[openssl-users] Graceful shutdown of TLS connection for blocking sockets

Kyle Hamilton aerowolf at gmail.com
Mon Oct 9 01:06:21 UTC 2017

Important caveat: SSL_read() and SSL_write() don't directly return
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. Those values are returned
by SSL_get_error().

I apologize for the misstatement.

-Kyle H

On Sun, Oct 8, 2017 at 5:58 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
> Do you have a reference to what should be done instead?
> My understanding of what happens with blocking sockets is that
> SSL_read() will return SSL_ERROR_WANT_READ if it needs additional data
> read from a socket that doesn't have it available (and will return
> SSL_ERROR_WANT_WRITE if it needs to write for a handful of reasons,
> but can't).  I had thought that the appropriate response would be to
> add that descriptor to the appropriate set to query on the next call
> to select(), and then call the same function with the same parameters
> so the library can advance its state machine.
> write() and read() have the means to tell you how much data was
> written or read, and that's what you're supposed to use to keep
> blocking descriptors from hanging your application, I thought.
> -Kyle H
> On Sun, Oct 8, 2017 at 6:48 AM, Thomas J. Hruska
> <shinelight at shininglightpro.com> wrote:
>> On 10/8/2017 4:17 AM, Kyle Hamilton wrote:
>>> The way to handle this situation is simply to never enter SSL_read() if
>>> there isn't anything to read on the socket.  select() or pselect() are your
>>> friends, here, because they'll tell you if there's data to read from the
>>> underlying file descriptor.
>>> I hope this helps!
>>> -Kyle H
>> Since the OP is talking about blocking sockets, I'm going to reiterate
>> something someone pointed out to me on this very list many years ago and
>> save someone a LOT of headaches:
>> select() should NEVER, EVER be used for blocking sockets.
>> Just because select() returns any given descriptor doesn't mean that a call
>> won't still block when working with blocking sockets.  select() is for
>> non-blocking descriptors ONLY.  The amount of extra code involved for
>> handling non-blocking sockets is actually quite minimal when a state engine
>> is adopted.
>> I'd love to see select() implementations raise an exception and kill the
>> whole application off when passing it a blocking descriptor.  Then we would
>> discover how much broken software is floating around out there. Since I
>> still see lots of recommendations for using select() with blocking
>> descriptors and all of the official system-level documentation for select()
>> is silent on this issue, I'm guessing a lot.
>> --
>> Thomas Hruska
>> Shining Light Productions
>> Home of BMP2AVI and Win32 OpenSSL.
>> http://www.slproweb.com/
