<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Ad: The "correct" answer is that if you get SSL_ERROR_SYSCALL then the connection has failed and you shouldn't use that connection any more.</div>
<div> </div>
<div>This somehow contradicts the description of returncode <0 on SSL_connect which says that</div>
<div> </div>
<div><font color="#00B050"><0</font></div>
<div><font color="#00B050"> </font></div>
<div><font color="#00B050"> The TLS/SSL handshake was not successful, because a fatal error occurred either at the protocol level or a connection failure occurred.
<br>
The shutdown was not clean. It can also occur of <b><u>action is need to continue the operation for non-blocking BIOs</u></b>.
<br>
Call SSL_get_error() with the return value ret to find out the reason.</font></div>
<div> </div>
<div>If SSL_ERROR_SYSCAL would always mean connection failure, why then any action to continue the operation…..</div>
<div>So we’re getting SSL_connect() = -1 and we call SSL_get_error() returning 5 as advised</div>
<div>Then as SSL_get_error() says</div>
<div> </div>
<div><font face="Times New Roman" size="3" color="#00B050"><span style="font-size:12pt;">SSL_ERROR_SYSCALL</span></font></div>
<div style="margin-top:5pt;margin-bottom:5pt;padding-left:36pt;"><font face="Times New Roman" size="3" color="#00B050"><span style="font-size:12pt;">Some non-recoverable I/O error occurred. The OpenSSL error queue may contain more information on the error.
<br>
For socket I/O on Unix systems, consult <b>errno</b> for details</span></font></div>
<div style="margin-top:5pt;margin-bottom:5pt;"><font size="2"><span style="font-size:10.5pt;">We call<font face="Times New Roman" size="3" color="#00B050"><span style="font-size:12pt;"> </span></font><font face="Consolas" size="2"><span style="font-size:9.5pt;">ERR_print_errors_fp(</span></font><font face="Consolas" size="2" color="#6F008A"><span style="font-size:9.5pt;">stderr</span></font><font face="Consolas" size="2"><span style="font-size:9.5pt;">)</span></font><font face="Consolas" size="2"><span style="font-size:9.5pt;">
</span></font>which gives no output.<br>
We inspect errno which indicates EWOULDBLOCK or EAGAIN</span></font></div>
<div style="margin-top:5pt;margin-bottom:5pt;"><font size="2"><span style="font-size:10.5pt;">This seems to happen rarely (once per hundreds of SSL_Connect) and as we’re currently treating any SSL_ERROR_SYSCALL<br>
as bogus and terminate the connection (SSL_shutdown+Socketclose)</span></font></div>
<div style="margin-top:5pt;margin-bottom:5pt;"><font size="2"><span style="font-size:10.5pt;">As our server runs “forever” and has high load we see a lot of such “SSL_Connect errors in our Logs”
<br>
Additionally it seems to happen more frequently when connecting to a remote host rather than when connecting to a server co-located….</span></font></div>
<div style="margin-top:5pt;margin-bottom:5pt;"><font size="2"><span style="font-size:10.5pt;">I have experienced the same behavior with SSL_read/SSL_write where we also get SSL_ERROR_SYSCALL and find that errno is EWOULDBLOCK<br>
But in these cases we “know” what to do (wait for readable when it appears in SSL_read and wait for writeable when in SSL_write)<br>
Therefore we have the feeling that same blocking happens during SSL_connect……..?</span></font></div>
<div style="margin-top:5pt;margin-bottom:5pt;"><font size="2"><span style="font-size:10.5pt;">GJ </span></font></div>
<div> </div>
<div>-----Original Message-----<br>
From: openssl-users [<a href="mailto:openssl-users-bounces@openssl.org">mailto:openssl-users-bounces@openssl.org</a>] On Behalf Of Matt Caswell<br>
Sent: Friday, September 07, 2018 11:24 AM<br>
To: openssl-users@openssl.org<br>
Subject: Re: [openssl-users] SSL_connect returns SSL_ERROR_SYSCALL and errno == EWOULDBLOCK</div>
<div> </div>
<div> </div>
<div> </div>
<div>On 07/09/18 09:16, Jahn, Gerhard wrote:</div>
<div>> Hi,</div>
<div>> </div>
<div>> We are using OpenSSl 1.0.2n in our server running on LINUX.</div>
