Blocking on a non-blocking socket?

rsbecker at nexbridge.com rsbecker at nexbridge.com
Thu May 23 14:45:51 UTC 2024


On Thursday, May 23, 2024 10:26 AM Matt Caswell wrote:
>On 23/05/2024 15:08, rsbecker at nexbridge.com wrote:
>> On Thursday, May 23, 2024 9:56 AM, Wiebe Cazemier wrote:
>>>> From: "Neil Horman" <nhorman at openssl.org>
>>>> from:
>>>> [ https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html |
>>>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html ]
>>>
>>>> SSL_MODE_AUTO_RETRY in non-blocking mode should cause
>>>> SSL_reaa/SSL_write to return -1 with an error code of
>>>> WANT_READ/WANT_WRITE until such time as the re-negotiation has
>>>> completed. I need to confirm thats the case in the code, but it
>>>> seems to be. If the underlying socket is in non-blocking mode, there
>>>> should be no way for calls to block in SSL_read/SSL_write on the
>>>> socket read/write system
>>> call.
>>>
>>> I still don't really see what the difference is between
>>> SSL_MODE_AUTO_RETRY on or off in non-blocking mode?
>>>
>>> The person at [1] seems to have had a similar issue, and was
>>> convinced clearing SSL_MODE_AUTO_RETRY fixed it. But I agree, I don't know
>how it could be.
>>> OpenSSL would have to remove the O_NONBLOCK, or do select/poll, and I
>>> can't find it doing that.
>>>
>>> I hope it happens again soon and I'm around to attach a debugger.
>>
>> I may be incorrect here, but my interpretation is as follows:
>>
>> SSL_MODE_AUTO_RETRY on - if there is a packet ready to read on the socket, the
>packet is retrieved. Same for write. If not ready, because EWOULDBLOCK, the
>operation is retried automatically by OpenSSL.
>>
>> SSL_MODE_AUTO_RETRY off - if there is a packet ready to read on the socket, the
>packet is retrieved. Same for write. If not ready, the OpenSSL operation reports an
>error.
>
>Not quite.
>
>When you call SSL_read() it is because you are hoping to read application data.
>
>OpenSSL will go ahead and attempt to read a record from the socket. If there is no
>data (and you are using a non-blocking socket), or only a partial record available
>then the SSL_read() call will fail and indicate SSL_ERROR_WANT_READ.
>
>If a full record is available it will process it. If the record contains application data
>then the SSL_read() call will return successfully and provide the application data to
>the application.
>
>If the record contains non-application data (i.e. some TLS protocol message like a
>key update, or new session ticket) then, with SSL_MODE_AUTO_RETRY on it will
>automatically try and read another record (and the above process repeats). If
>SSL_MODE_AUTO_RETRY off it will not attempt to retry and the SSL_read() call will
>fail and indicate SSL_ERROR_WANT_READ.
>
> From an application perspective, if SSL_MODE_AUTO_RETRY is off with a non-
>blocking socket, it is not possible to tell the difference between "no record/only
>partial record is available" and "we tried to read application data but got a non-
>application data record". They both result in SSL_read() failing and indicating
>SSL_ERROR_WANT_READ.
>
>For non-blocking mode it really doesn't make much difference to the application.
>Either way it should not cause it to block.

Thanks Matt. That helps with my own understanding.



More information about the openssl-users mailing list