SSL_read() returning SSL_ERROR_SYSCALL with errno 11EAGAIN

Viktor Dukhovni openssl-users at
Tue Apr 30 17:18:36 UTC 2019

> On Apr 30, 2019, at 12:31 PM, Michael Wojcik <Michael.Wojcik at> wrote:
> I haven't seen a reply to this, so I'll take a stab...
> I haven't looked at the code, but my impression is that WANT_READ and WANT_WRITE are returned in two cases: when OpenSSL has received or sent a partial record and needs to complete it; or when the TLS state is such that OpenSSL needs to perform the associated operation and it hasn't been requested by the application - for example, if the application is trying to receive data but OpenSSL needs to send renegotiation information.
> If you do a non-blocking receive at a record boundary (so you don't have an incomplete record) and OpenSSL doesn't currently need to send for TLS reasons, OpenSSL will see the EAGAIN (or EWOULDBLOCK, depending on platform). I think in this case it does just return SSL_ERROR_SYSCALL, because OpenSSL itself doesn't "want" to receive. If OpenSSL had already received a partial record, then you'd get WANT_READ.

I think the above guess is not correct.  A cursory look at the
code suggests that even user-initiated reads normally return
SSL_ERROR_WANT_READ when the network bio signals a retriable

The OP has not provided much detail about the connections in
question are created.  Is the connection made by the
application, and SSL negotiated over an existing socket, or
is the connection established by OpenSSL over a "connect bio"?

Is the handshake explicit, or does the application just call
SSL_read(), with OpenSSL performing the handshake as needed?

In any case, I would not expect SSL_ERROR_SYSCALL under normal
conditions.  The documentation says:

           Some non-recoverable, fatal I/O error occurred. The OpenSSL error
           queue may contain more information on the error. For socket I/O on
           Unix systems, consult errno for details. If this error occurs then
           no further I/O operations should be performed on the connection and
           SSL_shutdown() must not be called.

           This value can also be returned for other errors, check the error
           queue for details.


More information about the openssl-users mailing list