[openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

Viktor Dukhovni openssl-users at dukhovni.org
Mon Oct 10 08:01:22 UTC 2016


> On Oct 10, 2016, at 3:52 AM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
> 
> If(BIO_should_read(socket->ssl_bio) != 0)
> 
> If(BIO_should_write(socket->ssl_bio) != 0)

In Postfix, we don't bother with the application layer ssl_bio,
and just do SSL_read()/SSL_write() directly.  You only need this
if you specifically want a BIO API to SSL.

> With this, I could get the entire end-to-end workflow to work !!!!

You might not be done yet.  Is the client verifying the server
certificate including name checks?  Just doing TLS, without
certificate checks, only protects against passive attacks.

-- 
	Viktor.


