Blocking on a non-blocking socket?

Thu May 23 14:26:28 UTC 2024

On 23/05/2024 15:08, rsbecker at nexbridge.com wrote:
> On Thursday, May 23, 2024 9:56 AM, Wiebe Cazemier wrote:
>>> From: "Neil Horman" <nhorman at openssl.org>
>>> from:
>>> [ https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html |
>>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html ]
>>
>>> SSL_MODE_AUTO_RETRY in non-blocking mode should cause
>>> SSL_reaa/SSL_write to return -1 with an error code of
>>> WANT_READ/WANT_WRITE until such time as the re-negotiation has
>>> completed. I need to confirm thats the case in the code, but it seems
>>> to be. If the underlying socket is in non-blocking mode, there should
>>> be no way for calls to block in SSL_read/SSL_write on the socket read/write system
>> call.
>>
>> I still don't really see what the difference is between SSL_MODE_AUTO_RETRY on or
>> off in non-blocking mode?
>>
>> The person at [1] seems to have had a similar issue, and was convinced clearing
>> SSL_MODE_AUTO_RETRY fixed it. But I agree, I don't know how it could be.
>> OpenSSL would have to remove the O_NONBLOCK, or do select/poll, and I can't
>> find it doing that.
>>
>> I hope it happens again soon and I'm around to attach a debugger.
> 
> I may be incorrect here, but my interpretation is as follows:
> 
> SSL_MODE_AUTO_RETRY on - if there is a packet ready to read on the socket, the packet is retrieved. Same for write. If not ready, because EWOULDBLOCK, the operation is retried automatically by OpenSSL.
> 
> SSL_MODE_AUTO_RETRY off - if there is a packet ready to read on the socket, the packet is retrieved. Same for write. If not ready, the OpenSSL operation reports an error.

Not quite.

When you call SSL_read() it is because you are hoping to read 
application data.

OpenSSL will go ahead and attempt to read a record from the socket. If 
there is no data (and you are using a non-blocking socket), or only a 
partial record available then the SSL_read() call will fail and indicate 
SSL_ERROR_WANT_READ.

If a full record is available it will process it. If the record contains 
application data then the SSL_read() call will return successfully and 
provide the application data to the application.

If the record contains non-application data (i.e. some TLS protocol 
message like a key update, or new session ticket) then, with 
SSL_MODE_AUTO_RETRY on it will automatically try and read another record 
(and the above process repeats). If SSL_MODE_AUTO_RETRY off it will not 
attempt to retry and the SSL_read() call will fail and indicate 
SSL_ERROR_WANT_READ.

 From an application perspective, if SSL_MODE_AUTO_RETRY is off with a 
non-blocking socket, it is not possible to tell the difference between 
"no record/only partial record is available" and "we tried to read 
application data but got a non-application data record". They both 
result in SSL_read() failing and indicating SSL_ERROR_WANT_READ.

For non-blocking mode it really doesn't make much difference to the 
application. Either way it should not cause it to block.

Matt