<div dir="ltr">Hi,<div><br></div><div>As per the suggestion from the OpenSSL documentation, whenever the SSL API returns SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, the calling process must repeat the call after taking appropriate action to satisfy the needs of SSL_connect().</div><div><br></div><div>I am copying the code bits here:</div><div><br></div><div><pre>
    /* retry must start true; it is cleared on a fatal error or a poll timeout */
    retry = true;
    do
    {
        /* Clear the OpenSSL error queue: SSL_get_error() is only reliable
         * when the queue is empty before the I/O call */
        ERR_clear_error();

        /* Initiate the DTLS handshake on the non-blocking socket */
        aRetValue = SSL_connect(ivSSL);

        if (aRetValue <= 0)
        {
            /* Save errno right away: the logging calls below may overwrite it */
            int aErrno = errno;

            aTlsError = SSL_get_error(ivSSL, aRetValue);

            switch (aTlsError)
            {
            case SSL_ERROR_WANT_READ:
            case SSL_ERROR_WANT_WRITE:
            {
                /* Select on the socket for the event OpenSSL asked for, then
                 * repeat SSL_connect(); a select timeout clears retry */
                retry = pollSocketForEvents(aTlsError);   /* Function is copied below */

                LOGG_DBUG(Logger::M3UA_LOG, "Link-%d SSL_connect() fails to connect, "
                          "need to retry, returned error code %d, retry ? %s",
                          ivLink->getLinkId(), aTlsError, retry ? "true" : "false");
            }
            break;

            case SSL_ERROR_SYSCALL:
                if (EWOULDBLOCK == aErrno || EAGAIN == aErrno)
                {
                    /* Transient socket error: nothing to do, retry to connect again */
                    retry = true;
                }
                else
                {
                    unsigned long aErr = ERR_get_error_line(&aFile, &aLine);

                    LOGG_DBUG(Logger::M3UA_LOG, "Link-%d SSL File : %s , Line number : %d , "
                              "Socket Id %d, OpenSSL error %lu, Linux Error Code %d",
                              ivLink->getLinkId(), aFile, aLine, getFd(), aErr, aErrno);

                    LOGG_DBUG(Logger::M3UA_LOG, "Link-%d SSL_connect () :: Result Code : %d ",
                              ivLink->getLinkId(), aTlsError);

                    retry = false;
                }
                break;

            default:
            {
                unsigned long aErr = ERR_get_error_line(&aFile, &aLine);

                LOGG_DBUG(Logger::M3UA_LOG, "Link-%d (SSL_connect) Failed to connect to server, "
                          "Socket Id %d, Return Value %d ", ivLink->getLinkId(), getFd(), aTlsError);

                LOGG_DBUG(Logger::M3UA_LOG, "Link-%d SSL File : %s , Line number : %d , "
                          "OpenSSL error %lu, Linux Error Code %d",
                          ivLink->getLinkId(), aFile, aLine, aErr, aErrno);

                retry = false;
            }
            break;
            }
        }
    } while (aRetValue != 1 && retry != false);
</pre></div><div><br></div><div><br></div><div><pre>
    bool TlsAssociation::pollSocketForEvents(long aTlsError)
    {
        /* This function is to implement the SSL socket call behaviour
           <a href="http://jmarshall.com/stuff/handling-nbio-errors-in-openssl.html">http://jmarshall.com/stuff/handling-nbio-errors-in-openssl.html</a> */

        fd_set readFds, writeFds;
        struct timeval timeout;
        int retValue;

        int fd = getFd();

        /* select() cannot watch descriptors at or above FD_SETSIZE, and FD_SET
         * on such a value is undefined behaviour, so treat it as a failure */
        if (fd < 0 || fd >= FD_SETSIZE)
        {
            return false;
        }

        FD_ZERO(&readFds);
        FD_ZERO(&writeFds);
        FD_SET(fd, &readFds);
        FD_SET(fd, &writeFds);

        /* Wait for 5 seconds; select() may modify timeout, so it is set on every call */
        timeout.tv_usec = 0;
        timeout.tv_sec = 5;

        if (SSL_ERROR_WANT_READ == aTlsError)
        {
            /* OpenSSL needs incoming data: wait only for readability */
            retValue = select(fd + 1, &readFds, NULL, NULL, &timeout);
            if (retValue <= 0)
            {
                // Timeout or error (including EINTR), just return failure
                return false;
            }
        }

        if (SSL_ERROR_WANT_WRITE == aTlsError)
        {
            /* OpenSSL needs to flush outgoing data: wait only for writability */
            retValue = select(fd + 1, NULL, &writeFds, NULL, &timeout);
            if (retValue <= 0)
            {
                // Timeout or error, just return failure
                return false;
            }
        }

        return true;
    }
</pre></div><div><br></div><div><br></div><div><br></div><div>Thanks,<br>Mahesh G S</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 14, 2017 at 4:01 PM, Graham Leggett <span dir="ltr"><<a href="mailto:minfrin@sharp.fm" target="_blank">minfrin@sharp.fm</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><span class="">On 14 Nov 2017, at 12:00 PM, mahesh gs <<a href="mailto:mahesh116@gmail.com" target="_blank">mahesh116@gmail.com</a>> wrote:</span><div><br><div><span class=""><blockquote type="cite">We have an application that provides DTLS security for SCTP connections. 
During our testing we found that the API "<b>SSL_connect</b>" fails and always returns SSL_ERROR_WANT_READ, which causes an infinite loop in the application.<br></blockquote><div><br></div></span><div>Are you properly handling that SSL_ERROR_WANT_READ, or are you ignoring it?</div><div><br></div><div>The message isn’t an error (the symbol was misnamed); it just means OpenSSL is asking you for permission to read. If your code is saying "yes OpenSSL, you may read" when you actually aren’t ready, you’ll end up in an infinite loop.</div><div><br></div><div>Regards,</div><div>Graham</div><div>—</div><div><br></div></div></div></div><br>--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>
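Added example (editor's code, not Mahesh's snippet or anything else from this thread): the WANT_READ/WANT_WRITE retry loop discussed above, written so that it cannot spin forever. It waits only for the event OpenSSL reported, re-issues the same call afterwards, and puts a deadline on the whole handshake on top of the per-wait timeout, so a peer that never answers ends the loop with a timeout instead of an endless retry. To build without libssl the SSL_ERROR_* constants copy the values from <openssl/ssl.h>, and the handshake step is a function pointer (in real code that step is SSL_connect() followed by SSL_get_error()) exercised by a constructed mock over a socketpair; the names drive_handshake, wait_for_event, mock_step and run_demo are this example's own. For DTLS the per-wait cap is where a client should bound its wait by DTLSv1_get_timeout() and call DTLSv1_handle_timeout() on expiry, so a lost flight is retransmitted rather than waiting out a long select() timeout.

```c
/* Added example (editor's code, not from the thread): a bounded driver for a
 * non-blocking (D)TLS handshake.  SSL_ERROR_* values copy <openssl/ssl.h> so the
 * block builds without libssl; the step is SSL_connect()+SSL_get_error() in
 * real code and a constructed mock here. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#define SSL_ERROR_NONE       0
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#define SSL_ERROR_SYSCALL    5

typedef enum { HS_OK, HS_TIMEOUT, HS_ERROR } hs_result;
typedef int (*handshake_step_fn)(void *ctx, int fd);   /* returns an SSL_ERROR_* code */

static int64_t now_ms(void) {
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (int64_t)tv.tv_sec * 1000 + tv.tv_usec / 1000;
}

/* Wait for the one event OpenSSL asked for: 1 ready, 0 timed out, -1 poll() failed.
 * POLLERR/POLLHUP count as ready: the next step call reports the real error. */
static int wait_for_event(int fd, int want, int timeout_ms) {
    struct pollfd pfd = { .fd = fd, .events = (want == SSL_ERROR_WANT_READ) ? POLLIN : POLLOUT, .revents = 0 };
    for (;;) {
        int r = poll(&pfd, 1, timeout_ms);
        if (r < 0 && errno == EINTR) continue;      /* interrupted by a signal: keep waiting */
        return r < 0 ? -1 : (r > 0 ? 1 : 0);
    }
}

/* Repeat the step on WANT_READ/WANT_WRITE.  per_wait_ms caps one wait (for DTLS,
 * bound it by DTLSv1_get_timeout() so retransmission is not delayed); total_ms
 * bounds the whole loop, which is what keeps a silent peer from spinning it forever. */
static hs_result drive_handshake(int fd, handshake_step_fn step, void *ctx,
                                 int per_wait_ms, int total_ms, int *attempts) {
    int64_t deadline = now_ms() + total_ms;
    hs_result res;
    int n = 0;
    for (;;) {
        int err = step(ctx, fd);
        n++;
        if (err == SSL_ERROR_NONE) { res = HS_OK; break; }
        if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) { res = HS_ERROR; break; }
        int64_t left = deadline - now_ms();
        if (left <= 0) { res = HS_TIMEOUT; break; }
        int wait_ms = left < per_wait_ms ? (int)left : per_wait_ms;
        if (wait_for_event(fd, err, wait_ms) < 0) { res = HS_ERROR; break; }
        /* ready, or this wait expired: either way re-issue the same call */
    }
    if (attempts) *attempts = n;
    return res;
}

/* Constructed mock of SSL_connect(): the peer must deliver `needed` handshake bytes;
 * each call consumes at most one 4-byte "record" and answers WANT_READ until then. */
typedef struct { int needed; int got; } mock_hs;

static int mock_step(void *ctx, int fd) {
    mock_hs *m = ctx;
    unsigned char rec[4];
    if (m->got >= m->needed) return SSL_ERROR_NONE;
    ssize_t r = recv(fd, rec, sizeof rec, 0);
    if (r > 0) { m->got += (int)r; return m->got >= m->needed ? SSL_ERROR_NONE : SSL_ERROR_WANT_READ; }
    if (r == 0) return SSL_ERROR_SYSCALL;            /* peer closed: unexpected EOF */
    return (errno == EAGAIN || errno == EWOULDBLOCK) ? SSL_ERROR_WANT_READ : SSL_ERROR_SYSCALL;
}

/* Handshake over a socketpair whose peer pre-sends `sent` bytes and, if peer_closes,
 * hangs up; attempts receives the number of step calls made. */
static hs_result run_demo(int needed, int sent, bool peer_closes, int total_ms, int *attempts) {
    int sv[2];
    unsigned char payload[64] = { 0 };               /* constructed handshake bytes */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return HS_ERROR;
    (void)fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);  /* client side non-blocking */
    if (sent > 0) (void)send(sv[1], payload, (size_t)(sent < 64 ? sent : 64), 0);
    if (peer_closes) close(sv[1]);
    mock_hs m = { needed, 0 };
    hs_result res = drive_handshake(sv[0], mock_step, &m, 20, total_ms, attempts);
    close(sv[0]);
    if (!peer_closes) close(sv[1]);
    return res;
}

int main(void) {
    int a; hs_result r;
    r = run_demo(16, 16, false, 1000, &a); printf("complete:  %d, attempts %d\n", (int)r, a);
    r = run_demo(16, 4, false, 100, &a);   printf("silent:    %d, attempts %d\n", (int)r, a);
    r = run_demo(16, 0, true, 1000, &a);   printf("peer gone: %d, attempts %d\n", (int)r, a);
    return 0;
}
```

The three runs in main cover the cases the thread is about: a peer that delivers the full handshake (four WANT_READ retries, then success), a peer that goes quiet after the first record (the loop retries until the 100 ms deadline and returns HS_TIMEOUT instead of looping forever), and a peer that hangs up (SSL_ERROR_SYSCALL on EOF, reported as HS_ERROR on the first call).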