On Thursday, May 23, 2024 10:26 AM Matt Caswell wrote:

> On 23/05/2024 15:08, rsbecker@xxxxxxxxxxxxx wrote:
>> On Thursday, May 23, 2024 9:56 AM, Wiebe Cazemier wrote:
>>>> From: "Neil Horman" <nhorman@xxxxxxxxxxx>
>>>> from:
>>>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html
>>>
>>>> SSL_MODE_AUTO_RETRY in non-blocking mode should cause
>>>> SSL_read/SSL_write to return -1 with an error code of
>>>> WANT_READ/WANT_WRITE until such time as the re-negotiation has
>>>> completed. I need to confirm that's the case in the code, but it
>>>> seems to be. If the underlying socket is in non-blocking mode, there
>>>> should be no way for calls to block in SSL_read/SSL_write on the
>>>> socket read/write system call.
>>>
>>> I still don't really see what the difference is between
>>> SSL_MODE_AUTO_RETRY on or off in non-blocking mode?
>>>
>>> The person at [1] seems to have had a similar issue, and was
>>> convinced clearing SSL_MODE_AUTO_RETRY fixed it. But I agree, I don't know
>>> how it could be. OpenSSL would have to remove the O_NONBLOCK, or do
>>> select/poll, and I can't find it doing that.
>>>
>>> I hope it happens again soon and I'm around to attach a debugger.
>>
>> I may be incorrect here, but my interpretation is as follows:
>>
>> SSL_MODE_AUTO_RETRY on - if there is a packet ready to read on the socket, the
>> packet is retrieved. Same for write. If not ready, because EWOULDBLOCK, the
>> operation is retried automatically by OpenSSL.
>>
>> SSL_MODE_AUTO_RETRY off - if there is a packet ready to read on the socket, the
>> packet is retrieved. Same for write. If not ready, the OpenSSL operation reports an
>> error.
>
> Not quite.
>
> When you call SSL_read() it is because you are hoping to read application data.
>
> OpenSSL will go ahead and attempt to read a record from the socket. If there is no
> data (and you are using a non-blocking socket), or only a partial record available,
> then the SSL_read() call will fail and indicate SSL_ERROR_WANT_READ.
>
> If a full record is available it will process it. If the record contains application data
> then the SSL_read() call will return successfully and provide the application data to
> the application.
>
> If the record contains non-application data (i.e. some TLS protocol message like a
> key update, or new session ticket) then, with SSL_MODE_AUTO_RETRY on, it will
> automatically try and read another record (and the above process repeats). If
> SSL_MODE_AUTO_RETRY is off it will not attempt to retry and the SSL_read() call will
> fail and indicate SSL_ERROR_WANT_READ.
>
> From an application perspective, if SSL_MODE_AUTO_RETRY is off with a non-blocking
> socket, it is not possible to tell the difference between "no record/only partial
> record is available" and "we tried to read application data but got a non-application
> data record". They both result in SSL_read() failing and indicating
> SSL_ERROR_WANT_READ.
>
> For non-blocking mode it really doesn't make much difference to the application.
> Either way it should not cause it to block.

Thanks Matt. That helps with my own understanding.
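The record-processing behaviour Matt describes above, reproduced end to end as an added example (not code from the thread or from OpenSSL). It uses Python's ssl module, which is OpenSSL underneath and always sets SSL_MODE_AUTO_RETRY, with in-memory BIOs standing in for a non-blocking socket so it runs offline. It assumes the `openssl` command-line tool is on PATH to mint a throwaway self-signed certificate (a hypothetical test cert for this run only). It forces TLS 1.3 so that the server's NewSessionTicket records arrive after the handshake; feeding those to the client and calling read() yields SSLWantReadError (OpenSSL consumed the non-application records, retried, found nothing), which is indistinguishable from feeding half an application-data record:

```python
"""Added example: what a non-blocking SSL_read() reports for (1) a full record that
carries no application data and (2) a partial application-data record.  Not code
from the mailing-list thread.  Assumes the `openssl` CLI is available."""
import os
import ssl
import subprocess
import tempfile


def make_self_signed(workdir):
    """Generate a throwaway RSA key and self-signed cert (demo only, never reuse)."""
    key = os.path.join(workdir, "key.pem")
    cert = os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, capture_output=True,
    )
    return cert, key


def pump(src_out, dst_in):
    """Move whatever one side wrote into the other side's incoming BIO (the 'wire')."""
    data = src_out.read()
    if data:
        dst_in.write(data)


def try_read(sslobj):
    """Mirror the SSL_read()/SSL_get_error() dispatch a non-blocking application does."""
    try:
        return sslobj.read()          # a record carrying application data
    except ssl.SSLWantReadError:
        return "SSL_ERROR_WANT_READ"  # no record, partial record, or only non-app records


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed(workdir)

        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.minimum_version = ssl.TLSVersion.TLSv1_3  # tickets are post-handshake in 1.3
        sctx.load_cert_chain(cert, key)

        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.minimum_version = ssl.TLSVersion.TLSv1_3
        cctx.check_hostname = False              # throwaway cert carries no SAN
        cctx.verify_mode = ssl.CERT_REQUIRED     # still pin it as the only trust anchor
        cctx.load_verify_locations(cafile=cert)

        c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
        client = cctx.wrap_bio(c_in, c_out, server_side=False)
        server = sctx.wrap_bio(s_in, s_out, server_side=True)

        # Drive the handshake, stopping as soon as both sides report completion so the
        # server's NewSessionTicket records are still sitting undelivered in s_out.
        client_done = server_done = False
        while True:
            if not client_done:
                try:
                    client.do_handshake()
                    client_done = True
                except ssl.SSLWantReadError:
                    pass
            pump(c_out, s_in)
            if not server_done:
                try:
                    server.do_handshake()
                    server_done = True
                except ssl.SSLWantReadError:
                    pass
            if client_done and server_done:
                break
            pump(s_out, c_in)

        # Case 1: complete records arrive, but they are NewSessionTicket, not app data.
        # With SSL_MODE_AUTO_RETRY on, OpenSSL processes them, retries, finds nothing
        # more, and SSL_read() fails with WANT_READ, just as if nothing had arrived.
        tickets = s_out.read()
        c_in.write(tickets)
        after_ticket = try_read(client)

        # Case 2: half an application-data record -> WANT_READ; the rest -> the data.
        server.write(b"hello")
        record = s_out.read()
        c_in.write(record[: len(record) // 2])
        partial = try_read(client)
        c_in.write(record[len(record) // 2:])
        complete = try_read(client)

        return {"ticket_record_bytes": len(tickets), "after_ticket": after_ticket,
                "partial": partial, "complete": complete}


if __name__ == "__main__":
    print(demo())
```

The two WANT_READ results are the practical takeaway: a non-blocking caller must treat SSL_ERROR_WANT_READ as "go back to select/poll and call SSL_read() again later" without reasoning about why, because, as the thread says, it cannot tell the reasons apart. The only blocking-related difference SSL_MODE_AUTO_RETRY makes is on blocking sockets; with O_NONBLOCK set, neither setting causes SSL_read() to sleep in the read system call.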