[openssl-users] SSL_read() returns -1, and SSL_read_ex does not update readbytes where a record containing a session ticket is being read (TLS 1.3)

Kurt Roeckx kurt at roeckx.be
Fri Jan 25 22:14:03 UTC 2019


On Thu, Jan 24, 2019 at 11:09:40PM +0700, Arran Cudbard-Bell wrote:
> We could use this to determine what SSL_ERROR_WANT_READ is indicating. As it seems SSL_ERROR_WANT_READ could indicate two conditions in this scenario:
> 
> 1) No pending bytes - Additional handshake messages were processed, there's an expectation of additional application_data, but no hint that more application_data will be forthcoming.
> 2) Pending bytes - There is an incomplete record that needs processing.  Additional data should be fed into the BIO.

If you call SSL_read() and you get SSL_ERROR_WANT_READ it means
we can't return any application data at this time. Try again later.

With SSL_MODE_AUTO_RETRY off, it could be that calling it directly
again can now return application data. If it's on, it means it
wasn't available yet and you need to wait for it to arrive.

If you use an fd BIO and select(), SSL_ERROR_WANT_READ just means
you should wait with select() for more data.


Kurt
