCP connection?

Also, with the non-blocking connection, how do you decide when to read?
Are you using poll()? select()? epoll()?  And did they report available data?

In this particular case, was the client trying to read the initial bytes of the server's reply having received nothing yet in response to its query?  Or was it in the middle of reading a data stream?

When reading TLS records OpenSSL first reads the record layer header which indicates the payload length, and then tries to read that many bytes.  Does the server send the record layer header in the same TCP segment as the payload, or in separate segments?

Do you know what protocol version was negotiated?  Are both ends using OpenSSL?  What version on the server side? ...

Can you reproduce the problem after sufficiently many client server interactions?  Can you get PCAP files of any problem cases?

--
        Viktor.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux