[openssl-users] Graceful shutdown of TLS connection for blocking sockets

karl at denninger.net karl at denninger.net
Sun Oct 8 21:37:17 UTC 2017


In short ssl is not the same as a raw socket fd because of the intervening protocol.

That's all....

  Original Message  
From: michel.sales at free.fr
Sent: October 8, 2017 4:34 PM
To: openssl-users at openssl.org
Reply-to: openssl-users at openssl.org
Subject: Re: [openssl-users] Graceful shutdown of TLS connection for blocking sockets

Hi Thomas, 

I do not think that non-blocking code is hard to implement, but I am not
still convinced there is not some kind of confusion here.
Pardon me if I do not understand well your reasoning, but I just want to
highlight that SSL_read() contract is not to return TCP data, but SSL/TLS
data (if some are available), which is more work.
As described in https://www.openssl.org/docs/man1.1.0/ssl/SSL_read.html, you
may encounter cases where TCP data is available, but just contains TLS
records with no usefull application data.

Can this be what you experienced or I missed your point ?

Regards,

Michel


-----Message d'origine-----
De : openssl-users [mailto:openssl-users-bounces at openssl.org] De la part de
Thomas J. Hruska
Envoyé : dimanche 8 octobre 2017 22:56
À : openssl-users at openssl.org
Objet : Re: [openssl-users] Graceful shutdown of TLS connection for blocking
sockets

On 10/8/2017 7:28 AM, Michel wrote:
> While I understand that using non-blocking descriptors is a better 
> practice, I still do not see why select() should NEVER be used for 
> blocking sockets (except when combined/interfered with the internal 
> OpenSSL state machine or equivalent mechanism).
> 
> Could you please elaborate or give an example ?
>   
> Regards,
> 
> Michel.

Example:  You call select(), it returns the descriptor as readable, you pass
it into SSL_read(), and SSL_read() blocks.  You are worse off than before
you used select() since you made the incorrect assumption that you could do
something when select() returns and not have a blocking socket block.

Just because select() says that something is readable (or writable) does not
actually make it so.  The function only makes sense for non-blocking
descriptors.  The use of select() with a blocking descriptor is always
wrong.

Non-blocking code is actually easier to implement than you think.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI and Win32 OpenSSL.
http://www.slproweb.com/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171008/8d71fbb4/attachment.bin>


More information about the openssl-users mailing list