Re: Blocking on a non-blocking socket?

On 23/05/2024 15:08, rsbecker@xxxxxxxxxxxxx wrote:
On Thursday, May 23, 2024 9:56 AM, Wiebe Cazemier wrote:
From: "Neil Horman" <nhorman@xxxxxxxxxxx>
from:
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html

SSL_MODE_AUTO_RETRY in non-blocking mode should cause
SSL_read/SSL_write to return -1 with an error code of
WANT_READ/WANT_WRITE until such time as the re-negotiation has
completed. I need to confirm that's the case in the code, but it seems
to be. If the underlying socket is in non-blocking mode, there should
be no way for calls to block in SSL_read/SSL_write on the socket read/write system
call.

I still don't really see what the difference is between SSL_MODE_AUTO_RETRY on or
off in non-blocking mode?

The person at [1] seems to have had a similar issue, and was convinced clearing
SSL_MODE_AUTO_RETRY fixed it. But I agree, I don't know how it could be.
OpenSSL would have to remove the O_NONBLOCK, or do select/poll, and I can't
find it doing that.

I hope it happens again soon and I'm around to attach a debugger.

I may be incorrect here, but my interpretation is as follows:

SSL_MODE_AUTO_RETRY on - if there is a packet ready to read on the socket, the packet is retrieved. Same for write. If not ready, because EWOULDBLOCK, the operation is retried automatically by OpenSSL.

SSL_MODE_AUTO_RETRY off - if there is a packet ready to read on the socket, the packet is retrieved. Same for write. If not ready, the OpenSSL operation reports an error.

Not quite.

When you call SSL_read() it is because you are hoping to read application data.

OpenSSL will go ahead and attempt to read a record from the socket. If there is no data (and you are using a non-blocking socket), or only a partial record available then the SSL_read() call will fail and indicate SSL_ERROR_WANT_READ.

If a full record is available it will process it. If the record contains application data then the SSL_read() call will return successfully and provide the application data to the application.

If the record contains non-application data (i.e. some TLS protocol message like a key update, or new session ticket) then, with SSL_MODE_AUTO_RETRY on, it will automatically try to read another record (and the above process repeats). With SSL_MODE_AUTO_RETRY off, it will not attempt to retry and the SSL_read() call will fail and indicate SSL_ERROR_WANT_READ.

From an application perspective, if SSL_MODE_AUTO_RETRY is off with a non-blocking socket, it is not possible to tell the difference between "no record/only partial record is available" and "we tried to read application data but got a non-application data record". They both result in SSL_read() failing and indicating SSL_ERROR_WANT_READ.

For non-blocking mode it really doesn't make much difference to the application. Either way it should not cause it to block.

Matt
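The four SSL_read() situations Matt walks through above (no record, partial record, a full application-data record, and a non-application record such as a TLS 1.3 NewSessionTicket), reproduced as an added example that is not part of the original thread. It uses Python's ssl module, which wraps OpenSSL and enables SSL_MODE_AUTO_RETRY on every SSLContext; an SSLObject over a pair of MemoryBIOs behaves like SSL_read()/SSL_write() on a non-blocking socket, and every SSL_ERROR_WANT_READ surfaces as ssl.SSLWantReadError. Assumptions not taken from the thread: an openssl binary on PATH to mint a throwaway self-signed certificate, and an OpenSSL with TLS 1.3 (1.1.1 or later). The certificate, hostname and payload are constructed for the example.

```python
"""Added example: SSL_read() outcomes on a non-blocking transport, reproduced
with Python's ssl module (which sets SSL_MODE_AUTO_RETRY on every context).

Assumptions (not from the thread): an `openssl` binary on PATH to mint a
throwaway self-signed certificate, and an OpenSSL with TLS 1.3 (1.1.1+).
"""
import os
import ssl
import subprocess
import tempfile


def make_self_signed_cert(tmpdir):
    """Constructed, test-only key and certificate for localhost."""
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return cert, key


def pump(src_out, dst_in):
    """Carry whatever one side wrote into the other side's incoming BIO.
    This stands in for the network; the byte count shows when a flight
    (or a post-handshake message) was actually sent."""
    data = src_out.read()
    if data:
        dst_in.write(data)
    return len(data)


def handshake_pair(cert, key):
    """Run a TLS 1.3 handshake between an in-memory client and server.
    Returns both SSLObjects plus the BIOs, so the caller controls exactly
    which bytes the client gets to see, as a non-blocking socket would."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.minimum_version = ssl.TLSVersion.TLSv1_3
    sctx.load_cert_chain(cert, key)
    sctx.num_tickets = 2  # OpenSSL writes these as soon as its handshake finishes

    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.minimum_version = ssl.TLSVersion.TLSv1_3
    cctx.load_verify_locations(cert)  # trust only the constructed cert; verification stays on

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = cctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = sctx.wrap_bio(s_in, s_out, server_side=True)

    def step(obj):
        try:
            obj.do_handshake()
            return True
        except ssl.SSLWantReadError:  # SSL_ERROR_WANT_READ: need the peer's next flight
            return False

    client_done = server_done = False
    for _ in range(8):
        if not client_done:
            client_done = step(client)
            pump(c_out, s_in)
        if not server_done:
            server_done = step(server)
            if not server_done:
                pump(s_out, c_in)
            # Once the server is done, its output (the NewSessionTicket records)
            # is deliberately left in s_out so demonstrate() can feed it by hand.
        if client_done and server_done:
            break
    if not (client_done and server_done):
        raise RuntimeError("handshake did not complete")
    return client, server, (c_in, c_out, s_in, s_out)


def read_outcome(obj, n=4096):
    """One SSL_read() attempt: application data, or None for WANT_READ
    (the event loop's cue to go back to poll/select and call again)."""
    try:
        return obj.read(n)
    except ssl.SSLWantReadError:
        return None


def demonstrate():
    """Walk through the four situations from the thread; return what SSL_read() did."""
    with tempfile.TemporaryDirectory() as tmp:
        client, server, (c_in, c_out, s_in, s_out) = handshake_pair(*make_self_signed_cert(tmp))
    obs = {"version": client.version()}

    # 1. Only non-application records available: the TLS 1.3 NewSessionTicket
    #    messages. With AUTO_RETRY on, OpenSSL consumes them, tries the next
    #    record, finds nothing, and reports WANT_READ; the incoming BIO is drained.
    obs["post_handshake_bytes"] = pump(s_out, c_in)
    obs["read_after_tickets"] = read_outcome(client)
    obs["pending_after_tickets"] = c_in.pending

    # 2. Nothing available at all: WANT_READ, returned immediately, no blocking.
    obs["read_on_empty"] = read_outcome(client)

    # 3. Only part of a record: feed just the 5-byte TLS record header.
    #    Still WANT_READ; OpenSSL keeps the header and waits for the body.
    server.write(b"hello from server")
    record = s_out.read()
    c_in.write(record[:5])
    obs["read_on_partial"] = read_outcome(client)

    # 4. The rest of the record arrives: SSL_read() now returns the plaintext.
    c_in.write(record[5:])
    obs["read_on_full"] = read_outcome(client)
    return obs


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```

In C terms, each SSLWantReadError is SSL_read() returning -1 with SSL_get_error() == SSL_ERROR_WANT_READ, and the right response in a non-blocking loop is the same in either mode: go back to poll()/select() and call SSL_read() again when the socket is readable. The one caveat worth adding is read-ahead: if SSL_CTX_set_read_ahead() is enabled, OpenSSL may already hold the next record in its own buffer, so check SSL_has_pending() before sleeping in poll(), or the application waits for data that has already arrived.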