<div>> We call SSL_connect() on async socket (after TCP connect completion) </div>
<div>> to establish a secure connection.</div>
<div>> According to DOC SSL_get_error(() has to be called if SSL_connect() </div>
<div>> returns <=0</div>
<div>> </div>
<div>> We do not understand what to do if SSL_get_error(() returns </div>
<div>> SSL_ERROR_SYSCALLand errno is EWOULDBLOCK If SSL_get_error returns </div>
<div>> SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE it pretty clear what to </div>
<div>> do… (we set the socket descriptor either in the readfds or writefds </div>
<div>> and call select to wait until the socket becomes readable or writeable </div>
<div>> (or times-out) But when EWOULDBLOCK is indicated, we do not know </div>
<div>> whether to wait for readable/writeable…… (setting both might be an </div>
<div>> idea but could easily lead to a live-loop as we suppose that the </div>
<div>> handshake either waits for a read or for a write but not both…</div>
<div> </div>
<div>That's quite a surprising result. Possibly intervening code somewhere between the sys call and where you check errno has changed its value?</div>
<div> </div>
<div>The "correct" answer is that if you get SSL_ERROR_SYSCALL then the connection has failed and you shouldn't use that connection any more.</div>
<div>Have you checked the openssl error stack for any reported issues?</div>
<div> </div>
<div>Matt</div>
<div> </div>
<div> </div>
<div> </div>
<div>> </div>
<div>> Any ideas?</div>
<div>> Thanks</div>
<div>> </div>
<div>> Mit freundlichen Grüßen/Best regards,</div>
<div>> *____________</div>
<div>> **Gerhard Jahn*</div>
<div>> </div>
<div>> Identity and Access Management</div>
<div>> </div>
<div>> Phone: +49 (211) 399-33276</div>
<div>> Phone: +49 (211) 399-22891</div>
<div>> Email: _gerhard.jahn@atos.net_ <<a href="mailto:gerhard.jahn@atos.net">mailto:gerhard.jahn@atos.net</a>> </div>
<div>> Otto-Hahn-Ring 6</div>
<div>> 81739 München, Germany</div>
<div>> de.atos.net</div>
<div>> </div>
<div>> Atos Information Technology GmbH; Geschäftsführung: Winfried Holz, Udo </div>
<div>> Littke; Vorsitzender des Aufsichtsrats: N.N.; Sitz der Gesellschaft:</div>
<div>> München; Registergericht: München, HRB 235509.</div>
<div>> </div>
<div>> Diese E-Mail und etwaige Anlagen enthalten firmenvertrauliche </div>
<div>> Informationen, die ausschließlich für den Empfänger bestimmt sind.</div>
<div>> Sollten Sie diese E-Mail irrtümlich erhalten haben, benachrichtigen </div>
<div>> Sie bitte unverzüglich den Absender per Antwort-Mail und löschen Sie </div>
<div>> diese E-Mail nebst Anlagen von Ihrem System. Da die Integrität </div>
<div>> innerhalb des Internets nicht zu gewährleisten ist, kann die Atos </div>
<div>> Gruppe für die Inhalteder Nachricht kein Haftung übernehmen. Obwohl </div>
<div>> der Absender anstrebt ein virusfreies Computernetzwerk </div>
<div>> sicherzustellen, kann der Absender nicht gewährleisten, dass diese </div>
<div>> E-Mail virusfrei ist und wird damit keine Haftung bei Schäden auf </div>
<div>> Grund einer Virusübermittlung übernehmen.</div>
<div>> </div>
<div>> This e-mail and the documents attached are confidential and intended </div>
<div>> solely for the addressee; it may also be privileged. If you receive </div>
<div>> this e-mail in error, please notify the sender immediately and destroy </div>
<div>> it. As its integrity cannot be secured on the Internet, the Atos group </div>
<div>> liability cannot be triggered for the message content. Although the </div>
<div>> sender endeavors to maintain a computer virus-free network, the sender </div>
<div>> does not warrant that this transmission is virus-free and will not be </div>
<div>> liable for any damages resulting from any virus transmitted.</div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>> </div>
<div>--</div>
<div>openssl-users mailing list</div>
<div>To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users">
https://mta.openssl.org/mailman/listinfo/openssl-users</a></div>
<div> </div>
</span></font>
</body>
</html>